{"description": "Enterprise techniques used by Flagpro, ATT&CK software S0696 (v1.0)", "name": "Flagpro (S0696)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can communicate with its C2 using HTTP.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can check the name of the window displayed on the system.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has dropped an executable file to the startup directory.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can use `cmd.exe` to execute commands received from C2.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can execute malicious VBA macros embedded in .xlsm files.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has encoded bidirectional data communications between a target system and C2 server using Base64.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can collect data from a compromised host, including Windows authentication information.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has exfiltrated data to the C2 server.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can download additional malware from the C2 server.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can download malicious files with a .tmp extension and append them with .exe prior to execution.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to execute `net view` to discover mapped network shares.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been delivered within ZIP or RAR password-protected archived files.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to execute the net localgroup administrators command on a targeted system.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been distributed via spearphishing as an email attachment.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to run the tasklist command on a compromised system.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to execute net view on a targeted system.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1029", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has the ability to wait for a specified time interval between communicating with and executing commands from C2.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog.(Citation: NTT Security Flagpro new December 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to execute the ipconfig /all command on a victim system.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to execute netstat -ano on a compromised host.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has been used to run the whoami command on the system.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Flagpro](https://attack.mitre.org/software/S0696) has relied on users clicking a malicious attachment delivered through spearphishing.(Citation: NTT Security Flagpro new December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Flagpro", "color": "#66b1ff"}]}