{"description": "Enterprise techniques used by Action RAT, ATT&CK software S1028 (v1.0)", "name": "Action RAT (S1028)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can use HTTP to communicate with C2 servers.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can use `cmd.exe` to execute commands on an infected host.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can collect local data from an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can use Base64 to decode actor-controlled C2 server communications.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect drive and file information on an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) has the ability to download additional payloads onto an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Action RAT](https://attack.mitre.org/software/S1028)'s commands, strings, and domains can be Base64 encoded within the payload.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect the hostname, OS version, and OS architecture of an infected host.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect the MAC address of an infected host.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect the username from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Action RAT](https://attack.mitre.org/software/S1028) can use WMI to gather AV products installed on an infected host.(Citation: MalwareBytes SideCopy Dec 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Action RAT", "color": "#66b1ff"}]}