{"description": "Enterprise techniques used by PyDCrypt, ATT&CK software S1032 (v1.1)", "name": "PyDCrypt (S1032)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has attempted to execute with PowerShell.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has used `cmd.exe` for execution.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032), along with its functions, is written in Python.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has decrypted and dropped the [DCSrv](https://attack.mitre.org/software/S1033) payload to disk.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` on remote machines.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) will remove all created artifacts such as dropped executables.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has dropped [DCSrv](https://attack.mitre.org/software/S1033) under the `svchost.exe` name to disk.(Citation: Checkpoint MosesStaff Nov 2021)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1049", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has used [netsh](https://attack.mitre.org/software/S0108) to find RPC connections on remote machines.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has probed victim machines with whoami and has collected the username from the machine.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[PyDCrypt](https://attack.mitre.org/software/S1032) has attempted to execute with WMIC.(Citation: Checkpoint MosesStaff Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PyDCrypt", "color": "#66b1ff"}]}