{
  "description": "Enterprise techniques used by STARWHALE, ATT&CK software S1037 (v1.1)",
  "name": "STARWHALE (S1037)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has the ability to contact actor-controlled C2 servers via HTTP.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has the ability to execute commands via `cmd.exe`.(Citation: Mandiant UNC3313 Feb 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback_whale\" start= \"auto\" obj= \"LocalSystem\"`.(Citation: Mandiant UNC3313 Feb 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has the ability to hex-encode collected data from an infected host.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can collect data from an infected local host.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has stored collected data in a file called `stari.txt`.(Citation: Mandiant UNC3313 Feb 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can exfiltrate collected data to its C2 servers.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has been obfuscated with hex-encoded strings.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can gather the computer name of an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has the ability to collect the IP address of an infected host.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) can gather the username from an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[STARWHALE](https://attack.mitre.org/software/S1037) has relied on victims opening a malicious Excel file for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by STARWHALE", "color": "#66b1ff"}]
}