{"description": "Enterprise techniques used by Bumblebee, ATT&CK software S1039 (v1.1)", "name": "Bumblebee (S1039)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can compress data stolen from the Registry and volume shadow copies prior to exfiltration.(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use PowerShell for execution.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use `cmd.exe` to drop and run files.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can create a Visual Basic script to enable persistence.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to base64 encode C2 server responses.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can capture and compress stolen credentials from the Registry and volume shadow copies.(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can search for tools used in static analysis.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can deobfuscate C2 server responses and unpack its code on targeted hosts.(Citation: Proofpoint Bumblebee April 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can encrypt C2 requests and responses with RC4.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can send collected data in JSON format to C2.(Citation: Google EXOTIC LILY March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use backup C2 servers if the primary server fails.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can uninstall its loader through the use of a `Sdl` command.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1105", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can download and execute additional payloads including through the use of a `Dex` command.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has named component DLLs \"RapportGP.dll\" to match those used by the security company Trusteer.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use multiple Native APIs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has gained execution through luring users into opening malicious attachments.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has been spread through e-mail campaigns with malicious links.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can identify processes associated with analytical tools.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can inject code into multiple processes on infected endpoints.(Citation: Cybereason Bumblebee August 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "The [Bumblebee](https://attack.mitre.org/software/S1039) loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use asynchronous procedure call (APC) injection to execute commands received from C2.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can check the Registry for specific keys.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can identify specific analytical tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.008", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use `odbcconf.exe` to run DLLs on targeted hosts.(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has used `rundll32` for execution of the loader component.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can enumerate the OS version and domain on a targeted system.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to identify the user name.(Citation: Google EXOTIC LILY March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has relied upon a user downloading a file from a OneDrive link for execution.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to perform anti-virtualization checks.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.(Citation: Medium Ali Salem Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) has the ability to set a hardcoded and randomized sleep interval.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": 
"[Bumblebee](https://attack.mitre.org/software/S1039) has been downloaded to victims' machines from OneDrive.(Citation: Proofpoint Bumblebee April 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Bumblebee](https://attack.mitre.org/software/S1039) can use WMI to gather system information and to spawn processes for code injection.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Bumblebee", "color": "#66b1ff"}]}