{
  "description": "Enterprise techniques used by SUGARDUMP, ATT&CK software S1042 (v1.0)",
  "name": "SUGARDUMP (S1042)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "A [SUGARDUMP](https://attack.mitre.org/software/S1042) variant has used HTTP for C2.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.003", "comment": "A [SUGARDUMP](https://attack.mitre.org/software/S1042) variant used SMTP for C2.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has encrypted collected data using AES CBC mode and encoded it using Base64.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1217", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has collected browser bookmark and history information.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has stored collected data under `%%\\\\CrashLog.txt`.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has sent stolen credentials and other data to its C2 server.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in their name.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042)'s scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) has created scheduled tasks called `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` and `MicrosoftEdgeCrashRepoeterTaskMachineUA`, which were configured to execute `CrashReporter.exe` during user logon.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "comment": "[SUGARDUMP](https://attack.mitre.org/software/S1042) can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "Some [SUGARDUMP](https://attack.mitre.org/software/S1042) variants required a user to enable a macro within a malicious .xls file for execution.(Citation: Mandiant UNC3890 Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by SUGARDUMP", "color": "#66b1ff"}]
}