{"description": "Enterprise techniques used by PcShare, ATT&CK software S1050 (v1.1)", "name": "PcShare (S1050)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has used HTTP for C2 communication.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can execute `cmd` commands on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can collect files and information from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has created the `HKCU\\\\Software\\\\Classes\\\\CLSID\\\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\\\InprocServer32` Registry key for persistence.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can upload files and information from a compromised host to its C2 servers.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has deleted its files and components from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has the ability to capture keystrokes.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has used an invalid certificate in attempt to appear legitimate.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can delete its persistence mechanisms from the registry.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has used a variety of Windows API functions.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has been encrypted with XOR using different 32-long Base16 strings.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has been compressed with LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can obtain a list of running processes on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "The [PcShare](https://attack.mitre.org/software/S1050) payload has been injected into the `logagent.exe` and `rdpclip.exe` processes.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can search the registry files of a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can take screen shots of a compromised machine.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[PcShare](https://attack.mitre.org/software/S1050) has used `rundll32.exe` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.comresolver1.opendns.com\\r\\n`.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1125", "comment": "[PcShare](https://attack.mitre.org/software/S1050) can capture camera video as part of its collection process.(Citation: Bitdefender FunnyDream Campaign November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PcShare", "color": "#66b1ff"}]}