{"description": "Enterprise techniques used by SVCReady, ATT&CK software S1064 (v1.0)", "name": "SVCReady (S1064)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can communicate with its C2 servers via HTTP.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has used VBA macros to execute shellcode.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can collect data from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has created the `HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}` Registry key for persistence.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can send collected data in JSON format to its C2 server.(Citation: HP SVCReady Jun 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has the ability to download additional tools such as the RedLine Stealer to an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", 
"comment": "[SVCReady](https://attack.mitre.org/software/S1064) has named a task `RecoveryExTask` as part of its persistence activity.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can use Windows API calls to gather information from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can encrypt victim data with an RC4 cipher.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can check for the number of devices plugged into an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can collect a list of running processes from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can search for the `HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System` Registry key to gather system information.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can 
create a scheduled task named `RecoveryExTask` to gain persistence.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can take a screenshot from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can collect a list of installed software from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has used `rundll32.exe` for execution.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of `systeminfo.exe`.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can collect the username from an infected host.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can collect time zone information.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has relied on users clicking a malicious attachment delivered through spearphishing.(Citation: HP SVCReady Jun 2022)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) has the ability to determine if its runtime environment is virtualized.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can enter a sleep stage for 30 minutes to evade detection.(Citation: HP SVCReady Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[SVCReady](https://attack.mitre.org/software/S1064) can use `WMI` queries to detect the presence of a virtual machine environment.(Citation: HP SVCReady Jun 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SVCReady", "color": "#66b1ff"}]}