{
  "description": "Enterprise techniques used by DarkTortilla, ATT&CK software S1066 (v1.0)",
  "name": "DarkTortilla (S1066)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has used HTTP and HTTPS for C2.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has established persistence via the `Software\\Microsoft\\Windows NT\\CurrentVersion\\Run` registry key and by creating a .lnk shortcut file in the Windows startup folder.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.004", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has established persistence via the `Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon` registry key.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1115", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can download a clipboard information stealer module.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can use `cmd.exe` to add registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1622", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can detect debuggers by using functions such as `DebuggerIsAttached` and `DebuggerIsLogging`. [DarkTortilla](https://attack.mitre.org/software/S1066) can also detect profilers by verifying the `COR_ENABLE_PROFILING` environment variable is present and active.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can decrypt its payload and associated configuration elements using the Rijndael cipher.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has used `%HiddenReg%` and `%HiddenKey%` as part of its persistence via the Windows registry.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.012", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can detect profilers by verifying the `COR_ENABLE_PROFILING` environment variable is present and active.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can download a keylogging module.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has used the `WshShortcut` COM object to create a .lnk shortcut file in the Windows startup folder.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066)'s payload has been renamed `PowerShellInfo.exe`.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has modified registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can use a variety of API calls for persistence and defense evasion.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can enumerate a list of running processes on a compromised system.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can use a .NET-based DLL named `RunPe6` for process injection.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can check for the Kaspersky Anti-Virus suite.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can obtain system information by querying the `Win32_ComputerSystem`, `Win32_BIOS`, `Win32_MotherboardDevice`, `Win32_PnPEntity`, and `Win32_DiskDrive` WMI objects.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "showSubtechniques": true},
    {"techniqueID": "T1016.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can check for internet connectivity by issuing HTTP GET requests.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1007", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can retrieve information about a compromised system's running services.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) has relied on a user to open a malicious document or archived file delivered via email for initial execution.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, Virtual Box, and VMware, as well as Sandboxie.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can implement the `kernel32.dll` Sleep function to delay execution for up to 300 seconds before implementing persistence or processing an addon package.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can retrieve its primary payload from public sites such as Pastebin and Textbin.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[DarkTortilla](https://attack.mitre.org/software/S1066) can use WMI queries to obtain system information.(Citation: Secureworks DarkTortilla Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by DarkTortilla", "color": "#66b1ff"}]
}