{"description": "Enterprise techniques used by BADHATCH, ATT&CK software S1081 (v1.1)", "name": "BADHATCH (S1081)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can impersonate a `lsass.exe` or `vmtoolsd.exe` token.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can emulate an FTP server to connect to actor-controlled C2 servers.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can utilize `powershell.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use `cmd.exe` to execute commands on a 
compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use `nltest.exe /domain_trusts` to discover domain trust relationships on a compromised machine.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use WMI event subscriptions for persistence.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can exfiltrate data over the C2 channel.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) has the ability to delete PowerShell scripts from a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) has the ability to load a second stage malicious DLL file onto a compromised machine.(Citation: Gigamon BADHATCH Jul 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": 
"[BADHATCH](https://attack.mitre.org/software/S1081) can utilize Native API functions such as `ToolHelp32` and `RtlAdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can check for open ports on a computer by attempting a TCP connection.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can check a user's access to the C$ share on a compromised machine.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) has an embedded second-stage DLL payload within the first stage of the malware.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081)'s malicious PowerShell commands can be base64-encoded.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can be compressed with the aPLib algorithm.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use `net.exe group \"domain admins\" /domain` to identify Domain Administrators.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", 
"comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can retrieve a list of running processes from a compromised machine.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can inject itself into an existing `explorer.exe` process by using `RtlCreateUserThread`.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can inject itself into a new `svchost.exe -k netsvcs` process using the asynchronous procedure call (APC) queue.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. 
[BADHATCH](https://attack.mitre.org/software/S1081) can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to `CreateThread`.(Citation: Gigamon BADHATCH Jul 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use a PowerShell object such as `System.Net.NetworkInformation.Ping` to ping a computer.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can use `schtasks.exe` to establish persistence.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can take screenshots and send them to an actor-controlled C2 server.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can obtain current system information from a compromised machine such as the `SHELL PID`, `PSVERSION`, `HOSTNAME`, `LOGONSERVER`, `LASTBOOTUP`, drive information, OS type/version, and bitness.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can execute `netstat.exe -f` on a compromised machine.(Citation: 
BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can obtain logged-on user information from a compromised machine and can execute the command `whoami.exe`.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can obtain the `DATETIME` and `UPTIME` from a compromised machine.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "The x64 build of [BADHATCH](https://attack.mitre.org/software/S1081) can perform pass the hash on compromised machines.(Citation: BitDefender BADHATCH Mar 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can abuse `sslip.io`, a free IP-to-hostname mapping service, as part of actor-controlled C2 channels.(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[BADHATCH](https://attack.mitre.org/software/S1081) can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BADHATCH", "color": "#66b1ff"}]}
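Added example, not part of the ATT&CK layer above nor code from the BitDefender or Gigamon reports it cites: a Python detection pass that matches Sysmon-style process-creation (event 1) and DNS-query (event 22) records against the discovery commands, encoded PowerShell, SilentCleanup UAC bypass, WMI subscription persistence and sslip.io C2 naming that the layer attributes to BADHATCH. The event field names, the sample events, and the `upd` filter name are assumptions constructed for illustration; the technique IDs are the ones in the layer.

```python
"""Map constructed Sysmon-style telemetry to the BADHATCH techniques listed
in the ATT&CK layer. Added example; field names and events are assumptions."""
import base64
import re

# (technique ID from the layer, regex) evaluated against a lower-cased command line.
COMMAND_RULES = [
    ("T1482",     r"nltest(\.exe)?\s+/domain_trusts"),
    ("T1069.002", r'net1?(\.exe)?\s+group\s+"domain admins"\s+/domain'),
    ("T1033",     r"(^|\\|\s)whoami(\.exe)?(\s|$)"),
    ("T1049",     r"netstat(\.exe)?\s+-f"),
    ("T1053.005", r"schtasks(\.exe)?\s+/create"),
    # A manual run of the auto-elevating SilentCleanup task is the UAC-bypass
    # trigger; the legitimate task is started by the scheduler, not by schtasks.
    ("T1548.002", r"schtasks(\.exe)?\s+/run\s+/tn\s+\\microsoft\\windows"
                  r"\\diskcleanup\\silentcleanup"),
    ("T1047",     r"wmic(\.exe)?\s+.*process\s+call\s+create"),
    # Permanent WMI event subscription: filter, consumer and binding classes.
    ("T1546.003", r"__eventfilter|commandlineeventconsumer|__filtertoconsumerbinding"),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SSLIP_RE = re.compile(r"(^|\.)sslip\.io$", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument
    (base64 over UTF-16LE), or None if the command line carries none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad padding or bytes that are not UTF-16LE
        return None


def analyze_process_event(event):
    """Return the set of technique IDs a process-creation event matches.
    Encoded PowerShell is decoded and scanned again, so a discovery command
    hidden inside -EncodedCommand still hits its own rule."""
    hits = set()
    cmd = event.get("CommandLine", "")
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.add("T1027.010")
        texts.append(decoded)
    for text in texts:
        low = text.lower()
        hits.update(tid for tid, pat in COMMAND_RULES if re.search(pat, low))
    return hits


def analyze_dns_event(event):
    """Flag lookups of sslip.io, the IP-to-hostname service the layer cites."""
    return {"T1102"} if SSLIP_RE.search(event.get("QueryName", "")) else set()


def scan(events):
    """Map each event's 'id' to the sorted technique IDs it matched."""
    out = {}
    for ev in events:
        hits = analyze_dns_event(ev) if "QueryName" in ev else analyze_process_event(ev)
        out[ev["id"]] = sorted(hits)
    return out


# Constructed sample telemetry. The encoded command is built here rather than
# pasted, so the example does not depend on a hand-typed base64 string.
ENCODED = base64.b64encode('net group "domain admins" /domain'.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": 3, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"id": 4, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="upd"'},
    # A fresh 'svchost.exe -k netsvcs' is exactly what the APC-injection target
    # looks like, yet its command line is benign: catching the injection needs
    # thread/APC telemetry (e.g. Sysmon event 8), not command-line matching.
    {"id": 5, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"id": 6, "QueryName": "10-0-0-5.sslip.io"},
]

if __name__ == "__main__":
    for ev_id, tids in scan(SAMPLE_EVENTS).items():
        print(ev_id, tids or "-")
```

The command-line rules are deliberately narrow (they key on the exact switches the reports attribute to BADHATCH), so treat them as a starting point for hunting rather than a complete signature set; the injection and token-impersonation entries in the layer leave no command-line trace at all and need API or thread-creation telemetry.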