{"description": "Enterprise techniques used by Sardonic, ATT&CK software S1085 (v1.0)", "name": "Sardonic (S1085)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute PowerShell commands on a compromised machine.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to run `cmd.exe` or other interactive processes on a compromised computer.(Citation: Symantec FIN8 Jul 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can encode client ID data in 32 uppercase hex characters and transfer to the actor-controlled C2 server.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to collect data from a compromised machine to deliver to the attacker.(Citation: Symantec FIN8 Jul 2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.(Citation: Symantec FIN8 Jul 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to send a random 64-byte RC4 key to communicate with actor-controlled C2 servers by using an RSA public key.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can use a WMI event filter to invoke a command-line event consumer to gain persistence.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to delete created WMI objects to evade detections.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to upload additional malicious files to a compromised machine.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to call Win32 API functions to determine if `powershell.exe` is running.(Citation: Bitdefender Sardonic Aug 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `net view` command.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.(Citation: Symantec FIN8 Jul 2023)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) PowerShell scripts can be encrypted with RC4 and compressed using Gzip.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `tasklist` command.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can use the `QueueUserAPC` API to execute shellcode on a compromised machine.(Citation: Symantec FIN8 Jul 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1620", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs into memory and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to collect the computer name, CPU manufacturer name, and C:\\ drive serial number from a compromised machine. [Sardonic](https://attack.mitre.org/software/S1085) also has the ability to execute the `ver` and `systeminfo` commands.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `ipconfig` command.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `netstat` command.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `net start` command.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Sardonic](https://attack.mitre.org/software/S1085) can use WMI to execute PowerShell commands on a compromised machine.(Citation: Bitdefender Sardonic Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Sardonic", "color": "#66b1ff"}]}