{"description": "Enterprise techniques used by Snip3, ATT&CK software S1086 (v1.0)", "name": "Snip3 (S1086)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can create a VBS file in startup to persist after system restarts.(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can use a PowerShell script for second-stage execution.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can use visual basic scripts for first-stage execution.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can decode its second-stage PowerShell script prior to execution.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1189", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has been delivered to targets via downloads from malicious domains.(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can execute PowerShell scripts in a hidden window.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can download additional payloads to compromised systems.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1104", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can download and execute additional payloads and modules over separate communication channels.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has the ability to obfuscate strings using XOR encryption.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can obfuscate strings using junk Chinese characters.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has been delivered to victims through malicious e-mail attachments.(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has been delivered to victims through e-mail links to malicious files.(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "\n[Snip3](https://attack.mitre.org/software/S1086) can use RunPE to execute malicious payloads within a hollowed Windows process.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has the ability to query `Win32_ComputerSystem` for system information. (Citation: Morphisec Snip3 May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has been executed through luring victims into clicking malicious links.(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can gain execution through the download of visual basic files.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Snip3](https://attack.mitre.org/software/S1086) has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying `Win32_ComputerSystem` to extract the `Manufacturer` string.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can execute `WScript.Sleep` to delay execution of its second stage.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can download additional payloads from web services including Pastebin and top4top.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Snip3](https://attack.mitre.org/software/S1086) can query the WMI class `Win32_ComputerSystem` to gather information.(Citation: Morphisec Snip3 May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Snip3", "color": "#66b1ff"}]}