{"description": "Enterprise techniques used by NightClub, ATT&CK software S1090 (v1.0)", "name": "NightClub (S1090)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use email for C2 communications.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use `GetForegroundWindow` to enumerate the active window.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1123", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can load a module to leverage the LAME encoder and `mciSendStringW` to control and capture audio.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has created a Windows service named `WmdmPmSp` to establish persistence.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has used a non-standard encoding in its DNS tunneling: it removes any `=` padding from the base64 output and replaces `/` characters with `-s` and `+` characters with `-p`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use a file monitor to steal specific files from targeted systems.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has copied captured files and keystrokes to the `%TEMP%` directory of compromised hosts.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use SMTP and DNS for file exfiltration and C2.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use a file monitor to identify .lnk, .doc, .docx, .xls, .xlsx, and .pdf files.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can modify the Creation, Access, and Write timestamps of its malicious DLLs to match those of the genuine Windows DLL `user32.dll`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can load multiple additional plugins on an infected host.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, 
{"techniqueID": "T1056.001", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use a plugin for keylogging.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has created a service named `WmdmPmSp` to spoof a Windows Media service.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has chosen file names to appear legitimate, including `EsetUpdate-0117583943.exe` for its dropper.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can modify the Registry to set the `ServiceDLL` value of the service it creates for persistence.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can obfuscate strings using a linear congruential generator (LCG): `state_{n+1} = (690069 \u00d7 state_n + 1) mod 2^32`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has the ability to monitor removable drives.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[NightClub](https://attack.mitre.org/software/S1090) has the ability to use `GetWindowThreadProcessId` to identify the process behind a specified window.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[NightClub](https://attack.mitre.org/software/S1090) can load a module to call `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by NightClub", "color": "#66b1ff"}]}
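The DNS-tunnel encoding from the T1132.002 and T1071.004 entries in this layer, as an added worked example (not code from the ESET report, from MITRE, or from the malware itself): a codec for NightClub's base64 variant (padding stripped, `/` as `-s`, `+` as `-p`), the split of a payload into DNS labels carried in the subdomain, and a detector run over constructed resolver log lines. The zone `cdn-updates.example`, the log line format, the chunk sizes and the detection thresholds are assumptions made for this illustration; the report names none of them.

```python
import base64
import math
import re
from collections import Counter
from typing import Optional

# Assumptions for the example: the report does not name NightClub's C2 zone,
# its chunking, or any log format.
ZONE = "cdn-updates.example"
MAX_LABEL = 63            # RFC 1035 limit on a single DNS label
CHARS_PER_LABEL = 60      # assumed chunking, kept under MAX_LABEL
LABELS_PER_QUERY = 3      # assumed: 3 labels + zone stays under 253 octets


def nightclub_encode(data: bytes) -> str:
    """Base64 with '=' padding removed, then '/' -> '-s' and '+' -> '-p'."""
    b64 = base64.b64encode(data).decode("ascii").rstrip("=")
    return b64.replace("/", "-s").replace("+", "-p")


def nightclub_decode(text: str) -> bytes:
    """Inverse of nightclub_encode. '-' never occurs in base64 output, so the
    two-character tokens are unambiguous; padding is restored before decoding."""
    b64 = text.replace("-s", "/").replace("-p", "+")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def to_queries(data: bytes, zone: str = ZONE) -> list:
    """Sender side: chunk the encoded payload into '<l1>.<l2>.<l3>.<zone>'.
    A '-s'/'-p' token may straddle a label or query boundary; that is fine
    because the receiver joins every label before decoding."""
    text = nightclub_encode(data)
    per_query = CHARS_PER_LABEL * LABELS_PER_QUERY
    names = []
    for i in range(0, len(text), per_query):
        chunk = text[i:i + per_query]
        labels = [chunk[j:j + CHARS_PER_LABEL]
                  for j in range(0, len(chunk), CHARS_PER_LABEL)]
        assert all(len(label) <= MAX_LABEL for label in labels)
        names.append(".".join(labels) + "." + zone)
    return names


def subdomain_data(qname: str, zone: str = ZONE) -> Optional[str]:
    """Label text under `zone` with the dots removed, or None if not under it."""
    qname = qname.rstrip(".")
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    return qname[:-len(suffix)].replace(".", "")


def from_queries(names: list, zone: str = ZONE) -> bytes:
    """Receiver side: join the label data of every query in order, then decode."""
    parts = [subdomain_data(n, zone) for n in names]
    return nightclub_decode("".join(p for p in parts if p))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# NightClub's alphabet: base64 characters plus the '-s' / '-p' tokens. A lone
# trailing '-' is tolerated because chunking can split a token across queries.
TUNNEL_ALPHABET = re.compile(r"^(?:[A-Za-z0-9]|-[sp])*-?$")

# Constructed resolver log format: '<timestamp> <client> query[A] <qname>'.
LOG_RE = re.compile(r"^(\S+) (\S+) query\[A\] (\S+)$")


def find_tunnel_queries(lines, zone: str = ZONE, min_len: int = 40,
                        min_entropy: float = 3.5) -> list:
    """Flag queries under `zone` whose subdomain is long, high-entropy and
    drawn only from NightClub's alphabet. Thresholds are starting points."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        sub = subdomain_data(qname, zone)
        if sub is None or len(sub) < min_len:
            continue
        if shannon_entropy(sub) < min_entropy or not TUNNEL_ALPHABET.match(sub):
            continue
        hits.append((client, qname.rstrip(".")))
    return hits


def reconstruct(hits: list, client: str, zone: str = ZONE) -> bytes:
    """Rebuild the exfiltrated bytes for one client from its flagged queries."""
    return from_queries([q for c, q in hits if c == client], zone)


# Constructed sample: a fake stolen document and a short resolver log.
SAMPLE_DOC = (b"Draft memo 2023-08-10: travel budget Q4, ref 4471-B, approval pending; "
              b"do not forward outside the mission.\n") * 2
VICTIM = "10.0.0.23"


def sample_log() -> list:
    tunnel = [f"2023-08-10T09:14:{i:02d}Z {VICTIM} query[A] {q}"
              for i, q in enumerate(to_queries(SAMPLE_DOC))]
    benign = [
        "2023-08-10T09:13:58Z 10.0.0.23 query[A] www.microsoft.com",
        f"2023-08-10T09:13:59Z 10.0.0.41 query[A] update.{ZONE}",
        f"2023-08-10T09:14:05Z 10.0.0.41 query[A] static-assets-eu-west-1-prod-cluster-node07.{ZONE}",
    ]
    return benign[:2] + tunnel + benign[2:]


if __name__ == "__main__":
    found = find_tunnel_queries(sample_log())
    for who, name in found:
        print(f"tunnel query from {who}: {name[:48]}...")
    print(reconstruct(found, VICTIM).decode())
```

The alphabet check is what separates this from a generic long-subdomain rule: ordinary base64 exfiltration never contains `-`, and ordinary hostnames contain `-` followed by letters other than `s` or `p`. The tolerance for a lone trailing `-` matters in practice, since a substitution token can be cut in two by the label or query chunking, and a per-query decode attempt would reject the half-token and miss the query.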