{"description": "Enterprise techniques used by Samurai, ATT&CK software S1099 (v1.0)", "name": "Samurai (S1099)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can use a .NET HTTPListener class to receive and handle HTTP POST requests.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can use a remote command module for execution via the Windows command line.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can create a service at `HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost` to trigger execution and maintain persistence.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can base64 encode data sent in C2 communications prior to its encryption.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can leverage an exfiltration module to download arbitrary files from compromised machines.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": 
"[Samurai](https://attack.mitre.org/software/S1099) can encrypt C2 communications with AES.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can use a specific module for file enumeration.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Samurai](https://attack.mitre.org/software/S1099) has been used to deploy other malware including [Ninja](https://attack.mitre.org/software/S1100).(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Samurai](https://attack.mitre.org/software/S1099) has created the directory `%COMMONPROGRAMFILES%\\Microsoft Shared\\wmi\\` to contain DLLs for loading successive stages.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "The [Samurai](https://attack.mitre.org/software/S1099) loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Samurai](https://attack.mitre.org/software/S1099) has the ability to call Windows APIs.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can use a proxy module to forward TCP packets to external hosts.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can encrypt the names of 
requested APIs.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.004", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can compile and execute downloaded modules at runtime.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can encrypt API name strings with an XOR-based algorithm.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can deliver its final payload as a compressed, encrypted and base64-encoded blob.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[Samurai](https://attack.mitre.org/software/S1099) has the ability to proxy connections to specified remote IPs and ports through a proxy module.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can query `SOFTWARE\\Microsoft\\.NETFramework\\policy\\v2.0` for discovery.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[Samurai](https://attack.mitre.org/software/S1099) can check for the presence and version of the .NET framework.(Citation: Kaspersky ToddyCat June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Samurai", "color": "#66b1ff"}]}