{"description": "Enterprise techniques used by SLOWPULSE, ATT&CK software S1104 (v1.1)", "name": "SLOWPULSE (S1104)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1554", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) is applied in compromised environments through modifications to legitimate Pulse Secure files.(Citation: Mandiant Pulse Secure Update May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) can write logged ACE credentials to `/home/perl/PAUS.pm` in append mode, using the format string `%s:%s\\n`.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.004", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) can modify LDAP and two factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.006", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) can insert malicious logic to bypass RADIUS and ACE two factor authentication (2FA) flows if a designated attacker-supplied password is provided.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1111", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) can log credentials on compromised Pulse Secure VPNs during the `DSAuth::AceAuthServer::checkUsernamePassword` ACE-2FA authentication procedure.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "score": 
1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[SLOWPULSE](https://attack.mitre.org/software/S1104) can hide malicious code in the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SLOWPULSE", "color": "#66b1ff"}]}