{"description": "Enterprise techniques used by BUSHWALK, ATT&CK software S1118 (v1.1)", "name": "BUSHWALK (S1118)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1554", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) can Base64 decode and RC4 decrypt malicious payloads sent through a web request\u2019s command parameter.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) can write malicious payloads sent through a web request\u2019s command parameter.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) can encrypt the resulting data generated from C2 commands with RC4.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell that has the ability to execute arbitrary commands or write files.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1205", "comment": "[BUSHWALK](https://attack.mitre.org/software/S1118) can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BUSHWALK", "color": "#66b1ff"}]}