{"description": "Enterprise techniques used by FRAMESTING, ATT&CK software S1120 (v1.1)", "name": "FRAMESTING (S1120)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) can retrieve C2 commands from values stored in the `DSID` cookie from the current HTTP request or from decompressed zlib data within the request's `POST` data.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py`.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) can send and receive zlib compressed data within `POST` requests.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) uses a cookie named `DSID` to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1140", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) can decompress data received within `POST` requests.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[FRAMESTING](https://attack.mitre.org/software/S1120) is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by FRAMESTING", "color": "#66b1ff"}]}