{
  "description": "Enterprise techniques used by SocGholish, ATT&CK software S1124 (v1.0)",
  "name": "SocGholish (S1124)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "The [SocGholish](https://attack.mitre.org/software/S1124) payload is executed as JavaScript.(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can send output from `whoami` to a local temp file using the naming convention `rad<5-hex-chars>.tmp`.(Citation: Red Canary SocGholish March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1482", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can profile compromised systems to identify domain trust relationships.(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1189", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has been distributed through compromised websites with malicious content often masquerading as browser updates.(Citation: SocGholish-update)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can exfiltrate data directly to its C2 domain via HTTP.(Citation: Red Canary SocGholish March 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can download additional malware to infected hosts.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has been named `AutoUpdater.js` to mimic legitimate update files.(Citation: SocGholish-update)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has single or double Base-64 encoded references to its second-stage server URLs.(Citation: SentinelOne SocGholish Infrastructure November 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "The [SocGholish](https://attack.mitre.org/software/S1124) JavaScript payload has been delivered within a compressed ZIP archive.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has been spread via emails containing malicious links.(Citation: SocGholish-update)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can list processes on targeted hosts.(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can identify the victim's browser in order to serve the correct fake update page.(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has the ability to enumerate system information including the victim computer name.(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) can use `whoami` to obtain the username from a compromised host.(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has lured victims into interacting with malicious links on compromised websites for execution.(Citation: SocGholish-update)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has used Amazon Web Services to host second-stage servers.(Citation: SentinelOne SocGholish Infrastructure November 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[SocGholish](https://attack.mitre.org/software/S1124) has used WMI calls for script execution and system profiling.(Citation: SocGholish-update)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by SocGholish", "color": "#66b1ff"}]
}