{
  "description": "Enterprise techniques used by Gootloader, ATT&CK software S1138 (v1.0)",
  "name": "Gootloader (S1138)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can create an autorun entry for a PowerShell script to run at reboot.(Citation: Sophos Gootloader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can use an encoded PowerShell stager to write to the Registry for persistence.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can execute a JavaScript file for initial infection.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) has used compromised legitimate domains as a delivery network for malicious payloads.(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.006", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can insert malicious scripts to compromise vulnerable content management systems (CMS).(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can retrieve a Base64-encoded stager from C2.(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) has the ability to decode and decrypt malicious payloads prior to execution.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can fetch second-stage code from hardcoded web domains.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "The [Gootloader](https://attack.mitre.org/software/S1138) first-stage script is obfuscated using random alphanumeric strings.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.002", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.002", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can use its own PE loader to execute payloads in memory.(Citation: Sophos Gootloader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.(Citation: Sophos Gootloader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can determine if a victim's computer is running an operating system with specific language preferences.(Citation: Sophos Gootloader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can use an embedded script to check the IP address of potential victims visiting compromised websites.(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) has been executed through malicious links presented to users as internet search results.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[Gootloader](https://attack.mitre.org/software/S1138) can designate a sleep period of more than 22 seconds between stages of infection.(Citation: Sophos Gootloader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Gootloader", "color": "#66b1ff"}]
}