{"description": "Enterprise techniques used by Spica, ATT&CK software S1140 (v1.0)", "name": "Spica (S1140)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1560", "comment": "[Spica](https://attack.mitre.org/software/S1140) can archive collected documents for exfiltration.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Spica](https://attack.mitre.org/software/S1140) can use an obfuscated PowerShell command to create a scheduled task for persistence.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "Upon execution [Spica](https://attack.mitre.org/software/S1140) can decode an embedded .pdf and write it to the desktop as a decoy document.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Spica](https://attack.mitre.org/software/S1140) can list filesystem contents on targeted systems.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Spica](https://attack.mitre.org/software/S1140) can upload and download files to and from compromised hosts.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Spica](https://attack.mitre.org/software/S1140) has created a scheduled task named `CalendarChecker` for persistence on compromised hosts.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1095", "comment": "[Spica](https://attack.mitre.org/software/S1140) can use JSON over WebSockets for C2 communications.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Spica](https://attack.mitre.org/software/S1140) has created a scheduled task named `CalendarChecker` to establish persistence.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[Spica](https://attack.mitre.org/software/S1140) has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.(Citation: Google TAG COLDRIVER January 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Spica", "color": "#66b1ff"}]}