{"description": "Enterprise techniques used by MgBot, ATT&CK software S1146 (v1.0)", "name": "MgBot (S1146)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for identifying local administrator accounts on victim systems.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for collecting information on Active Directory domain accounts.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1123", "comment": "[MgBot](https://attack.mitre.org/software/S1146) can capture input and output audio streams from infected devices.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[MgBot](https://attack.mitre.org/software/S1146) can capture clipboard data.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for stealing stored credentials from Outlook and Foxmail email client software.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.(Citation: ESET EvasivePanda 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for collecting files from local systems based on a given set of properties and filenames.(Citation: ESET EvasivePanda 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria.(Citation: ESET EvasivePanda 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1482", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for collecting information on local domain users and permissions.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes keylogger payloads focused on the QQ chat application.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for performing HTTP and server service scans.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for dumping and capturing credentials from process memory.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes a module for establishing a process watchdog for itself, identifying if the [MgBot](https://attack.mitre.org/software/S1146) process is still running.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for performing ARP scans of local connected systems.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.(Citation: ESET EvasivePanda 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[MgBot](https://attack.mitre.org/software/S1146) includes modules for identifying local users and administrators on victim machines.(Citation: Symantec Daggerfly 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MgBot", "color": "#66b1ff"}]}