{"description": "Enterprise techniques used by Nightdoor, ATT&CK software S1147 (v1.0)", "name": "Nightdoor (S1147)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) uses TCP and UDP communication for command and control traffic.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) stores network configuration data in a file XOR encoded with the key value of `0x7A`.(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) uses a legitimate executable to load a malicious DLL file for installation.(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) can self-delete.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) can collect information on installed applications via Windows registry keys, as well as collecting information on running processes.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) uses scheduled tasks for persistence to load the final malware payload into memory.(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) gathers information on the victim system such as CPU and Computer name as well as device drivers. [Nightdoor](https://attack.mitre.org/software/S1147) can also collect information about disk drives, their total and free space, and file system type.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) gathers information on victim system network configuration such as MAC addresses.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) gathers information on victim system users and usernames.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) can identify the system local time information.(Citation: ESET EvasivePanda 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) embeds code from the public `al-khaser` project, a repository that works to detect virtual machines, sandboxes, and malware analysis environments.(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[Nightdoor](https://attack.mitre.org/software/S1147) can utilize Microsoft OneDrive or Google Drive for command and control purposes.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Nightdoor", "color": "#66b1ff"}]}