{"description": "Enterprise techniques used by DUSTTRAP, ATT&CK software S1159 (v1.0)", "name": "DUSTTRAP (S1159)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate local user accounts.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate domain accounts.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate running application windows.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can execute commands via `cmd.exe`.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can gather data from infected systems.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) deobfuscates embedded payloads.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1482", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can identify Active Directory information and related items.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can exfiltrate collected data over C2 channels.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate files and directories.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1615", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can identify victim environment Group Policy information.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) restores the `.text` section of compromised DLLs after malicious code is loaded into memory and before the file is closed.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can delete infected system log information.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.005", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can remove network shares from infected systems.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can retrieve and load additional payloads.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can perform keylogging operations.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1654", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can identify infected system log information.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can identify and enumerate victim system network shares.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) contains additional embedded DLLs and configuration files that are loaded into memory during execution.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate running processes.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate Registry items.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can use `ping` to identify remote hosts within the victim network.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can capture screenshots.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can identify security software.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) reads the value of the infected system's `HKLM\\SYSTEM\\Microsoft\\Cryptography\\MachineGUID` value.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate infected system network information.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) reads the infected system's current time and writes it to a log file during execution.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[DUSTTRAP](https://attack.mitre.org/software/S1159) decryption relies on the infected machine's `HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGUID` value.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DUSTTRAP", "color": "#66b1ff"}]}