{"description": "Enterprise techniques used by Latrodectus, ATT&CK software S1160 (v1.0)", "name": "Latrodectus (S1160)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can run `C:\\Windows\\System32\\cmd.exe /c net group \"Domain Admins\" /domain` to identify domain administrator accounts.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can send registration information to C2 via HTTP `POST`.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can set an AutoRun key to establish persistence.(Citation: Latrodectus APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "The [Latrodectus](https://attack.mitre.org/software/S1160) command handler can use `cmdexe` to run multiple discovery commands.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has used JavaScript files as part of its infection chain during malicious spam email campaigns.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)(Citation: Palo Alto Latrodectus Activity June 2024)\n", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has Base64-encoded the message body of an HTTP request sent to C2.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can collect data from a compromised host using a stealer module.(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) has the ability to check for the presence of debuggers.(Citation: Latrodectus APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has the ability to deobfuscate encrypted strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1482", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can run `C:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts` to discover domain trusts.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can send RC4 encrypted data over C2 channels.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": 
"\n[Latrodectus](https://attack.mitre.org/software/S1160) can exfiltrate encrypted system information to the C2 server.(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can collect desktop filenames.(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.004", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can delete itself while its process is still running through the use of an alternate data stream.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has the ability to delete itself.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can download and execute PEs, DLLs, and shellcode from C2.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can use the Windows Component Object Model (COM) to set scheduled tasks.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": 
"T1036.005", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has been packed to appear as a component of Bitdefender\u2019s kernel-mode driver, TRUFOS.SYS.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1104", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.(Citation: Latrodectus APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has used multiple Windows APIs post-exploitation, including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can run `C:\\Windows\\System32\\cmd.exe /c net view /all` to discover network shares.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has been obfuscated with a 129 byte sequence of junk data prepended to the file.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "The [Latrodectus](https://attack.mitre.org/software/S1160) payload has been packed for obfuscation.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can resolve Windows APIs 
dynamically by hash.(Citation: Latrodectus APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has used a pseudo-random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can identify domain groups through `cmd.exe /c net group \"Domain Admins\" /domain`.(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has been distributed through reply-chain phishing emails with malicious attachments.(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has been distributed to victims through emails containing malicious links.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can enumerate running processes including process grandchildren on targeted hosts.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.005", "comment": 
"\n[Latrodectus](https://attack.mitre.org/software/S1160) has routed C2 traffic using Keyhole VNC.(Citation: Palo Alto Latrodectus Activity June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can create scheduled tasks for persistence.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has the ability to identify installed antivirus products.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has called `msiexec` to install remotely-hosted MSI files.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can use rundll32.exe to execute downloaded DLLs.(Citation: Elastic Latrodectus May 2024)(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) can gather operating system information.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": 
"[Latrodectus](https://attack.mitre.org/software/S1160) can discover the IP and MAC address of a targeted host.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can discover the username of an infected host.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "\n[Latrodectus](https://attack.mitre.org/software/S1160) has the ability to restart compromised hosts.(Citation: Elastic Latrodectus May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has been executed through malicious links distributed in email campaigns.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has lured users into opening malicious email attachments for execution.(Citation: Bleeping Computer Latrodectus April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": 
"[Latrodectus](https://attack.mitre.org/software/S1160) has used Google Firebase to download malicious installation scripts.(Citation: Palo Alto Latrodectus Activity June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Latrodectus](https://attack.mitre.org/software/S1160) has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Latrodectus", "color": "#66b1ff"}]}