{
  "description": "Enterprise techniques used by OilBooster, ATT&CK software S1172 (v1.0)",
  "name": "OilBooster (S1172)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can send HTTP `GET`, `POST`, `PUT`, and `DELETE` requests to the Microsoft Graph API over port 443 for C2 communication.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) has the ability to execute shell commands and exfiltrate the results.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can stage files in the `tempFiles` directory for exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can Base64-decode and XOR-decrypt C2 commands taken from JSON files.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can use the OpenSSL library to encrypt C2 communications.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can use an actor-controlled OneDrive account for C2 communication and exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1567", "showSubtechniques": true},
    {"techniqueID": "T1567.002", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can hide its console window upon execution through the `ShowWindow` API. (Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can download and execute files from an actor-controlled OneDrive account.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1559", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can read the results of command line execution via an unnamed pipe connected to the process.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) has used the `ShowWindow` and `CreateProcessW` APIs.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can identify the compromised system's hostname, which is used to create a unique identifier.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) can identify the compromised system's username, which is then used as part of a unique identifier.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.002", "comment": "[OilBooster](https://attack.mitre.org/software/S1172) uses the Microsoft Graph API to connect to an actor-controlled OneDrive account to download and execute files and shell commands, and to create directories to share exfiltrated data.(Citation: ESET OilRig Downloaders DEC 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by OilBooster", "color": "#66b1ff"}]
}