{"description": "Enterprise techniques used by MagicRAT, ATT&CK software S1182 (v1.0)", "name": "MagicRAT (S1182)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) uses HTTP POST communication for command and control.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) can persist using malicious LNK objects in the victim machine Startup folder.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) allows for the execution of arbitrary commands on the victim system.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) stores command and control URLs using base64 encoding in the malware's configuration file.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) exfiltrates data via HTTP over existing command and control channels.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) can delete files on victim systems, including itself.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", 
"comment": "[MagicRAT](https://attack.mitre.org/software/S1182) can import and execute additional payloads.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) stores configuration data in files and file paths mimicking legitimate operating system resources.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) can download additional executable payloads that masquerade as GIF files.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) stores base64 encoded command and control URLs in a configuration file, with each URL prefixed with the value `LR02DPt22R`.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) can persist via scheduled tasks.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) collects basic system information from victim machines.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[MagicRAT](https://attack.mitre.org/software/S1182) collects system network information using commands such as `ipconfig /all`.(Citation: Cisco MagicRAT 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, 
"maxValue": 1}, "legendItems": [{"label": "used by MagicRAT", "color": "#66b1ff"}]}
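The T1027.013 and T1140 entries in the layer above describe the one concrete artifact a triager can act on: C2 URLs kept in a configuration file, base64 encoded and each prefixed with `LR02DPt22R`. The following decoder is an added example appended after the Navigator layer; it is not part of the layer, of ATT&CK, or of the cited Cisco Talos analysis. The layer does not say whether the prefix sits outside the base64 blob or inside it, so the decoder tries both layouts and keeps only results that parse as an HTTP(S) URL; the sample configuration, the function names and the `.invalid` hostnames are constructed for the example.

```python
import base64
import binascii
import re

# Prefix reported for MagicRAT's base64-encoded C2 URLs (ATT&CK T1027.013 entry above).
C2_PREFIX = b"LR02DPt22R"

# A decoded entry should look like an HTTP(S) URL; anything else is treated as noise.
_URL_RE = re.compile(rb"^https?://[^\s]+$")


def _b64decode(blob: bytes):
    """Strict base64 decode that returns None instead of raising on junk."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_c2_entry(entry: bytes):
    """Recover a C2 URL from one configuration entry.

    Assumption: the prefix is either in cleartext before base64(url) (layout A)
    or inside the encoded data as base64(prefix + url) (layout B). Both are
    tried; the first candidate that looks like a URL wins. Returns str or None.
    """
    entry = entry.strip()
    candidates = []
    # Layout A: cleartext prefix followed by base64(url).
    if entry.startswith(C2_PREFIX):
        candidates.append(_b64decode(entry[len(C2_PREFIX):]))
    # Layout B: base64(prefix + url); strip the prefix after decoding.
    decoded = _b64decode(entry)
    if decoded is not None and decoded.startswith(C2_PREFIX):
        candidates.append(decoded[len(C2_PREFIX):])
    for cand in candidates:
        if cand is not None and _URL_RE.match(cand):
            return cand.decode("ascii")
    return None


def extract_c2_urls(config: bytes):
    """Decode every line of a configuration blob; keep unique entries that yield URLs."""
    urls = []
    for line in config.splitlines():
        url = decode_c2_entry(line)
        if url is not None and url not in urls:
            urls.append(url)
    return urls


# Constructed sample, not a real MagicRAT configuration: two layout-A entries,
# one layout-B entry, and one unrelated line that must be ignored.
SAMPLE_CONFIG = b"\n".join([
    C2_PREFIX + base64.b64encode(b"http://c2.example.invalid/post.php"),
    C2_PREFIX + base64.b64encode(b"https://backup.example.invalid/gif/"),
    base64.b64encode(C2_PREFIX + b"http://third.example.invalid/"),
    b"version=1",
])

if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_CONFIG):
        print(url)
```

Run it against a carved configuration file (`extract_c2_urls(open(path, "rb").read())`) to pull candidate C2 hosts for blocking and for hunting the HTTP POST beaconing described under T1071.001; anything the decoder rejects is worth a manual look rather than silent discard, since the real prefix placement may differ from the assumption made here.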