{"description": "Enterprise techniques used by BOLDMOVE, ATT&CK software S1184 (v1.0)", "name": "BOLDMOVE (S1184)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) uses web services for command and control communication.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) is capable of spawning a remote command shell.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) contains a watchdog-like feature that monitors a particular file for modification. If modification is detected, the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) can free all resources and terminate itself on victim machines.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) uses the WolfSSL library to implement SSL encryption for command and control communication.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) verifies it is executing from a specific path during execution.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) is associated with exploitation of CVE-2022-42475 in FortiOS.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) can list information of all files in the system recursively from the root directory or from a specified directory.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) calls the signal function to ignore the signals SIGCHLD, SIGHUP, and SIGPIPE prior to starting primary logic.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) can modify proprietary Fortinet logs on victim machines.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.006", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) can disable the Fortinet daemons `miglogd` and `syslogd` to evade detection and logging.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) can remove files on victim systems.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) is capable of relaying traffic from command and control servers to follow-on systems.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) performs system survey actions following initial execution.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[BOLDMOVE](https://attack.mitre.org/software/S1184) enumerates network interfaces on the infected host.(Citation: Google Cloud BOLDMOVE 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BOLDMOVE", "color": "#66b1ff"}]}