{"description": "Enterprise techniques used by TAMECAT, ATT&CK software S1193 (v1.0)", "name": "TAMECAT (S1193)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used HTTP for C2 communications.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used PowerShell to download and run additional content.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used `cmd.exe` to run the `curl` command.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has encoded C2 traffic with Base64.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used AES to encrypt C2 traffic.(Citation: Mandiant APT42-untangling)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used `wget` and `curl` to download additional content.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used Windows Management Instrumentation (WMI) to check for anti-virus products.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[TAMECAT](https://attack.mitre.org/software/S1193) has used Windows Management Instrumentation (WMI) to query anti-virus products.(Citation: Mandiant APT42-untangling) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TAMECAT", "color": "#66b1ff"}]}