{"description": "Enterprise techniques used by J-magic, ATT&CK software S1203 (v1.0)", "name": "J-magic (S1203)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "The [J-magic](https://attack.mitre.org/software/S1203) agent is executed with command line arguments that specify an interface and a listening port.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can connect back to C2 infrastructure over SSL to send a challenge.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.003", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can overwrite previously executed command line arguments.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can rename itself as \u201c[nfsiod 0]\u201d to masquerade as the local Network File System (NFS) asynchronous I/O server.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1040", "comment": "[J-magic](https://attack.mitre.org/software/S1203) has a pcap listener function that can create an Extended Berkeley Packet Filter (eBPF) on designated interfaces and ports.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can monitor incoming C2 communications sent over TCP to the compromised host.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can compare the host and remote IPs to check whether a received packet originated from the infected machine itself.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[J-magic](https://attack.mitre.org/software/S1203) can monitor TCP traffic for packets containing one of five predefined parameters and will spawn a reverse shell if one of the parameters is received and the correct response string to a subsequent challenge follows.(Citation: Lumen J-Magic JAN 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by J-magic", "color": "#66b1ff"}]}
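The T1040, T1095, T1016, T1205 and T1573.002 entries above together describe one signalling sequence: a BPF listener on a designated interface and port, a TCP "magic" packet that the implant accepts only if it did not originate from the host itself, and then an SSL connection back to the sender to run a challenge before a shell is spawned. The following is an added detection example written for this page; it is not code from the ATT&CK layer, from the Lumen report, or from the implant. It runs a flow-log heuristic over constructed records: an unsolicited inbound TCP packet to a network device from a non-management host, followed within a short window by an outbound TLS connection from the device back to that same host. The device addresses, management allowlist, time window, flow-record format and sample records are all assumptions made for illustration; the five real trigger parameters are not reproduced here.

```python
"""Flow-log heuristic for the J-magic style trigger-then-callback pattern.

Added example, not from the ATT&CK layer or the Lumen report. Everything
below (addresses, allowlist, window, record format, sample records) is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

DEVICE_IPS = {"192.0.2.1"}         # assumption: addresses of the monitored router
MGMT_ALLOWLIST = {"198.51.100.5"}  # assumption: hosts allowed to initiate to it
CALLBACK_PORTS = {443}             # SSL/TLS ports the call-back is expected on
WINDOW = timedelta(seconds=60)     # assumption: max gap between trigger and call-back

# Constructed record format: "<ISO8601 UTC> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE_FLOWS = [  # constructed records, not real telemetry
    "2025-01-23T10:00:00Z tcp 198.51.100.5:40000 -> 192.0.2.1:22",   # NMS SSH, allowlisted
    "2025-01-23T10:00:05Z tcp 203.0.113.7:51234 -> 192.0.2.1:8443",  # unsolicited inbound
    "2025-01-23T10:00:06Z tcp 192.0.2.1:49152 -> 203.0.113.7:443",   # router calls back: alert
    "2025-01-23T10:05:00Z tcp 192.0.2.1:49153 -> 203.0.113.9:443",   # outbound TLS, no trigger
    "2025-01-23T10:10:00Z tcp 203.0.113.20:1111 -> 192.0.2.1:80",    # inbound, then ...
    "2025-01-23T10:20:00Z tcp 192.0.2.1:49154 -> 203.0.113.20:443",  # ... call-back outside window
    "2025-01-23T10:25:00Z udp 203.0.113.30:5000 -> 192.0.2.1:161",   # UDP ignored: signal is TCP
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; raise ValueError on anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6)))


def find_callbacks(flows: Iterable[Flow]) -> List[dict]:
    """Return one alert per inbound trigger that is followed, within WINDOW,
    by an outbound TLS connection from the device to the trigger's source."""
    pending: Dict[str, List[Tuple[datetime, int]]] = {}  # remote ip -> [(ts, dport)]
    alerts: List[dict] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "tcp":  # the implant signals over TCP only
            continue
        # Mirror the implant's own host-vs-remote check: a packet the device
        # sent to itself is not a trigger, so it never enters `pending`.
        to_device = f.dst in DEVICE_IPS and f.src not in DEVICE_IPS
        from_device = f.src in DEVICE_IPS and f.dst not in DEVICE_IPS
        if to_device and f.src not in MGMT_ALLOWLIST:
            pending.setdefault(f.src, []).append((f.ts, f.dport))
        elif from_device and f.dport in CALLBACK_PORTS:
            for trig_ts, trig_port in pending.get(f.dst, []):
                delta = f.ts - trig_ts
                if timedelta(0) <= delta <= WINDOW:
                    alerts.append({
                        "remote": f.dst,
                        "trigger_port": trig_port,
                        "callback_port": f.dport,
                        "delta_seconds": int(delta.total_seconds()),
                        "at": f.ts.isoformat(),
                    })
    return alerts


def run_example() -> List[dict]:
    """Run the heuristic over the constructed sample records."""
    return find_callbacks(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print("possible magic-packet call-back:", alert)
```

The heuristic deliberately keys only on the behaviour the layer records (a TCP trigger to the device, a self-originated-packet check, an SSL connection back to the sender) and not on packet contents, so it does not need the trigger parameters and will also fire on variants that change them. Tune the allowlist and window to the environment: routers that legitimately open outbound TLS sessions to hosts that just connected to them (for example a management portal that polls and then receives telemetry) will need those peers excluded.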