{
  "description": "Enterprise techniques used by C0018, ATT&CK campaign C0018 (v1.0)",
  "name": "C0018 (C0018)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used HTTP for C2 communications.(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used encoded PowerShell scripts for execution.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used [AvosLocker](https://attack.mitre.org/software/S1053) ransomware to encrypt files on the compromised network.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors exploited VMWare Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.(Citation: Cisco Talos Avos Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors downloaded additional tools, such as [Mimikatz](https://attack.mitre.org/software/S0002) and [Sliver](https://attack.mitre.org/software/S0633), as well as [Cobalt Strike](https://attack.mitre.org/software/S0154) and [AvosLocker](https://attack.mitre.org/software/S1053) ransomware onto the victim network.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), [AvosLocker](https://attack.mitre.org/software/S1053) was disguised using the victim company name as the filename.(Citation: Cisco Talos Avos Jun 2022)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "For [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors renamed a [Sliver](https://attack.mitre.org/software/S0633) payload to `vmware_kb.exe`.(Citation: Cisco Talos Avos Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1046", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used the SoftPerfect Network Scanner for network scanning.(Citation: Cisco Talos Avos Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used Base64 to encode their PowerShell scripts.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "For [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors acquired a variety of open source tools, including [Mimikatz](https://attack.mitre.org/software/S0002), [Sliver](https://attack.mitre.org/software/S0633), SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1219", "showSubtechniques": true},
    {"techniqueID": "T1219.002", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used AnyDesk to transfer tools between systems.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1072", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used PDQ Deploy to move [AvosLocker](https://attack.mitre.org/software/S1053) and tools across the network.(Citation: Cisco Talos Avos Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used `rundll32` to run [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors ran `nslookup` and Advanced IP Scanner on the target network.(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors collected `whoami` information via PowerShell scripts.(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by C0018", "color": "#66b1ff"}]
}