BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [1]

ID: S0017
Platforms: Windows
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | BISCUIT has a command to launch a command shell on the system. [2] |
| Enterprise | T1094 | Custom Command and Control Protocol | BISCUIT communicates with the C2 server using a custom protocol. [2] |
| Enterprise | T1008 | Fallback Channels | BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server. [1] [2] |
| Enterprise | T1056 | Input Capture | BISCUIT can capture keystrokes. [2] |
| Enterprise | T1057 | Process Discovery | BISCUIT has a command to enumerate running processes and identify their owners. [2] |
| Enterprise | T1105 | Remote File Copy | BISCUIT has a command to download a file from the C2 server. [2] |
| Enterprise | T1113 | Screen Capture | BISCUIT has a command to periodically take screenshots of the system. [2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | BISCUIT uses SSL for encrypting C2 communications. [2] |
| Enterprise | T1082 | System Information Discovery | BISCUIT has a command to collect the processor type, operating system, computer name, uptime, and whether the system is a laptop or PC. [2] |
| Enterprise | T1033 | System Owner/User Discovery | BISCUIT has a command to gather the username from the system. [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0006 | APT1 | [1] |