{"description": "Enterprise techniques used by Misdat, ATT&CK software S0083 (v1.2)", "name": "Misdat (S0083)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1547", "comment": "[Misdat](https://attack.mitre.org/software/S0083) has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Misdat](https://attack.mitre.org/software/S0083) is capable of providing shell functionality to the attacker to execute commands.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Misdat](https://attack.mitre.org/software/S0083) network traffic is Base64-encoded plaintext.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Misdat](https://attack.mitre.org/software/S0083) has collected files and data from a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Misdat](https://attack.mitre.org/software/S0083) has uploaded files and data to its C2 servers.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Misdat](https://attack.mitre.org/software/S0083) is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Misdat](https://attack.mitre.org/software/S0083) is capable of deleting the backdoor file.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "Many [Misdat](https://attack.mitre.org/software/S0083) samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "[Misdat](https://attack.mitre.org/software/S0083) is capable of deleting Registry keys used for persistence.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Misdat](https://attack.mitre.org/software/S0083) is capable of downloading files from the C2.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Misdat](https://attack.mitre.org/software/S0083) saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Misdat](https://attack.mitre.org/software/S0083) has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Misdat](https://attack.mitre.org/software/S0083) network traffic communicates over a raw socket.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Misdat](https://attack.mitre.org/software/S0083) was typically packed using UPX.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "The initial beacon packet for [Misdat](https://attack.mitre.org/software/S0083) contains the operating system version of the victim.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[Misdat](https://attack.mitre.org/software/S0083) has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Misdat", "color": "#66b1ff"}]}
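The T1547 and T1036.005 entries above give a hunter two concrete things to look for: StubPath values written outside the normal Active Setup location (Misdat's `HKCU\Software\<name>\StubPath` keys), Active Setup `Installed Components` entries whose StubPath points into a user-writable directory, and an `msdtc.exe` running from anywhere other than `System32`. The script below is an added example that turns those indicators into detection logic over Sysmon-style events; it is not code from ATT&CK or from the Cylance report. It assumes Sysmon field names (`EventID`, `Image`, `TargetObject`, `Details`) and that Sysmon records HKCU keys as `HKU\<user SID>\...`; the events in `SAMPLE_EVENTS` are constructed, not real telemetry, and the benign CLSID in them is made up.

```python
"""Hunt for Misdat-style persistence (T1547: StubPath / Active Setup keys) and
masquerading (T1036.005: msdtc.exe outside System32) in Sysmon-style events.
Added example for this ATT&CK layer, not code from ATT&CK or the Cylance report.
SAMPLE_EVENTS is constructed for illustration."""
import re

# Sysmon logs HKCU keys as HKU\<user SID>\...; fold them to HKCU\ so one
# pattern matches both spellings (assumption about the log format).
_HKU_USER_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)

# Misdat wrote HKCU\Software\<name>\StubPath.  StubPath normally lives only
# under Active Setup\Installed Components\{CLSID}, so a StubPath value directly
# under Software\<name> is suspicious regardless of its data.
_ROGUE_STUBPATH_RE = re.compile(r"^HKCU\\Software\\[^\\]+\\StubPath$", re.IGNORECASE)

# Active Setup entries are legitimate for installers, so flag them only when the
# StubPath data points into a user-writable location.
_ACTIVE_SETUP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
    r"\{[0-9a-f-]{36}\}\\StubPath$",
    re.IGNORECASE,
)
_USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.IGNORECASE
)

# The only place the real Distributed Transaction Coordinator binary lives.
LEGIT_MSDTC = r"c:\windows\system32\msdtc.exe"


def normalize_key(target):
    """Map HKU\\<user SID>\\... to HKCU\\...; other hives are returned unchanged."""
    return _HKU_USER_RE.sub(r"HKCU\\", target)


def check_registry_event(ev):
    """Sysmon EID 13 (registry value set): return a finding string or None."""
    key = normalize_key(ev.get("TargetObject", ""))
    data = ev.get("Details", "")
    image = ev.get("Image", "")
    if _ROGUE_STUBPATH_RE.match(key):
        return f"T1547: StubPath value outside Active Setup: {key} -> {data} (by {image})"
    if _ACTIVE_SETUP_RE.match(key) and _USER_WRITABLE_RE.search(data):
        return f"T1547: Active Setup StubPath into user-writable dir: {key} -> {data} (by {image})"
    return None


def check_process_event(ev):
    """Sysmon EID 1 (process create): return a finding string or None."""
    image = ev.get("Image", "")
    basename = image.lower().rsplit("\\", 1)[-1]
    if basename == "msdtc.exe" and image.lower() != LEGIT_MSDTC:
        return f"T1036.005: msdtc.exe running from unexpected path: {image}"
    return None


def hunt(events):
    """Route each event to the check for its EventID; return all findings."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:
            finding = check_registry_event(ev)
        elif eid == 1:
            finding = check_process_event(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events).  Entries 1, 2 and 5 should
# fire; entry 3 is a benign installer writing Active Setup, entry 4 the real MSDTC.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\dnimtsoleht\StubPath",
     "Details": r"C:\Users\alice\AppData\Roaming\msdtc.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}\StubPath",
     "Details": r"C:\Users\alice\AppData\Roaming\msdtc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\StubPath",  # made-up CLSID
     "Details": r"C:\Windows\System32\regsvr32.exe /s example.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msdtc.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\msdtc.exe"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Two design points worth keeping when adapting this to a real pipeline: StubPath outside `Active Setup\Installed Components` is rare enough to alert on unconditionally, while Active Setup itself is written by many legitimate installers, so the user-writable-path condition is what keeps that rule quiet. The masquerading check compares the full lower-cased path rather than just the file name, because Misdat's whole trick is that the name matches the real service binary.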