{
  "description": "Enterprise techniques used by Cardinal RAT, ATT&CK software S0348 (v1.2)",
  "name": "Cardinal RAT (S0348)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is downloaded using HTTP over port 443.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.002", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) applies compression to C2 traffic using the ZLIB library.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) establishes Persistence by setting the HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load Registry key to point to its executable.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can execute commands.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) decodes many of its artifacts and is decrypted (AES-128) after being downloaded.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can communicate over multiple C2 host and port combinations.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can uninstall itself, including deleting its executable.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can download and execute additional payloads.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can log keystrokes.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) sets HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load to point to its executable.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.004", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) encodes many of its artifacts and is encrypted (AES-128) when downloaded.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) contains watchdog functionality that ensures its process is always running, else spawns a new instance.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) injects into a newly spawned process created from a native Windows executable.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can act as a reverse proxy.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) contains watchdog functionality that periodically ensures HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load is set to point to its executable.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can capture screenshots.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) can collect the username from a victim machine.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Cardinal RAT](https://attack.mitre.org/software/S0348) lures victims into executing malicious macros embedded within Microsoft Excel documents.(Citation: PaloAlto CardinalRat Apr 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Cardinal RAT", "color": "#66b1ff"}]
}