{
  "description": "Enterprise techniques used by MarkiRAT, ATT&CK software S0652 (v1.0)",
  "name": "MarkiRAT (S0652)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can initiate communication over HTTP/HTTPS for its C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1197", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can use BITS Utility to connect with the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1115", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can utilize cmd.exe to execute commands in a victim's environment.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.005", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can gather information from the Keepass password manager.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can upload data from the victim's machine to the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can store collected data locally in a created .nfo file.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can exfiltrate locally stored data via its C2.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can download additional files and tools from its C2 server, including through the use of [BITSAdmin](https://attack.mitre.org/software/S0190).(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture all keystrokes on a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can run the ShellExecuteW API via the Windows Command Shell.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can search for different processes on a system.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture screenshots that are initially saved as ‘scr.jpg’.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can check for the Telegram installation directory by enumerating the files on disk.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can obtain the computer name from a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can retrieve the victim’s username.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by MarkiRAT", "color": "#66b1ff"}]
}
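The layer above records behaviours (a lookalike process name such as svehost.exe, BITS use for C2, a payload dropped into the Startup folder, screenshots staged as scr.jpg) but says nothing about how to check a host for them or which scored techniques a detection set leaves uncovered. The following is an added example, not part of the MITRE layer or of the cited Kaspersky analysis: it parses a constructed excerpt in the same layer format, checks the invariants the Navigator relies on (every sub-technique has its parent listed, scores fall inside the gradient range), and maps hypothetical Sysmon-style events to the scored technique IDs so that techniques with no rule or no hit stand out. The event field names (`image`, `parent`, `path`), the system-directory and system-binary lists, and the rules themselves are assumptions chosen for illustration; the events are constructed.

```python
"""Coverage check of an ATT&CK Navigator layer against host telemetry.

Added example, not part of the MITRE layer or of any MarkiRAT analysis:
parse a layer (constructed excerpt below), validate it, then run hypothetical
detection rules keyed by technique ID over constructed Sysmon-style events.
"""
import json
import ntpath
import re

# Constructed excerpt in the layer format; comment text as in the MarkiRAT layer.
LAYER_JSON = '''{
 "name": "MarkiRAT (S0652)", "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
 "techniques": [
  {"techniqueID": "T1547", "showSubtechniques": true},
  {"techniqueID": "T1547.001", "score": 1, "color": "#66b1ff", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.(Citation: Kaspersky Ferocious Kitten Jun 2021)"},
  {"techniqueID": "T1036", "showSubtechniques": true},
  {"techniqueID": "T1036.005", "score": 1, "color": "#66b1ff", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)"},
  {"techniqueID": "T1197", "score": 1, "color": "#66b1ff", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can use BITS Utility to connect with the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)"},
  {"techniqueID": "T1113", "score": 1, "color": "#66b1ff", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture screenshots that are initially saved as 'scr.jpg'.(Citation: Kaspersky Ferocious Kitten Jun 2021)"},
  {"techniqueID": "T1115", "score": 1, "color": "#66b1ff", "comment": "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)"}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}
}'''

LINK_RE = re.compile(r"\[([^\]]+)\]\([^)]+\)")   # [text](url) -> text
CITE_RE = re.compile(r"\s*\(Citation: [^)]+\)")   # drop (Citation: ...) markers


def load_layer(text):
    """Parse a layer and check the invariants the Navigator relies on."""
    layer = json.loads(text)
    ids = {t["techniqueID"] for t in layer["techniques"]}
    lo, hi = layer["gradient"]["minValue"], layer["gradient"]["maxValue"]
    for t in layer["techniques"]:
        tid = t["techniqueID"]
        if "." in tid and tid.split(".")[0] not in ids:
            raise ValueError(f"{tid} is listed without its parent technique")
        if "score" in t and not lo <= t["score"] <= hi:
            raise ValueError(f"{tid} score {t['score']} is outside the gradient range")
    return layer


def scored_techniques(layer):
    """Map each scored technique ID to its comment as plain text."""
    return {t["techniqueID"]: CITE_RE.sub("", LINK_RE.sub(r"\1", t.get("comment", ""))).strip()
            for t in layer["techniques"] if "score" in t}


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character lookalikes of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed Sysmon-style field names and system paths; adjust to your telemetry.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"]
base = lambda p: ntpath.basename(p).lower()


def rule_t1036_005(ev):  # lookalike of a system binary name (svehost.exe) outside a system directory
    return (ev["type"] == "process" and not ev["image"].lower().startswith(SYSTEM_DIRS)
            and any(0 < edit_distance(base(ev["image"]), s) <= 1 for s in SYSTEM_NAMES))


def rule_t1197(ev):  # bitsadmin.exe launched from a command shell
    return ev["type"] == "process" and base(ev["image"]) == "bitsadmin.exe" and base(ev["parent"]) == "cmd.exe"


def rule_t1547_001(ev):  # executable written into a Startup folder
    p = ev["path"].lower() if ev["type"] == "file" else ""
    return "\\start menu\\programs\\startup\\" in p and p.endswith(".exe")


def rule_t1113(ev):  # scr.jpg staged by a process outside Windows / Program Files
    return (ev["type"] == "file" and base(ev["path"]) == "scr.jpg"
            and not ev["image"].lower().startswith(("c:\\windows\\", "c:\\program files")))


RULES = {"T1036.005": rule_t1036_005, "T1197": rule_t1197, "T1547.001": rule_t1547_001, "T1113": rule_t1113}

# Constructed events: four matching the layer's behaviours plus one benign svchost.exe start.
EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\svehost.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
     "image": r"C:\Users\u\AppData\Roaming\svehost.exe"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\scr.jpg", "image": r"C:\Users\u\AppData\Roaming\svehost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
]


def coverage(layer, events):
    """Scored technique ID -> indices of events a rule keyed to it matched ([] means no rule or no hit)."""
    return {tid: [i for i, ev in enumerate(events) if tid in RULES and RULES[tid](ev)]
            for tid in scored_techniques(layer)}


if __name__ == "__main__":
    for tid, hits in coverage(load_layer(LAYER_JSON), EVENTS).items():
        print(tid, hits or ("NO RULE" if tid not in RULES else "no hit"))
```

Run as a script it prints one line per scored technique; T1115 (clipboard capture) comes out as NO RULE, which is the coverage gap this kind of check is meant to surface. The update.exe name from the masquerading entry is deliberately not alerted on by name alone: it is too common, so the example keys the T1036.005 rule on the svchost.exe lookalike and on the image running outside a system directory.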