{"description": "Enterprise techniques used by Torisma, ATT&CK software S0678 (v1.2)", "name": "Torisma (S0678)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can use HTTP and HTTPS for C2 communications.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has encoded C2 communications with Base64.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has used XOR and Base64 to decode C2 data.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has encrypted its C2 communications using XOR and VEST-32.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[Torisma](https://attack.mitre.org/software/S0678) is only delivered to a compromised host if the victim's IP address is on an allow-list.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can send victim data to an actor-controlled C2 server.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has used various Windows API calls.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has been packed with Iz4 compression.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Torisma](https://attack.mitre.org/software/S0678) has been Base64 encoded and AES encrypted.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can use `WTSEnumerateSessionsW` to monitor remote desktop connections.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Torisma](https://attack.mitre.org/software/S0678) can collect the current time on a victim machine.(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Torisma", "color": "#66b1ff"}]}