{"description": "Enterprise techniques used by CreepySnail, ATT&CK software S1024 (v1.0)", "name": "CreepySnail (S1024)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can use HTTP for C2.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can use PowerShell for execution, including the cmdlets `Invoke-WebRequest` and `Invoke-Expression`.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can use Base64 to encode its C2 traffic.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can connect to C2 for data exfiltration.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can use `getmac` and `Get-NetIPAddress` to enumerate network settings.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[CreepySnail](https://attack.mitre.org/software/S1024) can execute `getUsername` on compromised systems.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": 
"[CreepySnail](https://attack.mitre.org/software/S1024) can use stolen credentials to authenticate on target networks.(Citation: Microsoft POLONIUM June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CreepySnail", "color": "#66b1ff"}]}