{"description": "Enterprise techniques used by StealBit, ATT&CK software S1200 (v1.0)", "name": "StealBit (S1200)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can use HTTP to exfiltrate files to actor-controlled infrastructure.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can upload data and files to the LockBit victim-shaming site.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1030", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can detect it is being run in the context of a debugger.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can deobfuscate loaded modules prior to execution.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[StealBit](https://attack.mitre.org/software/S1200) will execute an empty infinite loop if it detects it is being run in the context of a debugger.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can be configured to exfiltrate specific file types.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.006", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can configure processes to not display certain Windows error messages through use of `NtSetInformationProcess`.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can self-delete its executable file from the compromised system.(Citation: Cybereason StealBit Exfiltration Tool)(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can use the Windows Socket networking library to communicate with attacker-controlled endpoints.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[StealBit](https://attack.mitre.org/software/S1200) stores obfuscated DLL file names in its executable.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can enumerate the computer name and domain membership of the compromised system.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[StealBit](https://attack.mitre.org/software/S1200) can determine system location based on the default language setting and will not execute on systems located in former Soviet countries.(Citation: Cybereason StealBit Exfiltration Tool)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by StealBit", "color": "#66b1ff"}]}