{"description": "Enterprise techniques used by SystemBC, ATT&CK software S9001 (v1.0)", "name": "SystemBC (S9001)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [
{"techniqueID": "T1087", "showSubtechniques": true},
{"techniqueID": "T1087.001", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has collected the Windows account username on the victim machine.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.004", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has used DNS servers to resolve .bit domains to C2 infrastructure.(Citation: HarmonProofpoint_SystemBC_Aug2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.001", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has used hidden scheduled tasks to execute PowerShell commands by adding the following: `-WindowStyle Hidden -ep bypass -file `.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has used `cmd.exe` to execute VBS scripts, BAT scripts and CMD scripts.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.005", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has leveraged VBScript to execute malicious code.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1001", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has XOR-encoded and RC4-encrypted its beacon.(Citation: Lumen_SystemBC_Sept2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1678", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has called the Sleep function before and after commands to ensure execution, using hexadecimal values within commands such as `Sleep(0x2710u)`, which waits 10 seconds, and `Sleep(0xEA60u)`, which waits 60 seconds.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1140", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has the ability to decrypt RC4-encrypted packets and to decode obfuscated data before C2 communication.(Citation: AhnLab_SystemBC_Apr2022) Additionally, [SystemBC](https://attack.mitre.org/software/S9001) has decrypted its config file, which was encoded with XOR and a hardcoded 40-byte key.(Citation: Lumen_SystemBC_Sept2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.001", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has encrypted its C2 traffic with RC4.(Citation: HarmonProofpoint_SystemBC_Aug2019)(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1480", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has checked whether DNS server names end in .bit before initializing C2 communication.(Citation: HarmonProofpoint_SystemBC_Aug2019) [SystemBC](https://attack.mitre.org/software/S9001) has identified running processes associated with anti-virus solutions, including `a2guard.exe`, to determine whether or not it executes.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1564", "showSubtechniques": true},
{"techniqueID": "T1564.003", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has utilized `-WindowStyle Hidden -ep bypass -file ` to conceal PowerShell windows.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1105", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has downloaded additional files for execution on the victim\u2019s machine.(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: TrumanKroll_SYSTEMBCServer_Jan2024) The server component of [SystemBC](https://attack.mitre.org/software/S9001) has the ability to send additional files to victim machines.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1106", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has utilized native Windows API functions such as `EnumWindows` and `GetVolumeInformationA` during discovery activities.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1095", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has used raw TCP on non-standard ports, such as 4044, for C2 communications and for HTTP communications, which include downloading binaries.(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: AhnLab_SystemBC_Apr2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1571", "comment": "The server component of [SystemBC](https://attack.mitre.org/software/S9001) has used various TCP ports for C2 communication.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1057", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has the ability to enumerate running processes.(Citation: SophosGnGal_SystemBC_Dec2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1090", "showSubtechniques": true},
{"techniqueID": "T1090.003", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has used multiple proxy layers, such as SOCKS5 and [Tor](https://attack.mitre.org/software/S0183), for C2 communication.(Citation: HarmonProofpoint_SystemBC_Aug2019)(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)(Citation: BlackBasta) [SystemBC](https://attack.mitre.org/software/S9001) has also leveraged [Tor](https://attack.mitre.org/software/S0183) for encrypting and concealing C2 traffic.(Citation: SophosGnGal_SystemBC_Dec2020) The server component of [SystemBC](https://attack.mitre.org/software/S9001) has used SOCKS5 for C2 communication.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1620", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has downloaded a text file into memory and set the protection of that memory region via the VirtualProtect call. Then, [SystemBC](https://attack.mitre.org/software/S9001) has executed the file via the CreateThread call.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has executed a copy of itself as a scheduled task with the `start` command. The copy of [SystemBC](https://attack.mitre.org/software/S9001) has random file and directory names within the ProgramData directory.(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has collected the username, build number and serial number, then sent the information to the C2 server.(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: AhnLab_SystemBC_Apr2022) [SystemBC](https://attack.mitre.org/software/S9001) has also gathered device name, operating system, and processor type.(Citation: HarmonProofpoint_SystemBC_Aug2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1124", "comment": "[SystemBC](https://attack.mitre.org/software/S9001) has leveraged the time of the device to create a text file whose filename is produced by `uniqid(time()).\u2018.txt`, consisting of the 10-character UNIX timestamp and 13 hexadecimal characters.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SystemBC", "color": "#66b1ff"}]}