{
  "description": "Enterprise techniques used by DRYHOOK, ATT&CK software S9013 (v1.0)",
  "name": "DRYHOOK (S9013)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "19",
    "navigator": "5.3.2"
  },
  "techniques": [
    {
      "techniqueID": "T1059",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1059.006",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) is a Python-based script that executes within the victim environment.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1059.008",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has the ability to interact with Ivanti Connect Secure environments and to modify system components.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1074",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1074.001",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has stored stolen credentials for later retrieval in the temp directory of a compromised Ivanti Connect Secure VPN appliance, specifically at `/tmp/cmmmap.kumMW`.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1685",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has killed all instances of the `cgi-server` process so that the modified Perl module is loaded.(Citation: Google UNC5221 Ivanti January 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1222",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1222.002",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has the ability to remount the filesystem \u201cread-write\u201d to make its changes, then restore it to \u201cread-only\u201d before killing processes so the modifications take effect.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1056",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1056.001",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has captured usernames and passwords in plaintext and stored them, encrypted, in a file on the network device.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1556",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has intercepted and logged user credentials by modifying the Perl module `/home/perl/DSAuth.pm` on Ivanti Connect Secure VPN edge devices.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1556.004",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has patched the authentication routines of victim appliances to capture credentials in plaintext as users log in.(Citation: Google UNC5221 Ivanti January 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1601",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has modified the Ivanti Connect Secure VPN authentication Perl module `DSAuth.pm` by reading its contents into a buffer, then finding and replacing selected lines of code.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1027",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1027.013",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has obfuscated stolen credential strings stored in a file using Base64 encoding and RC4 encryption with a hard-coded key.(Citation: Google UNC5221 Ivanti January 2025)(Citation: Picus Security UNC5221 Ivanti May 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1489",
      "comment": "[DRYHOOK](https://attack.mitre.org/software/S9013) has terminated all instances of the `cgi-server` process before activating the modified `DSAuth.pm` file.(Citation: Google UNC5221 Ivanti January 2025)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    }
  ],
  "gradient": {
    "colors": [
      "#ffffff",
      "#66b1ff"
    ],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {
      "label": "used by DRYHOOK",
      "color": "#66b1ff"
    }
  ]
}
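The layer above records four behaviours a responder can act on directly: the patched `/home/perl/DSAuth.pm` (T1601/T1556.004), the staged credential file `/tmp/cmmmap.kumMW` (T1074.001), and the Base64 plus RC4 wrapping of its contents (T1027.013). The Python below is an added triage example, not code from the ATT&CK entry, from the cited Google or Picus reports, or from DRYHOOK itself. It assumes, because the page does not say, that each stored record is the RC4 ciphertext of `user:password` encoded as one Base64 line, and it uses a placeholder key; the real hard-coded key is not on this page. The `DSAuth.pm` contents and the known-good hash are constructed stand-ins, not Ivanti source. On a real appliance the known-good hash would come from a clean image of the same build, and the key from analysis of the recovered script.

```python
"""Added triage helpers for the DRYHOOK behaviours catalogued in this layer.

Constructed example: not code from ATT&CK, Google/Mandiant, Picus or the
malware. Assumptions not stated on the page: the credential file holds one
Base64 line per record, each the RC4 ciphertext of "user:password"; the key
below is a placeholder, not DRYHOOK's real hard-coded key.
"""
import base64
import hashlib

ASSUMED_RC4_KEY = b"placeholder-key"      # hypothetical stand-in for the real key
CREDENTIAL_FILE = "/tmp/cmmmap.kumMW"      # path named in the layer (T1074.001)
AUTH_MODULE = "/home/perl/DSAuth.pm"       # path named in the layer (T1556)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                    # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                       # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_record(user: str, password: str, key: bytes = ASSUMED_RC4_KEY) -> str:
    """What a credential-logging hook would write: RC4, then Base64 (assumed order)."""
    return base64.b64encode(rc4(key, f"{user}:{password}".encode())).decode()


def decode_record(line: str, key: bytes = ASSUMED_RC4_KEY) -> tuple[str, str]:
    """Responder side: undo Base64, then RC4, and split at the first ':'."""
    user, _, password = rc4(key, base64.b64decode(line)).decode().partition(":")
    return user, password


def decode_credential_file(contents: bytes, key: bytes = ASSUMED_RC4_KEY) -> list[tuple[str, str]]:
    """Decode every non-empty line of a recovered credential file."""
    return [decode_record(line, key) for line in contents.decode().splitlines() if line.strip()]


def triage(snapshot: dict[str, bytes], known_good_dsauth_sha256: str) -> list[str]:
    """Check a path->contents snapshot of an appliance for the layer's two file
    indicators: a DSAuth.pm that no longer matches the clean build, and the
    staged credential file."""
    findings = []
    module = snapshot.get(AUTH_MODULE)
    if module is None:
        findings.append(f"{AUTH_MODULE} missing from snapshot")
    elif hashlib.sha256(module).hexdigest() != known_good_dsauth_sha256:
        findings.append(f"{AUTH_MODULE} hash differs from known-good build (T1601/T1556.004)")
    if CREDENTIAL_FILE in snapshot:
        n = len(decode_credential_file(snapshot[CREDENTIAL_FILE]))
        findings.append(f"{CREDENTIAL_FILE} present with {n} decodable record(s) (T1074.001/T1027.013)")
    return findings


# Constructed sample data: a stand-in for the Perl module, not Ivanti source.
ORIGINAL_DSAUTH = b"sub checkPassword { my ($u, $p) = @_; return verify($u, $p); }\n"
PATCHED_DSAUTH = ORIGINAL_DSAUTH.replace(b"return verify", b"log_creds($u, $p); return verify")
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL_DSAUTH).hexdigest()

SAMPLE_SNAPSHOT = {
    AUTH_MODULE: PATCHED_DSAUTH,
    CREDENTIAL_FILE: "\n".join([encode_record("alice", "Summer2025!"),
                                encode_record("bob", "hunter2")]).encode(),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT, KNOWN_GOOD_SHA256):
        print(finding)
    print(decode_credential_file(SAMPLE_SNAPSHOT[CREDENTIAL_FILE]))
```

The hash comparison, not a string search for `log_creds`, is the durable check: the layer says the module is edited by find-and-replace of selected lines, so the inserted text is whatever the operator chose, while a clean-build hash catches any edit. The decoder only yields readable records once the placeholder key is replaced with the key recovered from the script; with the wrong key the `.decode()` in `decode_record` will usually fail, which is itself a useful signal that the key is wrong rather than the file format.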