{"description": "Enterprise techniques used by PHASEJAM, ATT&CK software S9014 (v1.0)", "name": "PHASEJAM (S9014)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.008", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has leveraged native commands associated with the compromised network appliance to execute code.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has modified legitimate components to enable persistence and execution, including inserting a web shell into `getComponent.cgi` and `restAuth.cgi`, modifying `DSUpgrade.pm` to block system upgrades, and overwriting `remotedebug` to execute arbitrary commands when specific parameters are provided.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1565", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has blocked legitimate upgrades of Ivanti Connect Secure systems and falsely indicated a successful upgrade while the appliance continued to operate on an older version.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has used the `sleep` command within its code to generate a fake HTML upgrade progress bar that mimics a running process.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has the ability to decode Base64 commands and data.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1685", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has modified Ivanti Connect Secure appliances and blocked system upgrades by altering the `DSUpgrade.pm` file.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1685.003", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command and rendering a fake HTML upgrade progress bar through a function called `processUpgradeDisplay()`, which allowed the compromised device to remain under the control of the adversary.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.004", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has used a bash script to modify components on Ivanti Connect Secure appliances and execute files via `/bin/bash`. It has also used the Linux stream editor (`sed`) to execute commands.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has the ability to exfiltrate data from the victim appliance.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has the ability to upload files onto the compromised appliance.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.003", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has renamed the file `/home/bin/remotedebug` to `remotedebug.bak`, allowing the threat actors to write a malicious `/home/bin/remotedebug` shell script.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has encoded commands with Base64.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has launched a webshell using the `MIME::Base64` module that encoded and decoded Base64 commands.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has inserted Perl-based web shells into legitimate files that provided threat actors with remote access and code execution capabilities on the compromised network appliance.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[PHASEJAM](https://attack.mitre.org/software/S9014) has disabled the `cgi-server` process on Ivanti Connect Secure appliances.(Citation: Google UNC5221 Ivanti January 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PHASEJAM", "color": "#66b1ff"}]}