{
  "description": "Enterprise techniques used by LP-Notes, ATT&CK software S9036 (v1.0)",
  "name": "LP-Notes (S9036)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1134", "showSubtechniques": true},
    {"techniqueID": "T1134.001", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has impersonated the security context of the taskhostw.exe process via the `ImpersonateLoggedOnUser` API.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has encrypted collected credentials using AES-CBC from the CNG API with the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the initialization vector 91A4E6F6D51DAEE773A8F00279792578.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has been downloaded and executed by PowerShell’s `Invoke-WebRequest` and `Invoke-Expression` cmdlets.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has stored collected credentials in `C:\\Users\\Public\\Downloads\\lp-notes.txt`.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has decrypted strings with lengths ranging from 15 to 19 characters using the same decryption key for each string.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.002", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has displayed a fake Windows Security dialog box to prompt for Windows credentials.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has used the `ImpersonateLoggedOnUser` API to impersonate the security context of the taskhostw.exe process.(Citation: ESET_MuddyWater_Dec2025) [LP-Notes](https://attack.mitre.org/software/S9036) has also used the `CredUIPromptForWindowsCredentialsW` API to obtain Windows credentials.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.007", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has dynamically resolved API functions during the C runtime startup.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has used a custom addition-based function and a string stacking function for string encryption.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has searched for the process taskhostw.exe.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1078", "comment": "[LP-Notes](https://attack.mitre.org/software/S9036) has used stolen Windows credentials to log in as the users.(Citation: ESET_MuddyWater_Dec2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by LP-Notes", "color": "#66b1ff"}]
}