{"description": "Enterprise techniques used by EnvyScout, ATT&CK software S0634 (v1.1)", "name": "EnvyScout (S0634)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can use cmd.exe to execute malicious files on compromised hosts.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can collect sensitive NTLM material from a compromised host.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can deobfuscate and write malicious ISO files to disk.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1187", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can use hidden directories and files to hide malicious executables.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) has used folder icons for malicious files to lure victims into opening them.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.006", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) has been distributed via spearphishing as an email attachment.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) has the ability to proxy execution of malicious files with Rundll32.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) can determine whether the ISO payload was received by a Windows or iOS 
device.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[EnvyScout](https://attack.mitre.org/software/S0634) has been executed through malicious files attached to e-mails.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by EnvyScout", "color": "#66b1ff"}]}