{"description":"Enterprise techniques used by Agent Tesla, ATT&CK software S0331 (v1.3)","domain":"enterprise-attack","gradient":{"colors":["#ffffff","#66b1ff"],"maxValue":1,"minValue":0},"legendItems":[{"color":"#66b1ff","label":"used by Agent Tesla"}],"name":"Agent Tesla (S0331)","techniques":[
{"showSubtechniques":true,"techniqueID":"T1087"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect account information from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)","score":1,"showSubtechniques":true,"techniqueID":"T1087.001"},
{"showSubtechniques":true,"techniqueID":"T1071"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has used HTTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)","score":1,"showSubtechniques":true,"techniqueID":"T1071.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has used SMTP for C2 communications.(Citation: Cofense Agent Tesla)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1071.003"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can encrypt data with 3DES before sending it to a C2 server.(Citation: Talos Agent Tesla Oct 2018)","score":1,"showSubtechniques":false,"techniqueID":"T1560"},
{"showSubtechniques":true,"techniqueID":"T1547"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1547.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to use form-grabbing to extract data from web data forms.(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1185"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can steal data from the victim\u2019s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1115"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to steal credentials from FTP clients and wireless profiles.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1555"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1555.003"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1140"},
{"showSubtechniques":true,"techniqueID":"T1048"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1048.003"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1203"},
{"showSubtechniques":true,"techniqueID":"T1564"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has created hidden folders.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1564.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1564.003"},
{"showSubtechniques":true,"techniqueID":"T1562"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the capability to kill any running analysis processes and AV software.(Citation: Fortinet Agent Tesla June 2017)","score":1,"showSubtechniques":true,"techniqueID":"T1562.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can download additional files for execution on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)","score":1,"showSubtechniques":false,"techniqueID":"T1105"},
{"showSubtechniques":true,"techniqueID":"T1056"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can log keystrokes on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1056.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can achieve persistence by modifying Registry key entries.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1112"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has had its code obfuscated in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018) [Agent Tesla](https://attack.mitre.org/software/S0331) has used the Rijndael symmetric encryption algorithm to encrypt strings.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1027"},
{"showSubtechniques":true,"techniqueID":"T1566"},
{"color":"#66b1ff","comment":"The primary delivery mechanism for [Agent Tesla](https://attack.mitre.org/software/S0331) is email phishing messages.(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1566.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can list the current running processes on the system.(Citation: Fortinet Agent Tesla June 2017)","score":1,"showSubtechniques":false,"techniqueID":"T1057"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can inject into known, vulnerable binaries on targeted hosts.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1055"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1055.012"},
{"showSubtechniques":true,"techniqueID":"T1053"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1053.005"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can capture screenshots of the victim\u2019s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1113"},
{"showSubtechniques":true,"techniqueID":"T1218"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has dropped RegAsm.exe onto systems for performing malicious activity.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1218.009"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1082"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1016"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect names and passwords of all Wi-Fi networks to which a device has previously connected.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1016.002"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the username from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1033"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the timestamp from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)","score":1,"showSubtechniques":false,"techniqueID":"T1124"},
{"showSubtechniques":true,"techniqueID":"T1552"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from configuration or support files.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1552.001"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1552.002"},
{"showSubtechniques":true,"techniqueID":"T1204"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments.(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":true,"techniqueID":"T1204.002"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) can access the victim\u2019s webcam and record video.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Talos Agent Tesla Oct 2018)","score":1,"showSubtechniques":false,"techniqueID":"T1125"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to perform anti-sandboxing and anti-virtualization checks.(Citation: Malwarebytes Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1497"},
{"color":"#66b1ff","comment":"[Agent Tesla](https://attack.mitre.org/software/S0331) has used WMI queries to gather information from the system.(Citation: Bitdefender Agent Tesla April 2020)","score":1,"showSubtechniques":false,"techniqueID":"T1047"}
],"versions":{"attack":"16","layer":"4.4","navigator":"4.8.1"}}
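A small Python checker for an ATT&CK Navigator layer like the one above, added here as an editor's example; it is not part of the layer and not MITRE's tooling. It parses the layer, builds a source-to-technique index from the `(Citation: ...)` markers in the comments, and lints the entries for the slips that creep into hand-edited layers: a raw line break inside a comment string (which is not valid JSON and makes the Navigator refuse the file), a scored entry with no `color`, a `color` that is not in `legendItems`, a sub-technique listed without its parent entry, and a scored entry with no citation. `LAYER_JSON` is a constructed excerpt of a few entries from the layer above, deliberately keeping two of those defects so the lint has something to report.

```python
"""Parse, index and lint an ATT&CK Navigator layer (editor's example)."""
import json
import re
from collections import defaultdict

# Constructed excerpt of the Agent Tesla layer: one parent placeholder, three
# scored entries, with T1555 missing its "color" and T1053.005 listed without
# a T1053 parent entry so that lint() has real findings.
LAYER_JSON = r'''{
  "name": "Agent Tesla (S0331)",
  "domain": "enterprise-attack",
  "legendItems": [{"color": "#66b1ff", "label": "used by Agent Tesla"}],
  "techniques": [
    {"showSubtechniques": true, "techniqueID": "T1547"},
    {"color": "#66b1ff", "score": 1, "showSubtechniques": true, "techniqueID": "T1547.001",
     "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020)"},
    {"score": 1, "showSubtechniques": true, "techniqueID": "T1555",
     "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to steal credentials from FTP clients and wireless profiles.(Citation: Malwarebytes Agent Tesla April 2020)"},
    {"color": "#66b1ff", "score": 1, "showSubtechniques": true, "techniqueID": "T1053.005",
     "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)"}
  ],
  "versions": {"attack": "16", "layer": "4.4", "navigator": "4.8.1"}
}'''

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1234 or T1234.001
CITATION = re.compile(r"\(Citation: ([^)]+)\)")       # ATT&CK citation marker


def is_valid_layer_text(text):
    """True if the text parses as JSON. A raw line break inside a comment
    string (the usual damage from wrapping or copy-paste) makes this False."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def load_layer(text):
    return json.loads(text)


def scored(layer):
    """Entries the layer actually colours in, i.e. techniques with a score."""
    return [t for t in layer["techniques"] if t.get("score", 0) > 0]


def lint(layer):
    """Return (techniqueID, problem) pairs in layer order."""
    problems = []
    ids = {t["techniqueID"] for t in layer["techniques"]}
    legend = {item["color"] for item in layer.get("legendItems", [])}
    for t in layer["techniques"]:
        tid = t["techniqueID"]
        if not TECHNIQUE_ID.match(tid):
            problems.append((tid, "malformed technique ID"))
            continue
        parent = tid.split(".")[0]
        if parent != tid and parent not in ids:
            problems.append((tid, "sub-technique listed without its parent"))
        if t.get("score", 0) > 0:
            if "color" not in t:
                problems.append((tid, "scored entry has no color"))
            elif t["color"] not in legend:
                problems.append((tid, "color not in legendItems"))
            if not CITATION.search(t.get("comment", "")):
                problems.append((tid, "scored entry has no citation"))
    return problems


def citation_index(layer):
    """Map each cited source to the sorted technique IDs it supports."""
    index = defaultdict(set)
    for t in scored(layer):
        for src in CITATION.findall(t.get("comment", "")):
            index[src.strip()].add(t["techniqueID"])
    return {src: sorted(tids) for src, tids in index.items()}


def main():
    layer = load_layer(LAYER_JSON)
    print(f"{layer['name']}: {len(scored(layer))} scored techniques")
    for src, tids in sorted(citation_index(layer).items()):
        print(f"  {src}: {', '.join(tids)}")
    for tid, msg in lint(layer):
        print(f"  LINT {tid}: {msg}")


if __name__ == "__main__":
    main()
```

Run it against the full layer by replacing `LAYER_JSON` with the file contents; `is_valid_layer_text` is worth calling first, since a layer that has been reflowed by an editor or a web extractor (a newline inside a `comment` string) fails `json.loads` before any of the other checks can run.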
