{ "name": "BOOSTWRITE", "version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": { "stages": [ "act" ], "platforms": [ "windows", "linux", "mac" ] }, "sorting": 0, "viewMode": 0, "hideDisabled": false, "techniques": [ { "techniqueID": "T1116", "tactic": "defense-evasion", "color": "#e60d0d", "comment": "BOOSTWRITE variants were observed signed by a valid CA", "enabled": true, "metadata": [] }, { "techniqueID": "T1038", "tactic": "persistence", "color": "#e60d0d", "comment": "BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll", "enabled": true, "metadata": [] }, { "techniqueID": "T1038", "tactic": "privilege-escalation", "color": "#e60d0d", "comment": "BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll", "enabled": true, "metadata": [] }, { "techniqueID": "T1038", "tactic": "defense-evasion", "color": "#e60d0d", "comment": "BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll", "enabled": true, "metadata": [] }, { "techniqueID": "T1022", "tactic": "exfiltration", "color": "#e60d0d", "comment": "BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection", "enabled": true, "metadata": [] }, { "techniqueID": "T1140", "tactic": "defense-evasion", "color": "#e60d0d", "comment": "BOOSTWRITE decodes its payloads at runtime using a ChaCha stream cipher with a 256-bit key and 64-bit IV", "enabled": true, "metadata": [] }, { "techniqueID": "T1129", "tactic": "execution", "color": "#e60d0d", "comment": "BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll", "enabled": true, "metadata": [] }, { "techniqueID": "T1027", 
"tactic": "defense-evasion", "color": "#e60d0d", "comment": "BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection", "enabled": true, "metadata": [] } ], "gradient": { "colors": [ "#ff6666", "#ffe766", "#8ec843" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true }