{"description": "Enterprise techniques used by Maze, ATT&CK software S0449 (v1.2)", "name": "Maze (S0449)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Maze](https://attack.mitre.org/software/S0449) has communicated to hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Maze](https://attack.mitre.org/software/S0449) has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence.(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "The [Maze](https://attack.mitre.org/software/S0449) encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Maze](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze](https://attack.mitre.org/software/S0449) has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Maze](https://attack.mitre.org/software/S0449) has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020) It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "[Maze](https://attack.mitre.org/software/S0449) has forged POST strings with a random choice from a list of possibilities including \"forum\", \"php\", \"view\", etc. while making connection with the C2, hindering detection efforts.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.006", "comment": "[Maze](https://attack.mitre.org/software/S0449) operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so [Maze](https://attack.mitre.org/software/S0449) can encrypt files on the shared drives as well as the local machine.(Citation: Sophos Maze VM September 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[Maze](https://attack.mitre.org/software/S0449) has used the \u201cWow64RevertWow64FsRedirection\u201d function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.(Citation: McAfee Maze March 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Maze](https://attack.mitre.org/software/S0449) has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Maze](https://attack.mitre.org/software/S0449) operators have created scheduled tasks masquerading as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\" designed to launch the ransomware.(Citation: Sophos Maze VM September 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Maze](https://attack.mitre.org/software/S0449) has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Maze](https://attack.mitre.org/software/S0449) has decrypted strings and other important information during the encryption process. [Maze](https://attack.mitre.org/software/S0449) also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020)\t", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[Maze](https://attack.mitre.org/software/S0449) has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Maze](https://attack.mitre.org/software/S0449) has gathered all of the running system processes.(Citation: McAfee Maze March 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Maze](https://attack.mitre.org/software/S0449) has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Maze](https://attack.mitre.org/software/S0449) has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch [Maze](https://attack.mitre.org/software/S0449) at a specific time.(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Maze](https://attack.mitre.org/software/S0449) has stopped SQL services to ensure it can encrypt any database.(Citation: Sophos Maze VM September 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Maze](https://attack.mitre.org/software/S0449) has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Maze](https://attack.mitre.org/software/S0449) has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[Maze](https://attack.mitre.org/software/S0449) has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1049", "comment": "[Maze](https://attack.mitre.org/software/S0449) has used the \"WNetOpenEnumW\", \"WNetEnumResourceW\u201d, \u201cWNetCloseEnum\u201d and \u201cWNetAddConnection2W\u201d functions to enumerate the network resources on the infected machine.(Citation: McAfee Maze March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[Maze](https://attack.mitre.org/software/S0449) has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.(Citation: Sophos Maze VM September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Maze](https://attack.mitre.org/software/S0449) has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Maze", "color": "#66b1ff"}]}