{"description": "Enterprise techniques used by Industroyer, ATT&CK software S0604 (v1.2)", "name": "Industroyer (S0604)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)\u2019s main backdoor connected to a remote C2 server using HTTPS.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.(Citation: Dragos Crashoverride 2017) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)\u2019s data wiper module clears registry keys and overwrites both ICS configuration and Windows files.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) decrypts code to connect to a remote C2 server.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1499", "showSubtechniques": true}, {"techniqueID": "T1499.004", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)\u2019s data wiper component enumerates specific files on all the Windows drives.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) downloads a shellcode payload from a remote C2 server and loads it into memory.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) uses a custom port scanner to map out a network.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) uses heavily obfuscated code in its Windows Notepad backdoor.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1572", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) used [Tor](https://attack.mitre.org/software/S0183) nodes for C2.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) can enumerate remote computers in the compromised network.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)\u2019s data wiper module writes zeros into the registry keys in SYSTEM\\CurrentControlSet\\Services to render a system inoperable.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) collects the victim machine\u2019s Windows GUID.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Industroyer](https://attack.mitre.org/software/S0604)\u2019s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "comment": "[Industroyer](https://attack.mitre.org/software/S0604) can use supplied user credentials to execute processes and stop services.(Citation: ESET Industroyer)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Industroyer", "color": "#66b1ff"}]}