{"description": "Enterprise techniques used by Clop, ATT&CK software S0611 (v1.0)", "name": "Clop (S0611)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Clop](https://attack.mitre.org/software/S0611) can use cmd.exe to help execute commands on the system.(Citation: Cybereason Clop Dec 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Clop](https://attack.mitre.org/software/S0611) can encrypt files using AES, RSA, and RC4 and will add the \".clop\" extension to encrypted files.(Citation: Mcafee Clop Aug 2019)(Citation: Unit42 Clop April 2021)(Citation: Cybereason Clop Dec 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Clop](https://attack.mitre.org/software/S0611) has used a simple XOR operation to decrypt strings.(Citation: Mcafee Clop Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Clop](https://attack.mitre.org/software/S0611) can uninstall or disable security products.(Citation: Cybereason Clop Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Clop](https://attack.mitre.org/software/S0611) has searched folders and subfolders for files to encrypt.(Citation: Mcafee Clop Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Clop](https://attack.mitre.org/software/S0611) can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.(Citation: Mcafee Clop Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Clop](https://attack.mitre.org/software/S0611) can make modifications to Registry keys.(Citation: Cybereason Clop Dec 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Clop](https://attack.mitre.org/software/S0611) has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Clop](https://attack.mitre.org/software/S0611) can enumerate network shares.(Citation: Mcafee Clop Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Clop](https://attack.mitre.org/software/S0611) has been packed to help avoid detection.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Clop](https://attack.mitre.org/software/S0611) can enumerate all processes on the victim's machine.(Citation: Mcafee Clop Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[Clop](https://attack.mitre.org/software/S0611) can kill several processes and services related to backups and security solutions.(Citation: Unit42 Clop April 2021)(Citation: Mcafee Clop Aug 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Clop](https://attack.mitre.org/software/S0611) can search for processes with antivirus and antimalware product names.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Clop](https://attack.mitre.org/software/S0611) can use code signing to evade detection.(Citation: Unit42 Clop April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Clop](https://attack.mitre.org/software/S0611) can use msiexec.exe to disable security tools on the system.(Citation: Cybereason Clop Dec 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[Clop](https://attack.mitre.org/software/S0611) has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function.(Citation: Mcafee Clop Aug 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Clop](https://attack.mitre.org/software/S0611) has used the sleep command to avoid sandbox detection.(Citation: Unit42 Clop April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Clop", "color": "#66b1ff"}]}