{"description": "Enterprise techniques used by Akira, ATT&CK software S1129 (v2.0)", "name": "Akira (S1129)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Akira](https://attack.mitre.org/software/S1129) will execute PowerShell commands to delete system volume shadow copies.(Citation: Kersten Akira 2023)(Citation: CISA Akira Ransomware APR 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Akira](https://attack.mitre.org/software/S1129) executes from the Windows command line and can take various arguments for execution.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Akira](https://attack.mitre.org/software/S1129) can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers.(Citation: Kersten Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Akira](https://attack.mitre.org/software/S1129) examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.(Citation: Kersten Akira 2023)(Citation: Cisco Akira Ransomware OCT 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Akira](https://attack.mitre.org/software/S1129) will delete system volume shadow copies via PowerShell commands.(Citation: Kersten Akira 2023)(Citation: CISA Akira Ransomware APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Akira](https://attack.mitre.org/software/S1129) executes native Windows functions such as GetFileAttributesW and `GetSystemInfo`.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Akira](https://attack.mitre.org/software/S1129) can identify remote file shares for encryption.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Akira](https://attack.mitre.org/software/S1129) verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Akira](https://attack.mitre.org/software/S1129) uses the GetSystemInfo Windows function to determine the number of processors on a victim machine.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Akira](https://attack.mitre.org/software/S1129) will leverage COM objects accessed through WMI during execution to evade detection.(Citation: Kersten Akira 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Akira", "color": "#66b1ff"}]}