{"description": "Enterprise techniques used by DEADWOOD, ATT&CK software S1134 (v1.0)", "name": "DEADWOOD (S1134)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1531", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) changes the password for local and domain users via net.exe to a random 32 character string to prevent these accounts from logging on. Additionally, [DEADWOOD](https://attack.mitre.org/software/S1134) will terminate the winlogon.exe process to prevent attempts to log on to the infected system.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1485", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) overwrites files on victim systems with random data to effectively destroy them.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) XORs some strings within the binary using the value 0xD5, and deobfuscates these items at runtime.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) deletes files following overwriting them with random data.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) opens and writes zeroes to the first 512 bytes of each drive, deleting the MBR.\n[DEADWOOD](https://attack.mitre.org/software/S1134) then sends the control code IOCTL_DISK_DELETE_DRIVE_LAYOUT to ensure the MBR is removed from the drive.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) will attempt to masquerade its service execution using benign-looking names such as ScDeviceEnums.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) contains an embedded, AES-encrypted payload labeled METADATA that provides configuration information for follow-on execution.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) can be executed as a service using various names, such as ScDeviceEnums.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1124", "comment": "[DEADWOOD](https://attack.mitre.org/software/S1134) will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed.\nIf the timestamp is in the past, the wiper will execute immediately.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DEADWOOD", "color": "#66b1ff"}]}