{
  "description": "Enterprise techniques used by Olympic Destroyer, ATT&CK software S0365 (v2.0)",
  "name": "Olympic Destroyer (S0365)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) contains a module that tries to obtain stored credentials from web browsers.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) overwrites files locally and on remote shares.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.001", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) will attempt to clear the System and Security event logs using wevtutil.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) attempts to copy itself to remote machines on the network.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) contains a module that tries to obtain credentials from LSASS, similar to [Mimikatz](https://attack.mitre.org/software/S0002). These credentials are used with [PsExec](https://attack.mitre.org/software/S0029) and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to help the malware propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses [PsExec](https://attack.mitre.org/software/S0029) to interact with the ADMIN$ network share to execute commands on remote systems.(Citation: Talos Olympic Destroyer 2018)(Citation: PsExec Russinovich)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to enumerate all systems in the network.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses the API call ChangeServiceConfigW to disable all services on the affected system.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses API calls to enumerate the infected system's ARP table.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) utilizes [PsExec](https://attack.mitre.org/software/S0029) to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1529", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) will shut down the compromised system after it is done modifying system configuration settings.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses WMI to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Olympic Destroyer", "color": "#66b1ff"}]
}