{
  "description": "Enterprise techniques used by WannaCry, ATT&CK software S0366 (v1.1)",
  "name": "WannaCry (S0366)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) creates the service \"mssecsvc2.0\" with the display name \"Microsoft Security Center (2.0) Service.\"(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses [Tor](https://attack.mitre.org/software/S0183) for command and control traffic and routes a custom cryptographic protocol over the [Tor](https://attack.mitre.org/software/S0183) circuit.(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1210", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses an exploit in SMBv1 to spread itself to other remote systems on a network.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: US-CERT WannaCry 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.001", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls.(Citation: LogRhythm WannaCry)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses [attrib](https://attack.mitre.org/software/S1176) +h to make some of its files hidden.(Citation: LogRhythm WannaCry)(Citation: Checkpoint WannaCry 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) attempts to copy itself to remote computers after gaining access via an SMB exploit.(Citation: LogRhythm WannaCry)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1120", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.(Citation: FireEye WannaCry 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.003", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) uses [Tor](https://attack.mitre.org/software/S0183) for command and control traffic.(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1563", "showSubtechniques": true},
    {"techniqueID": "T1563.002", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) enumerates current remote desktop sessions and tries to execute the malware on each session.(Citation: LogRhythm WannaCry)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) scans its local network segment for remote systems to try to exploit and copy itself to.(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) will attempt to determine the local network segment it is a part of.(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[WannaCry](https://attack.mitre.org/software/S0366) utilizes wmic to delete shadow copies.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by WannaCry", "color": "#66b1ff"}]
}