{"description": "Enterprise techniques used by NotPetya, ATT&CK software S0368 (v2.0)", "name": "NotPetya (S0368)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1486", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) encrypts user files and disk structures like the MBR with 2048-bit RSA.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) searches for files ending with dozens of different file extensions prior to encryption.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) uses wevtutil to clear the Windows event logs.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) drops [PsExec](https://attack.mitre.org/software/S0029) with the filename dllhost.dat.(Citation: Talos Nyetya June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) contains a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) to help gather credentials that are later used for lateral movement.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: NCSC Joint Report Public Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) can use [PsExec](https://attack.mitre.org/software/S0029), which interacts with the ADMIN$ network share to execute commands on remote systems.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: PsExec Russinovich)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) creates a task to reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) determines if specific antivirus programs are running on an infected host machine.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) uses rundll32.exe to install itself on remote systems when accessed via [PsExec](https://attack.mitre.org/software/S0029) or wmic.(Citation: Talos Nyetya June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) can use [PsExec](https://attack.mitre.org/software/S0029) to help propagate itself across a network.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1529", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) will reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) can use valid credentials with [PsExec](https://attack.mitre.org/software/S0029) or wmic to spread itself to remote systems.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[NotPetya](https://attack.mitre.org/software/S0368) can use wmic to help propagate itself across a network.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by NotPetya", "color": "#66b1ff"}]}