{
  "description": "Enterprise techniques used by MegaCortex, ATT&CK software S0576 (v1.1)",
  "name": "MegaCortex (S0576)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1134", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) can enable SeDebugPrivilege and adjust token privileges.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1531", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has changed user account passwords and logged users off the system.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used .cmd scripts on the victim's system.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.(Citation: IBM MegaCortex)(Citation: mbed-crypto)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used a Base64 key to decode its components.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1561", "showSubtechniques": true},
    {"techniqueID": "T1561.001", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) can wipe deleted data from all drives using [cipher.exe](https://attack.mitre.org/software/S1205).(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) can parse the available drives and directories to determine which files to encrypt.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) was used to kill endpoint security processes.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has deleted volume shadow copies using vssadmin.exe.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has added entries to the Registry for ransom contact information.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "After escalating privileges, [MegaCortex](https://attack.mitre.org/software/S0576) calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.003", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used code signing certificates issued to fake companies to bypass security controls.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) loads injecthelper.dll into a newly created rundll32.exe process.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1489", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) can stop and disable services on the system.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used rundll32.exe to load a DLL for file encryption.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by MegaCortex", "color": "#66b1ff"}]
}
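The layer above is an ATT&CK Navigator layer file: each scored entry is one observed technique, and every scored sub-technique is paired with an unscored parent entry whose showSubtechniques flag expands it in the matrix view. The script below, added here as an example and not MITRE's or the Navigator project's code, parses a layer of this shape with only the Python standard library, lists the scored techniques with the markdown links stripped, collects the citation names, and flags the structural mistakes that silently hide rows in Navigator (a sub-technique with no parent entry, a parent left collapsed, a score outside the gradient range, a scored row with no citation). The embedded SAMPLE_LAYER is a constructed subset of the MegaCortex layer; the validation rules and the regular expressions are this example's own assumptions about the format, not a published schema.

```python
"""Parse and sanity-check an ATT&CK Navigator layer (added example; standard library only)."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")      # T1059 or T1059.003
CITATION = re.compile(r"\(Citation: ([^)]+)\)")           # (Citation: IBM MegaCortex)
MD_LINK = re.compile(r"\[([^\]]+)\]\([^)]+\)")            # [text](url) -> text

# Constructed sample: a trimmed copy of the MegaCortex layer's shape, embedded so this runs offline.
SAMPLE_LAYER = """
{"name": "MegaCortex (S0576)", "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "techniques": [
  {"techniqueID": "T1134", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) can enable SeDebugPrivilege and adjust token privileges.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1059", "showSubtechniques": true},
  {"techniqueID": "T1059.003", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has used .cmd scripts on the victim's system.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1490", "comment": "[MegaCortex](https://attack.mitre.org/software/S0576) has deleted volume shadow copies using vssadmin.exe.(Citation: IBM MegaCortex)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "legendItems": [{"label": "used by MegaCortex", "color": "#66b1ff"}]}
"""


def load_layer(text):
    """Parse layer JSON and require the top-level keys a Navigator layer needs."""
    layer = json.loads(text)
    for key in ("name", "domain", "techniques"):
        if key not in layer:
            raise ValueError(f"layer missing required key {key!r}")
    if not isinstance(layer["techniques"], list):
        raise ValueError("'techniques' must be a list")
    return layer


def strip_links(comment):
    """Reduce markdown links such as [MegaCortex](https://...) to their visible text."""
    return MD_LINK.sub(r"\1", comment)


def scored_techniques(layer):
    """(techniqueID, plain comment) for entries that carry a score, i.e. real observations."""
    return [(t["techniqueID"], strip_links(t.get("comment", "")).strip())
            for t in layer["techniques"] if "score" in t]


def citations(layer):
    """Set of citation names referenced anywhere in the layer's comments."""
    names = set()
    for t in layer["techniques"]:
        names.update(CITATION.findall(t.get("comment", "")))
    return names


def validate_layer(layer):
    """Return a list of human-readable problems; an empty list means the layer looks consistent."""
    problems = []
    grad = layer.get("gradient", {})
    lo, hi = grad.get("minValue", 0), grad.get("maxValue", 1)
    entries = {}
    for t in layer["techniques"]:
        tid = t.get("techniqueID")
        if tid in entries:
            problems.append(f"{tid}: duplicate entry")
        entries[tid] = t
    for tid, t in entries.items():
        if not isinstance(tid, str) or not TECHNIQUE_ID.match(tid):
            problems.append(f"{tid!r}: not a valid technique ID")
            continue
        if "score" in t and not (lo <= t["score"] <= hi):
            problems.append(f"{tid}: score {t['score']} outside gradient range [{lo}, {hi}]")
        if "score" in t and not CITATION.search(t.get("comment", "")):
            problems.append(f"{tid}: scored entry has no citation")
        if "." in tid:  # sub-technique: its parent row controls whether it is visible
            parent = tid.split(".")[0]
            if parent not in entries:
                problems.append(f"{tid}: parent {parent} has no entry")
            elif not entries[parent].get("showSubtechniques", False):
                problems.append(f"{tid}: parent {parent} has showSubtechniques false, row is collapsed")
    return problems


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    for tid, comment in scored_techniques(layer):
        print(f"{tid:<10} {comment}")
    print("citations:", sorted(citations(layer)))
    print("problems:", validate_layer(layer) or "none")
```

Run it against a full layer by replacing SAMPLE_LAYER with the file contents; the same checks are what you want before merging a hand-edited layer back into Navigator, since a sub-technique whose parent entry is missing or collapsed is not rejected, it simply does not render.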