{"description": "Enterprise techniques used by Pysa, ATT&CK software S0583 (v1.0)", "name": "Pysa (S0583)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1110", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has used brute force attempts against a central management console, as well as some Active Directory accounts.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has used Powershell scripts to deploy its ransomware.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has used Python scripts to deploy ransomware.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has the capability to stop antivirus services and disable Windows Defender.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has deleted batch files after execution.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has the functionality to delete shadow copies.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has executed a malicious executable by naming it svchost.exe.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has modified the registry key \u201cSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\u201d and added the ransom note.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Pysa](https://attack.mitre.org/software/S0583) can perform network reconnaissance using the Advanced Port Scanner tool.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Pysa](https://attack.mitre.org/software/S0583) can perform OS credential dumping using [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has laterally moved using RDP connections.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Pysa](https://attack.mitre.org/software/S0583) can stop services and processes.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Pysa](https://attack.mitre.org/software/S0583) can perform network reconnaissance using the Advanced IP Scanner tool.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has used [PsExec](https://attack.mitre.org/software/S0029) to copy and execute the ransomware.(Citation: CERT-FR PYSA April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Pysa](https://attack.mitre.org/software/S0583) has extracted credentials from the password database before encrypting the files.(Citation: CERT-FR PYSA April 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Pysa", "color": "#66b1ff"}]}