{"description": "Enterprise techniques used by Stuxnet, ATT&CK software S0603 (v1.4)", "name": "Stuxnet (S0603)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates user accounts of the local host.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates user accounts of the domain.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses HTTP to communicate with a command and control server. \n(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) encrypts exfiltrated data via C2 with static 31-byte long XOR keys.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a driver registered as a boot start service as the main load-point.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) decrypts resources that are loaded into memory and executed.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. [Stuxnet](https://attack.mitre.org/software/S0603) also uses a 31-byte long static byte string to XOR data sent to command and control servers. \nThe servers use a different static key to encrypt replies to the implant.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) sends compromised victim information via HTTP.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) has the ability to generate new C2 domains.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a driver to scan for specific filesystem driver objects.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) reduces the integrity level of objects to allow write actions.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) can delete OLE Automation and SQL stored procedures used to store malicious payloads.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) extracts and writes driver files that match the times of other legitimate files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1570", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) can create registry keys to load driver files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": 
"[Stuxnet](https://attack.mitre.org/software/S0603) uses the SetSecurityDescriptorDacl API to reduce object integrity levels.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates the directories of a network resource.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses encrypted configuration blocks and writes encrypted files to disk.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates removable drives for infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) injects an entire DLL into an existing, newly created, or preselected trusted process.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) installs an RPC server for P2P communications.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) searches the Registry for indicators of security programs.(Citation: Nicolas Falliere, 
Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) can propagate via peer-to-peer communication and updates using RPC.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) propagates to available network shares.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1014", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a Windows rootkit to mask its binaries and other relevant files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) schedules a network job to execute two minutes after host infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) used xp_cmdshell to store and execute SQL code.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": 
"[Stuxnet](https://attack.mitre.org/software/S0603) calls LoadLibrary then executes exports from a DLL.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates the currently running processes related to a variety of security products.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) used a digitally signed driver with a compromised Realtek certificate.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) collects system information including computer and domain names, OS version, and S7P paths.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) collects the IP address of a compromised system.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) collects the time and date of a system when it is infected.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1080", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) infects remote servers via network shares and by infecting WinCC database views with malicious 
code.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.001", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) infected WinCC machines via a hardcoded database server password.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to access network resources with a domain account\u2019s credentials.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Stuxnet](https://attack.mitre.org/software/S0603) used WMI with an explorer.exe token to execute on a remote share.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Stuxnet", "color": "#66b1ff"}]}