{"description": "Enterprise techniques used by KillDisk, ATT&CK software S0607 (v1.2)", "name": "KillDisk (S0607)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has attempted to get the access token of a process by calling OpenProcessToken. If [KillDisk](https://attack.mitre.org/software/S0607) gets the access token, then it attempts to modify the token privileges with AdjustTokenPrivileges.(Citation: Trend Micro KillDisk 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1485", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) deletes system files to make the OS unbootable. [KillDisk](https://attack.mitre.org/software/S0607) also targets and deletes files with 35 different file extensions.(Citation: ESEST Black Energy Jan 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1486", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.(Citation: KillDisk Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) overwrites the first sector of the Master Boot Record with \u201c0x00\u201d.(Citation: Trend Micro KillDisk 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has used the FindNextFile command as part of its file deletion process.(Citation: Trend Micro KillDisk 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": 
"[KillDisk](https://attack.mitre.org/software/S0607) deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has the ability to quit and delete itself.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) registers as a service under the Plug-And-Play Support name.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has called the Windows API to retrieve the hard disk handle and shut down the machine.(Citation: Trend Micro KillDisk 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) uses VMProtect to make reverse engineering the malware more difficult.(Citation: Trend Micro KillDisk 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) has called GetCurrentProcess.(Citation: Trend Micro KillDisk 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) terminates various processes to get the user to reboot the victim machine.(Citation: Trend Micro KillDisk 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) loads and executes functions from a DLL.(Citation: Trend Micro KillDisk 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1082", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) retrieves the hard disk name by calling the CreateFileA API on \\\\.\\PHYSICALDRIVE0.(Citation: Trend Micro KillDisk 1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[KillDisk](https://attack.mitre.org/software/S0607) attempts to reboot the machine by terminating specific processes.(Citation: Trend Micro KillDisk 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by KillDisk", "color": "#66b1ff"}]}