{
  "description": "Enterprise techniques used by Avaddon, ATT&CK software S0640 (v1.0)",
  "name": "Avaddon (S0640)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) bypasses UAC using the CMSTPLUA COM interface.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) uses registry run keys for persistence.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has been executed through a malicious JScript downloader.(Citation: Hornet Security Avaddon June 2020)(Citation: Awake Security Avaddon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) encrypts the victim system using a combination of AES256 and RSA encryption schemes.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has decrypted encrypted strings.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has searched for specific files prior to encryption.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop anti-malware solutions.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) deletes backups and shadow copies using native system tools.(Citation: Hornet Security Avaddon June 2020)(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) modifies several registry keys for persistence and UAC bypass.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has used the Windows Crypto API to generate an AES key.(Citation: Hornet Security Avaddon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has enumerated shared folders and mapped volumes.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has used encrypted strings.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) has collected information about running processes.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop database processes.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.(Citation: Arxiv Avaddon Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) can collect the external IP address of the victim.(Citation: Awake Security Avaddon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Avaddon](https://attack.mitre.org/software/S0640) uses wmic.exe to delete shadow copies.(Citation: Hornet Security Avaddon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Avaddon", "color": "#66b1ff"}]
}