{"description": "Enterprise techniques used by Diavol, ATT&CK software S0659 (v2.0)", "name": "Diavol (S0659)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has used HTTP GET and POST requests for C2.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can delete specified files from a targeted system.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1486", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has encrypted files using an RSA key through the `CryptEncrypt` API and has appended filenames with \".lock64\".(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "After encryption, [Diavol](https://attack.mitre.org/software/S0659) will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text \u201cAll your files are encrypted! For more information see \"README-FOR-DECRYPT.txt\"\u201d.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has a command to traverse the files and directories in a given path.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can attempt to stop security software.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can receive configuration updates and additional payloads including wscpy.exe from C2.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has an `ENMDSKS` command to enumerate available network shares.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has Base64 encoded the RSA public key used for encrypting files.(Citation: Fortinet Diavol July 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Diavol](https://attack.mitre.org/software/S0659) has used `CreateToolhelp32Snapshot`, `Process32First`, and `Process32Next` API calls to enumerate the running processes in the system.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can spread throughout a network via SMB prior to encryption.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can use the ARP table to find remote hosts to scan.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[Diavol](https://attack.mitre.org/software/S0659) will terminate services using the Service Control Manager (SCM) API.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can collect the computer name and OS version from the system.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can enumerate victims' local and external IPs when registering with C2.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Diavol](https://attack.mitre.org/software/S0659) can collect the username from a compromised host.(Citation: Fortinet Diavol July 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Diavol", "color": "#66b1ff"}]}