{
  "description": "Enterprise techniques used by Meteor, ATT&CK software S0688 (v1.0)",
  "name": "Meteor (S0688)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1531", "comment": "[Meteor](https://attack.mitre.org/software/S0688) has the ability to change the password of local users on compromised hosts and can log off users.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use PowerShell commands to disable the network adapters on victim machines.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can fill a victim's files and directories with zero bytes in place of the real content before deleting them.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1491", "showSubtechniques": true},
    {"techniqueID": "T1491.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can change both the desktop wallpaper and the lock screen image to a custom image.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use group policy to push a scheduled task from the AD to all network machines.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can hide its console window upon execution to decrease its visibility to a victim.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use [Wevtutil](https://attack.mitre.org/software/S0645) to remove Security, System and Application Event Viewer logs.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Meteor](https://attack.mitre.org/software/S0688) will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Meteor](https://attack.mitre.org/software/S0688) has the ability to download additional files for execution on the victim's machine.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Meteor](https://attack.mitre.org/software/S0688) has been disguised as the Windows Power Efficiency Diagnostics report tool.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use `WinAPI` to remove a victim machine from an Active Directory domain.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can check if a specific process is running, such as Kaspersky's `avp.exe`.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Meteor](https://attack.mitre.org/software/S0688) execution begins from a scheduled task named `Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1489", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }\" > NUL`.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Meteor](https://attack.mitre.org/software/S0688) has the ability to search for Kaspersky Antivirus on a victim's machine.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Meteor](https://attack.mitre.org/software/S0688) has the ability to discover the hostname of a compromised host.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Meteor](https://attack.mitre.org/software/S0688) can use `wmic.exe` as part of its effort to delete shadow copies.(Citation: Check Point Meteor Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Meteor", "color": "#66b1ff"}]
}