{"description": "Enterprise techniques used by WhisperGate, ATT&CK software S0689 (v1.2)", "name": "WhisperGate (S0689)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "The [WhisperGate](https://attack.mitre.org/software/S0689) third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `%TEMP%\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run`.(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can make an HTTPS connection to download additional files.(Citation: Unit 42 WhisperGate January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can use PowerShell to support multiple actions including execution and defense evasion.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can use `cmd.exe` to execute commands.(Citation: Unit 42 WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can use a Visual Basic script to exclude the `C:\\` drive from Windows Defender.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can corrupt files by overwriting the first 1 MB with `0xcc` and appending random extensions.(Citation: Microsoft WhisperGate January 2022)(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can overwrite sectors of a victim host's hard drive at periodic offsets.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.(Citation: Microsoft WhisperGate January 2022)(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1083", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can locate files based on hardcoded file extensions.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\\ drive.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can delete tools from a compromised host after execution.(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can download additional stages of malware from a Discord CDN channel.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) has been disguised as a JPG extension to avoid detection as a malicious PE file.(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) has used the `ExitWindowsEx` API to flush file buffers to disk and stop running processes, along with other API calls.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can enumerate connected remote logical drives.(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542", "showSubtechniques": true}, {"techniqueID": "T1542.003", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Microsoft WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1620", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689)'s downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.(Citation: RecordedFuture WhisperGate Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can recognize the presence of monitoring tools on a target system.(Citation: Unit 42 WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.004", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) has used `InstallUtil.exe` as part of its process to disable Windows Defender.(Citation: Unit 42 WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) has the ability to enumerate fixed logical drives on a targeted system.(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can download and execute AdvancedRun.exe via `sc.exe`.(Citation: Medium S2W WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1529", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can shut down a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag.(Citation: Cisco Ukraine Wipers January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", 
"comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can stop its execution when it recognizes the presence of certain monitoring tools.(Citation: Unit 42 WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can pause for 20 seconds to bypass antivirus solutions.(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[WhisperGate](https://attack.mitre.org/software/S0689) can download additional payloads hosted on a Discord channel.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by WhisperGate", "color": "#66b1ff"}]}