{"description": "Enterprise techniques used by HermeticWiper, ATT&CK software S0697 (v1.1)", "name": "HermeticWiper (S0697)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`.(Citation: Qualys Hermetic Wiper March 2022)(Citation: Crowdstrike DriveSlayer February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1 CSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1> \\\\127.0.0.1\\ADMIN$\\_1636727589.6007507 2>&1` to deploy on an infected system.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can load drivers by creating a new service using the `CreateServiceW` API.(Citation: Crowdstrike DriveSlayer February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot, System`, `Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. [HermeticWiper](https://attack.mitre.org/software/S0697) can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can decompress and copy driver files using `LZCopy`.(Citation: Crowdstrike DriveSlayer February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to corrupt disk partitions and obtain raw disk access to destroy data.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: SentinelOne Hermetic Wiper February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.001", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to deploy through an infected system's default domain policy.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can enumerate common folders such as My Documents, Desktop, and AppData.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.006", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to set the `HKLM:\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl\\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can overwrite the `C:\\Windows\\System32\\winevt\\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to overwrite its own file with random bites.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can disable the VSS service on a compromised host using the service control manager.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has used the name `postgressql.exe` to mask a malicious payload.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to use scheduled tasks for execution.(Citation: Symantec Ukraine Wipers February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to stop the Volume Shadow Copy service.(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "The [HermeticWiper](https://attack.mitre.org/software/S0697) executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can determine the OS version, bitness, and enumerate physical drives on a targeted host.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can create system services to aid in executing the payload.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1529", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) can initiate a system shutdown.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HermeticWiper", "color": "#66b1ff"}]}