{
  "description": "Enterprise techniques used by Prestige, ATT&CK software S1058 (v1.0)",
  "name": "Prestige (S1058)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Prestige](https://attack.mitre.org/software/S1058) can use PowerShell for payload execution on targeted systems.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with `.enc`.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[Prestige](https://attack.mitre.org/software/S1058) can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "[Prestige](https://attack.mitre.org/software/S1058) can delete the backup catalog from the target system using: `c:\\Windows\\System32\\wbadmin.exe delete catalog -quiet` and can also delete volume shadow copies using: `\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet`.(Citation: Microsoft Prestige ransomware October 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has the ability to register new registry keys for a new extension handler via `HKCR\\.enc` and `HKCR\\enc\\shell\\open\\command`.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection.(Citation: Microsoft Prestige ransomware October 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has been executed on a target system through a scheduled task created by [Sandworm Team](https://attack.mitre.org/groups/G0034) using [Impacket](https://attack.mitre.org/software/S0357).(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1489", "comment": "[Prestige](https://attack.mitre.org/software/S1058) has attempted to stop the MSSQL Windows service to ensure successful encryption using `C:\\Windows\\System32\\net.exe stop MSSQLSERVER`.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Prestige", "color": "#66b1ff"}]
}