{"description": "Enterprise techniques used by BlackCat, ATT&CK software S1068 (v1.0)", "name": "BlackCat (S1068)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can bypass UAC to escalate privileges.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to modify access tokens.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can utilize `net use` commands to identify domain users.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can execute commands on a compromised network using `cmd.exe`.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to encrypt Windows devices, Linux devices, and VMware instances.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can change the desktop wallpaper on compromised hosts.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to wipe VM snapshots on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can enumerate files for encryption.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.001", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` (which enables evaluation of remote-to-local symbolic links) to redirect file system access to a different location after gaining access to compromised networks.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can clear Windows event logs using `wevtutil.exe`.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can delete shadow copies using `vssadmin.exe delete shadows /all /quiet` and `wmic.exe Shadowcopy Delete`; it can also disable automatic Windows recovery by modifying the boot configuration with `bcdedit /set {default} recoveryenabled No`.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can replicate itself across connected servers via `psexec`.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": 
"[BlackCat](https://attack.mitre.org/software/S1068) has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters`.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to discover network shares on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can determine if a user on a compromised host has domain admin privileges.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can broadcast NetBIOS Name Service (NBNS) messages to search for servers connected to compromised networks.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to stop VM services on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can obtain the computer name and UUID, and enumerate local drives.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can utilize `net use` commands to discover the user name on a compromised host.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[BlackCat](https://attack.mitre.org/software/S1068) can use `wmic.exe` to delete shadow copies on compromised networks.(Citation: Microsoft BlackCat Jun 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BlackCat", "color": "#66b1ff"}]}
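Detection angle on the command lines the layer above quotes, as an added example that is not part of the ATT&CK layer and not BlackCat's or any vendor's code: a small Python scanner that normalises process-creation command lines, matches them against signatures built only from the commands cited under T1490 (`vssadmin`, `wmic shadowcopy`, `bcdedit`), T1070.001 (`wevtutil`) and T1222.001 (`fsutil ... SymLinkEvaluation R2L:1`), and maps each hit back to the technique ID the layer attributes it to. The key=value log format, host names, user names and timestamps are constructed for the demonstration and are not a real Sysmon or 4688 export. Commands the layer names without a distinguishing command line (`net use`, `psexec`, NBNS broadcasts) are deliberately left out because a bare string match on them would mostly be noise.

```python
"""Added example (not MITRE's or BlackCat's code): match the BlackCat command
lines cited in the ATT&CK layer against process-creation telemetry and map
each hit back to the technique ID the layer attributes it to."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed process-creation records in an assumed key=value format.
# The five WS01 lines are the commands quoted in the layer comments; the two
# WS02 lines are benign look-alikes (list/query instead of delete/clear).
SAMPLE_LOG: List[str] = [
    '2022-06-13T10:01:02Z host=WS01 user=CORP\\jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2022-06-13T10:01:03Z host=WS01 user=CORP\\jdoe parent=cmd.exe cmd="C:\\Windows\\System32\\wbem\\wmic.exe   Shadowcopy Delete"',
    '2022-06-13T10:01:04Z host=WS01 user=CORP\\jdoe parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    '2022-06-13T10:01:05Z host=WS01 user=CORP\\jdoe parent=cmd.exe cmd="fsutil behavior set SymLinkEvaluation R2L:1"',
    '2022-06-13T10:01:06Z host=WS01 user=CORP\\jdoe parent=cmd.exe cmd="wevtutil.exe cl Security"',
    '2022-06-13T10:05:00Z host=WS02 user=CORP\\backup parent=services.exe cmd="vssadmin.exe list shadows"',
    '2022-06-13T10:06:00Z host=WS02 user=CORP\\admin parent=powershell.exe cmd="wevtutil.exe qe Security /c:5"',
]

# (technique ID from the layer, short label, regex over the normalised command line).
# Normalisation lower-cases and collapses whitespace, so case tricks and padded
# arguments like "wmic.exe   Shadowcopy Delete" still match. The optional
# "(\.exe)?" and the leading \b tolerate full paths such as C:\...\wmic.exe.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490", "bcdedit recoveryenabled No",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("T1070.001", "wevtutil clear-log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+")),
    ("T1222.001", "fsutil SymLinkEvaluation R2L:1",
     re.compile(r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b.*\br2l:1\b")),
]

# Parser for the assumed record format; the cmd field is the quoted remainder.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Alert:
    technique: str
    label: str
    ts: str
    host: str
    user: str
    cmd: str


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one record into fields; None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace runs so signatures are case/padding tolerant."""
    return " ".join(cmd.split()).lower()


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert per (record, signature) match, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        cmd = normalise(rec["cmd"])
        for technique, label, pattern in SIGNATURES:
            if pattern.search(cmd):
                alerts.append(Alert(technique, label, rec["ts"], rec["host"], rec["user"], rec["cmd"]))
    return alerts


def techniques_hit(alerts: List[Alert]) -> Set[str]:
    """Set of ATT&CK technique IDs observed, for comparison against the layer."""
    return {a.technique for a in alerts}


def hosts_with_inhibit_recovery(alerts: List[Alert]) -> Set[str]:
    """Hosts that ran at least one T1490 command: a strong pre-encryption signal."""
    return {a.host for a in alerts if a.technique == "T1490"}


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user} {a.technique} ({a.label}): {a.cmd}")
```

Run as a script it lists the five WS01 hits and nothing for WS02, since `vssadmin list shadows` and `wevtutil qe` fail the delete/clear requirement. In practice the same signatures translate directly into a Sigma `process_creation` rule keyed on `CommandLine|contains|all`; the normalisation step here stands in for the case-insensitive matching a SIEM would do for you.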