{
  "description": "Enterprise techniques used by Black Basta, ATT&CK software S1070 (v1.1)",
  "name": "Black Basta (S1070)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has used PowerShell scripts for discovery and to execute files over the network.(Citation: Trend Micro Black Basta May 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: NCC Group Black Basta June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can use `cmd.exe` to enable shadow copy deletion.(Citation: Deep Instinct Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can create a new service to establish persistence.(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can encrypt files with the ChaCha20 cipher, using a multithreaded process to increase speed.(Citation: Minerva Labs Black Basta May 2022)(Citation: BlackBerry Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Uptycs Black Basta ESXi June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: Check Point Black Basta October 2022) [Black Basta](https://attack.mitre.org/software/S1070) has also encrypted files while the victim system is in safe mode, appending `.basta` upon completion.(Citation: Trend Micro Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1622", "comment": "The [Black Basta](https://attack.mitre.org/software/S1070) dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1491", "showSubtechniques": true},
    {"techniqueID": "T1491.001", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has set the desktop wallpaper on victims' machines to display a ransom note.(Citation: Minerva Labs Black Basta May 2022)(Citation: BlackBerry Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "showSubtechniques": true},
    {"techniqueID": "T1480.002", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) will check for the presence of a hard-coded mutex `dsajdhas.0` before executing.(Citation: Deep Instinct Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can enumerate specific files for encryption.(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Uptycs Black Basta ESXi June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.002", "comment": "The [Black Basta](https://attack.mitre.org/software/S1070) binary can use `chmod` to gain full permissions to targeted files.(Citation: Uptycs Black Basta ESXi June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.009", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Palo Alto Networks Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can delete shadow copies using vssadmin.exe.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has established persistence by creating a new service named `FAX` after deleting the legitimate service by the same name.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "The [Black Basta](https://attack.mitre.org/software/S1070) dropper has mimicked an application for creating bootable USB drives.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has the ability to use native APIs for numerous functions including discovery and defense evasion.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Check Point Black Basta October 2022)(Citation: Trend Micro Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can use LDAP queries to connect to AD and iterate over connected workstations.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "The [Black Basta](https://attack.mitre.org/software/S1070) dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can enumerate volumes and collect system boot configuration and CPU information.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can check whether the service name `FAX` is present.(Citation: Cyble Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1529", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has used `ShellExecuteA` to shut down and restart the victim system.(Citation: Trend Micro Black Basta May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has been downloaded and executed from malicious Excel files.(Citation: Trend Micro Black Basta May 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can make a random number of calls to the `kernel32.beep` function to hinder log analysis.(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) can check system flags and libraries, process timing, and APIs to detect code emulation or sandboxing.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Check Point Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[Black Basta](https://attack.mitre.org/software/S1070) has used WMI to execute files over the network.(Citation: NCC Group Black Basta June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Black Basta", "color": "#66b1ff"}]
}