{"description": "Enterprise techniques used by MultiLayer Wiper, ATT&CK software S1135 (v1.0)", "name": "MultiLayer Wiper (S1135)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) uses a batch script launched via a scheduled task to delete Windows Event Logs.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) deletes files on network drives, but corrupts and overwrites with random data files stored locally.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1565", "showSubtechniques": true}, {"techniqueID": "T1565.001", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) changes the original path information of deleted files to make recovery efforts more difficult.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) opens a handle to \\\\\\\\\\\\\\\\.\\\\\\\\PhysicalDrive0 and wipes the first 512 bytes of data from this location, removing the boot sector.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) removes Windows event logs during execution.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) uses a batch file, remover.bat to delete malware artifacts and the batch file itself during execution.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems, or 1980.1.1 for all other filesystems.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) wipes the boot sector of infected systems to inhibit system recovery.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) contains two binaries in its resources section, MultiList and MultiWip. [MultiLayer Wiper](https://attack.mitre.org/software/S1135) drops and executes each of these items when run, then deletes them after execution.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) creates a malicious scheduled task that launches a batch file to remove Windows Event Logs.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1529", "comment": "[MultiLayer Wiper](https://attack.mitre.org/software/S1135) reboots the infected system following wiping and related tasks to prevent system recovery.(Citation: Unit42 Agrius 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MultiLayer Wiper", "color": "#66b1ff"}]}