{"description": "Enterprise techniques used by ROADSWEEP, ATT&CK software S1150 (v1.0)", "name": "ROADSWEEP (S1150)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) has been placed in the startup folder to trigger execution upon user login.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can open cmd.exe to enable command execution.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can RC4 encrypt content in blocks on targeted systems.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) has dropped ransom notes in targeted folders prior to encrypting the files.(Citation: Microsoft Albanian Government Attacks September 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can decrypt embedded scripts prior to execution.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": 
"[ROADSWEEP](https://attack.mitre.org/software/S1150) requires four command-line arguments to execute correctly; otherwise it will produce a message box and halt execution.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or .lck extensions.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can use embedded scripts to remove itself from the infected host.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) has the ability to disable `SystemRestore` and Volume Shadow Copies.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can pipe command output to a targeted process.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "The [ROADSWEEP](https://attack.mitre.org/software/S1150) binary contains RC4 encrypted embedded scripts.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can identify removable drives attached to the victim's machine.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can disable critical services and processes.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[ROADSWEEP](https://attack.mitre.org/software/S1150) can enumerate logical drives on targeted devices.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ROADSWEEP", "color": "#66b1ff"}]}