{"description": "Enterprise techniques used by ZeroCleare, ATT&CK software S1151 (v1.0)", "name": "ZeroCleare (S1151)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can receive command line arguments from an operator to corrupt the file system using the [RawDisk](https://attack.mitre.org/software/S0364) driver.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can use a malicious PowerShell script to bypass Windows controls.(Citation: IBM ZeroCleare Wiper December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can corrupt the file system and wipe the system drive on targeted hosts.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: IBM ZeroCleare Wiper December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned [RawDisk](https://attack.mitre.org/software/S0364) driver.(Citation: IBM ZeroCleare Wiper December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) has the ability to uninstall the [RawDisk](https://attack.mitre.org/software/S0364) driver and delete the `rwdsk` file on disk.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can call the `GetSystemDirectoryW` API to locate the system directory.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.(Citation: IBM ZeroCleare Wiper December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[ZeroCleare](https://attack.mitre.org/software/S1151) can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, `IOCTL_DISK_GET_DRIVE_GEOMETRY`, and `IOCTL_DISK_GET_LENGTH_INFO` system calls to compute disk size.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ZeroCleare", "color": "#66b1ff"}]}