{
  "description": "Enterprise techniques used by LockBit 2.0, ATT&CK software S1199 (v1.0)",
  "name": "LockBit 2.0 (S1199)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can bypass UAC through creating the Registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration`.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can use a Registry Run key to establish persistence at startup.(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can use the PowerShell module `InvokeGPUpdate` to modify Group Policy.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can use the Windows command shell for multiple post-compromise actions on objective.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) has been observed creating accounts for persistence using simple names like \"a\".(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1486", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data.(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: SentinelOne LockBit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can decode scripts and strings in loaded modules.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can exclude files associated with core system functions from encryption.(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can execute command line arguments in a hidden window.(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can disable firewall rules and anti-malware and monitoring software including Windows Defender.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can delete log files through the use of wevtutil.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)(Citation: SentinelOne LockBit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can delete itself from disk after execution.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) has the ability to delete volume shadow copies on targeted hosts.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason Lockbit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can create Registry keys to bypass UAC and for persistence.(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can discover remote shares.(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1120", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) has the ability to identify mounted external storage devices.(Citation: FBI Lockbit 2.0 FEB 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: SentinelOne LockBit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) has the ability to move laterally via SMB.(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: SentinelOne LockBit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can be executed via scheduled task.(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1489", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can automatically terminate processes that may interfere with the encryption or file extraction processes.(Citation: SentinelOne LockBit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can enumerate system information including hostname, domain information, and local drive configuration.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can check if a targeted machine is using a set of Eastern European languages and exit without infection if so.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[LockBit 2.0](https://attack.mitre.org/software/S1199) can use wmic.exe to delete volume shadow copies.(Citation: Cybereason Lockbit 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by LockBit 2.0", "color": "#66b1ff"}]
}