{"description": "Enterprise techniques used by LockBit 3.0, ATT&CK software S1202 (v1.0)", "name": "LockBit 3.0 (S1202)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use HTTP to send victim host information to C2.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.004", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can enable automatic logon through the `SOFTWARE\\Microsoft\\Windows\nNT\\CurrentVersion\\Winlogon` Registry key.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use PowerShell to apply Group Policy changes.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can install system services for persistence.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can Base64-encode C2 communication.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "The [LockBit 3.0](https://attack.mitre.org/software/S1202) payload is decrypted at runtime.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can enable options for propogation through Group Policy Objects.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can encrypt C2 communications with AES.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can make execution dependent on specific parameters including a unique passphrase and the system language of the targeted host not being found on a set exclusion list. (Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can create and check for a mutex containing a hash of the `MachineGUID` value at execution to prevent running more than one instance.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can exclude files associated with core system functions from encryption.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can disable security tools to evade detection including Windows Defender.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.009", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can reboot the infected host into Safe Mode.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can delete log files on targeted systems.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can delete itself from disk.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can delete volume shadow copies.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)\n\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) has the ability to directly call native Windows API items during execution.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can identify network shares on compromised systems.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use code packing to hinder analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "The [LockBit 3.0](https://attack.mitre.org/software/S1202) payload includes an encrypted main component.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) has the ability to discover external storage devices.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can identify and terminate specific services.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use SMB for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.003", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can attempt a CMSTP UAC bypass if it does not have administrative privileges.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can enumerate system hostname, domain, and local drive configuration.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) will not affect machines with language settings matching a defined exlusion list of mainly Eastern European languages.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use [PsExec](https://attack.mitre.org/software/S0029) to execute commands and payloads.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "[LockBit 3.0](https://attack.mitre.org/software/S1202) can use a compromised local account for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LockBit 3.0", "color": "#66b1ff"}]}