WhisperGate
Authored by
Kir
APT attack13. WhisperGate - Destructive Malware Targeting Ukrainian Government
- YARA rules
- Cleaning up the stage 3 sample
Samples and papers. Password for each archive: infected
ATT&CK Matrix
Matrix.json 39.46 KiB
{
"name": "WhisperGate",
"versions": {
"attack": "10",
"navigator": "4.5.5",
"layer": "4.3"
},
"domain": "enterprise-attack",
"description": "DEV-0586 APT attack13",
"filters": {
"platforms": [
"Windows",
"Network",
"PRE"
]
},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": true,
"showName": true,
"showAggregateScores": false,
"countUnscored": false
},
"hideDisabled": true,
"techniques": [
{
"techniqueID": "T1134",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1087",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1098",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1583",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1595",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1010",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1123",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1119",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1020",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1197",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1197",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1217",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1176",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1185",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1115",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1580",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1538",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1526",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1619",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059",
"tactic": "execution",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": true
},
{
"techniqueID": "T1059.001",
"tactic": "execution",
"color": "#e60d0d",
"comment": "The second stage of WhisperGate malware uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads [2].\n\npowershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\n\nDecoded: `Start-Sleep -s 10`",
"enabled": true,
"metadata": [],
"links": [
{
"label": "TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine",
"url": "https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine"
},
{
"label": "MSTIC: Destructive malware targeting Ukrainian organizations ",
"url": "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
},
{
"label": "CrowdStrice: Technical Analysis of the WhisperGate Malicious Bootloader",
"url": "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/"
}
],
"showSubtechniques": false
},
{
"techniqueID": "T1059.003",
"tactic": "execution",
"color": "#e60d0d",
"comment": "The first stage of WhisperGate malware uses the following Windows Command Shell command to execute the destructive malware:\n\n`cmd.exe /Q /c start c:\\stage1.exe 1> \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2>&1`\n",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.005",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.006",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.007",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.008",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1092",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1586",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1554",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1584",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1613",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1136",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1555",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1074",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1030",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1530",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1602",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1213",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1005",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1039",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1025",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1140",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1587",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1006",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1561",
"tactic": "impact",
"color": "#e60d0d",
"comment": "The first stage of WhisperGate overwrites the Master Boot Record for impact. When the MBR is overwritten, the infected system does not boot up after power down.\n\nThe second stage of WhisperGate overwrites files and adversely affects their integrity. Also, the malware renames the files to further its impact.",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1482",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1573",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1585",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1480",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1041",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1011",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1052",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1567",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1203",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1212",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1211",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1133",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1133",
"tactic": "initial-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1008",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1083",
"tactic": "discovery",
"color": "#e60d0d",
"comment": "The second stage of WhisperGate searches for specific file extensions in certain directories to alter their content.",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1222",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1495",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1187",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1606",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1589",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1590",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1591",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1615",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1202",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"color": "#e60d0d",
"comment": "The second stage of WhisperGate download file corruptor payload from Discord channel hosted by the APT group. The download link for the malicious executable is hardcoded in the stage2.exe. ",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1490",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1559",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1112",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1601",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1104",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1106",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1599",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1498",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1046",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1135",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1571",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027",
"tactic": "defense-evasion",
"color": "#e60d0d",
"comment": "The second stage of WhisperGate malware delivers PowerShell commands in Base64 ",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1588",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1201",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1120",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1069",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1598",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542",
"tactic": "defense-evasion",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": true
},
{
"techniqueID": "T1542",
"tactic": "persistence",
"color": "#e60d0d",
"comment": "",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": true
},
{
"techniqueID": "T1542.001",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.001",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.002",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.002",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.003",
"tactic": "persistence",
"color": "#e60d0d",
"comment": "The first stage of WhisperGate modifies the Master Boot Record (MBR). Since the altered MBR is the first section of the disk after completing hardware initialization by the BIOS, the malware evades defense.",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.003",
"tactic": "defense-evasion",
"color": "#e60d0d",
"comment": "The first stage of WhisperGate modifies the Master Boot Record (MBR). Since the altered MBR is the first section of the disk after completing hardware initialization by the BIOS, the malware evades defense.",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.004",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.004",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.005",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.005",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1057",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1572",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1012",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1620",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1018",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1496",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1207",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1029",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1113",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1597",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1596",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1593",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1594",
"tactic": "reconnaissance",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1489",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1129",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1216",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1072",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1072",
"tactic": "lateral-movement",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1518",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1608",
"tactic": "resource-development",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1539",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1195",
"tactic": "initial-access",
"color": "#e6d60d",
"comment": "",
"enabled": true,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1082",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1614",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1016",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1049",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1033",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1007",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1569",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1529",
"tactic": "impact",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1124",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1221",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1537",
"tactic": "exfiltration",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1127",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1111",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552",
"tactic": "credential-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550",
"tactic": "lateral-movement",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1204",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "persistence",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "privilege-escalation",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "initial-access",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1125",
"tactic": "collection",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497",
"tactic": "discovery",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1600",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1047",
"tactic": "execution",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
},
{
"techniqueID": "T1220",
"tactic": "defense-evasion",
"color": "",
"comment": "",
"enabled": false,
"metadata": [],
"links": [],
"showSubtechniques": false
}
],
"gradient": {
"colors": [
"#ff6666ff",
"#ffe766ff",
"#8ec843ff"
],
"minValue": 0,
"maxValue": 100
},
"legendItems": [],
"metadata": [
{
"name": "APT",
"value": "attack13"
}
],
"links": [],
"showTacticRowBackground": false,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": true,
"selectSubtechniquesWithParent": false
}
clean_stage3.py 146 B
wiper_whispergate.yar 4.81 KiB