ID | X0019 |
Aliases | Rootkit.Tmphider, W32.Temphid |
Platforms | Windows |
Year | 2010 |
Associated ATT&CK Software | Stuxnet |
Stuxnet is a malicious worm targeting SCADA systems.
Name | Use |
---|---|
Execution::Shared Modules (T1129) | Stuxnet parses PE headers. [2] |
See ATT&CK: Stuxnet - Techniques Used.
Name | Use |
---|---|
Defense Evasion::Hijack Execution Flow::Import Address Table Hooking (F0015.003) | Stuxnet hooks ntdll.dll to monitor for requests to load specially crafted file names, which are mapped to a location specified by Stuxnet. [1] |
Defense Evasion::Process Injection::Dynamic-link Library Injection (E1055.001) | Stuxnet injects the entire DLL into another process and then calls the particular export. [1] |
Discovery::System Information Discovery (E1082) | Stuxnet gathers information (OS version, workgroup status, computer name, domain/workgroup name, file name of infected project file) about each computer in the network to spread itself. [1] |
Defense Evasion::Obfuscated Files or Information::Encoding (E1027.m01) | The configuration data block is encoded with a bitwise NOT, i.e. an XOR with 0xFF. [1] |
Defense Evasion::Rootkit::Kernel Mode Rootkit (E1014.m16) | Stuxnet registers custom resource drivers signed with a legitimate Realtek digital certificate. [1] |
Defense Evasion::Process Injection::Injection and Persistence via Registry Modification (E1055.m02) | Stuxnet uses the Mrxcls.sys driver for persistence. It is registered as a boot-start service by creating the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys". [1] |
Exfiltration::Archive Collected Data::Encoding - Custom Encoding (E1560.m04) | Stuxnet exfiltrated payloads are XORed with a static 31-byte long byte string found inside Stuxnet and hexified in order to be passed on as an ASCII data parameter in an HTTP request to the C2 servers. [1] |
Defense Evasion::Hide Artifacts (E1564) | Stuxnet intercepts IRP requests (reads, writes) to devices (NTFS, FAT, CD-ROM). It monitors directory control IRPs, in particular directory query notifications, such that when an application requests the list of files, it returns a Stuxnet-specified subset of the true items. These filters hide the files used by Stuxnet to spread through removable drives. [1] |
Execution::Command and Scripting Interpreter (E1059) | Stuxnet will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell. [1] |
Defense Evasion::Hijack Execution Flow::Procedure Hooking (F0015.007) | WTR4141.tmp hooks APIs from kernel32.dll and ntdll.dll and replaces the original code for these functions with code that checks for files with properties pertaining to Stuxnet files. If a request is made to list a file with the specified properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all files with these properties. [1] |
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Stuxnet encodes data using XOR. [2] |
Discovery::System Information Discovery (E1082) | Stuxnet checks OS version. [2] |
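As an added example (not code from the MBC entry or from the Symantec dossier), the following models the two XOR-based encodings the table describes, the NOT/XOR 0xFF configuration block and the XOR-then-hexify exfiltration parameter, from the analyst's side: decoding a captured block or HTTP parameter. The 31-byte key is a constructed placeholder, since the real key is not given on this page and must be recovered from a sample.

```python
# Added example, not from the MBC page or the Symantec dossier.
# Decoders for the two encodings the Stuxnet entry describes.
from itertools import cycle


def decode_config_block(block: bytes) -> bytes:
    """Undo the bitwise NOT (XOR 0xFF) applied to the configuration data block.

    NOT is its own inverse, so the same function also re-encodes a block."""
    return bytes(b ^ 0xFF for b in block)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; one function both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def encode_exfil_param(payload: bytes, key: bytes) -> str:
    """Model the described exfiltration encoding: XOR with the static key,
    then hexify so the result can ride as an ASCII parameter in an HTTP request."""
    return xor_with_key(payload, key).hex()


def decode_exfil_param(param: str, key: bytes) -> bytes:
    """Analyst side: un-hexify a captured parameter and strip the XOR layer.

    Rejects input that is not valid hex (odd length, non-hex characters)."""
    try:
        raw = bytes.fromhex(param)
    except ValueError as exc:
        raise ValueError("parameter is not valid hex") from exc
    return xor_with_key(raw, key)


# CONSTRUCTED placeholder key, 31 bytes long as the page states; not the real key.
PLACEHOLDER_KEY = bytes(range(0x41, 0x41 + 31))


if __name__ == "__main__":
    # Constructed sample: a short "report" as the worm might send it.
    sample = b"OS=5.1;HOST=WS01;PROJECT=a.s7p"
    param = encode_exfil_param(sample, PLACEHOLDER_KEY)
    print("hex parameter:", param)
    print("decoded      :", decode_exfil_param(param, PLACEHOLDER_KEY))
    print("config NOT   :", decode_config_block(b"\x00\xff\x41").hex())
```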
Name | Use |
---|---|
Impact::Destroy Hardware (B0017) | Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes, before returning to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. This was repeated for several months, and over time the strain destroyed the machines. [1] |
Process::Create Mutex (C0042) | Malware creates global mutexes that signal rootkit installation has occurred successfully. [1] |
Process::Create Process::Create Process via WMI (C0017.002) | Stuxnet will use WMI operations with the explorer.exe token in order to copy itself and execute on the remote share. [1] |
Execution::Conditional Execution::Host Fingerprint Check (B0025.004) | Stuxnet checks for specific operating systems on 32-bit machines, registry keys, and dates to profile a potential target machine before execution. If the conditions are not met to be considered a viable target, it will exit execution. [1] |
Anti-Behavioral Analysis::Emulator Detection (B0004) | Stuxnet checks for specific operating systems on 32-bit machines, registry keys, and dates to profile a potential target machine before execution. If the conditions are not met to be considered a viable target, it will exit execution. [1] |
Data::Encode Data::XOR (C0026.002) | Stuxnet encodes data using XOR. [2] |
Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Stuxnet enumerates PE sections. [2] |
File System::Delete File (C0047) | Stuxnet deletes files. [2] |
Memory::Allocate Memory (C0007) | Stuxnet allocates RWX memory. [2] |
Process::Terminate Process (C0018) | Stuxnet terminates processes. [2] |
SHA256 Hashes
- 1e7d6cb0b1c29bf2caeb6983da647eb253d4764415ae8dfc493a75053dffe85f
- 9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[2] capa v4.0, analyzed at MITRE on 10/12/2022