| ID | Aliases | Platforms | Year | Associated ATT&CK Software |
|---|---|---|---|---|
| X0019 | Rootkit.Tmphider, W32.Temphid | Windows | 2010 | Stuxnet |

# Stuxnet

Stuxnet is a worm that targets Windows hosts used to program and monitor SCADA/industrial control equipment. It spreads through network shares and removable drives, hides its components with a kernel-mode rootkit, and ultimately sabotages the industrial process controlled from the infected hosts.

## ATT&CK Techniques

| Name | Use |
|---|---|
| Execution::Shared Modules (T1129) | Stuxnet parses PE headers. [2] |

See ATT&CK: Stuxnet - Techniques Used.

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Defense Evasion::Hijack Execution Flow::Import Address Table Hooking (F0015.003) | Stuxnet hooks ntdll.dll to watch for requests to load specially crafted file names; such a load is redirected to a location that Stuxnet specifies, which is how it loads its own modules. [1] |
| Defense Evasion::Process Injection::Dynamic-link Library Injection (E1055.001) | Stuxnet injects an entire DLL into another process and then calls the required export. [1] |
| Discovery::System Information Discovery (E1082) | Stuxnet gathers information about each computer on the network (OS version, workgroup membership, computer name, domain or workgroup name, file name of the infected project file) in order to spread. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding (E1027.m01) | The configuration data block is encoded by XORing every byte with 0xFF (equivalent to a bitwise NOT). [1] |
| Defense Evasion::Rootkit::Kernel Mode Rootkit (E1014.m16) | Stuxnet registers custom kernel-mode drivers signed with a legitimate Realtek digital certificate. [1] |
| Defense Evasion::Process Injection::Injection and Persistence via Registry Modification (E1055.m02) | Stuxnet uses the Mrxcls.sys driver for persistence. It is registered as a boot-start service by creating the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls` with `"ImagePath" = "%System%\drivers\mrxcls.sys"`. [1] |
| Exfiltration::Archive Collected Data::Encoding - Custom Encoding (E1560.m04) | Exfiltrated payloads are XORed with a static 31-byte string embedded in Stuxnet and then hex-encoded so they can be passed as an ASCII data parameter in an HTTP request to the C2 servers. [1] |
| Defense Evasion::Hide Artifacts (E1564) | Stuxnet intercepts IRP requests (reads, writes) to NTFS, FAT and CD-ROM devices. It filters directory control IRPs, in particular directory query requests, so that when an application asks for the list of files it receives a Stuxnet-chosen subset of the true entries. These filters hide the files Stuxnet uses to spread through removable drives. [1] |
| Execution::Command and Scripting Interpreter (E1059) | Stuxnet stores SQL code on the Siemens WinCC database server (Microsoft SQL Server) that, via xp_cmdshell, extracts Stuxnet from the saved CAB file and executes it. [1] |
| Defense Evasion::Hijack Execution Flow::Procedure Hooking (F0015.007) | ~WTR4141.tmp hooks APIs in kernel32.dll and ntdll.dll, replacing the original function code with code that checks for files whose properties match Stuxnet's own files. If a request would list a file with those properties, the API response is altered to report that the file does not exist, hiding every file that matches. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Stuxnet encodes data using XOR. [2] |
| Discovery::System Information Discovery (E1082) | Stuxnet checks the OS version. [2] |
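The two hiding behaviours above (the filtered directory query in E1564 and the spoofed "file does not exist" answer in F0015.007) share one weakness: the hook only controls the path it sits on. The added example below, written for this page rather than taken from Stuxnet or the MBC, simulates both behaviours in memory and then applies the cross-view check a responder uses against them: obtain the listing through a path the hook filters and through one it cannot reach (for example a raw parse of the volume), and diff the two. The hiding rule (names of the form ~WTRnnnn.tmp and .lnk files) and the sample listing are constructed assumptions for illustration; the real filter's criteria are not reproduced here.

```python
"""
Added example (not code from the MBC page or from Stuxnet): a user-mode
simulation of a directory-listing filter and the cross-view diff that
detects it. Both "views" are in-memory lists of (name, size) tuples.
"""
import re
from typing import Callable, Iterable, List, Tuple

Entry = Tuple[str, int]  # (file name, size in bytes)

# Assumed illustration of the hidden-file rule; not the sample's real criteria.
HIDDEN_NAME = re.compile(r"^~WTR\d{4}\.tmp$|\.lnk$", re.IGNORECASE)


def is_hidden(entry: Entry) -> bool:
    """Hiding predicate the simulated hook applies to each entry."""
    name, _size = entry
    return HIDDEN_NAME.search(name) is not None


def filtered_directory_query(true_entries: Iterable[Entry],
                             hide: Callable[[Entry], bool] = is_hidden) -> List[Entry]:
    """What a hooked directory-query path returns: the true listing minus
    every entry the hiding rule matches (the E1564 behaviour)."""
    return [e for e in true_entries if not hide(e)]


def hooked_file_exists(name: str, true_entries: Iterable[Entry],
                       hide: Callable[[Entry], bool] = is_hidden) -> bool:
    """Existence check through the hooked path: a hidden file is reported
    as not existing even though it is on disk (the F0015.007 behaviour)."""
    for e in true_entries:
        if e[0].lower() == name.lower():
            return not hide(e)
    return False


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry]) -> List[Entry]:
    """Entries present in the raw (unhooked) view but absent from the API
    view. Any non-empty result is a hiding indicator that needs triage."""
    seen = {(n.lower(), s) for n, s in api_view}
    return sorted(e for e in raw_view if (e[0].lower(), e[1]) not in seen)


# --- constructed removable-drive listing (sample data, not real artefacts) ---
RAW_VIEW: List[Entry] = [
    ("report.docx", 18_432),
    ("shortcut.lnk", 4_096),
    ("~WTR4141.tmp", 25_720),
    ("~WTR4132.tmp", 513_536),
    ("notes.txt", 512),
]

if __name__ == "__main__":
    api_view = filtered_directory_query(RAW_VIEW)
    print("API view :", [n for n, _ in api_view])
    print("raw view :", [n for n, _ in RAW_VIEW])
    print("hidden   :", [n for n, _ in cross_view_diff(api_view, RAW_VIEW)])
    print("exists?  :", hooked_file_exists("~WTR4141.tmp", RAW_VIEW))
```

On a live host the "raw view" would come from a path the hook does not sit on (an offline image, a raw NTFS parse, or a boot from trusted media); the diff logic is the same.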

## MBC Behaviors

| Name | Use |
|---|---|
| Impact::Destroy Hardware (B0017) | Stuxnet drove the uranium-enrichment centrifuges at Iran's Natanz facility dangerously fast for 15 minutes before returning them to normal speed; about a month later it slowed them for 50 minutes. This cycle was repeated for several months, and the accumulated strain destroyed the machines. [1] |
| Process::Create Mutex (C0042) | Stuxnet creates global mutexes that signal that rootkit installation has succeeded. [1] |
| Process::Create Process::Create Process via WMI (C0017.002) | Stuxnet uses WMI operations under the explorer.exe token to copy itself to a remote share and execute it there. [1] |
| Execution::Conditional Execution::Host Fingerprint Check (B0025.004) | Before executing, Stuxnet profiles the host: it requires a supported 32-bit Windows version and checks specific registry keys and the current date. If the host is not a viable target, it exits. [1] |
| Anti-Behavioral Analysis::Emulator Detection (B0004) | The same profiling (32-bit Windows version, registry keys, current date) doubles as an environment check: a host that fails it is not treated as a real target, and Stuxnet exits instead of running. [1] |
| Data::Encode Data::XOR (C0026.002) | Stuxnet encodes data using XOR. [2] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | Stuxnet enumerates PE sections. [2] |
| File System::Delete File (C0047) | Stuxnet deletes files. [2] |
| Memory::Allocate Memory (C0007) | Stuxnet allocates RWX memory. [2] |
| Process::Terminate Process (C0018) | Stuxnet terminates processes. [2] |
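The XOR behaviours catalogued on this page (E1027.m01, the configuration block XORed with 0xFF; E1560.m04, exfiltrated payloads XORed with a static 31-byte key and hex-encoded; and the generic XOR encoding under E1027.m02 and C0026.002) are simple enough that an analyst should be able to reverse them from a captured request. The added example below, written for this page and not taken from Stuxnet or the MBC, implements both encodings as encode/decode pairs and pulls the data parameter out of a constructed HTTP request line. The 31-byte key, the payload and the request are constructed placeholders; the real key embedded in the sample is not reproduced.

```python
"""
Added example (not code from the MBC page or from Stuxnet): the two XOR
encodings described in the catalog entry, with their decoders.

  * configuration block: every byte XORed with 0xFF (a bitwise NOT)
  * exfiltration payload: XOR against a static 31-byte key that repeats
    over the payload, then hex-encoded so it fits in an ASCII HTTP
    parameter
"""
from itertools import cycle
import binascii
import re

KEY_LEN = 31
# Constructed placeholder key; the sample's real static key is not reproduced.
STATIC_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def not_xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xFF. The operation is its own inverse, so one
    function both encodes and decodes a configuration block."""
    return bytes(b ^ 0xFF for b in data)


def xor_with_key(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i % len(key)]."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_exfil(payload: bytes, key: bytes = STATIC_KEY) -> str:
    """XOR, then hex-encode: the ASCII form carried in the HTTP request."""
    return binascii.hexlify(xor_with_key(payload, key)).decode("ascii")


def decode_exfil(param: str, key: bytes = STATIC_KEY) -> bytes:
    """Reverse encode_exfil. Reject anything that is not an even-length hex
    string before unhexlifying, so a truncated capture fails loudly."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", param):
        raise ValueError("parameter is not an even-length hex string")
    return xor_with_key(binascii.unhexlify(param), key)


def extract_data_param(request_line: str) -> str:
    """Pull the 'data' query parameter out of a GET request line."""
    m = re.search(r"[?&]data=([0-9a-fA-F]+)", request_line)
    if not m:
        raise ValueError("no data parameter found")
    return m.group(1)


# --- constructed sample data (placeholders, not real traffic) ----------------
SAMPLE_PAYLOAD = b"OS=5.1.2600;HOST=WS01;DOMAIN=LAB;PROJECT=plant.s7p"
SAMPLE_REQUEST = "GET /index.php?data=" + encode_exfil(SAMPLE_PAYLOAD) + " HTTP/1.1"
SAMPLE_CONFIG = bytes.fromhex("deadbeef00ff10")

if __name__ == "__main__":
    print("config encoded :", not_xor_ff(SAMPLE_CONFIG).hex())
    print("config decoded :", not_xor_ff(not_xor_ff(SAMPLE_CONFIG)).hex())
    print("request        :", SAMPLE_REQUEST[:48], "...")
    print("exfil decoded  :", decode_exfil(extract_data_param(SAMPLE_REQUEST)))
```

Because both transformations are their own inverse, a detection rule can run the decoder over captured `data=` parameters and look for readable host-profile strings (OS version, host and domain names) rather than trying to match the encoded form.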

## Indicators of Compromise

### SHA256 Hashes

- 1e7d6cb0b1c29bf2caeb6983da647eb253d4764415ae8dfc493a75053dffe85f
- 9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8

## References

[1] Symantec Security Response, "W32.Stuxnet Dossier", https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en

[2] capa v4.0, sample analyzed at MITRE on 10/12/2022