Field | Value |
---|---|
ID | X0019 |
Aliases | Rootkit.Tmphider, W32.Temphid |
Platforms | Windows |
Year | 2010 |
Associated ATT&CK Software | Stuxnet |
A malicious worm targeting SCADA systems.
See ATT&CK: Stuxnet - Techniques Used.
Name | Use |
---|---|
Defense Evasion::Hijack Execution Flow::Import Address Table Hooking (F0015.003) | Stuxnet hooks ntdll.dll to monitor for requests to load specially crafted file names which are mapped to a location specified by Stuxnet. [1] |
Defense Evasion::Process Injection::Dynamic-link Library Injection (E1055.001) | Stuxnet injects the entire DLL into another process and then calls only the particular export it needs. [1] |
Discovery::System Information Discovery (E1082) | Gathers information (OS version, workgroup status, computer name, domain/workgroup name, file name of the infected project file) about each computer on the network in order to spread itself. [1] |
Anti-Static Analysis::Obfuscated Files or Information::Encoding (E1027.m01) | The configuration data block is encoded with a NOT (XOR 0xFF) operation over each byte. [1] |
Defense Evasion::Rootkit::Kernel Mode Rootkit (E1014.m17) | Stuxnet registers custom resource drivers signed with a legitimate Realtek digital certificate. [1] |
Defense Evasion::Process Injection::Injection and Persistence via Registry Modification (E1055.m05) | The driver Stuxnet uses for persistence, Mrxcls.sys, is registered as a boot start service by creating the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls with "ImagePath" = "%System%\drivers\mrxcls.sys". [1] |
Exfiltration::Archive Collected Data::Encoding - Custom Encoding (E1560.m04) | Exfiltrated payloads are XORed with a static 31-byte string found inside Stuxnet and then hexified so that they can be passed as an ASCII data parameter in an HTTP request to the C2 servers. [1] |
Defense Evasion::Hide Artifacts (E1564) | Stuxnet intercepts IRP requests (reads, writes) to devices (NTFS, FAT, CD-ROM). It monitors directory control IRPs, in particular directory query notifications, so that when an application requests the list of files it returns a Stuxnet-specified subset of the true items. These filters hide the files Stuxnet uses to spread through removable drives. [1] |
Execution::Command and Scripting Interpreter (E1059) | Stuxnet stores and executes SQL code that extracts and executes Stuxnet from the saved CAB file using xp_cmdshell. [1] |
Defense Evasion::Hijack Execution Flow::Procedure Hooking (F0015.007) | WTR4141.tmp hooks APIs from kernel32.dll and Ntdll.dll and replaces the original code of these functions with code that checks for files whose properties match Stuxnet files. If a request is made to list a file with the specified properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all files with these properties. [1] |
Name | Use |
---|---|
Impact::Destroy Hardware (B0017) | Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes before returning them to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. This was repeated for several months, and over time the strain destroyed the machines. [1] |
Micro-Objective::Process::Create Mutex (C0042) | Creates global mutexes to signal that rootkit installation has occurred successfully. [1] |
Micro-Objective::Process::Create Process::Create Process via WMI (C0017.002) | Stuxnet uses WMI operations with the explorer.exe token in order to copy itself to, and execute on, the remote share. [1] |
Anti-Behavioral Analysis::Conditional Execution::Host Fingerprint Check (B0025.004) | Stuxnet checks for specific operating systems on 32-bit machines, registry keys, and dates to profile a potential target machine before execution. If the conditions are not met to be considered a viable target, it will exit execution [1] |
SHA256 Hashes
- 1e7d6cb0b1c29bf2caeb6983da647eb253d4764415ae8dfc493a75053dffe85f
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en