1. Home
  2. Software
  3. Stuxnet

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

ID: S0603
Associated Software: W32.Stuxnet
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 14 December 2020
Last Modified: 12 October 2021

Associated Software Descriptions

Name Description
W32.Stuxnet

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[1]
Enterprise T1087 .001 Account Discovery: Local Account

Stuxnet enumerates user accounts of the local host.[1]
.002 Account Discovery: Domain Account

Stuxnet enumerates user accounts of the domain.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Stuxnet uses HTTP to communicate with a command and control server. [1]
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys.[1]
Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Stuxnet used copies of .lnk shortcuts to propagate through removable media.[1]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Stuxnet uses a driver registered as a boot start service as the main load-point.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Stuxnet decrypts resources that are loaded into memory and executed.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.[1]

Enterprise T1480 Execution Guardrails

Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Stuxnet sends compromised victim information via HTTP.[1]
Enterprise T1068 Exploitation for Privilege Escalation

Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines.[1]
Enterprise T1210 Exploitation of Remote Services

Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities.[1]
Enterprise T1008 Fallback Channels

Stuxnet has the ability to generate new C2 domains.[1]
Enterprise T1083 File and Directory Discovery

Stuxnet uses a driver to scan for specific filesystem driver objects.[1]
Enterprise T1562 Impair Defenses

Stuxnet reduces the integrity level of objects to allow write actions.[1]
Enterprise T1070 Indicator Removal on Host

Stuxnet removes itself from the system through a DLL export by deleting specific files and stored procedures.[1]
.004 File Deletion

Stuxnet uses an RPC server that contains a routine for file deletion.[1]
.006 Timestomp

Stuxnet extracts and writes driver files that match the times of other legitimate files.[1]
Enterprise T1570 Lateral Tool Transfer

Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network.[1]
Enterprise T1112 Modify Registry

Stuxnet can create registry keys to load driver files.[1]
Enterprise T1106 Native API

Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.[1]
Enterprise T1135 Network Share Discovery

Stuxnet enumerates the directories of a network resource.[1]
Enterprise T1027 Obfuscated Files or Information

Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[1]
Enterprise T1120 Peripheral Device Discovery

Stuxnet enumerates removable drives for infection.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.[1]
Enterprise T1090 .001 Proxy: Internal Proxy

Stuxnet installs an RPC server for P2P communications.[1]
Enterprise T1012 Query Registry

Stuxnet searches the Registry for indicators of security programs.[1]
Enterprise T1021 Remote Services

Stuxnet can propagate via peer-to-peer communication and updates using RPC.[1]
.002 SMB/Windows Admin Shares

Stuxnet propagates to available network shares.[1]
Enterprise T1091 Replication Through Removable Media

Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[1]
Enterprise T1014 Rootkit

Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Stuxnet schedules a network job to execute two minutes after host infection.[1]
Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Stuxnet used xp_cmdshell to store and execute SQL code.[1]
Enterprise T1129 Shared Modules

Stuxnet calls LoadLibrary then executes exports from a DLL.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Stuxnet enumerates the currently running processes related to a variety of security products.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Stuxnet used a digitally signed driver with a compromised Realtek certificate.[1]
Enterprise T1082 System Information Discovery

Stuxnet collects system information including computer and domain names, OS version, and S7P paths.[1]
Enterprise T1016 System Network Configuration Discovery

Stuxnet collects the IP address of a compromised system.[1]
Enterprise T1124 System Time Discovery

Stuxnet collects the time and date of a system when it is infected.[1]
Enterprise T1080 Taint Shared Content

Stuxnet infects remote servers via network shares and by infecting WinCC database views with malicious code.[1]
Enterprise T1078 .001 Valid Accounts: Default Accounts

Stuxnet infected WinCC machines via a hardcoded database server password.[1]
.002 Valid Accounts: Domain Accounts

Stuxnet attempts to access network resources with a domain account’s credentials.[1]
Enterprise T1047 Windows Management Instrumentation

Stuxnet used WMI with an explorer.exe token to execute on a remote share.[1]

References

  1. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  2. CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.
  1. Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.
  2. Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.