Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control system (ICS) devices. Stuxnet is a large and complex piece of malware that combines multiple behaviors, including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, although some components were in use as early as November 2008.[1]

ID: S0603
Associated Software: W32.Stuxnet
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 14 December 2020
Last Modified: 12 October 2021

Associated Software Descriptions

Name Description
W32.Stuxnet [1]

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[1]

Enterprise T1087 .001 Account Discovery: Local Account

Stuxnet enumerates user accounts of the local host.[1]

.002 Account Discovery: Domain Account

Stuxnet enumerates user accounts of the domain.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Stuxnet uses HTTP to communicate with a command and control server.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Stuxnet encrypts data exfiltrated over the C2 channel with a static 31-byte XOR key.[1]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Stuxnet used copies of .lnk shortcuts to propagate through removable media.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Stuxnet uses a driver registered as a boot start service as the main load-point.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Stuxnet decrypts resources that are loaded into memory and executed.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Stuxnet encodes the system-information payload sent to the command and control servers with a one-byte 0xFF XOR key. Stuxnet also XORs data sent to the command and control servers with a static 31-byte key. The servers use a different static key to encrypt replies to the implant.[1]
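The three entries above (T1560.003, T1132.001 and T1573.001) describe one pipeline: system information is XORed, the result is XORed again with a static 31-byte key, and the binary blob is turned into an ASCII string that fits in a URL parameter. The block below is an added example written for this page, not code from ATT&CK or from Stuxnet itself. It models the pipeline, shows the decoder an analyst would run against a captured request, and demonstrates why a static XOR key is weak: one known plaintext of at least one key period recovers the key stream for every other beacon. The 31-byte key value, the hex choice for the ASCII encoding, the host name, URL path and the "data" parameter name are all assumptions; the page gives only the 0xFF key and the key length.

```python
"""
Added example, not code from the ATT&CK page or from Stuxnet: a model of the
layered C2 payload encoding described under T1560.003, T1132.001 and T1573.001,
with the decoder and key-recovery step an analyst would use on captured traffic.

Assumptions (labelled): the 31-byte key is a constructed stand-in (the page does
not give Stuxnet's real key bytes); hex is assumed as the ASCII encoding; the
host name, URL path and parameter name "data" are hypothetical.
"""
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit

STATIC_KEY_31 = bytes(range(1, 32))  # constructed stand-in for the 31-byte key
SINGLE_BYTE_KEY = 0xFF               # one-byte XOR key named on the page


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_system_info(info: bytes) -> str:
    """Implant side: 0xFF XOR, then the 31-byte XOR, then hex so the blob is URL-safe."""
    stage1 = xor_with_key(info, bytes([SINGLE_BYTE_KEY]))
    stage2 = xor_with_key(stage1, STATIC_KEY_31)
    return binascii.hexlify(stage2).decode("ascii")


def build_beacon_url(host: str, info: bytes) -> str:
    """Hypothetical beacon URL carrying the encoded blob as a query parameter."""
    return f"http://{host}/index.php?" + urlencode({"data": encode_system_info(info)})


def decode_beacon_url(url: str) -> bytes:
    """Analyst side: undo hex, then both XOR layers (XOR is its own inverse)."""
    blob = binascii.unhexlify(parse_qs(urlsplit(url).query)["data"][0])
    return xor_with_key(xor_with_key(blob, STATIC_KEY_31), bytes([SINGLE_BYTE_KEY]))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, keylen: int = 31) -> bytes:
    """Why static XOR keys are weak: one known plaintext of >= keylen bytes yields
    the combined key stream (0xFF ^ key[i]) that decrypts every other beacon."""
    if len(known_plaintext) < keylen:
        raise ValueError("need at least one full key period of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:keylen], known_plaintext[:keylen]))


def decode_proxy_log(lines):
    """Pull the decoded system-info block out of constructed proxy log lines."""
    decoded = {}
    for line in lines:
        for field in line.split():
            if field.startswith("http://") and "data=" in field:
                decoded[field] = decode_beacon_url(field)
    return decoded


# Constructed system-information block (computer name, domain, OS version string).
SAMPLE_INFO = b"WORKSTATION-7\x00CORP\x005.1.2600\x00" + b"\x00" * 12

if __name__ == "__main__":
    url = build_beacon_url("c2.example", SAMPLE_INFO)
    print(url)
    print(decode_beacon_url(url))
```

The known-plaintext step is the practical takeaway: a static key that never changes between victims means that a single recovered plaintext block (for example, a host whose name is already known from the proxy log) unmasks every other host's beacon without any access to the implant's binary.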

Enterprise T1480 Execution Guardrails

Stuxnet checks for specific operating system versions on 32-bit machines, specific Registry keys, and the current date, and exits if the expected values are not met.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Stuxnet sends compromised victim information via HTTP.[1]

Enterprise T1068 Exploitation for Privilege Escalation

Stuxnet used MS10-073 and a Task Scheduler vulnerability (undisclosed at the time of analysis) to escalate privileges on local Windows machines.[1]

Enterprise T1210 Exploitation of Remote Services

Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities.[1]

Enterprise T1008 Fallback Channels

Stuxnet has the ability to generate new C2 domains.[1]

Enterprise T1083 File and Directory Discovery

Stuxnet uses a driver to scan for specific filesystem driver objects.[1]

Enterprise T1562 Impair Defenses

Stuxnet reduces the integrity level of objects to allow write actions.[1]

Enterprise T1070 Indicator Removal on Host

Stuxnet can remove itself from a system via a DLL export that deletes specific files and stored procedures.[1]

.004 File Deletion

Stuxnet uses an RPC server that contains a routine for file deletion.[1]

.006 Timestomp

Stuxnet extracts and writes driver files that match the times of other legitimate files.[1]

Enterprise T1570 Lateral Tool Transfer

Stuxnet uses an RPC server that contains a file-dropping routine and supports payload version updates over P2P communication within a victim network.[1]

Enterprise T1112 Modify Registry

Stuxnet can create registry keys to load driver files.[1]
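The Registry keys Stuxnet creates (this entry) and the boot-start driver service it uses as its main load-point (T1543.003 above) are the same artifact seen from two sides: a subkey under HKLM\SYSTEM\CurrentControlSet\Services with Start=0 and Type=1 whose ImagePath names a .sys file. A cheap, robust check is to diff an offline or exported copy of that hive against the boot-start drivers of a known-good image of the same build. The block below is an added example written for this page, not ATT&CK's or Stuxnet's code: it parses a .reg export (including REG_EXPAND_SZ values written as hex(2) UTF-16LE with continuation lines, which is how regedit exports ImagePath) and reports boot-start kernel drivers missing from the baseline. The export text, the service names in it, and the baseline set are constructed stand-ins.

```python
"""
Added example, not from the ATT&CK page or from Stuxnet: a baseline check for
the load-point described under T1543.003 and T1112, a driver registered as a
boot-start service (Start=0, Type=1) under HKLM\SYSTEM\CurrentControlSet\Services.

Assumptions (labelled): the .reg export below is constructed; the driver and
service names in it are hypothetical; the baseline is a stand-in for the boot
drivers of a known-good image of the same build.
"""
import re

SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

SERVICE_BOOT_START = 0     # Start=0: loaded by the boot loader
SERVICE_KERNEL_DRIVER = 1  # Type=1: kernel-mode driver


def _decode_hex2(hexlist: str) -> str:
    """REG_EXPAND_SZ exported as hex(2): comma-separated UTF-16LE bytes."""
    raw = bytes.fromhex(hexlist.replace(",", "").strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def _unescape(s: str) -> str:
    """Undo regedit's escaping inside quoted string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Map service name -> {value name: value} for keys under ...\\Services\\<name>."""
    services, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation line of a hex(2) value
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                services[current][name] = _decode_hex2(acc)
                pending = None
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            m = SERVICE_KEY_RE.search(line[1:-1])
            current = m.group(1) if m else None
            if current is not None:
                services.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            services[current][name] = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            services[current][name] = _unescape(rhs[1:-1])
        elif rhs.startswith("hex(2):"):
            body = rhs[7:]
            if body.endswith("\\"):
                pending = (name, body.rstrip("\\"))
            else:
                services[current][name] = _decode_hex2(body)
    return services


def unexpected_boot_drivers(services: dict, baseline: set) -> list:
    """Boot-start kernel drivers absent from the known-good baseline, sorted by name."""
    found = []
    for name, vals in services.items():
        if (vals.get("Start") == SERVICE_BOOT_START
                and vals.get("Type") == SERVICE_KERNEL_DRIVER
                and name.lower() not in baseline):
            found.append((name, vals.get("ImagePath", "<missing>")))
    return sorted(found)


# Constructed export; the service names and image paths are hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\DRIVERS\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000003
"ImagePath"="C:\\Program Files\\Example\\svc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\baddrv]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,2e,00,73,00,79,00,73,00,00,00
"""

# Stand-in baseline: boot-start drivers taken from a known-good image.
BASELINE = {"disk"}

if __name__ == "__main__":
    for name, path in unexpected_boot_drivers(parse_reg_export(SAMPLE_REG), BASELINE):
        print(f"unexpected boot-start driver: {name} -> {path}")
```

Run the check against an export taken from an offline hive or from a clean boot environment rather than from the live system: a rootkit that hides its own service key from Registry APIs (see T1014 below) will not hide it from a hive file parsed elsewhere.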

Enterprise T1106 Native API

Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.[1]

Enterprise T1135 Network Share Discovery

Stuxnet enumerates the directories of a network resource.[1]

Enterprise T1027 Obfuscated Files or Information

Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[1]

Enterprise T1120 Peripheral Device Discovery

Stuxnet enumerates removable drives for infection.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.[1]

Enterprise T1090 .001 Proxy: Internal Proxy

Stuxnet installs an RPC server for P2P communications.[1]

Enterprise T1012 Query Registry

Stuxnet searches the Registry for indicators of security programs.[1]

Enterprise T1021 Remote Services

Stuxnet can propagate via peer-to-peer communication and updates using RPC.[1]

.002 SMB/Windows Admin Shares

Stuxnet propagates to available network shares.[1]

Enterprise T1091 Replication Through Removable Media

Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[1]
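Of the two removable-media vectors named here, autorun.inf is the one that can be triaged by reading a file: a permissive INF parser ignores lines it does not understand, so a triage tool has to be equally lenient or it will miss directives buried among junk. The block below is an added example written for this page, not ATT&CK's or Stuxnet's code. It parses an autorun.inf the lenient way, reports every directive that launches code (open, shellexecute, shell\...\command), flags an action prompt that imitates Explorer's default "open folder" text as a generic social-engineering red flag, and cross-checks the referenced files and any .lnk shortcuts against a listing of the drive. The autorun.inf content, the payload and export names, and the drive listing are constructed; the action heuristic is generic and not a signature taken from this page. The caveat a practitioner needs: disabling AutoRun does nothing against the CVE-2010-2568 LNK vulnerability, which triggers when the shortcut's icon is rendered, so .lnk files on removable media still deserve a look.

```python
"""
Added example, not from the ATT&CK page or from Stuxnet: a lenient autorun.inf
triage parser for the removable-media vector described under T1091 and T1547.009.
It reads the file the way a permissive INF parser would (skipping lines it does
not understand) and reports the directives that would launch code.

Assumptions (labelled): the autorun.inf content, payload names, export name and
drive listing below are constructed; the "action" heuristic is a generic red flag
(a prompt imitating Explorer's folder-open text), not a signature from this page.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
PATH_RE = re.compile(r'[^\s,"]+\.(?:exe|dll|com|bat|cmd|scr|lnk|pif|vbs|js)\b', re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return {key: value} from every [autorun] section; a repeated key keeps the last value."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                         # junk lines are skipped, not fatal
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def triage_autorun(text: str) -> list:
    """List (rule, key, value) findings for directives that launch code or mislead the user."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(("launch-directive", key, value))
        elif SHELL_COMMAND_RE.match(key):
            findings.append(("shell-command", key, value))
        elif key == "action" and "open folder to view files" in value.lower():
            findings.append(("action-spoof", key, value))
    return findings


def _normalize(path: str) -> str:
    return path.lower().replace("\\", "/").lstrip("./")


def cross_check_listing(text: str, listing: list) -> dict:
    """Which launched files exist on the drive, which do not, and any .lnk shortcuts present."""
    referenced = set()
    for rule, _, value in triage_autorun(text):
        if rule in ("launch-directive", "shell-command"):
            referenced.update(_normalize(p) for p in PATH_RE.findall(value))
    on_drive = {_normalize(p) for p in listing}
    return {
        "present": sorted(r for r in referenced if r in on_drive),
        "missing": sorted(r for r in referenced if r not in on_drive),
        "shortcuts": sorted(p for p in listing if p.lower().endswith(".lnk")),
    }


# Constructed sample; the payload path and export name are hypothetical.
SAMPLE_AUTORUN = r"""; constructed sample, not a real artifact
[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Backup
random padding that a permissive parser skips
open=rundll32.exe .\hidden\payload.dll,Entry
action=Open folder to view files using Windows Explorer
shell\open\command=.\hidden\payload.exe
shell\explore=&Explore
"""

# Constructed listing of the drive root.
SAMPLE_LISTING = ["autorun.inf", "hidden/payload.dll", "hidden/payload.exe",
                  "Photos.lnk", "Backup/report.doc"]

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(finding)
    print(cross_check_listing(SAMPLE_AUTORUN, SAMPLE_LISTING))
```

The "missing" bucket is expected to contain host binaries such as rundll32.exe; its value is in showing what the directive would execute from the host rather than from the drive, which is the pattern to look for when a DLL on the media is loaded through a trusted system executable.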

Enterprise T1014 Rootkit

Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Stuxnet schedules a network job to execute two minutes after host infection.[1]

Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Stuxnet used xp_cmdshell to store and execute SQL code.[1]

Enterprise T1129 Shared Modules

Stuxnet calls LoadLibrary then executes exports from a DLL.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Stuxnet enumerates the currently running processes related to a variety of security products.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Stuxnet used a digitally signed driver with a compromised Realtek certificate.[1]

Enterprise T1082 System Information Discovery

Stuxnet collects system information including computer and domain names, OS version, and Siemens Step 7 project (S7P) paths.[1]

Enterprise T1016 System Network Configuration Discovery

Stuxnet collects the IP address of a compromised system.[1]

Enterprise T1124 System Time Discovery

Stuxnet collects the time and date of a system when it is infected.[1]

Enterprise T1080 Taint Shared Content

Stuxnet infects remote servers via network shares and by infecting WinCC database views with malicious code.[1]

Enterprise T1078 .001 Valid Accounts: Default Accounts

Stuxnet infected WinCC machines via a hardcoded database server password.[1]

.002 Valid Accounts: Domain Accounts

Stuxnet attempts to access network resources with a domain account’s credentials.[1]

Enterprise T1047 Windows Management Instrumentation

Stuxnet used WMI with an explorer.exe token to execute on a remote share.[1]

References