Name | Description
---|---
ZEROCLEAR |
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059 | Command and Scripting Interpreter | ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver.[3]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[4]
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts.[3][2][4]
Enterprise | T1068 | Exploitation for Privilege Escalation | ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver.[4]
Enterprise | T1070.004 | Indicator Removal: File Deletion | ZeroCleare has the ability to uninstall the RawDisk driver and delete the
Enterprise | T1106 | Native API | ZeroCleare can call the
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.[4]
Enterprise | T1082 | System Information Discovery | ZeroCleare can use the
ID | Name | References
---|---|---
G0049 | OilRig | OilRig collaborated on the destructive portion of the ZeroCleare attack.[4]
G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice.[1]
ID | Name | Description
---|---|---
C0038 | HomeLand Justice |