{"description": "Enterprise techniques used by LazyWiper, ATT&CK software S9039 (v1.0)", "name": "LazyWiper (S9039)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) has used PowerShell to enable data destruction on targeted systems.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) has overwritten files with pseudorandom 32\u2011byte sequences written at 16\u2011byte intervals making the file unrecoverable.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) can disable Microsoft Windows Defender Real-Time Monitoring with the `Set-MpPreference` cmdlet.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) can halt execution if `[System.Net.Dns]::GetHostName()` or `$env:COMPUTERNAME` contains `\u201cpe-dc\u201d`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) can specifically target multiple files by extension including: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, and .ldiff.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.007", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) is believed to have been generated by a large language model (LLM) due to the non-sensical comments in the code.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1679", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) can enumerate the hostname of the system to determine if it is a domain controller and exclude it from being wiped if so.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[LazyWiper](https://attack.mitre.org/software/S9039) has used `[System.Net.Dns]::GetHostName()` and `$env:COMPUTERNAME` to enumerate the hostname of a system and determine if it is a domain controller.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LazyWiper", "color": "#66b1ff"}]}