{"description": "Enterprise techniques used by Royal, ATT&CK software S1073 (v1.2)", "name": "Royal (S1073)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.012", "comment": "Royal ransomware uses `esxcli` to gather a list of running VMs and terminate them.(Citation: Trend Micro Royal Linux ESXi February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Royal](https://attack.mitre.org/software/S1073) uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Royal](https://attack.mitre.org/software/S1073) can identify specific files and directories to exclude from the encryption process.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Royal](https://attack.mitre.org/software/S1073) can delete shadow copy backups with vssadmin.exe using the command `delete shadows /all /quiet`.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: CISA Royal AA23-061A March 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": " [Royal](https://attack.mitre.org/software/S1073) can use `GetLogicalDrives` to enumerate logical drives.(Citation: Cybereason Royal December 2022)(Citation: Trend Micro Royal Linux ESXi February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1106", "comment": "[Royal](https://attack.mitre.org/software/S1073) can use multiple APIs for discovery, communication, and execution.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Royal](https://attack.mitre.org/software/S1073) can scan the network interfaces of targeted systems.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Royal](https://attack.mitre.org/software/S1073) can enumerate the shared resources of a given IP addresses using the API call `NetShareEnum`.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Royal](https://attack.mitre.org/software/S1073) establishes a TCP socket for C2 communication using the API `WSASocketW`.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "comment": "[Royal](https://attack.mitre.org/software/S1073) has been spread through the use of phishing campaigns including \"call back phishing\" where victims are lured into calling a number provided through email.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: CISA Royal AA23-061A March 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Royal](https://attack.mitre.org/software/S1073) can use `GetCurrentProcess` to enumerate processes.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Royal](https://attack.mitre.org/software/S1073) can use SMB to connect to move laterally.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Royal](https://attack.mitre.org/software/S1073) can use `RmShutDown` to kill applications and services using the resources that are targeted for encryption.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": " [Royal](https://attack.mitre.org/software/S1073) can use `GetNativeSystemInfo` to enumerate system processors.(Citation: Cybereason Royal December 2022)(Citation: Trend Micro Royal Linux ESXi February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Royal](https://attack.mitre.org/software/S1073) can enumerate IP addresses using `GetIpAddrTable`.(Citation: Cybereason Royal December 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Royal", "color": "#66b1ff"}]}