| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Akira will leverage COM objects accessed through WMI during execution to evade detection.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Akira will execute PowerShell commands to delete system volume shadow copies.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Akira executes from the Windows command line and can take various arguments for execution.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Akira encrypts victim filesystems for financial extortion purposes.[1] |
| Enterprise | T1083 | File and Directory Discovery | Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as |
| Enterprise | T1106 | Native API | Akira executes native Windows functions such as |
| Enterprise | T1082 | System Information Discovery | Akira uses the |
| Enterprise | T1490 | Inhibit System Recovery | Akira will delete system volume shadow copies via PowerShell commands.[1] |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1057 | Process Discovery | Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.[1] |
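The shadow-copy deletion rows above (T1047, T1059.001, T1490) describe behaviour a defender can look for in process-creation telemetry. The following is an added detection example, not MITRE's or the cited report's code; it assumes a simplified, constructed `EventID|Image|CommandLine` log format and maps each match back to the ATT&CK IDs in the table.

```python
import re

# Command-line patterns associated with volume shadow copy deletion, each mapped to
# the ATT&CK IDs from the Akira table. The WMI/COM route (Win32_ShadowCopy) is the one
# the table describes; vssadmin and wmic are included as common non-PowerShell variants.
SHADOW_COPY_PATTERNS = [
    (re.compile(r"win32_shadowcopy", re.I), ["T1047", "T1490"]),
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), ["T1490"]),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), ["T1047", "T1490"]),
]
POWERSHELL_IMAGE = re.compile(r"(powershell|pwsh)(\.exe)?$", re.I)

# Constructed sample log lines (EventID|Image|CommandLine), not real telemetry.
SAMPLE_LOGS = [
    "4688|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"",
    "4688|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "4688|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "4688|C:\\Windows\\explorer.exe|explorer.exe",
]


def classify(line):
    """Return the sorted ATT&CK IDs suggested by one log line, or [] if nothing matched."""
    try:
        # maxsplit=2 keeps any '|' inside the command line (e.g. a PowerShell pipeline)
        _event_id, image, cmdline = line.split("|", 2)
    except ValueError:
        return []  # malformed line: skip rather than crash the scan
    hits = set()
    for pattern, ids in SHADOW_COPY_PATTERNS:
        if pattern.search(cmdline):
            hits.update(ids)
    # Attribute the PowerShell sub-technique only when the deletion ran under PowerShell
    if hits and POWERSHELL_IMAGE.search(image):
        hits.add("T1059.001")
    return sorted(hits)


def scan(lines):
    """Return (line, ids) pairs for every log line that matched at least one pattern."""
    findings = []
    for line in lines:
        ids = classify(line)
        if ids:
            findings.append((line, ids))
    return findings
```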