S0140: Shamoon
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.[1] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[2][3][4][5]
Analyst context for executives and security teams
Shamoon matters because it is identified by ATT&CK as Windows wiper malware associated with destructive outcomes, including data wiping using tools such as RawDisk and Filerase. For leaders, the key issue is not just malware detection; it is whether the organization can withstand and investigate a fast-moving destructive event that may combine discovery, credentialed lateral movement, service or scheduled-task execution, registry changes, and disk/data destruction.
Executive priority
Prioritize Shamoon as a resilience and incident-readiness scenario for Windows environments. The ATT&CK relationships tie it to domain account abuse, SMB/admin-share lateral movement, tool transfer, Windows services, scheduled tasks, registry activity, and impact techniques such as data destruction, disk structure wiping, encryption for impact, and reboot/shutdown. Executives should ask whether backups are recoverable, privileged/domain account use is monitored, destructive activity is escalated quickly, and SOC/IR teams have evidence to reconstruct lateral movement before systems become unavailable.
Technical view
SOC and IR teams should validate coverage across the full behavior chain represented by the relationships: Windows discovery activity (system information, network configuration, remote systems, system time), Registry query and modification, domain account use, SMB/admin-share access, lateral and ingress tool transfer, creation or abuse of services and scheduled tasks, masquerading and obfuscation, timestomping, web-protocol command and control, and impact-stage wiping, encryption, shutdown, or reboot events. Because ATT&CK provides no official detection text for this software object, detection engineering should be mapped to the related techniques rather than to a single Shamoon-specific analytic.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- Windows Registry query and modification events
- Windows service creation, modification, and execution telemetry
- Scheduled task creation and execution logs
- Authentication logs for domain accounts, especially privileged or unusual use
Detection direction
- Build detections around combinations of related behaviors rather than isolated events, such as discovery followed by SMB lateral movement, service execution, tool transfer, and destructive file or disk activity.
- Tune for administrative false positives: registry access, services, scheduled tasks, SMB, and shutdown commands can be legitimate, so correlate with unusual account, host, timing, volume, or sequence.
- Validate visibility before tuning: destructive incidents can erase local evidence, so ensure centralized logging and time synchronization are sufficient for reconstruction.
- Use relationship-driven context to prioritize high-risk alerts involving domain accounts, Windows admin shares, service control activity, and rapid spread across multiple systems.
- Account for blind spots where endpoint logging, SMB monitoring, registry auditing, or disk-level activity telemetry is incomplete.
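The sequence-based detection this list describes, worked as an added example (not from the ATT&CK page or Glexia): a small correlator over constructed Windows event records. It groups share access (event 5140), service installation (7045) or scheduled task creation (4698), and shutdown (1074) by the account that performed them, requires the stages to occur in order on the same target host within a time window, and applies the admin false-positive tuning above: a known deployment account that only stages a couple of hosts is suppressed, while anything that reaches the shutdown stage or spreads to many hosts escalates regardless of account. The record layout, timestamps, host and account names, the 30-minute window and the three-host threshold are all assumptions.

```python
"""Correlate Windows events into a Shamoon-style lateral movement chain.

Added example; the record layout is a simplified projection of Windows
Security/System event fields (assumption), not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs mapped onto the behaviour stages named in the detection notes.
STAGE_BY_EVENT_ID = {
    5140: "share",     # Security: a network share object was accessed
    7045: "execute",   # System: a new service was installed
    4698: "execute",   # Security: a scheduled task was created
    1074: "shutdown",  # System: shutdown or reboot was initiated
}

# Constructed sample records, not real telemetry. "host" is the machine the
# event was logged on (the target), "user" the account that performed it.
SAMPLE_EVENTS = [
    # Routine: a deployment account stages two servers, nothing destructive.
    {"ts": "2018-12-10T20:00:00", "id": 5140, "host": "srv-01", "user": "CORP\\svc-deploy"},
    {"ts": "2018-12-10T20:00:30", "id": 7045, "host": "srv-01", "user": "CORP\\svc-deploy"},
    {"ts": "2018-12-10T20:01:00", "id": 5140, "host": "srv-02", "user": "CORP\\svc-deploy"},
    {"ts": "2018-12-10T20:01:30", "id": 7045, "host": "srv-02", "user": "CORP\\svc-deploy"},
    # Suspicious: a user account repeats share -> service/task -> reboot across hosts.
    {"ts": "2018-12-10T22:00:00", "id": 5140, "host": "wks-11", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:00:20", "id": 7045, "host": "wks-11", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:00:25", "id": 5140, "host": "wks-12", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:00:40", "id": 4698, "host": "wks-12", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:01:00", "id": 5140, "host": "wks-13", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:01:15", "id": 7045, "host": "wks-13", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:09:00", "id": 1074, "host": "wks-11", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T22:09:05", "id": 1074, "host": "wks-12", "user": "CORP\\jdoe"},
    # Out of order: a reboot logged before any staging is not part of a chain.
    {"ts": "2018-12-10T21:00:00", "id": 1074, "host": "wks-30", "user": "CORP\\jdoe"},
    {"ts": "2018-12-10T21:30:00", "id": 5140, "host": "wks-30", "user": "CORP\\jdoe"},
    # Single host, no shutdown, not an admin account: low priority, not dropped.
    {"ts": "2018-12-10T23:00:00", "id": 5140, "host": "wks-40", "user": "CORP\\asmith"},
    {"ts": "2018-12-10T23:02:00", "id": 4698, "host": "wks-40", "user": "CORP\\asmith"},
]


def first_seen_stages(events):
    """Group by acting account and target host and keep the earliest time
    each stage was seen there: {actor: {host: {stage: datetime}}}."""
    out = defaultdict(lambda: defaultdict(dict))
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        stage = STAGE_BY_EVENT_ID.get(ev["id"])
        if stage is not None:
            out[ev["user"]][ev["host"]].setdefault(stage, datetime.fromisoformat(ev["ts"]))
    return out


def host_progress(seen, window):
    """Classify one target host: None (no ordered chain), "staged" (share,
    then execute within the window) or "destructive" (staged, then shutdown
    still inside the window)."""
    share, execute, shutdown = seen.get("share"), seen.get("execute"), seen.get("shutdown")
    if share is None or execute is None or not share <= execute <= share + window:
        return None
    if shutdown is not None and execute <= shutdown <= share + window:
        return "destructive"
    return "staged"


def detect(events, window=timedelta(minutes=30), min_hosts=3, admin_accounts=frozenset()):
    """Return one alert per acting account whose activity forms a chain."""
    alerts = []
    for actor, hosts in first_seen_stages(events).items():
        progress = {h: host_progress(seen, window) for h, seen in hosts.items()}
        staged = [h for h, p in progress.items() if p == "staged"]
        destructive = sorted(h for h, p in progress.items() if p == "destructive")
        touched = sorted(staged + destructive)
        if not touched:
            continue
        if destructive:
            severity = "high"  # wiping stage reached: escalate regardless of account
        elif len(touched) >= min_hosts:
            severity = "medium" if actor in admin_accounts else "high"  # rapid spread
        elif actor in admin_accounts:
            continue  # small-scale staging by a deployment account is routine
        else:
            severity = "low"
        alerts.append({"actor": actor, "severity": severity,
                       "hosts": touched, "destructive": destructive})
    return sorted(alerts, key=lambda a: a["actor"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, admin_accounts=frozenset({"CORP\\svc-deploy"})):
        print(alert)
```

The window and host threshold are the tuning knobs: shrink the window and the chain becomes specific to automated spread, raise `min_hosts` and routine rollouts stop surfacing. Keep the shutdown escalation unconditional, because by the time a reboot is logged the local evidence on that host may already be gone.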
Mitigation priorities
- Confirm offline, immutable, or otherwise resilient backups and test restoration for critical Windows systems because the object is tied to data destruction and disk wiping behavior.
- Restrict and monitor privileged domain account use, local administrator rights, and access to Windows admin shares.
- Harden and audit Windows services, scheduled tasks, and registry locations used for persistence, execution, or defense impairment.
- Segment critical systems and limit unnecessary SMB paths to reduce lateral movement and tool transfer opportunities.
- Maintain centralized logging and incident response playbooks for destructive malware scenarios, including rapid isolation, evidence preservation, and recovery decision points.
Analyst notes and limits
ATT&CK identifies Shamoon as wiper malware first used in 2012, with later Shamoon 2 and Shamoon 3 observations, and notes links to RawDisk, Filerase, and shared artifacts with Kwampirs. The term Shamoon may sometimes refer to the group as well as the malware, so reporting should distinguish software behavior from actor attribution unless separate evidence supports attribution.
The supplied ATT&CK object has no official detection section and no object-level tactics listed. This take is therefore derived from the official description, external references, Windows platform field, and the supplied technique relationships. Local detections, risk priority, and exposure depend on the organization’s Windows estate, identity architecture, logging coverage, backup posture, and incident response maturity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | Shamoon obtains the system time and will only activate if it is greater than a preset date. (Palo Alto Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Shamoon has been seen overwriting features of disk structure such as the MBR. (Symantec Shamoon 2012; FireEye Shamoon Nov 2016; Palo Alto Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1082 | System Information Discovery | Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server. (Palo Alto Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1012 | Query Registry | Shamoon queries several Registry keys to identify hard disk partitions to overwrite. (Palo Alto Shamoon Nov 2016) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware. (FireEye Shamoon Nov 2016) |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance." (Palo Alto Shamoon Nov 2016; McAfee Shamoon December 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | Shamoon can download an executable to run on the victim. (Palo Alto Shamoon Nov 2016) |
| Enterprise | T1485 | Data Destruction | Shamoon attempts to overwrite operating system files and disk structures with image files (Symantec Shamoon 2012; FireEye Shamoon Nov 2016; Palo Alto Shamoon Nov 2016). In a later variant, randomly generated data was used for data overwrites (Unit 42 Shamoon3 2018; McAfee Shamoon December 2018). |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Shamoon creates a new service named "ntssrv" to execute the payload. Newer versions create the "MaintenaceSrv" and "hdv_725x" services. (Palo Alto Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | Shamoon obtains the target's IP address and local network segment. (Palo Alto Shamoon Nov 2016; McAfee Shamoon December 2018) |
| Enterprise | T1027 | Obfuscated Files or Information | Shamoon contains base64-encoded strings. (Palo Alto Shamoon Nov 2016) |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion. (FireEye Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Shamoon can impersonate tokens using |
| Enterprise | T1570 | Lateral Tool Transfer | Shamoon attempts to copy itself to remote machines on the network. (Palo Alto Shamoon Nov 2016) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware. (FireEye Shamoon Nov 2016; Palo Alto Shamoon Nov 2016) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string. (Unit 42 Shamoon3 2018) |
| Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Shamoon attempts to disable UAC remote restrictions by modifying the Registry. (Palo Alto Shamoon Nov 2016) |
| Enterprise | T1529 | System Shutdown/Reboot | Shamoon will reboot the infected system once the wiping functionality has been completed. (Unit 42 Shamoon3 2018; McAfee Shamoon December 2018) |
| Enterprise | T1486 | Data Encrypted for Impact | Shamoon has an operational mode for encrypting data instead of overwriting it. (Palo Alto Shamoon Nov 2016; Unit 42 Shamoon3 2018) |
| Enterprise | T1018 | Remote System Discovery | Shamoon scans the C-class subnet of the IPs on the victim's interfaces. (FireEye Shamoon Nov 2016) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Shamoon can change the modified time for files to evade forensic detection. (McAfee Shamoon December 2018) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Shamoon has used HTTP for C2. (Palo Alto Shamoon Nov 2016) |
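To turn the procedure details in the table into a concrete check, here is an added example (not page content and not MITRE's): it applies the service names and display name quoted for T1543.003 and T1036.004, and the unnamed-task detail from T1053.005, to constructed service-install (7045) and scheduled-task (4698) records. The snake_case field names are a simplification of the real event schema, and the last rule goes a step beyond the table: it flags any Microsoft- or Windows-branded service whose binary sits in a user-writable directory, which is a heuristic of mine rather than a documented Shamoon trait.

```python
"""Indicator checks derived from the Shamoon procedure rows above.

Added example: records are constructed and use simplified snake_case field
names (assumption), not the raw 7045/4698 event XML.
"""
import re

# Service names and display name quoted in the T1543.003 / T1036.004 rows.
SHAMOON_SERVICE_NAMES = {"ntssrv", "maintenacesrv", "hdv_725x"}
SHAMOON_DISPLAY_NAMES = {"microsoft network realtime inspection service"}

# Heuristic (assumption, not from the page): a service branded as Microsoft
# or Windows whose binary lives in a user-writable location deserves a look.
USER_WRITABLE_DIR = re.compile(r"\\(?:users|programdata|temp|tmp)\\", re.IGNORECASE)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "wks-11", "service_name": "ntssrv",
     "display_name": "Microsoft Network Realtime Inspection Service",
     "image_path": r"C:\Windows\System32\ntssrv.exe"},
    {"id": 7045, "host": "wks-12", "service_name": "MaintenaceSrv",
     "display_name": "Maintenance Host",
     "image_path": r"C:\Windows\System32\maint.exe"},
    {"id": 7045, "host": "wks-13", "service_name": "wuhelper",
     "display_name": "Windows Update Helper",
     "image_path": r"C:\Users\Public\wuhelper.exe"},
    {"id": 7045, "host": "srv-01", "service_name": "HealthService",
     "display_name": "Microsoft Monitoring Agent",
     "image_path": r"C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe"},
    {"id": 4698, "host": "wks-12", "task_name": ""},
    {"id": 4698, "host": "srv-01", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]


def check_service_install(ev):
    """Reasons a 7045 record resembles Shamoon-style masquerading ([] if none)."""
    reasons = []
    name, display = ev["service_name"].lower(), ev["display_name"].lower()
    if name in SHAMOON_SERVICE_NAMES:
        reasons.append(f"service name {ev['service_name']!r} matches a Shamoon service name")
    if display in SHAMOON_DISPLAY_NAMES:
        reasons.append("display name matches the ntssrv masquerade")
    if display.startswith(("microsoft ", "windows ")) and USER_WRITABLE_DIR.search(ev["image_path"]):
        reasons.append("Microsoft-branded display name with binary in a user-writable directory")
    return reasons


def check_task_create(ev):
    """Shamoon schedules an unnamed task; flag 4698 records with a blank name."""
    if not ev.get("task_name", "").strip(" \\"):
        return ["scheduled task created with an empty name"]
    return []


def triage(events):
    """Run the check matching each record's event ID; return (host, id, reasons)."""
    findings = []
    for ev in events:
        if ev["id"] == 7045:
            reasons = check_service_install(ev)
        elif ev["id"] == 4698:
            reasons = check_task_create(ev)
        else:
            continue
        if reasons:
            findings.append((ev["host"], ev["id"], reasons))
    return findings


if __name__ == "__main__":
    for host, event_id, reasons in triage(SAMPLE_EVENTS):
        print(host, event_id, "; ".join(reasons))
```

The exact-name matches are cheap and high-confidence but brittle, since a recompiled sample can rename the service; the branded-display-name rule is the one that survives renaming, at the cost of needing an allowlist for legitimately installed agents.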
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 36c912778ed1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylera Kwampirs 2022: Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
- [2] Palo Alto Shamoon Nov 2016: Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- [3] Unit 42 Shamoon3 2018: Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- [4] Symantec Shamoon 2012: Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.
- [5] FireEye Shamoon Nov 2016: FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.
- [6] Disttrack: associated name for Shamoon (citation: Palo Alto Shamoon Nov 2016).
- [7] mitre-attack S0140: MITRE ATT&CK source object for S0140.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.