S0140: Shamoon
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.[1] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[2][3][4][5]
Analyst context for executives and security teams
Shamoon matters because it is identified by ATT&CK as Windows wiper malware associated with destructive outcomes, including data wiping using tools such as RawDisk and Filerase. For leaders, the key issue is not just malware detection; it is whether the organization can withstand and investigate a fast-moving destructive event that may combine discovery, credentialed lateral movement, service or scheduled-task execution, registry changes, and disk/data destruction.
Executive priority
Prioritize Shamoon as a resilience and incident-readiness scenario for Windows environments. The ATT&CK relationships tie it to domain account abuse, SMB/admin-share lateral movement, tool transfer, Windows services, scheduled tasks, registry activity, and impact techniques such as data destruction, disk structure wiping, encryption for impact, and reboot/shutdown. Executives should ask whether backups are recoverable, privileged/domain account use is monitored, destructive activity is escalated quickly, and SOC/IR teams have evidence to reconstruct lateral movement before systems become unavailable.
Technical view
SOC and IR teams should validate coverage across the full behavior chain represented by the relationships: Windows discovery activity, registry query/modify behavior, network and remote system discovery, domain account use, SMB/admin-share access, lateral and ingress tool transfer, creation or abuse of services and scheduled tasks, possible masquerading or obfuscation, timestomping indicators, web-protocol command-and-control, and impact-stage wiping, encryption, shutdown, or reboot events. Because ATT&CK provides no official detection text for this malware object, detection engineering should be mapped to the related techniques rather than relying on a single Shamoon-specific analytic.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- Windows Registry query and modification events
- Windows service creation, modification, and execution telemetry
- Scheduled task creation and execution logs
- Authentication logs for domain accounts, especially privileged or unusual use
Detection direction
- Build detections around combinations of related behaviors rather than isolated events, such as discovery followed by SMB lateral movement, service execution, tool transfer, and destructive file or disk activity.
- Tune for administrative false positives: registry access, services, scheduled tasks, SMB, and shutdown commands can be legitimate, so correlate with unusual account, host, timing, volume, or sequence.
- Validate visibility before tuning: destructive incidents can erase local evidence, so ensure centralized logging and time synchronization are sufficient for reconstruction.
- Use relationship-driven context to prioritize high-risk alerts involving domain accounts, Windows admin shares, service control activity, and rapid spread across multiple systems.
- Account for blind spots where endpoint logging, SMB monitoring, registry auditing, or disk-level activity telemetry is incomplete.
Mitigation priorities
- Confirm offline, immutable, or otherwise resilient backups and test restoration for critical Windows systems because the object is tied to data destruction and disk wiping behavior.
- Restrict and monitor privileged domain account use, local administrator rights, and access to Windows admin shares.
- Harden and audit Windows services, scheduled tasks, and registry locations used for persistence, execution, or defense impairment.
- Segment critical systems and limit unnecessary SMB paths to reduce lateral movement and tool transfer opportunities.
- Maintain centralized logging and incident response playbooks for destructive malware scenarios, including rapid isolation, evidence preservation, and recovery decision points.
Analyst notes and limits
ATT&CK identifies Shamoon as wiper malware first used in 2012, with later Shamoon 2 and Shamoon 3 observations, and notes links to RawDisk, Filerase, and shared artifacts with Kwampirs. The term Shamoon may sometimes refer to the group as well as the malware, so reporting should distinguish software behavior from actor attribution unless separate evidence supports attribution.
The supplied ATT&CK object has no official detection section and no object-level tactics listed. This analysis is therefore derived from the official description, the external references, the Windows platform field, and the supplied technique relationships. Local detections, risk priority, and exposure depend on the organization's Windows estate, identity architecture, logging coverage, backup posture, and incident response maturity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[5] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."[2] (Citation: McAfee Shamoon December 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1485 | Data Destruction | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Shamoon can impersonate tokens using |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.[5][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1112 | Modify Registry | Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1529 | System Shutdown/Reboot | |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Shamoon can change the modified time for files to evade forensic detection. (Citation: McAfee Shamoon December 2018) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
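The detection direction above (correlating discovery, SMB/admin-share access, service or scheduled-task execution and destructive activity rather than alerting on isolated events) and the procedure text in the table (the "ntssrv" / "MaintenaceSrv" service names, the unnamed scheduled task created after the payload is copied over an admin share, and the RemoteRegistry service being enabled on the target) describe one chain that can be scored per host. The Python below is an added example written for this page; it is not Glexia or MITRE code and not Shamoon's own code. It runs three checks over a constructed set of Windows Security (4624, 5140, 4698) and System (7045, 7040) events: masqueraded service names, a per-host sequence of remote access followed by service/task creation, and one account touching ADMIN$ on several hosts in a short window. The flat field names, the 15-minute window and the fan-out threshold are assumptions; a real pipeline would read the EVTX or Sysmon schema of the SIEM in use.

```python
"""Correlate Windows Security/System events into the Shamoon-style chain this
page describes: remote domain logon or ADMIN$ access, RemoteRegistry being
enabled, a masqueraded service or an unnamed scheduled task, and the same
account fanning out to several hosts.  Added example; all events below are
constructed and the flat field names are a simplification of the EVTX schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names / display name the page attributes to Shamoon (T1036.004).
MASQUERADE_SERVICE_NAMES = {"ntssrv", "maintenacesrv"}
MASQUERADE_DISPLAY_NAMES = {"microsoft network realtime inspection service"}
WINDOW = timedelta(minutes=15)   # assumed correlation window; tune per estate

# Constructed telemetry: 4624/5140/4698 (Security log), 7045/7040 (System log).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T10:00:05", "host": "HOST-B", "id": 4624, "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2024-01-10T10:00:10", "host": "HOST-B", "id": 5140, "user": "CORP\\svc-backup", "share": "\\\\*\\ADMIN$"},
    {"ts": "2024-01-10T10:00:12", "host": "HOST-B", "id": 7040, "service": "RemoteRegistry", "start_type": "auto start"},
    {"ts": "2024-01-10T10:00:20", "host": "HOST-B", "id": 7045, "service": "ntssrv",
     "display": "Microsoft Network Realtime Inspection Service"},
    {"ts": "2024-01-10T10:00:25", "host": "HOST-B", "id": 4698, "user": "CORP\\svc-backup", "task": ""},
    {"ts": "2024-01-10T10:00:30", "host": "HOST-D", "id": 5140, "user": "CORP\\svc-backup", "share": "\\\\*\\ADMIN$"},
    {"ts": "2024-01-10T10:00:41", "host": "HOST-E", "id": 5140, "user": "CORP\\svc-backup", "share": "\\\\*\\ADMIN$"},
    # Benign noise: a local agent installing its own service with no preceding remote access.
    {"ts": "2024-01-10T11:30:00", "host": "HOST-C", "id": 7045, "service": "PatchAgent", "display": "Patch Agent"},
    # Benign noise: an admin creating a named task with no ADMIN$ access in the window.
    {"ts": "2024-01-10T15:00:00", "host": "HOST-C", "id": 4698, "user": "CORP\\jdoe", "task": "\\Nightly Cleanup"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_remote_access(event):
    """Network logon (4624 type 3) or ADMIN$ share access (5140) on the target host."""
    if event["id"] == 4624 and event.get("logon_type") == 3:
        return True
    return event["id"] == 5140 and event.get("share", "").endswith("ADMIN$")


def masqueraded_services(events):
    """7045 service installs whose name or display name matches the page's indicators."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        if (e.get("service", "").lower() in MASQUERADE_SERVICE_NAMES
                or e.get("display", "").lower() in MASQUERADE_DISPLAY_NAMES):
            hits.append((e["host"], e["service"]))
    return hits


def chained_hosts(events, window=WINDOW):
    """Hosts where service/task creation follows remote access within `window`.
    Returns {host: sorted list of observed stage labels}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        access_times = [_ts(e) for e in evs if is_remote_access(e)]
        if not access_times:
            continue                      # isolated service/task activity: leave to tuning
        stages = set()
        for e in evs:
            if not any(timedelta(0) <= _ts(e) - a <= window for a in access_times):
                continue                  # not inside the window after any remote access
            if e["id"] == 7045:
                stages.add("service")
            elif e["id"] == 4698:
                stages.add("scheduled_task")
                if e.get("task", "") == "":
                    stages.add("unnamed_task")
            elif e["id"] == 7040 and e.get("service", "").lower() == "remoteregistry":
                stages.add("remote_registry")
        if stages & {"service", "scheduled_task"}:
            findings[host] = sorted(stages)
    return findings


def admin_share_fanout(events, window=WINDOW, threshold=3):
    """Accounts that touched ADMIN$ on at least `threshold` distinct hosts inside one window."""
    touches = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 5140 and e.get("share", "").endswith("ADMIN$"):
            touches[e["user"]].append((_ts(e), e["host"]))
    spreaders = {}
    for user, items in touches.items():
        for t0, _ in items:
            hosts = {h for t, h in items if timedelta(0) <= t - t0 <= window}
            if len(hosts) >= threshold:
                spreaders[user] = sorted(hosts)
                break
    return spreaders


if __name__ == "__main__":
    print("masqueraded services:", masqueraded_services(SAMPLE_EVENTS))
    print("chained hosts:", chained_hosts(SAMPLE_EVENTS))
    print("ADMIN$ fan-out:", admin_share_fanout(SAMPLE_EVENTS))
```

On the constructed input only HOST-B is reported by the sequence check, even though HOST-C also saw a service install and a task creation, because neither was preceded by a network logon or ADMIN$ access; that is the false-positive tuning the detection direction calls for. The fan-out check fires on the service account independently of what ran on each host, which matters when the destructive stage has already erased local evidence on the targets.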
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 36c912778ed1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylera Kwampirs 2022: Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
- [2] Palo Alto Shamoon Nov 2016: Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- [3] Unit 42 Shamoon3 2018: Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- [4] Symantec Shamoon 2012: Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.
- [5] FireEye Shamoon Nov 2016: FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.
- [6] Disttrack (associated software name; Citation: Palo Alto Shamoon Nov 2016)
- [7] mitre-attack S0140 (MITRE ATT&CK source record for this object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.