Objective:

  • Disrupt, destroy, or manipulate systems and data for strategic or tactical gain. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

  • ID: TA0040


Linux Context:

  • Impact tactics on Linux include ransomware encrypting files with tools like openssl or custom Go binaries, wipers overwriting data with shred or dd, and resource hijacking via cryptominers (e.g., XMRig). Attackers may wipe logs (rm -rf /var/log/*) or crash systems (echo c > /proc/sysrq-trigger). In cloud setups, they delete snapshots or terminate instances. Business disruption (e.g., DDoS launched from compromised Linux bots) is another goal.


Key Techniques:

  • Data Encrypted for Impact (T1486): Locking files with AES.

  • Resource Hijacking (T1496): Running a Monero miner.

  • Data Destruction (T1485): Overwriting or deleting files with shred, dd or rm. Wiping whole disks or partition tables is tracked separately as Disk Wipe (T1561).


Flow Example:

  • Deploying find / -type f -exec openssl enc -aes-256-cbc -in {} -out {}.enc \; (as written this prompts for a passphrase per file and leaves the plaintext originals in place; a real payload supplies the key non-interactively and removes or overwrites the originals), or running XMRig from a cron job so it survives reboots.


Defender Strategies:

  • Keep offline or immutable backups: snapshots and backups reachable by root on the same host (including LVM snapshots) can be deleted or encrypted along with the data, so they speed up rollback but do not replace off-host copies. Alert on sustained CPU utilisation from unexpected binaries and on connections to mining pools rather than relying on spotting spikes in htop; watch for bursts of file renames or new extensions, recursive deletion under /var/log, and writes to /proc/sysrq-trigger. Maintain and rehearse IR plans for rapid recovery.
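The following is an added example, not EDRmetry code, showing what the detection side of these strategies looks like when run over process telemetry. It flags the three behaviours this page describes: the find/openssl encryption burst from the Flow Example (T1486), a sustained-CPU process with mining indicators (T1496), and the log-wipe, dd and sysrq-trigger commands from the Linux Context (T1485). The ProcEvent schema and the sample events are constructed for the example; the thresholds (5 `openssl enc` children in 10 s, 3 samples at or above 90% CPU) are assumed starting points, not tuned values.

```python
"""Detection logic for Linux Impact-tactic behaviour over process telemetry.

Added example; not EDRmetry code. ProcEvent is an assumed flattening of what
execve tracing (auditd/eBPF) plus periodic CPU sampling would give an EDR.
"""
from collections import defaultdict
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since epoch
    pid: int
    ppid: int
    comm: str        # basename of the executable
    cmdline: str     # full argv as one string
    cpu_pct: float   # CPU utilisation of this PID when sampled


MINER_CMD = "/tmp/.x/kswapd-ng -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER"

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # cron-launched miner under a kernel-thread-like name, running from /tmp
    ProcEvent(1000.0, 4001, 1, "cron", "/usr/sbin/cron -f", 0.1),
    ProcEvent(1001.0, 4100, 4001, "kswapd-ng", MINER_CMD, 98.5),
    ProcEvent(1031.0, 4100, 4001, "kswapd-ng", MINER_CMD, 99.1),
    ProcEvent(1061.0, 4100, 4001, "kswapd-ng", MINER_CMD, 97.8),
    # legitimate CPU-heavy job: high CPU but no mining indicator
    ProcEvent(1005.0, 4200, 3000, "ffmpeg", "/usr/bin/ffmpeg -i in.mp4 out.mkv", 95.0),
    ProcEvent(1035.0, 4200, 3000, "ffmpeg", "/usr/bin/ffmpeg -i in.mp4 out.mkv", 96.2),
    # the find/openssl flow from the page, parent plus six children in 0.5 s
    ProcEvent(1100.0, 5000, 3000, "find",
              "find / -type f -exec openssl enc -aes-256-cbc -in {} -out {}.enc ;", 2.0),
] + [
    ProcEvent(1100.0 + i / 10, 5001 + i, 5000, "openssl",
              f"openssl enc -aes-256-cbc -in /home/u/f{i} -out /home/u/f{i}.enc", 6.0)
    for i in range(6)
] + [
    # one-off legitimate openssl use: must not be flagged
    ProcEvent(1200.0, 6000, 3000, "openssl", "openssl x509 -in cert.pem -noout -text", 1.0),
    # destructive commands from the Linux Context paragraph
    ProcEvent(1300.0, 7000, 3000, "rm", "rm -rf /var/log/syslog /var/log/auth.log", 0.5),
    ProcEvent(1301.0, 7001, 3000, "dd", "dd if=/dev/zero of=/dev/sda bs=1M", 40.0),
    ProcEvent(1302.0, 7002, 3000, "bash", "bash -c 'echo c > /proc/sysrq-trigger'", 0.1),
]


def detect_encryption_burst(events, window=10.0, threshold=5):
    """Parent PIDs that spawned >= threshold `openssl enc` children within `window` s.

    One `openssl enc` is routine administration; many per second from one
    parent matches T1486. Sliding window over the sorted child start times.
    """
    starts = defaultdict(list)
    for e in events:
        argv = shlex.split(e.cmdline)
        if e.comm == "openssl" and len(argv) > 1 and argv[1] == "enc":
            starts[e.ppid].append(e.ts)
    flagged = set()
    for ppid, ts in starts.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ppid)
                break
    return flagged


UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
MINER_TOKENS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig")


def detect_miner(events, cpu_threshold=90.0, min_samples=3):
    """PIDs at or above cpu_threshold for >= min_samples samples that also show a
    mining indicator (pool URL, XMRig-specific flag, or binary in a world-writable
    directory). CPU alone is not enough; compare the ffmpeg job above."""
    hot = defaultdict(int)
    indicator = defaultdict(bool)
    for e in events:
        argv = shlex.split(e.cmdline)
        exe = argv[0] if argv else ""
        lowered = e.cmdline.lower()
        indicator[e.pid] |= exe.startswith(UNTRUSTED_DIRS) or any(t in lowered for t in MINER_TOKENS)
        if e.cpu_pct >= cpu_threshold:
            hot[e.pid] += 1
    return {pid for pid, n in hot.items() if n >= min_samples and indicator[pid]}


def detect_destructive(events):
    """PIDs running recursive rm under /var/log, dd/shred onto a block device, or a
    write to /proc/sysrq-trigger. The sysrq case only catches the `sh -c` form in
    argv; a write to that path from an interactive shell needs a file-write event."""
    flagged = set()
    for e in events:
        argv = shlex.split(e.cmdline)
        args = argv[1:]
        recursive = any(a.startswith("-") and "r" in a for a in args)
        if e.comm == "rm" and recursive and any(a.startswith("/var/log") for a in args):
            flagged.add(e.pid)
        elif e.comm == "dd" and any(a.startswith("of=/dev/") and a != "of=/dev/null" for a in args):
            flagged.add(e.pid)
        elif e.comm == "shred" and any(a.startswith("/dev/") for a in args):
            flagged.add(e.pid)
        elif "/proc/sysrq-trigger" in e.cmdline:
            flagged.add(e.pid)
    return flagged


def triage(events=SAMPLE_EVENTS):
    """Run all three detectors and return sorted PID lists keyed by technique."""
    return {
        "T1486_encrypting_parents": sorted(detect_encryption_burst(events)),
        "T1496_miner_pids": sorted(detect_miner(events)),
        "T1485_destructive_pids": sorted(detect_destructive(events)),
    }


if __name__ == "__main__":
    for technique, pids in triage().items():
        print(technique, pids)
```

On the sample data the encryption detector flags only the find parent (PID 5000), the miner detector flags the /tmp binary but not the equally CPU-hungry ffmpeg job, and the destructive-command detector flags the rm, dd and sysrq events. The thresholds are the tuning knobs: backup jobs that call openssl per file will need an allowlist by parent executable, and a real deployment should correlate the miner indicator with outbound connections to pool ports rather than relying on argv strings, which a renamed or config-file-driven miner will not expose.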


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6240 - Bash Fork Bomb

  • EDR-T6005 - Clear kernel ring buffer

  • EDR-T6252 - Crypto Mining CPU stress

  • EDR-T6018 - Ransomware bash+openssl

  • EDR-T6058 - Ransomware Black Basta

  • EDR-T6063 - Ransomware C - lokpack