Empire
Empire is a PowerShell-based post-exploitation framework and malware/tooling family that relies on PowerShell for most client-side agent tasks. The public reporting collected here states that staged Empire agents can be downloaded and executed via PowerShell-encoded commands, including delivery through SCT files, and that AppleScript can be used to drop the Empire exploit kit. Empire uses a command-line interface to interact with compromised systems and supports PowerShell remoting through the Invoke-PSRemoting module.

Reported capabilities include: use of WMI to deliver payloads to remote hosts; process injection via modules such as Invoke-PSInject; port scanning from an infected host; searching for files containing passwords; extracting passwords from common web browsers, including Firefox and Chrome; gathering browser data such as bookmarks and visited sites; sending collected data over its command-and-control channel; using Dropbox and GitHub for command and control; using Dropbox for data exfiltration; encrypting C2 traffic with TLS; and timestomping files or payloads placed on a target machine for defense evasion.

The reporting associates Empire with multiple threat actors: APT19 obtained and used the publicly available tool; FIN12 used the PowerShell-based EMPIRE post-exploitation framework nearly exclusively until mid-2019 before also adopting Cobalt Strike; Sandworm targeted Android developers with phishing emails and Office exploits to install PowerShell Empire; and Vice Society used PowerShell Empire for lateral movement.

High-confidence behaviors directly mentioned include PowerShell-centric execution, remote payload delivery via WMI, credential and browser data collection, process injection, network scanning, encrypted C2, cloud-service-backed C2/exfiltration, and timestomping.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Graphite was deployed in a campaign against several governments in Europe and Asia. Attacks began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444). This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload: PowerShell Empire.
Groups observed using it
19 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
APT19 has obtained and used publicly-available tools like Empire.
Empire has modules to interact with the Windows task scheduler.
This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload—PowerShell Empire.
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally.
The PowerShell command was equipped with capabilities to run JavaScript that executed PowerShell code linked to the Empire command-and-control (C2) framework.
Tools: PowerStats, Koadic, LaZagne, Metasploit, FORELORD, CrackMapExec, Plink, Empire, Mimikatz, Mori, PowGoop, Small Sieve, Canopy, ScreenConnect, RemoteUtilities, Syncro, SimpleHelp, MiniDump, CredNinja, MKL64, Ligolo, MuddyC3, PhonyC2, MuddyC2Go, Venom Proxy, WMIExec, AnyDesk, Revsocks
APT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. ... PowerShell Empire
...use of a combination of code and techniques from security blogs and open source projects, such as FruityC2 and Powershell Empire...
UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE offensive security tools during this phase as well.
“...Sednit deployed two implants in parallel: Graphite... and PowerShell Empire...”
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Execution
7 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.
References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.
Alternatively, PowerShell can be used to create scheduled tasks that will execute either at logon of a user or at a specific time and date.
EncodedCommand, for those that are not familiar, is a way to execute base64-encoded PowerShell code, which skirts (by design) around the Execution Policies in PowerShell. ... This allows us to execute EncodedCommand without having to actually use -ec anywhere in our PowerShell command and circumvent detection rules.
AppleScript offers offensive actors a plethora of ways to execute. In addition to simply executing a .scpt file, you can run AppleScripts from Mail rules, from a shell script, in memory, from the command line, from within a MachO, in a plain text, uncompiled file, from an Automator workflow, from a Folder Action, a Finder Service or from a Calendar event.
Prompted by this discovery, the author began researching obfuscation techniques supported by cmd.exe... The goal of this research is to enumerate the problem space of cmd.exe-supported obfuscation techniques...
Persistence
5 techniques
Scheduled task abuse via schtasks.exe (T1053), as quoted under Execution above, is also documented as a persistence mechanism.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
FIN12 has used EMPIRE configured to maintain persistence through reboot via a service named "Updater."
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
5 techniques
Scheduled task abuse via schtasks.exe (T1053), as quoted under Execution above, is also documented for privilege escalation.
FIN12 has also used process injection to execute payloads in a more privileged context.
The "Updater" service persistence used by FIN12 and the Registry Run/RunOnce and Startup folder persistence described under Persistence above also apply here.
Stealth
4 techniques
Skilled attackers continually seek out new attack vectors while employing evasion techniques to maintain the effectiveness of old vectors in an ever-changing defensive landscape... numerous threat actors employ obfuscation frameworks... In June 2017, the Advanced Practices Team identified FIN7 ... testing a novel obfuscation technique native to cmd.exe.
FIN12's use of process injection to execute payloads in a more privileged context (quoted under Privilege Escalation above) is also listed here.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
APT32 ... often downloads this second stage using the regsvr32.exe remote download technique known as “Squiblydoo”. To evade rigid signatures for this technique that rely on command line argument values /i:http:// or /i:https:// being present, APT32 first used cmd.exe’s escape character, the caret (^), and then in this later example used double quotes to break up these arguments.
Defense Impairment
1 technique
Credential Access
4 techniques
AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
...there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos.
AS-REP Roasting Attack Explained - MITRE ATT&CK T1558.004 ... It exploits a vulnerability in Kerberos when the 'Do not require Kerberos preauthentication' setting is enabled. This vulnerability allows adversaries to extract user hashes, enabling them to decrypt passwords offline.
Discovery
4 techniques
Use in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Ember Bear gathers victim system information such as enumerating the volume of a given device; Frankenstein used Empire to gather various local system information; many malware entries state they collect system information from compromised hosts.
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
Lateral Movement
2 techniques
"CrackMapExec can execute PowerShell commands via WMI," "Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module," and "In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant."
The hassh-based detection guidance quoted under Discovery above also applies to lateral movement attempts.
Command and Control
5 techniques
And if everything works well, we’ll get that beacon communicating to our front end servers.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
The decrypted payload executes regsvr32.exe to download the secondary payload, an SCT file, from one domain. The SCT file then executes a PowerShell encoded command to download a staged Empire agent from a second domain.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Exfiltration
2 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Akira will exfiltrate victim data using applications such as Rclone. APT41 DUST exfiltrated collected information to OneDrive. BoomBox can upload data to dedicated per-victim folders in Dropbox. During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
159 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Post-exploitation framework used by APT28 alongside other implants in targeted intrusions.
Open-source post-exploitation framework referenced as used by Sednit in a 2021 parallel-implant setup (separate infrastructure from Graphite).
A post-exploitation framework noted here for including a dylib hijacker module that can generate a malicious dylib for vulnerable applications.
Empire is a post-exploitation and command and control framework for Windows, supporting PowerShell agents and used for lateral movement, persistence, and data exfiltration.