Meteor

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Multiple actors and malware are described as concealing execution by spawning PowerShell/console windows with parameters like "-WindowStyle Hidden" / "-W Hidden" / "ProcessWindowStyle.Hidden" or via APIs such as ShowWindow, CreateNoWindow, and CREATE_NO_WINDOW.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Research from cybersecurity company SentinelOne revealed that Iran’s train station system was targeted with malware specifically built to delete data (file wiper) called Meteor that had not been seen before.

Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'

"Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender," "StrongPity can use PowerShell to add files to the Windows Defender exclusions list," and "ZeroCleare can use a malicious PowerShell script to bypass Windows controls."

Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.

BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'