ZxShell
ZXShell is a closed-source remote access Trojan (RAT), also referred to as SensoCode, used in intrusion campaigns including by Linen Typhoon. Reported capabilities include killing antivirus product processes, clearing system event logs, querying the netsvc group value data in the svchost group Registry key, checking services on the system, creating Registry entries to enable services to run, creating local user accounts, launching port scans, setting up HTTP or SOCKS proxying, capturing screenshots, and providing remote desktop functionality. The malware has been deployed alongside other RATs such as Poison Ivy, including in spear-phishing and watering hole campaigns. It has also been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322. The content associates ZXShell with command-and-control, persistence, defense evasion, reconnaissance, and data exfiltration activity.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Earlier campaigns used legacy Poison Ivy RAT shellcode variants and ZxShell via spear-phishing and watering hole attacks.
...deployment of closed-source remote access Trojans (RATs) such as Poison Ivy and ZxShell...
Linen Typhoon... deploy web shells to maintain persistent access and exfiltrate sensitive data. The group also uses custom backdoors like ZxShell for command and control.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Earlier campaigns used legacy Poison Ivy RAT shellcode variants and ZxShell via spear-phishing and watering hole attacks.
Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity.
Initial Access Vectors: Spear-phishing with weaponized documents...
Execution
1 technique
The content repeatedly describes use of cmd.exe, cmd /c, the Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, and carry out reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Persistence
2 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Privilege Escalation
1 technique
Stealth
2 techniques
“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
Lateral Movement
1 technique
“APT39 has been seen using RDP for lateral movement and persistence… APT41 used RDP for lateral movement… FIN7 has used RDP to move laterally… During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers… Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.”
Collection
1 technique
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
5 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"Aria-body has the ability to use a reverse SOCKS proxy module." / "BADHATCH can use SOCKS4 and SOCKS5 proxies..." / "Neo-reGeorg... establish a SOCKS5 proxy" / "Remcos uses the infected hosts as SOCKS5 proxies"
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
Exfiltration
1 technique
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
Other
2 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
53 sources tracked across advisories, community write-ups, and news.
Backdoor/RAT used in earlier APT-C-01 espionage campaigns for access following phishing and watering hole compromise.
Custom backdoor used by Linen Typhoon for command-and-control and persistent access.
Remote access trojan/backdoor used for remote surveillance, credential theft, and persistent access (as characterized in the content).
Backdoor/RAT malware that kills antivirus product processes on infected systems.