Mallory | Malware | Used by 1 actor | Exploits 1 CVE

Hildegard

Hildegard is a custom malware associated with TeamTNT and described as a Kubernetes- and container-focused cryptojacking malware. It has been observed targeting containerized and cloud environments, including execution through an unsecured kubelet that allowed anonymous access to the victim environment. Supporting content indicates that exposed Docker APIs, Kubernetes API servers, kubelets, and Kubernetes dashboards are relevant access paths in the types of environments Hildegard targets. Its post-compromise behavior includes searching for SSH keys, private keys in .ssh directories, Docker credentials, and Kubernetes service tokens; using masscan to identify kubelets in internal Kubernetes networks; establishing tmate sessions for command-and-control communications; downloading scripts from GitHub; creating a user named "monerodaemon"; modifying DNS resolvers to evade DNS monitoring tools; using the BOtB tool to exploit CVE-2019-5736; and packing ELF files into other binaries. The content also places Hildegard in the context of compute hijacking and cryptocurrency mining in container environments, where exposed APIs and scalable deployment across multiple containers or clusters can facilitate mining activity.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2019-5736: runC container escape via /proc/self/exe overwrite (Exploited in the wild)

Hildegard has used the BOtB tool which exploits CVE-2019-5736.

via MITRE ATT&CK (attack.mitre.org)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TeamTNT

Additional Resources ... Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 3)

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.

Execution

2 techniques
T1059.004 Unix Shell (Evidence: 1; Tactic: Execution)
T1574.006 Dynamic Linker Hijacking (Evidence: 1)

Persistence

3 techniques
T1136 Create Account (Evidence: 1)

APT3 has been known to create or enable accounts, such as support_388945a0. ... APT5 has created Local Administrator accounts to maintain access. ... DarkGate creates a local user account, SafeMode, via net user commands.

T1136.001 Local Account (Evidence: 1)
T1543.002 Systemd Service (Evidence: 1)

Privilege Escalation

2 techniques
T1068 Exploitation for Privilege Escalation (Evidence: 2)

APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges.

T1543.002 Systemd Service (Evidence: 1)

Stealth

8 techniques
T1014 Rootkit (Evidence: 1; Tactic: Stealth)
T1027 Obfuscated Files or Information (Evidence: 5; Tactic: Stealth)

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

T1027.002 Software Packing (Evidence: 2; Tactic: Stealth)

"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."

T1027.013 Encrypted/Encoded File (Evidence: 2; Tactic: Stealth)

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

T1036.004 Masquerade Task or Service (Evidence: 1; Tactic: Stealth)
T1070.004 File Deletion (Evidence: 5; Tactic: Stealth)

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

T1140 Deobfuscate/Decode Files or Information (Evidence: 3; Tactic: Stealth)

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

T1574.006 Dynamic Linker Hijacking (Evidence: 1)

Credential Access

4 techniques
T1552.001 Credentials In Files (Evidence: 1)

"Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens." / "TeamTNT has searched for unsecured AWS credentials and Docker API credentials." / "...extract credentials from configuration or support files." / "...search for files containing passwords." / "...obtained administrative credentials by browsing through local files..."

T1552.004 Private Keys (Evidence: 2)

Ebury has intercepted unencrypted private keys as well as private key pass-phrases. Hildegard has searched for private keys in .ssh. jRAT can steal keys for VPNs and cryptocurrency wallets. Kinsing has searched for private keys. Machete has scanned and looked for cryptographic keys and certificate file extensions. TeamTNT has searched for unsecured SSH keys. Troll Stealer collects all data in victim .ssh folders by creating a compressed copy that is subsequently exfiltrated.

T1552.005 Cloud Instance Metadata API (Evidence: 1)
T1555 Credentials from Password Stores (Evidence: 1)

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.

Discovery

3 techniques
T1046 Network Service Discovery (Evidence: 3; Tactic: Discovery)

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

T1082 System Information Discovery (Evidence: 5; Tactic: Discovery)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1613 Container and Resource Discovery (Evidence: 1; Tactic: Discovery)

Command and Control

4 techniques
T1071 Application Layer Protocol (Evidence: 1)

Hildegard has established tmate sessions for C2 communications. TeamTNT has established tmate sessions for C2 communications.

T1102 Web Service (Evidence: 1)
T1105 Ingress Tool Transfer (Evidence: 1)

“APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads… EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads… Bumblebee has been downloaded… from OneDrive… Operation Spalax… used OneDrive and MediaFire to host payloads… Raspberry Robin… payloads… on Discord servers.”

T1219 Remote Access Tools (Evidence: 2)

Akira uses legitimate utilities such as AnyDesk and PuTTy for maintaining remote access to victim environments. BlackByte has used tools such as AnyDesk in victim environments. Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.

Impact

2 techniques
T1496 Resource Hijacking (Evidence: 1; Tactic: Impact)

Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for Compute Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency.

T1496.001 Compute Hijacking (Evidence: 1; Tactic: Impact)