TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Netscaler Exploitation to Social Engineering | Huntress

2023-09-26 · Read original ↗

ATT&CK techniques detected

21 predictions
T1059.001 PowerShell · 99%
“…a35b83ce9a216298779c62 - Name: ctxheaderlogin.php - Description: Web shell component - Indicator: 886f3add934cb8e348dcfac78d9e0e50d6d760d065352bc8026529a6bb233279 - Name: netscaler.php - Description: Credential harvesting web shell component. Shell commands of interest t…”
T1059.001 PowerShell · 98%
“…lous PowerShell activity such as: wmic /node:[redacted] process call create \"cmd /c powershell.exe -nop -ep bypass -c c:\\windows\\temp\\esd.ps1 622ddc28910eb5482c0ed8b01b10270a20c25206-fbf201cb-s\" When identified, PowerShell scripts were typical…”
T1059.001 PowerShell · 97%
“perspective, such convergence offers opportunities in that adversaries are placing most (if not all) of their proverbial “eggs” in a few, known baskets. Through continuous striving to improve visibility, map our environments, and profile legitimate use of certain tools and te…”
T1059.001 PowerShell · 97%
“bypass -c c:\\windows\\temp\\[three-character name].ps1 [likely RC4 key string] While the above have some overlap with legitimate administrator and programmatic activity, identifying the context in which these items run — such as anomalous parent processes or un…”
T1574.001 DLL · 97%
“…eeefd5d866ca2285da2a7387c544250d6978bab621c2a80b95946712 - Name: citfix29.zip - Description: Password-protected ZIP archive containing LNK and other objects. - Indicator: 06de42d666b3ae548719778445162ddebaa5267b96ceaf5b8c38ed78ead8a148 - Name: version.dll - Description …”
T1190 Exploit Public-Facing Application · 97%
“significant shortly. Overall, Huntress identified evidence of compromise based on multiple examples of the above commands and behaviors. However, at the time of initial discovery, it was not clear whether this activity aligned with any known threat activity or historical actions.…”
T1053.005 Scheduled Task · 96%
“…fca6f - Name: dllhost.exe - Description: Renamed Sysinternals contig.exe tool. - Indicator: f4dbed01049e169189867713d33c24a4f07954f1c1fdd3bce08afb5aeed38804 - Name: spaceagenttaskmgrlld - Description: “Space Agent” persistence item created as scheduled task. - Indicato…”
T1059.001 PowerShell · 88%
“significant shortly. Overall, Huntress identified evidence of compromise based on multiple examples of the above commands and behaviors. However, at the time of initial discovery, it was not clear whether this activity aligned with any known threat activity or historical actions.…”
T1505.003 Web Shell · 80%
“focus in a CISA-issued alert. Multiple identified victims were running vulnerable Netscaler equipment at the time of initial access. Based on intrusion information, Huntress identified two web shell items. First, the following one-liner at /vpn/themes/imgs/ctxheaderlog…”
T1059.001 PowerShell · 79%
“…r.ps1 script. - Indicator: 3742b9cb7a7e664dbeb4f3b7d350a22bbd008f7698db8679a0764b7bab983025 - Name: N/A - Description: Embedded DLL in shr.ps1 script. - Indicator: 91.236.230[.]111 - Name: N/A - Description: Remote resource hosting next-stage content for comp…”
T1053.005 Scheduled Task · 74%
“…e" /comment:"defaultservice" net localgroup "administrators" defaultservice /add "c:\windows\system32\rundll32.exe" c:\perflogs\ch.dll,start "c:\windows\system32\schtasks.exe" /create /sc onstart /tn \microsoft\windows\spaceport\spa…”
T1190 Exploit Public-Facing Application · 71%
“focus in a CISA-issued alert. Multiple identified victims were running vulnerable Netscaler equipment at the time of initial access. Based on intrusion information, Huntress identified two web shell items. First, the following one-liner at /vpn/themes/imgs/ctxheaderlog…”
T1598 Phishing for Information · 64%
“Netscaler Exploitation to Social Engineering | Huntress The following write-up and analysis is thanks to Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik. Background Huntress periodically performs reviews of identified incidents for pattern analysis,…”
T1204.002 Malicious File · 59%
“the Sysinternals AD Explorer tool for gathering Active Directory information, with a process lineage that suggests user interaction via an LNK object. The execution is paired with the use of the Windows msg command, including content (in Dutch) communicating the successful appl…”
T1204.002 Malicious File · 58%
“social media remarks from Sophos. But further review, such as the ZIP to LNK object observation, indicates different tradecraft (even if echoing similar themes) from this observation. Even though subsequent actions appear similar, differences in observations and advances in tim…”
T1204.002 Malicious File · 57%
“. With persistent access, the threat actor can continuously gather and exfiltrate user login credentials to enable alternative routes to victim networks. While exploitation may define many of these potential intrusions, two clear outliers existed for initial access activity. The …”
T1055.001 Dynamic-link Library Injection · 51%
“exe 16df573d-988d-4f48-9bae-66fb6a32f821 f821 Given the available information, the observed behavior represents DLL search order hijacking or sideloading attempts, as seen in examples ranging from state-sponsored threat actor NOBELIUM’s FoggyWeb backdoor installation …”
T1055.001 Dynamic-link Library Injection · 47%
“mechanisms for initial network access, as seen in the MGM ransomware case, the described activity is both concerning and representative of new trends in adversary activity to compromise victim organizations. Fortunately, as noted earlier in this discussion, Huntress has been unab…”
T1059.003 Windows Command Shell · 40%
“-standard means to induce victim personnel to interact with malicious resources. Initial Intrusion Signs Huntress engages in periodic threat hunting across monitored endpoints for signs of malicious (or suspicious) activity not previously identified through existing detections…”
T1589 Gather Victim Identity Information · 38%
“Netscaler Exploitation to Social Engineering | Huntress The following write-up and analysis is thanks to Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik. Background Huntress periodically performs reviews of identified incidents for pattern analysis,…”
T1505.004 IIS Components · 32%
“exe 16df573d-988d-4f48-9bae-66fb6a32f821 f821 Given the available information, the observed behavior represents DLL search order hijacking or sideloading attempts, as seen in examples ranging from state-sponsored threat actor NOBELIUM’s FoggyWeb backdoor installation …”

Summary

The following is an analysis by the Huntress team of several recent intrusions connected to Netscaler exploitation.