TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Bullseye: A Story of a Targeted Cyberattack | Huntress

2021-08-24

ATT&CK techniques detected

19 predictions
T1059.001 PowerShell · 100%
“further analysis. It seems that the listening beacon was no longer active — and we can now explore why we say that. This final stage of PowerShell code is a bit lengthy, so for brevity’s sake it is accessible in this gist and we will share a snippet in the screenshot below. The…”
T1059.001 PowerShell · 99%
“a new endpoint, “/login/product.php”.... However, the name “product” was the name of the real software solution that this organization actually used. Again, this information is redacted for customer confidentiality. The latter half of the PowerShell code looks to prepare…”
T1059.001 PowerShell · 98%
“and tab indentation after opening logic blocks (i.e., a curly brace { ) - adding whitespace and newlines for easier visual flow. With that complete, we now have a much more readable PowerShell script that we can begin to understand. The first thing the PowerShell code does is de…”
T1055.001 Dynamic-link Library Injection · 98%
“] type casting. Watching how this plays out, we see the code... - load the amsi.dll library into a variable with LoadLibrary - find the AmsiScanBuffer function with GetProcAddress - make the memory space of AmsiScanBuffer writable with VirtualProtect. Finally, some new unique…”
T1059.001 PowerShell · 98%
“. This domain — and the malicious code itself — would make repeated reference to one specific product or legitimate software solution that this company really used in their technology stack. Considering this seemed to be inside information for the organization, it is clear the ha…”
T1059.001 PowerShell · 97%
“I found that a lot of generated PowerShell payloads were not successful in bypassing AMSI, but this specific technique (using a C# stub to load in the Win32 API calls) was successful. You can see the effect of this in the live demonstration video below. What happens next? So f…”
T1059.001 PowerShell · 95%
“real organization - masquerades as a legitimate vendor solution, a product the target organization actually uses. After we unravel each stage of the malware and put the puzzle pieces together, we find that this prepares command-and-control functionality with an Empire beacon —…”
T1059.001 PowerShell · 95%
“Bullseye: A Story of a Targeted Cyberattack | Huntress. At Huntress, we work to understand hackers’ nefarious activities and analyze a lot of malware. And I mean, a lot of malware. At the time of writing, the Huntress ThreatOps team has responded to and sent incident reports for…”
T1053.005 Scheduled Task · 95%
“present in this file location: c:\windows\system32\tasks\microsoft\windows\enterprisemgmt\ltsvc. The scheduled task looked to be invoking PowerShell. When we see PowerShell being started by an autorun, we take extra precaution because sometimes the code could be a…”
T1053.005 Scheduled Task · 94%
“…rk in the environment however long they would like to, and then easily get back to compromising the target. But truthfully, this is a double-edged sword… Persistence mechanisms, by nature, have to be persistent. That means they remain on the computer somehow, someway, and th…”
T1055.001 Dynamic-link Library Injection · 94%
“) Following these, we see a very large blob of base64 encoded data. There is one unique telltale here, as the beginning characters are “TVqQ”... This is one rendition of how an executable Windows binary might look when base64 encoded! Carving out and decoding that first blob of…”
T1059.001 PowerShell · 92%
“Invoke-Expression will execute and evaluate the data passed in as real PowerShell code. It is the equivalent of an “eval” statement in other languages, where the raw string supplied will then be invoked and run as a new part of the program. Invoke-Expression is often seen a…”
T1059.001 PowerShell · 91%
“present in this file location: c:\windows\system32\tasks\microsoft\windows\enterprisemgmt\ltsvc. The scheduled task looked to be invoking PowerShell. When we see PowerShell being started by an autorun, we take extra precaution because sometimes the code could be a…”
T1055.001 Dynamic-link Library Injection · 90%
“stub, loading in and importing those same three functions from kernel32.dll. This class is named asbbapi, and we can keep that in mind, as we may certainly see that as we continue on through the PowerShell code. What this means is that the first base64 blob is this compiled DLL,…”
T1059.001 PowerShell · 64%
“one line, but there don’t seem to be any tricks used to “obfuscate” or hide segments of the code… It just needs to be cleaned. The process of “cleaning” to look more readable is often called “beautifying” or “prettifying.” Doing this manually can be time-consuming an…”
T1620 Reflective Code Loading · 45%
“stub, loading in and importing those same three functions from kernel32.dll. This class is named asbbapi, and we can keep that in mind, as we may certainly see that as we continue on through the PowerShell code. What this means is that the first base64 blob is this compiled DLL,…”
T1059.001 PowerShell · 39%
“…Antimalware Scan Interface.” It is a security mechanism put in place within modern versions of the Windows operating system that looks for nefarious or malicious code within .NET assemblies, PowerShell code or other native languages. Essentially, before a line of code is executed,…”
T1564.003 Hidden Window · 36%
“Invoke-Expression will execute and evaluate the data passed in as real PowerShell code. It is the equivalent of an “eval” statement in other languages, where the raw string supplied will then be invoked and run as a new part of the program. Invoke-Expression is often seen a…”
T1053 Scheduled Task/Job · 35%
“…rk in the environment however long they would like to, and then easily get back to compromising the target. But truthfully, this is a double-edged sword… Persistence mechanisms, by nature, have to be persistent. That means they remain on the computer somehow, someway, and th…”

Summary

Dive into a cyber threat analysis that details a sneaky enabler of a targeted cyberattack: persistence.