TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Huntress

Rapid Response: TrickBoot | Huntress

2020-12-02 · Read original ↗

ATT&CK techniques detected

9 predictions
T1542.001System Firmware
90%
“investments. post exploitation : additional malicious modules are downloaded once access is established. this is where the trickboot payload will be loaded to check for firmware vulnerabilities or write capabilities. filtering tools may block access to known downloader c2 locatio…”
T1542.001System Firmware
88%
“? over the past several years, huntress has discovered and remediated over 14, 000 trickbot infections. this experience formed the foundation of our advanced detection capabilities and detailed remediation guidance. between our existing persistent footholds service and our manage…”
T1542.001System Firmware
86%
“of attacks against bios and secure boot - 2017 — have you scanned your bios recently? - 2017 — the uefi firmware rootkits : myths and reality - 2018 — advancing the state of uefi bootkits fact : malware will continue to adapt and resist our defenses, we see this everyday. also fa…”
T1055.001Dynamic-link Library Injection
84%
“##ctechnic ” or “ systemtechgatservice ”. the presence of the rweverything driver “ rwdrv. sys ” may also be an indicator of compromise. on systems prior to windows 10, trickbot stores its. dll modules and configuration files within a random subdirectory in % appdata %. this prov…”
T1542.001System Firmware
82%
“firmware level threats carry unique strategic importance for attackers. by implanting malicious code in firmware, attackers can ensure their code is the first to run. bootkits allow an attacker to control how the operating system is booted or even directly modify the os to gain c…”
T1542.003Bootkit
75%
“firmware level threats carry unique strategic importance for attackers. by implanting malicious code in firmware, attackers can ensure their code is the first to run. bootkits allow an attacker to control how the operating system is booted or even directly modify the os to gain c…”
T1542.001System Firmware
71%
“rapid response : trickboot | huntress the trickbot malware family has sustained its status as a worthy adversary in the world of cybersecurity since 2016. even after a recent campaign aimed at taking down a significant chunk of trickbot ’ s infrastructure by us cyber command in c…”
T1542.003Bootkit
48%
“rapid response : trickboot | huntress the trickbot malware family has sustained its status as a worthy adversary in the world of cybersecurity since 2016. even after a recent campaign aimed at taking down a significant chunk of trickbot ’ s infrastructure by us cyber command in c…”
T1542.003Bootkit
32%
“investments. post exploitation : additional malicious modules are downloaded once access is established. this is where the trickboot payload will be loaded to check for firmware vulnerabilities or write capabilities. filtering tools may block access to known downloader c2 locatio…”

Summary

TrickBot has unleashed yet another module in its growing arsenal specifically targeting firmware vulnerabilities, named TrickBoot.