“(specifically looking for browsers, financial applications, and security products), IP addresses, administrative privileges, etc. This particular payload is essentially the same one we wrote about a while back. In that case, the initial payload was stored in a self-referencin…”
T1059.001 PowerShell (92%)
“.chk, converting the hexadecimal-like values into a PowerShell command which is then executed. These renamed executables serve two purposes: they don’t stand out visually, and if you were to monitor running processes specifically looking for powershell.exe and mshta.exe, yo…”
T1053.005 Scheduled Task (92%)
“Hiding in Plain Sight | Huntress. We recently came across something interesting. What do you think this file is? At first glance, it looks like a log for some application. It has timestamps and includes references to OS 6.2, the internal version number for Windows 8 and Window Se…”
T1053.005 Scheduled Task (92%)
“$(gc 'c:\windows\a.chk' | % { [char][int]($_.split('x')[-1]) }) -join '')\"\"\", 0, true)(window.close)" Upon visual inspection of the command, there is nothing inherently malicious with it (someone with programming experience may…”
T1053.005 Scheduled Task (69%)
“, the task name and description are essentially a copy of another task on the host, BfeOnServiceStartTypeChange, that has the same description with the command %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange. This task is in fact the legitimate one. Go…”
T1105 Ingress Tool Transfer (35%)
“.chk, converting the hexadecimal-like values into a PowerShell command which is then executed. These renamed executables serve two purposes: they don’t stand out visually, and if you were to monitor running processes specifically looking for powershell.exe and mshta.exe, yo…”
Summary
There’s no end to the stealthy ways in which attackers develop and execute their tradecraft. In this case, it's as simple as hiding in plain sight.