Frankenstein was described by security researchers as a highly targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors relied primarily on open-source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | During Frankenstein, the threat actors used WMI queries to check whether various security applications were running, as well as to determine the operating system version.[1] |
| Enterprise | T1005 | Data from Local System | During Frankenstein, the threat actors used Empire to gather various local system information.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1] |
| Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | During Frankenstein, the threat actors used MSBuild to execute an actor-created file.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Frankenstein, the threat actors used HTTP GET requests for C2.[1] |
| Enterprise | T1221 | Template Injection | During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | During Frankenstein, the threat actors ran encoded commands from the command line.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | During Frankenstein, the threat actors relied on a victim to enable macros within a malicious Microsoft Word document likely sent via email.[1] |
| Enterprise | T1082 | System Information Discovery | During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.[1] |
| Enterprise | T1119 | Automated Collection | During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information.[1] |
| Enterprise | T1020 | Automated Exfiltration | During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For Frankenstein, the threat actors obtained and used Empire.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | During Frankenstein, the threat actors used a script that ran WMI queries to check whether a VM or sandbox was running, including VMware and VirtualBox. The script also called WMI to determine the number of cores allocated to the system; if fewer than two, the script stopped execution.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | During Frankenstein, the threat actors used WMI queries to determine whether analysis tools were running on a compromised system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[1] |
| Enterprise | T1057 | Process Discovery | During Frankenstein, the threat actors used Empire to obtain a list of all running processes.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During Frankenstein, the threat actors likely used spearphishing emails to send malicious Microsoft Word documents.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During Frankenstein, the threat actors established persistence through a scheduled task using the command: |
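Several of the techniques listed above leave a recognisable trace on a single process command line: a Base64 `-EncodedCommand` payload (T1027.010 / T1140), WMI queries paired with VM vendor strings or a processor core count (T1497.001), WMI enumeration of security products (T1518.001), and creation of a scheduled task named "WinUpdate" (T1053.005 / T1036.004). The following Python script is an added detection example written for this page; it is not code from the campaign, from the cited report, or from MITRE. It assumes the input is one command line per process-creation event (for example the CommandLine field of a Windows 4688 or Sysmon Event ID 1 record), decodes any `-EncodedCommand` payload before matching so that the WMI checks are caught even when they are hidden inside the Base64 blob, and runs over a handful of constructed sample events, including two benign ones that must not fire.

```python
import base64
import re
from dataclasses import dataclass

# Assumed input format: one command line per process-creation event (e.g. the CommandLine
# field of Windows 4688 / Sysmon Event ID 1). The events below are constructed for this
# demonstration and are not taken from the campaign report.


def _as_encoded_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    # 1: encoded PowerShell probing the system manufacturer for VM vendor strings
    (1, "powershell.exe -NoP -W Hidden -enc " + _as_encoded_command(
        "Get-WmiObject Win32_ComputerSystem | Where-Object { $_.Manufacturer -match 'VMware|VirtualBox' }")),
    # 2: encoded PowerShell that bails out on a machine with fewer than two cores
    (2, "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + _as_encoded_command(
        "$c = (Get-WmiObject Win32_Processor).NumberOfCores; if ($c -lt 2) { exit }")),
    # 3: scheduled task created under the masquerading name WinUpdate
    (3, r'schtasks.exe /Create /SC ONLOGON /TN WinUpdate /TR "C:\Users\Public\update.cmd"'),
    # 4: WMI enumeration of registered antivirus products
    (4, r"wmic.exe /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    # 5 and 6: benign activity that must produce no finding
    (5, r"powershell.exe -File C:\scripts\inventory.ps1"),
    (6, r"schtasks.exe /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag"),
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    technique: str   # ATT&CK technique ID the indicator maps to
    reason: str


ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]{16,})", re.I)
WMI_RE = re.compile(r"Get-WmiObject|Get-CimInstance|\bgwmi\b|\bwmic(?:\.exe)?\b|Win32_|SecurityCenter2", re.I)
VM_STRINGS_RE = re.compile(r"vmware|virtualbox|vbox", re.I)
CORE_COUNT_RE = re.compile(r"NumberOf(?:Cores|LogicalProcessors)", re.I)
AV_PRODUCT_RE = re.compile(r"AntiVirusProduct|AntiSpywareProduct|FirewallProduct", re.I)
TASK_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/tn\s+\"?WinUpdate\"?", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def scan_command_line(event_id: int, cmdline: str) -> list:
    """Map one command line to zero or more technique findings."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(Finding(event_id, "T1027.010", "Base64 -EncodedCommand payload (decoded for inspection)"))
    # Match against the visible command line plus the decoded payload, so checks hidden
    # behind the encoding are still seen (the decoding step is the T1140 counterpart).
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if WMI_RE.search(text):
        if VM_STRINGS_RE.search(text):
            findings.append(Finding(event_id, "T1497.001", "WMI query paired with VM vendor strings"))
        if CORE_COUNT_RE.search(text):
            findings.append(Finding(event_id, "T1497.001", "WMI processor core-count check"))
        if AV_PRODUCT_RE.search(text):
            findings.append(Finding(event_id, "T1518.001", "WMI enumeration of security products"))
    if TASK_CREATE_RE.search(text):
        findings.append(Finding(event_id, "T1053.005", "scheduled task created with the name WinUpdate"))
    return findings


def analyze(events=SAMPLE_EVENTS) -> list:
    """Run the scanner over a list of (event_id, command_line) tuples."""
    return [f for eid, cmd in events for f in scan_command_line(eid, cmd)]


if __name__ == "__main__":
    for f in analyze():
        print(f"event {f.event_id}: {f.technique} - {f.reason}")
```

On the constructed sample set the scanner yields six findings: two each for the encoded VM-vendor and core-count probes (the encoding itself plus the WMI check it hides), one for the WinUpdate task creation, one for the antivirus enumeration, and none for the two benign events. Decoding before matching is the important design choice: matching only the raw command line would miss events 1 and 2 entirely.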
| ID | Name | Description |
|---|---|---|
| S0363 | Empire | During Frankenstein, the threat actors used Empire for discovery.[1] |