FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[1]

ID: S1120
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 08 March 2024
Last Modified: 08 March 2024

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

FRAMESTING can decompress data received within POST requests.[1]

Enterprise T1059.006 Command and Scripting Interpreter: Python

FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

FRAMESTING can retrieve C2 commands from values stored in the DSID cookie from the current HTTP request or from decompressed zlib data within the request's POST data.[1]

Enterprise T1001 Data Obfuscation

FRAMESTING can send and receive zlib compressed data within POST requests.[1]

Enterprise T1001.003 Data Obfuscation: Protocol or Service Impersonation

FRAMESTING uses a cookie named DSID to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.[1]

Enterprise T1505.003 Server Software Component: Web Shell

FRAMESTING is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Secure VPNs.[1]

Campaigns

ID Name Description
C0029 Cutting Edge [1]

References