Exploring Splinter: An Introduction to a New Post-Exploitation Red Team Tool

Splinter is a newly discovered post-exploitation red team tool found on customer systems using Advanced WildFire’s memory scanning tools. Built in Rust, it includes standard post-exploitation capabilities and is a potential risk if misused, with Palo Alto Networks offering enhanced protection across its security portfolio. #Splinter #Rust #AdvancedWildFire #CortexXDR #Unit42 #CyberThreatAlliance

Key points

  • Discovery of a new post-exploitation tool named Splinter.
  • Identified on customer systems using Advanced WildFire’s memory scanning tools.
  • Splinter is developed in Rust and has a large executable size due to external libraries.
  • Standard post-exploitation features include command execution, file upload/download, and self-deletion.
  • Communication with the C2 server is encrypted using HTTPS.
  • Palo Alto Networks enhances protection through Advanced WildFire, Cortex XDR, and Behavioral Threat Protection.
  • Importance of continuous monitoring and detection of red team tools to prevent misuse.

MITRE Techniques

  • [T1059.003] Windows Command Shell – Execute a Windows command – “Execute a Windows command”
  • [T1055] Process Injection – Remote process injection to run additional modules – “the classic process injection method as an option for running additional modules.”
  • [T1041] Exfiltration Over C2 Channel – Upload a file from the victim’s system to the attacker’s server – “Upload a file from the victim’s system to the attacker’s server”
  • [T1105] Ingress Tool Transfer – Drop a file from the attacker’s server to the victim’s system – “Drop a file from the attacker’s server to the victim’s system”
  • [T1552] Credential Access – Gather information from a certain cloud service account – “Gather information from a certain cloud service account”
  • [T1485] Impact – Self-delete – “Self-delete”

Indicators of Compromise

  • [Hash] SHA-256 – 1962cef10cf737300d04a23139122abcc8e8803e54dfcb63054140fbe549bed0
  • [IP Address] 192.168.5.151 – C2 server address used in the implant configuration sample
  • [Port] 28069 – C2 server port
  • [File name] PDB path – implant_exe.pdb, implant_dll.pdb
  • [URL] C2 task endpoints – /implant/task_created_events, /implant/task_completed_events
  • [URL] Heartbeat endpoint – /implant/heartbeat
  • [Credential] c2_user – BrqUjhYhvRwkKpyQZZKf
  • [Credential] c2_password – JjAxsdEPZqRJuFebHyKQ
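The indicators above are mostly network-visible (C2 endpoint paths, the C2 port and the sample C2 address), so a practical defender use of this summary is to match them against proxy or web-server access logs. The script below is an added example written for this page; it is not code from Unit 42 or from the Splinter tool. It takes the indicator values verbatim from the list above, and every log line it scans is constructed for illustration (the access-log layout is an assumed common-log-format style, not a format the page documents).

```python
"""Added example (not from the Unit 42 post): flag access-log lines that
touch the Splinter C2 indicators listed in the summary above.

Indicator values (endpoint paths, port, sample C2 address) are copied from
the page; all log lines are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the summary.
C2_PATHS = (
    "/implant/task_created_events",
    "/implant/task_completed_events",
    "/implant/heartbeat",
)
C2_PORT = 28069
SAMPLE_C2_IP = "192.168.5.151"  # from the implant configuration sample, not a live host

# Assumed common-log-format style line: client - - [ts] "METHOD url PROTO" status
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Absolute URL as seen in forward-proxy logs; origin logs carry only the path.
_ABS_URL_RE = re.compile(
    r'^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$'
)


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line matches any Splinter indicator, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    url = m.group("url")
    host, port, path = None, None, url
    abs_m = _ABS_URL_RE.match(url)
    if abs_m:
        host = abs_m.group("host")
        port = int(abs_m.group("port")) if abs_m.group("port") else None
        path = abs_m.group("path") or "/"
    path = path.split("?", 1)[0]  # compare the path without its query string

    reasons = []
    if path in C2_PATHS:
        reasons.append(f"known Splinter C2 endpoint {path}")
    if port == C2_PORT:
        reasons.append(f"C2 port {C2_PORT}")
    if host == SAMPLE_C2_IP:
        reasons.append(f"sample C2 address {SAMPLE_C2_IP}")
    if not reasons:
        return None
    return Hit(m.group("client"), url, "; ".join(reasons))


def scan(lines) -> List[Hit]:
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET https://example.com/index.html HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST https://192.168.5.151:28069/implant/heartbeat HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "POST /implant/task_completed_events?id=3 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET https://cdn.example.org:443/app.js HTTP/1.1" 304',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.url}: {hit.reason}")
```

The path match is the most durable of the three checks: the port and the 192.168.5.151 address come from one configuration sample and will differ between deployments, so a hit on those alone should be treated as lower confidence than a hit on the `/implant/...` endpoints.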

Read more: https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/