Let's Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity

The report analyzes a threat actor’s activity recovered from an openly accessible directory (open dir), profiling their victims and techniques over more than a year. Most of the activity was not financially motivated, though crypto-mining was also observed. The actor relied on open-source tools (sqlmap, ghauri, httpx, nuclei, amass, subfinder) and post-exploitation frameworks (Metasploit, Sliver) to target government, defense, finance, and other critical sectors, with a persistent focus on Indian government entities. #SysrvHello #Sliver

Keypoints

  • The threat actor’s activity spanned over a year and targeted diverse sectors, including government, defense, finance, critical infrastructure, and education.
  • Most activity was not financially motivated, though crypto-mining and finance-site targeting were observed.
  • Open-source tools were used extensively for discovery and exploitation (e.g., sqlmap, ghauri, httpx, nuclei, amass, subfinder).
  • Post-exploitation relied on frameworks like Metasploit and Sliver, including C2/beacon activity and persistence techniques.
  • India’s government and defense contractors were persistently targeted across 2023, with long-running campaigns.
  • The report maps many techniques to MITRE ATT&CK, including active scanning, vulnerability scanning, credential dumping, web shells, scheduled tasks, privilege escalation, and protocol tunneling.

MITRE Techniques

  • [T1595.001] Active Scanning – Scanning IP Blocks – Using httpx to scan ASNs; “Using httpx the threat actor conducted large scale scanning across ASNs. The tool httpx aims to identify web services exposed to the internet and fingerprint what is running behind it.”
  • [T1595.002] Active Scanning – Vulnerability Scanning – “The threat actor used nuclei to conduct scanning and software identification.”
  • [T1595.003] Active Scanning – Wordlist Scanning – “Using subfinder, the threat actor identified the subdomains of their targets before scanning further: subfinder -dL drones -o drone_op -silent”
  • [T1596] Search Open Technical Databases – “The threat actor used the OWASP tool amass to conduct reconnaissance on their targets using open-source databases and APIs.”
  • [T1190] Exploit Public-Facing Application – “SQL Injection – The threat actor used sqlmap (S0225) and ghauri to conduct SQL injections attacks on target hosts.”
  • [T1505.003] Web Shell – “The threat actor uploaded a weevely webshell to: http://.gov.bd/img_upload/user/ddos.php”
  • [T1569.002] Service Execution – “The threat actor used Sliver’s execute-assembly to load SharPersist” to execute a post-exploitation payload.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – “Loaded in the same way as above, SharPersist was used to create a scheduled task to run …”
  • [T1546.004] Unix Shell Configuration Modification – “The threat actor used Sliver to upload modified versions of .bashrc to compromised hosts and set up a coin miner.”
  • [T1548] Abuse Elevation Control Mechanism – Meterpreter’s built-in getsystem command, which tries several techniques to elevate the session to SYSTEM.
  • [T1036.004] Masquerade Task or Service – “Masquerading beacon examples” and “Masquerading service example: sc create winmo …”
  • [T1003.002] OS Credential Dumping: Security Account Manager – Meterpreter commands observed (kiwi extension plus hashdump): load kiwi; creds_all; lsa_dump_sam; lsa_dump_secrets; creds_livessp; hashdump
  • [T1003.003] OS Credential Dumping: NTDS – “ntds.dit” extraction noted in Sliver logs.
  • [T1003.006] OS Credential Dumping: DCSync – “dcsync_ntlm”
  • [T1558.001] Golden Ticket – “golden_ticket_create”
  • [T1552.004] Unsecured Credentials: Private Keys – “Private Keys” discovered/used in targeting and propagation steps.
  • [T1087.001] Account Discovery: Local Account
  • [T1087.002] Account Discovery: Domain Account
  • [T1615] Group Policy Discovery
  • [T1083] File and Directory Discovery
  • [T1069.001] Permission Groups Discovery: Local Groups
  • [T1069.002] Permission Groups Discovery: Domain Groups
  • [T1016] System Network Configuration Discovery
  • [T1082] System Information Discovery
  • [T1033] System Owner/User Discovery
  • [T1059.001] Command and Scripting Interpreter: PowerShell
  • [T1572] Protocol Tunneling – port forwarding and torify usage
  • [T1071.001] Application Layer Protocol: Web Protocols
  • [T1041] Exfiltration Over C2 Channel – observed data exfiltration instances
  • [T1496] Resource Hijacking – “Mining activity with XMR”
  • [T1068] Exploitation for Privilege Escalation – various exploit paths observed
  • [T1090.003] Proxy: Multi-hop Proxy – via torify and SSH proxies
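Two of the persistence and masquerading behaviours mapped above (a service created with `sc create … binPath=` and a scheduled task created with `schtasks /create … /tr`) can be checked from process-creation telemetry without any indicator knowledge. The script below is an added example, not code from the report or from The DFIR Report: the `sc`/`schtasks` syntax is real, but the hosts, users, service names and paths in the sample records are constructed, and the list of trusted directories is an assumption to tune per environment.

```python
"""Added example (not from the report): behavioural checks for service and
scheduled-task persistence pointing at untrusted paths, plus a system-binary
name (e.g. svchost.exe) executing outside a trusted directory.  Sample events
are constructed; hosts, users and paths are invented."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    host: str
    user: str
    cmdline: str


# Directories where a service binary or task action is normally expected
# (assumption; extend for your environment).  Anything else, e.g. user
# profiles or C:\Users\Public, is treated as suspect.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Binary names commonly borrowed by beacons; the report lists svchost.exe.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}

# sc create <name> ... binPath= "<path>"   (sc syntax has a space after '=')
SERVICE_RE = re.compile(
    r'^sc(?:\.exe)?\s+create\s+(\S+)\s.*?binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
# schtasks /create ... /tr "<path>"
TASK_RE = re.compile(
    r'^schtasks(?:\.exe)?\s+/create\s.*?/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def is_trusted_path(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(TRUSTED_PREFIXES)


def image_of(cmdline: str) -> str:
    """Return the executable at the front of a command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(maxsplit=1)[0] if cmdline else ""


def check_event(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (technique, detail) findings for one process-creation record."""
    findings = []
    m = SERVICE_RE.match(ev.cmdline)
    if m:
        binpath = m.group(2) or m.group(3)
        if not is_trusted_path(binpath):
            findings.append(("T1036.004", f"service {m.group(1)} points at {binpath}"))
    m = TASK_RE.match(ev.cmdline)
    if m:
        action = m.group(1) or m.group(2)
        if not is_trusted_path(action):
            findings.append(("T1053.005", f"scheduled task runs {action}"))
    image = image_of(ev.cmdline)
    if image.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARY_NAMES and not is_trusted_path(image):
        findings.append(("T1036", f"system binary name outside trusted path: {image}"))
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """(host, technique, detail) for every finding across all events."""
    return [(ev.host, tech, detail) for ev in events for tech, detail in check_event(ev)]


# Constructed sample records (hypothetical; not taken from the report).
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\jdoe",
              'sc create wuauservx binPath= "C:\\Users\\Public\\svchost.exe" start= auto'),
    ProcEvent("WS01", "NT AUTHORITY\\SYSTEM",
              'sc create BackupAgent binPath= "C:\\Program Files\\Backup\\agent.exe"'),
    ProcEvent("WS02", "CORP\\jdoe",
              'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe"'),
    ProcEvent("WS02", "CORP\\admin",
              'schtasks /create /sc daily /tn Cleanup /tr "C:\\Windows\\System32\\cleanmgr.exe"'),
    ProcEvent("WS03", "CORP\\jdoe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcEvent("WS03", "CORP\\jdoe", "C:\\Users\\Public\\svchost.exe"),
]

if __name__ == "__main__":
    for host, tech, detail in scan(SAMPLE_EVENTS):
        print(f"{host} {tech} {detail}")
```

The path check is deliberately prefix-based rather than name-based: the legitimate `svchost.exe` runs constantly, so a name match alone would be noise, while a service or task whose action lives under a user-writable directory is rare on a managed host and worth a ticket regardless of the file name.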

Indicators of Compromise

  • [IP] context – 192.169.6.122, 45.56.162.100, 166.62.10.138, 146.88.26.221, 202.70.80.119, 103.248.61.184
  • [Domain] context – smilevolume.com, apicalls.net
  • [File hash] context – MD5: 0c5ede28df39341763d16961a118625d, 7309c37c81beb399085e5c1513e02c2e
  • [File] context – svchost.exe, xmrig
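The network and hash indicators above are the kind that can be swept mechanically across DNS, connection and file-hash telemetry. The script below is an added example and not code from the report: the indicator values are the ones listed on this page, while the log format, timestamps, internal hosts and non-matching records are constructed. It matches domains label by label (the IOC itself or a subdomain of it) rather than by substring, normalises IP literals, and compares hashes case-insensitively.

```python
"""Added example (not from the report): sweep constructed DNS, connection and
file-hash records for the IP, domain and MD5 indicators listed above.  The
'<ts> <type> k=v ...' record format is invented for this example."""
from ipaddress import ip_address

IOC_IPS = {
    "192.169.6.122", "45.56.162.100", "166.62.10.138",
    "146.88.26.221", "202.70.80.119", "103.248.61.184",
}
IOC_DOMAINS = {"smilevolume.com", "apicalls.net"}
IOC_MD5 = {"0c5ede28df39341763d16961a118625d", "7309c37c81beb399085e5c1513e02c2e"}


def normalize_domain(name: str) -> str:
    """Drop the trailing dot of an FQDN and lowercase it."""
    return name.rstrip(".").lower()


def domain_matches(name: str, ioc: str) -> bool:
    """Label-aware match: the name is the IOC or a subdomain of it.
    A plain substring test would also fire on e.g. notapicalls.net."""
    name = normalize_domain(name)
    return name == ioc or name.endswith("." + ioc)


def parse_record(line: str) -> tuple[str, dict]:
    """'<ts> <type> k=v k=v ...' -> (type, fields).  Constructed format;
    values are assumed to contain no whitespace."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return kind, fields


def match_record(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, indicator) hits for one record."""
    kind, f = parse_record(line)
    hits = []
    if kind == "dns":
        hits += [("domain", d) for d in IOC_DOMAINS if domain_matches(f["query"], d)]
    elif kind == "conn":
        for side in ("src", "dst"):
            try:
                ip = str(ip_address(f[side]))  # canonical form, IPv4 or IPv6
            except (KeyError, ValueError):
                continue
            if ip in IOC_IPS:
                hits.append(("ip", ip))
    elif kind == "file":
        h = f.get("md5", "").lower()
        if h in IOC_MD5:
            hits.append(("md5", h))
    return hits


def sweep(lines: list[str]) -> list[tuple[str, str, str]]:
    """(timestamp, indicator_type, indicator) for every hit in the log."""
    return [(parse_record(l)[1]["ts"], t, i) for l in lines for t, i in match_record(l)]


# Constructed sample log (hypothetical internal hosts; only the IOC values are real).
SAMPLE_LOG = [
    "2023-11-02T10:15:01Z dns client=10.0.0.5 query=api.smilevolume.com. type=A",
    "2023-11-02T10:15:03Z conn src=10.0.0.5 dst=45.56.162.100 dport=443 proto=tcp",
    "2023-11-02T10:16:10Z file host=WS01 path=C:\\Users\\Public\\svchost.exe md5=0C5EDE28DF39341763D16961A118625D",
    "2023-11-02T10:17:00Z dns client=10.0.0.7 query=notapicalls.net. type=A",
    "2023-11-02T10:18:00Z conn src=10.0.0.7 dst=192.169.6.122 dport=22 proto=tcp",
    "2023-11-02T10:19:00Z file host=WS02 path=C:\\Windows\\System32\\svchost.exe md5=ffffffffffffffffffffffffffffffff",
]

if __name__ == "__main__":
    for ts, kind, value in sweep(SAMPLE_LOG):
        print(f"{ts} {kind} {value}")
```

The two file-name indicators (svchost.exe, xmrig) are intentionally not matched by name here: the real svchost.exe is present on every Windows host, so a name hit says nothing on its own. Treat them as context and pivot on the hashes, on the path the file runs from, or on the mining-related network activity instead.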

Read more: https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/