UNC4393 Goes Gently into the SILENTNIGHT, UNC4393 Goes Gently into the SILENTNIGHT

MITRE Techniques

• [T1566] Phishing – Initial access via phishing emails delivering QAKBOT payloads. Quote: “Phishing: Technique ID: T1566”
• [T1059] Command-Line Interface – Execution via command-line to run or drop payloads. Quote: “Command-Line Interface: Technique ID: T1059”
• [T1203] Malicious File – Execution by dropping or executing a malicious file. Quote: “Malicious File: Technique ID: T1203”
• [T1547] Registry Run Keys / Startup Folder – Persistence by registry-based startup execution. Quote: “Registry Run Keys / Startup Folder: Technique ID: T1547”
• [T1203] Exploitation for Client Execution – Privilege escalation through exploitation techniques. Quote: “Exploitation for Client Execution: Technique ID: T1203”
• [T1027] Obfuscated Files or Information – Defense evasion via obfuscated components. Quote: “Obfuscated Files or Information: Technique ID: T1027”
• [T1003] Credential Dumping – Credential access via credential dumping. Quote: “Credential Dumping: Technique ID: T1003”
• [T1046] Network Service Scanning – Discovery by scanning network services. Quote: “Network Service Scanning: Technique ID: T1046”
• [T1021] Remote Services – Lateral movement via remote services (e.g., SMB, RDP). Quote: “Remote Services: Technique ID: T1021”
• [T1213] Data from Information Repositories – Data collection from information repositories. Quote: “Data from Information Repositories: Technique ID: T1213”
• [T1041] Exfiltration Over C2 Channel – Exfiltration conducted over C2 channel. Quote: “Exfiltration Over Command and Control Channel: Technique ID: T1041”
• [T1486] Data Encrypted for Impact – Data encryption for impact as part of ransomware. Quote: “Data Encrypted for Impact: Technique ID: T1486”
• [T1071.004] Application Layer Protocol: DNS – DNS-based C2 beacons and malleable profiles. Quote: “DNS beacons and listeners can be customized… Malleable C2 profiles.”