Unwrapping Ursnifs Gifts

MITRE Techniques

• [T1218.005] Mshta – The oneliner launched mshta.exe to create an ActiveX object and read a registry value, effectively feeding the payload: ‘…the oneliner created a new ActiveX object to eval() the content stored in the registry key in the users registry hive.’
• [T1059.001] PowerShell – The payload used PowerShell to create new aliases (gp and iex) and execute content, e.g. ‘PowerShell command created additional aliases of common default PowerShell aliases gp (Get-ItemProperty) and iex (Invoke-Expression).’
• [T1027.004] Compile After Delivery – The Add-Type path invoked csc.exe to compile a class definition during payload execution: ‘the C# compiler csc.exe is invoked by PowerShell to compile this class definition, which results in the creation of temporary files in %APPDATA%LocalTemp.’
• [T1547.001] Registry Run Keys / Startup Folder – Persistence via Run key named ManagerText that executes a LNK to run a PowerShell script.
• [T1055] Process Injection – The attacker injected into various processes and performed shellcode injection: ‘QueueUserAPC, GetCurrentThreadId, OpenThread, and VirtualAlloc to perform process injection of shellcode stored in Base64.’
• [T1021.001] Remote Desktop Protocol – Proxied RDP via the Cobalt Strike beacon to the domain controller and then to other hosts.
• [T1047] Windows Management Instrumentation – wmiexec.py was used to run commands on remote hosts (semi-interactive shell) and to pivot to the domain controller: ‘Impacket wmiexec.py to execute commands with a semi-interactive shell.’
• [T1082] System Information Discovery – Automated discovery using commands like ipconfig and systeminfo: ‘built-in Windows utilities like ipconfig, systeminfo, net, and ping.’
• [T1057] Process Discovery – Discovery of running processes during hands-on keyboard activity; e.g., ‘checking running processes on the accessed hosts via taskmanager.’
• [T1087.002] Domain Account – Use of a Domain Admin-privileged support account observed during the engagement.
• [T1219] Remote Access Software – Atera and Splashtop MSI installers were used in the attack path.
• [T1553.005] Mark-of-the-Web Bypass – The ISO/attachment delivery and execution flow included mechanisms commonly used to bypass how files are treated on arrival (implicit in ISO/LNK execution).
• [T1041] Exfiltration Over C2 Channel – C2 communication and data exfiltration observed via HTTP POSTs/HTTPS beacon activity to C2.
• [T1071.001] Web Protocols – Cobalt Strike beacon and HTTP/S interactions observed (HTTP POSTs and domain lookups to *.top domains).