MITRE ATT&CK - Преступная группа Frankenstein

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)

ID: G0101

Associated Groups:

Version: 1.1

Created: 11 May 2020

Last Modified: 19 Sep 2022

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019)
		.003	Command and Scripting Interpreter: Windows Command Shell	Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.(Citation: Talos Frankenstein June 2019)
		.005	Command and Scripting Interpreter: Visual Basic	Frankenstein has used Word documents that prompts the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Frankenstein has established persistence through a scheduled task using the command: `/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR` , named "WinUpdate".(Citation: Talos Frankenstein June 2019)
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019)
Enterprise	T1127	.001	Trusted Developer Utilities Proxy Execution: MSBuild	Frankenstein has used MSbuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019)
Enterprise	T1204	.002	User Execution: Malicious File	Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.(Citation: Talos Frankenstein June 2019)
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019)

ID	Name	References	Techniques
Software
S0363	Empire	(Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Talos Frankenstein June 2019)	Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket

References

Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Frankenstein

Associated Group Descriptions

Techniques Used

Software

References