
Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)
ID: G0101
Associated Groups: 
Version: 1.1
Created: 11 May 2020
Last Modified: 18 Apr 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Frankenstein has used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.(Citation: Talos Frankenstein June 2019)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR, named "WinUpdate".(Citation: Talos Frankenstein June 2019)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019)

Enterprise T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild

Frankenstein has used MSBuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019)

Enterprise T1204.002 User Execution: Malicious File

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.(Citation: Talos Frankenstein June 2019)

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

Frankenstein has used WMI queries to check if various security applications were running, including VMware and VirtualBox.(Citation: Talos Frankenstein June 2019)
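A defender-side check for the two host behaviours recorded in the table above: a schtasks /Create registering a task named "WinUpdate" (T1053.005) and PowerShell launched with an encoded command (T1059.001). This is an added example written for this page, not code from MITRE ATT&CK, Talos or the SECURITM platform. The process-creation events are constructed for illustration, the (timestamp, host, command line) layout is an assumed export format, and because the page does not preserve the task action after /TR, the sample uses a placeholder path.

```python
"""Added example for the T1053.005 and T1059.001 entries above. Not from the
ATT&CK entry or the Talos report; the event format and the /TR action are
assumptions (the page does not preserve the /TR value)."""
import base64
import re

# Constructed process-creation events as (timestamp, host, command line). The two
# suspicious lines mirror the behaviours described on the page; the /TR action and
# the decoded PowerShell payload are placeholders chosen for illustration.
SAMPLE_EVENTS = [
    ("2019-02-01T09:00:12Z", "WS01",
     'schtasks /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR "C:\\Users\\Public\\placeholder.exe"'),
    ("2019-02-01T09:00:15Z", "WS01",
     "powershell.exe -NoP -W Hidden -EncodedCommand "
     + base64.b64encode("Get-ComputerInfo".encode("utf-16-le")).decode("ascii")),
    ("2019-02-01T09:05:00Z", "WS02",
     'schtasks /Create /SC WEEKLY /TN "Adobe Acrobat Update Task" /TR "C:\\Program Files\\Adobe\\x.exe"'),
    ("2019-02-01T09:06:00Z", "WS02", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or plain for quoted, plain in _TOKEN.findall(cmdline)]


def _image(tokens):
    """Lower-cased file name of the executable token, without its directory."""
    return tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""


def parse_schtasks(tokens):
    """Map schtasks switches (upper-cased, without '/') to their values; bare flags
    map to True. Returns None when the command line is not schtasks at all."""
    if _image(tokens) not in ("schtasks", "schtasks.exe"):
        return None
    switches, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]
                i += 2
                continue
            switches[key] = True
        i += 1
    return switches


def decode_encoded_command(tokens):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None.
    powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    if not _image(tokens).startswith("powershell"):
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        if not tok.startswith(("-", "/")):
            continue
        low = tok.lstrip("-/").lower()
        if low in ("e", "ec") or (len(low) >= 2 and "encodedcommand".startswith(low)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (IndexError, ValueError, UnicodeDecodeError):
                return None  # switch present but no decodable payload follows it
    return None


def classify(cmdline):
    """Return (technique_id, reason) findings for one command line."""
    tokens = tokenize(cmdline)
    findings = []
    switches = parse_schtasks(tokens)
    if switches is not None and "CREATE" in switches:
        task_name = str(switches.get("TN", ""))
        # Task name reported for this campaign, matched case-insensitively.
        if task_name.lower() == "winupdate":
            findings.append(("T1053.005", f"schtasks /Create registering task {task_name!r}"))
    decoded = decode_encoded_command(tokens)
    if decoded is not None:
        findings.append(("T1059.001", f"encoded PowerShell command decodes to {decoded!r}"))
    return findings


def scan(events):
    """Run classify over (timestamp, host, cmdline) events and flatten the findings."""
    return [(ts, host, finding) for ts, host, cmd in events for finding in classify(cmd)]


if __name__ == "__main__":
    for ts, host, (tid, reason) in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {tid}: {reason}")
```

The task-name match is a narrow indicator and will miss a renamed task; the parsed switches are exposed so that broader rules (for example, any /Create whose /TR points into a user-writable directory) can be built on the same parser, and decoding the encoded command gives later rules plaintext to inspect rather than an opaque base64 blob.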

Software

ID: S0363
Name: Empire
References: (Citation: EmPyre), (Citation: GitHub ATTACK Empire), (Citation: Github PowerShell Empire), (Citation: NCSC Joint Report Public Tools), (Citation: PowerShell Empire), (Citation: Talos Frankenstein June 2019)
Techniques: Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
