Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Frankenstein
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Frankenstein
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)
ID: G0101
Associated Groups: 
Version: 1.1
Created: 11 May 2020
Last Modified: 19 Sep 2022

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019)

.003 Command and Scripting Interpreter: Windows Command Shell

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.(Citation: Talos Frankenstein June 2019)

.005 Command and Scripting Interpreter: Visual Basic

Frankenstein has used Word documents that prompts the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named "WinUpdate".(Citation: Talos Frankenstein June 2019)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019)
Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Frankenstein has used MSbuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019)
Enterprise T1204 .002 User Execution: Malicious File

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.(Citation: Talos Frankenstein June 2019)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019)

Software
ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Talos Frankenstein June 2019) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket

References

  1. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.