Frankenstein
Associated Group Descriptions

| Name | Description |
|---|---|

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Frankenstein has used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Frankenstein has established persistence through a scheduled task using the command: |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Frankenstein has used MSBuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1204.002 | User Execution: Malicious File | Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.(Citation: Talos Frankenstein June 2019) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Frankenstein has used WMI queries to check if various security applications were running, including VMware and VirtualBox.(Citation: Talos Frankenstein June 2019) |