FoggyWeb
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.(Citation: MSTIC FoggyWeb September 2021) |
Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
FoggyWeb can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class.(Citation: MSTIC FoggyWeb September 2021) |
.003 | Archive Collected Data: Archive via Custom Method |
FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, FoggyWeb can encode C2 command output within a legitimate WebP file.(Citation: MSTIC FoggyWeb September 2021) |
||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.(Citation: MSTIC FoggyWeb September 2021) |
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file.(Citation: MSTIC FoggyWeb September 2021) |
Enterprise | T1027 | .004 | Obfuscated Files or Information: Compile After Delivery |
FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.(Citation: MSTIC FoggyWeb September 2021) |
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
FoggyWeb has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021) |
||
Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.