Egregor
Egregor is a ransomware family active in 2020-2021 and used in double-extortion intrusions. Public reporting links it to attacks against organizations including the game developer Crytek, and Egregor actors claimed to have leaked files stolen from Ubisoft's network in 2020, a claim Ubisoft did not confirm. Egregor was also used by the Lockean ransomware affiliate group in attacks against at least some French companies between June 2020 and March 2021, and Microsoft reporting cited DEV-0216 as an affiliate that operated with Egregor as well as Maze, LockBit, REvil, and Conti. Reporting also associates Egregor operations with Twisted Spider (Maze and Egregor) activity and notes collaboration involving TA551 and Qbot/QakBot-infected devices to deliver Egregor payloads.
Behaviorally, Egregor encrypts victim data and uses the intimidation tactics associated with ransomware, including internal defacement such as changing wallpapers, altering ESXi login messages, and sending ransom notes or threatening messages to connected printers ("print bombing"). For execution and lateral movement, Egregor ran an encoded PowerShell command through a service created by Cobalt Strike. It also used regsvr32.exe to execute malicious DLLs, could inject its payload into iexplore.exe, and checked for the LogMeIn event log in an attempt to encrypt files on remote machines. Defense evasion capabilities explicitly reported include disabling Windows Defender and using multiple anti-analysis and anti-sandbox techniques to hinder automated analysis.
Reporting further notes that Maze and Egregor ransomware campaigns exploited CVE-2020-0787, a privilege-elevation flaw in the Windows Background Intelligent Transfer Service (BITS). High-confidence indicators and artifacts directly reported include use of iexplore.exe for payload injection, regsvr32.exe for DLL execution, encoded PowerShell launched through a Cobalt Strike-created service, Windows Defender disablement, and LogMeIn event log checks related to remote encryption activity.
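As an added illustration that is not part of the Mallory profile or the cited reporting, the following Python checks constructed Windows event records for three of the artifacts listed above: an encoded PowerShell command as a service image path, regsvr32.exe loading a DLL from a user-writable directory, and Defender real-time protection being switched off. The record field names and the sample records are assumptions made for the example.

```python
import re

# Constructed sample records (not from the page): one service-install event and
# several process-creation events shaped like the artifacts described above.
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA="
SAMPLE_EVENTS = [
    {"event": "service_install", "service_name": "a1b2c3",
     "image_path": f"cmd.exe /c powershell.exe -nop -w hidden -enc {B64}"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\Public\update.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},  # benign-looking
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

# Encoded PowerShell: -e/-enc/-EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\s.*?(?:-encodedcommand|-enc|-e)\s+[A-Za-z0-9+/=]{20,}", re.I)
# regsvr32 registering a DLL from a user-writable location rather than System32.
REGSVR32_USER_PATH = re.compile(
    r"regsvr32(?:\.exe)?\b.*?\b[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\.*\.dll", re.I)
# Defender real-time or other protections switched off via Set-MpPreference.
DEFENDER_OFF = re.compile(r"Set-MpPreference\s.*-Disable\w+\s+\$?true", re.I)


def detect(event):
    """Return the names of the rules that fire for a single event record."""
    hits = []
    text = event.get("image_path") or event.get("command_line") or ""
    if event["event"] == "service_install" and ENCODED_PS.search(text):
        hits.append("encoded_powershell_service")
    if event["event"] == "process_create":
        if ENCODED_PS.search(text):
            hits.append("encoded_powershell")
        if REGSVR32_USER_PATH.search(text):
            hits.append("regsvr32_dll_from_user_path")
        if DEFENDER_OFF.search(text):
            hits.append("defender_protection_disabled")
    return hits


def run_detections(events):
    """Return one alert per event that triggered at least one rule."""
    return [{"index": i, "rules": r} for i, e in enumerate(events) if (r := detect(e))]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The two benign records (a System32 DLL registration and a plain svchost launch) produce no alert, which is the check that separates these rules from a bare string match on "regsvr32" or "powershell".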
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability... Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher... The exploit was used in Maze and Egregor ransomware campaigns.
Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to get a foothold into target environments. Both CVEs relate to path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution.
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
DEV-0216 ... has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
"...TWISTED SPIDER achieved at least 26 infections at healthcare sector victims with their Maze and Egregor ransomware families..."
At the close of 2020, we noticed a shift in a subset of these groups that have started to deploy EGREGOR ransomware in favor of MAZE ransomware following access acquired from ICEDID infections.
Prophet Spider functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment.
"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."
"...TA551 IcedID implants were associated with Maze and Egregor ransomware events in 2020."
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"After the hacker gained access to a Windows domain administrator account..."
"Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection."
"attackers exploit Oracle WebLogic server flaws to access target environments" ... "uses CVE-2020-14882 and CVE-2020-14750 to get a foothold" ... "path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution."
Execution
4 techniques
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
The content repeatedly mentions '.bat', '.cmd', and 'batch scripts' used to automate execution, persistence, cleanup, deployment, disabling security tools, and ransomware operations. Examples: 'APT1 has used ... batch scripting to automate execution', 'Blue Mockingbird has used batch script files to automate execution and deployment of payloads', and 'Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.'
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.
Persistence
1 technique
Privilege Escalation
3 techniques
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability ... An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.
Stealth
6 techniques
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
"After the hacker gained access to a Windows domain administrator account..."
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Discovery
7 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
Multiple tools/actors are described using Active Directory/domain group enumeration, e.g., “AdFind can enumerate domain groups”, “net group "domain admins" /domain to enumerate domain groups”, “BloodHound can collect information about domain groups and members”, and “AD Explorer tool to enumerate groups on a victim's network.”
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Examples include: “Bazar … check if the Russian language is installed … and terminate if it is found.”; “DropBook … checked for the presence of Arabic language …”; “Maze … checked the language … GetUserDefaultUILanguage”; “SynAck … checks installed keyboard layouts to estimate … countries.”
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Lateral Movement
1 technique
"During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy," and "Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts."
Collection
1 technique
“APT28 has collected files from network shared drives… BADNEWS crawls the victim's mapped drives and collects documents… BRONZE BUTLER has exfiltrated files stolen from file shares… menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data… Ramsay can collect data from network drives and stage it for exfiltration… Sowbug extracted Word documents from a file server on a victim network.”
Command and Control
1 technique
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Impact
2 techniques
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key.
Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").
Other
2 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
Recent activity
59 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware payload dropped by Lockean affiliates on systems infected via Qbot/QakBot with TA551 collaboration.
Ransomware family referenced as a group FIN7 previously collaborated with (contextual association, not necessarily tied to the specific Veeam CVEs in this article).
Ransomware referenced as using intimidation and internal defacement techniques such as ransom notes and print bombing during encryption operations.
Ransomware family referenced as part of FIN7’s known collaboration set; no direct technical linkage to the Veeam CVEs is described in the provided content.