"UKC-1230, modified Windows scheduled tasks to maintain C2 and access to environment. The attacker replaced the normal execution of msfeedsync.exe in User_Feed_Synchronization-{GUID} tasks with a ComHandler that invoked malicious surrogate DLLs registered as COM objects…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1053.005 Scheduled Task (100%)
"scheduled tasks where a ComHandler may be used legitimately. BHIS found that scanning efforts scoped to target scheduled tasks at C:\Windows\System32\Tasks\User_Feed_Synchronization-{* proved to have the highest fidelity detection from a true positive perspective…"
T1053.005 Scheduled Task (100%)
"fired in the customer’s SOC – an alert on a file hash from an incident that occurred a month prior to the engagement with BHIS. SHA256 hash: 407d179f920342312dd526abc8a194b2620d0b19a95032dd36eeb70ec3bf5d65 Filename: C:\ProgramData\Microsoft\Windows\{0759c13d-5d0f…"
T1053.005 Scheduled Task (99%)
"environment, BHIS believes these malicious files were likely used by UKC-1230 in related campaigns, possibly within other victim networks. Threat Hunting and Detection Opportunities for UKC-1230 Activity: BHIS active SOC customers are already covered by the activity detailed i…"
T1053.005 Scheduled Task (99%)
"following PowerShell query can be used supplementally: - Look for file creation events of {GUID}.dll: file creation events of DLLs with a filename pattern {[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-…"
T1053.005 Scheduled Task (98%)
"The Curious Case of the ComBurglar. During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s net…"
T1053.005 Scheduled Task (98%)
"can be common in certain scheduled tasks on Windows OS’s, it is atypical for tasks of User_Feed_Synchronization-{GUID}. For comparative purposes, a normal/benign User_Feed_Synchronization-{GUID} configuration references the Windows executable file, msfeedsync.…"
T1036.005 Match Legitimate Resource Name or Location (81%)
"by VirusTotal the same day, at 2024-01-31 11:27:00 UTC: 2 3f5bc475d9394d352341b1f843b85cfb300e363dd27d4ca867e9e6d54317d881 Moreover, BHIS found three executable files that were identified by VirusTotal as having contact with one or more domains of techdataservice[.]us…"
T1053.005 Scheduled Task (80%)
"following registry path can be used to determine where on disk the associated DLL resides: Registry::HKEY_CLASSES_ROOT\CLSID\{<ClassID-value>}\InprocServer32 The following PowerShell command was used during the Breach Assessment to query the registry key’s v…"
T1204.002 Malicious File (72%)
"UTC File 2 SHA256 hash: 9ed58663f7a0bb91c0d9e058a376e78f6748fa4a88e69a0e4598312b3ba75a0c Purported filename: contract_jbornmann_fully.exe First seen: 2025-03-05 20:55:04 UTC Compiled date: 2023-06-20 08:00:00 UTC File 3 SHA256 hash: a68bcf09f8c83c67dfe0b…"
T1059.001 PowerShell (62%)
"following PowerShell query can be used supplementally: - Look for file creation events of {GUID}.dll: file creation events of DLLs with a filename pattern {[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-…"
T1574.001 DLL (50%)
"in all instances but one, the surrogate DLL was located at: C:\ProgramData\Microsoft\Windows\{GUID}.dll One host was found with the associated DLL located at: C:\Users\<%USERPROFILE%>\AppData\Local\Microsoft\Windows\{GUID}.dll Every surrogate d…"
T1036.005 Match Legitimate Resource Name or Location (34%)
Summary
By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s […]