". 201 ). review elk for the process notepad. exe that is spawned by the parent process powershell. exe with the command from the user ' s environment. note : it ’ s important to remove this process from the client as this is a cobalt strike beacon. tldr : the initial payload for …"
T1059.001 PowerShell (98%)
"ave maria and the chambers of warzone rat | huntress friday, september 30, 2022, seemed a day like any other - - until a large amount of powershell malware came charging through seeking immediate attention. sparing no time, i jumped right in. at first, this was troubling. are the…"
T1547.001 Registry Run Keys / Startup Folder (97%)
"##dcfbcabe ', ' user ' ) along with the user run key name. they both use a base - 16 ( hex ) formatting, which means alphabetic characters of a - f and numbers 0 - 9 with a length of 12 to 18. using regex we can use [ a - f0 - 9 ] { 12, 18 }. now, on to implementing our findings …"
T1027 Obfuscated Files or Information (96%)
". this should grab the majority of strings but will still need some manual intervention. this is where analysts come into play. after replacing the encoded base64 script, we quickly see it has a key, padding, iv, and other common encryption functions. let ’ s replace the variable…"
T1059.001 PowerShell (85%)
"process. command _ line. text : " getenvironmentvariable " + process. command _ line. text : / [ a - f0 - 9 ] { 12, 18 } / + process. name : notepad. exe + process. parent. name : powershell. exe + process. parent. args _ count : 7 + process. cleartext : ( cdn. discordapp. com an…"
T1059.001 PowerShell (78%)
"##vokes expressions in the host ' s environments registry with the value 60493fbacedcfbcabe. from here we will take to tasking the user ' s hive current users environment : ( hku \ sid \ environment ). we obtain the next stage within the registry location hku \ sid \ software \ <…"
T1059.001 PowerShell (69%)
"the decryption piece of the software. copy the thread 0x1da52c4acdf. go ahead. it ' s okay. now attach the notepad. exe process to x64dbg and go to expression with ctrl + g. now paste the thread address 0x1da52c4acdf and set an execution breakpoint. we ' ll wait. change the threa…"
T1012 Query Registry (46%)
"malware in a safe environment, the better they can become at spotting the nastier, greasier, well - hidden activity lurking within environments. discord urls https : / / cdn [. ] discordapp [. ] com / attachments / 1004902785772441697 / 1004915801771495495 / ppp https : / / cdn […"
T1027.002 Software Packing (31%)
"netloaderdll. we also see the entropy is only 2. 980, showing this payload may not be packed. inspecting the netloaderdll within dnspy we see a few classes : main, runpayload and stringtobytearray. this application stores the next stage of the malware within main ( ), which we se…"
Summary
Helping analysts develop a better understanding of the Elastic search syntax.