"prepare both an execcommand and taskcommand separately, using the Windows Management Instrumentation (WMI) and a “task” to execute the code. This preparation of a time variable, adding an extra minute to the current time, and the creation of a “task” variable leads us to bel…"
T1041 Exfiltration Over C2 Channel (97%)
"be stopped at the source. Dragging ourselves through code and looking under the hood to see how some malware works? That helps us find those indicators of compromise, the tradecraft and techniques the bad actors use, and what defensive safeguards we can put in place to mitigate at…"
T1059.007 JavaScript (48%)
"safely say this is JScript (the Microsoft-specific dialect of JavaScript that can access more Windows internals via Internet Explorer). It uses this WScript.Shell in an inline loadlibraryreg function, which we can see reads the contents out of a Windows registry value. This…"
T1059.007 JavaScript (46%)
"gain code execution and operate on the target — all within JScript. There are a lot of other peculiar and interesting functions, especially within the loaded registry code. Some that may be worth your eyes: - loader.deployclient, establishing the target - loader.persist, placi…"
T1132 Data Encoding (35%)
"Bring Your Own Command & Control (BYOC2). Sometimes the malware we find here at Huntress just makes us laugh. Not because it’s funny (is malware ever funny?) — but because the code we review sometimes makes no effort to hide its actions. We talk about obfuscation in a lot of…"
Summary
Sometimes hackers can be overly confident in their malware. Take a journey with us through a malware sample that contains no obfuscation whatsoever.