Subject: Harnessing Chisel for Covert Operations
Tactics: TA0011 Command and Control
Technique: T1071.001 Application Layer Protocol: Web Protocols
Procedure:
The attacker utilizes Chisel, a tunneling tool, to establish a covert communication channel with the C2 server over HTTP. This allows them to bypass firewalls and security measures that might detect traditional C2 traffic.
Vulnerability: EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
Engagement Opportunity:
Deploy a network sensor that can detect anomalous HTTP traffic patterns, such as those associated with Chisel. This could trigger an alert and allow for further investigation of potentially malicious activity.
Threat Actor: Potentially Sandworm APT, Lorenz Ransomware, or Pysa Ransomware, given their known use of Chisel. Further investigation is needed to confirm.
Threat Objective:
Likely to establish persistent access, conduct lateral movement, and potentially exfiltrate data or deploy additional payloads.
Deception Opportunity:
Set up a honeypot that mimics a vulnerable server. Configure it to respond to Chisel connection attempts, allowing you to engage with the attacker and gather intelligence on their tools and techniques.
Sensor Data Placement: Application
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
Detecting Chisel traffic relies on recognizing patterns specific to this tool. While attackers may modify Chisel to some extent, its underlying communication characteristics are likely to remain consistent.
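As an added example (not part of the report or of Chisel itself), the following sensor-side check illustrates the tool-specific pattern the Engagement Opportunity and Scoring Rationale above refer to: Chisel opens every session with an HTTP WebSocket upgrade whose Sec-WebSocket-Protocol header names its wire protocol (current releases send "chisel-v3"), and by default it uses Go's net/http client, whose User-Agent starts with "Go-http-client/". The subprotocol value is a stable characteristic of the tool; the User-Agent is a weaker indicator, since an operator can override headers. All traffic records are constructed.

```python
import re

# Chisel names its wire protocol in the WebSocket subprotocol header (current
# releases send "chisel-v3"); its default HTTP client is Go's net/http, whose
# User-Agent begins with "Go-http-client/". The latter is overridable, so it
# is only a supporting indicator.
CHISEL_SUBPROTOCOL = re.compile(r"^chisel-v\d+$", re.IGNORECASE)
GO_DEFAULT_UA = re.compile(r"^Go-http-client/", re.IGNORECASE)

def parse_headers(raw: str) -> dict:
    """Return the header map (lower-cased names) of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def chisel_indicators(headers: dict) -> list:
    """List the Chisel-specific indicators present in one request's headers."""
    is_upgrade = (headers.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in headers.get("connection", "").lower())
    if not is_upgrade:
        return []                 # every Chisel session starts with an upgrade
    reasons = []
    if CHISEL_SUBPROTOCOL.match(headers.get("sec-websocket-protocol", "")):
        reasons.append("sec-websocket-protocol advertises chisel")
    if GO_DEFAULT_UA.match(headers.get("user-agent", "")):
        reasons.append("websocket upgrade sent by Go default HTTP client")
    return reasons

def detect(records: list) -> list:
    """records: (src, dst, raw_request) tuples; returns (src, dst, reasons)."""
    return [(src, dst, reasons) for src, dst, raw in records
            if (reasons := chisel_indicators(parse_headers(raw)))]

# Constructed sample traffic (not taken from the report): a Chisel handshake,
# a browser WebSocket, and a plain GET from a Go program.
SAMPLE = [
    ("10.0.5.21", "203.0.113.7:8080",
     "GET / HTTP/1.1\r\nHost: 203.0.113.7:8080\r\nUser-Agent: Go-http-client/1.1\r\n"
     "Connection: Upgrade\r\nUpgrade: websocket\r\nSec-WebSocket-Version: 13\r\n"
     "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Protocol: chisel-v3\r\n\r\n"),
    ("10.0.5.22", "198.51.100.4:443",
     "GET /chat HTTP/1.1\r\nHost: chat.example\r\nUser-Agent: Mozilla/5.0\r\n"
     "Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\nSec-WebSocket-Version: 13\r\n"
     "Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n\r\n"),
    ("10.0.5.23", "198.51.100.9:80",
     "GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Go-http-client/1.1\r\n\r\n"),
]
```

Running `detect(SAMPLE)` flags only the first record, with both indicators; the browser WebSocket and the plain Go GET are not reported.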
Link to Report: https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/
Link to Report II.:
Additional Comments:
The use of Chisel in conjunction with a Netskope proxy demonstrates the attacker’s intent to evade detection and maintain persistent access. This suggests a sophisticated adversary with a strong understanding of network security and evasion techniques.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: Chisel PowerShell Campaign Attack Graph
1: Initial Access - Phishing - Malicious LNK file executes PowerShell (Core to Adversary-Brought Tool)[1]
2: Execution - Command and Scripting Interpreter: PowerShell - Obfuscated PowerShell script downloads and executes payloads (Core to Pre-Existing Tool)
3: Persistence - Boot or Logon Autostart Execution: Startup Folder - Batch file in startup folder executes PowerShell script (Core to Some Implementations of (Sub-)Technique)
4: Command and Control - Application Layer Protocol: Web Protocols - Chisel client communicates with C2 via Netskope proxy (Core to Adversary-Brought Tool)
5: Lateral Movement - Use of legitimate tools and binaries: Chisel - Chisel used for lateral movement and internal network access (Core to Adversary-Brought Tool)
1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Segmentation)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# Example: Chisel PowerShell Campaign Pseudocode
function TA0027_T1660(user):  # Initial Access - Phishing
    # User executes malicious LNK file
    return powershell_process

function TA0041_T1059.001(powershell_process):  # Execution - Command and Scripting Interpreter: PowerShell
    # Download and execute obfuscated PowerShell script
    return persistence_mechanism

function TA0028_T1547.001(persistence_mechanism):  # Persistence - Boot or Logon Autostart Execution: Startup Folder
    # Create batch file to execute PowerShell and place it in startup folder
    return chisel_client

function TA0011_T1071.001(chisel_client):  # Command and Control - Application Layer Protocol: Web Protocols
    # Establish connection to C2 server using Chisel and Netskope proxy
    return lateral_movement_capability

function TA0008_T1071.001(lateral_movement_capability):  # Lateral Movement - Use of legitimate tools and binaries: Chisel
    # Use Chisel to access and move laterally within the network
    return compromised_systems