Engage Report: VEILDrive

Subject: Engage Report: VEILDrive

Tactics: TA0001 Initial Access

Technique: T1566.003 Phishing: Spearphishing via Service

Procedure:

The attacker impersonated an IT team member from a previously compromised organization (Org A) and used Microsoft Teams to send spearphishing messages to four employees at the targeted organization (Org C). The messages requested access to the employees’ devices via the Quick Assist remote utility tool.

Vulnerability: EAV0004: When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from or where a link is clicked.

Engagement Opportunity:

Deploy a decoy system with a user account that appears to have access to sensitive information. Monitor the decoy system for any attempts to access it via Quick Assist or other remote administration tools. If the attacker attempts to access the decoy system, engage with them to gather intelligence on their tools, techniques, and procedures (TTPs).

Threat Actor: The threat actor originates from Russia.

Threat Objective:

The threat actor’s objective appears to be persistent access to the victim’s device and subsequent command execution.

Deception Opportunity:

Deploy a honeypot designed to mimic a critical system within the organization. Plant false credentials within the honeypot to lure the attacker into attempting to use them for lateral movement or privilege escalation. Monitor the honeypot for any suspicious activity and gather intelligence on the attacker’s TTPs.

Sensor Data Placement: Application

Observable Level: Core to Pre-Existing Tool

Scoring Rationale:

The scoring reflects the attacker’s use of custom tools and unique implementations of techniques, while also relying on pre-existing tools and common system features.

  • Sensor Data Placement:
    • Application: Microsoft Teams, SharePoint, OneDrive
    • User-Mode: PowerShell execution, scheduled tasks
    • Kernel-Mode: Not applicable
  • Observable Level:
    • Ephemeral Values: Not applicable
    • Core to Adversary-Brought Tool:
      • The specific PowerShell commands used to interact with OneDrive
      • The custom Java malware
    • Core to Pre-Existing Tool: PowerShell execution
    • Core to Some Implementations of (Sub-)Technique:
      • The use of OneDrive for C2
      • The use of scheduled tasks for persistence
    • Core to Sub-Technique or Technique: Not applicable

Link to Report: https://www.hunters.ai/blog/unmasking-veildrive-threat-actors-exploit-microsoft-services-for-c2

Link to Report II.:

Additional Comments:

The extensive use of Microsoft services and infrastructure highlights the importance of monitoring and securing these platforms. Organizations should consider implementing additional security measures, such as multi-factor authentication and conditional access policies, to mitigate the risk of similar attacks.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# VEILDrive Attack Graph

[1]: Initial Access (TA0001) - Phishing: Spearphishing via Service (T1566.003) - Spearphishing messages sent via Microsoft Teams from a compromised user account in Org A to users in Org C (Core to Adversary-Brought Tool)
[2]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTPS - Establish HTTPS C2 channel with Azure VM (Core to Adversary-Brought Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTPS - Use OneDrive and Microsoft Graph API for C2 communications (Core to Some Implementations of (Sub-)Technique)
[4]: Execution (TA0002) - Command and Scripting Interpreter: PowerShell (T1059.001) - Execute PowerShell commands received from C2 (Core to Pre-Existing Tool)
[5]: Persistence (TA0003) - Scheduled Task/Job: Scheduled Task (T1053.005) - Create scheduled task to execute malicious RMM tool (Core to Some Implementations of (Sub-)Technique)
[6]: Persistence (TA0003) - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) - Add malicious JAR binary as a runkey in the registry for persistence (Core to Some Implementations of (Sub-)Technique)
[7]: Defense Evasion (TA0005) - Deobfuscate/Decode Files or Information (T1140) - Utilize non-obfuscated Java malware (Core to Adversary-Brought Tool)
[8]: Discovery (TA0007) - System Information Discovery (T1082) - Execute commands to collect system information (Core to Pre-Existing Tool)

1 --> 2 (Lack of User Awareness (EAV0004))
1 --> 3 (Lack of User Awareness (EAV0004))
2 --> 4 (Lack of Network Monitoring (EAV0002))
3 --> 4 (Lack of Network Monitoring (EAV0002))
4 --> 5 (Lack of System Monitoring (EAV0001))
4 --> 6 (Lack of System Monitoring (EAV0001))
4 --> 7 (Lack of Tool-Based Anomaly Detection (EAV0006))
4 --> 8 (Lack of System Monitoring (EAV0001))
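As an added example that is not part of the report: a Python parser for the MSG node and edge lines in the format defined above, plus a defender-side check that lists, per engagement vulnerability (EAV), which graph nodes become unreachable from the initial-access node once that single vulnerability is closed. The sample input is the VEILDrive graph embedded as a constructed string; the function names are assumptions of this example.

```python
# Added example (not from the report): parse the MSG graph above and list, per EAV, what closing it cuts off.
import re
OBS_LEVELS = ("Ephemeral Values", "Core to Adversary-Brought Tool", "Core to Pre-Existing Tool",
              "Core to Some Implementations of (Sub-)Technique", "Core to Sub-Technique or Technique")
NODE_RE = re.compile(r"^\[(\d+)\]: (.+?) \((TA\d{4})\) - (.+?) \((T\d{4}(?:\.\d{3})?)\)[^-]*- (.+)$")
EDGE_RE = re.compile(r"^(\d+) --> (\d+) \((.+?) \((EAV\d{4})\)\)$")
MSG_SAMPLE = """\
[1]: Initial Access (TA0001) - Phishing: Spearphishing via Service (T1566.003) - Spearphishing messages sent via Microsoft Teams from a compromised user account in Org A to users in Org C (Core to Adversary-Brought Tool)
[2]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTPS - Establish HTTPS C2 channel with Azure VM (Core to Adversary-Brought Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTPS - Use OneDrive and Microsoft Graph API for C2 communications (Core to Some Implementations of (Sub-)Technique)
[4]: Execution (TA0002) - Command and Scripting Interpreter: PowerShell (T1059.001) - Execute PowerShell commands received from C2 (Core to Pre-Existing Tool)
[5]: Persistence (TA0003) - Scheduled Task/Job: Scheduled Task (T1053.005) - Create scheduled task to execute malicious RMM tool (Core to Some Implementations of (Sub-)Technique)
[6]: Persistence (TA0003) - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) - Add malicious JAR binary as a runkey in the registry for persistence (Core to Some Implementations of (Sub-)Technique)
[7]: Defense Evasion (TA0005) - Deobfuscate/Decode Files or Information (T1140) - Utilize non-obfuscated Java malware (Core to Adversary-Brought Tool)
[8]: Discovery (TA0007) - System Information Discovery (T1082) - Execute commands to collect system information (Core to Pre-Existing Tool)
1 --> 2 (Lack of User Awareness (EAV0004))
1 --> 3 (Lack of User Awareness (EAV0004))
2 --> 4 (Lack of Network Monitoring (EAV0002))
3 --> 4 (Lack of Network Monitoring (EAV0002))
4 --> 5 (Lack of System Monitoring (EAV0001))
4 --> 6 (Lack of System Monitoring (EAV0001))
4 --> 7 (Lack of Tool-Based Anomaly Detection (EAV0006))
4 --> 8 (Lack of System Monitoring (EAV0001))
"""
def parse_msg(text):
    """Return ({id: node}, [edge]); blank and '#' lines are skipped, any other line is an error."""
    nodes, edges = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := NODE_RE.match(line):
            # m[6] still ends with "(Observable Level)"; match known levels so "(Sub-)" is not mistaken for it
            level = next((l for l in OBS_LEVELS if m[6].endswith(f"({l})")), None)
            nodes[int(m[1])] = dict(tactic=m[2], ta=m[3], technique=m[4], tid=m[5], level=level,
                                    procedure=m[6][: -len(level) - 2].rstrip() if level else m[6])
        elif m := EDGE_RE.match(line):
            edges.append(dict(src=int(m[1]), dst=int(m[2]), vuln=m[3], eav=m[4]))
        elif line and not line.startswith("#"):
            raise ValueError(f"unparseable MSG line: {line}")
    return nodes, edges

def reachable(edges, start, closed=()):
    """Node ids reachable from `start` after removing every edge labelled with an EAV in `closed`."""
    seen = {start}
    while new := {e["dst"] for e in edges if e["src"] in seen and e["eav"] not in closed} - seen:
        seen |= new
    return seen

def mitigation_impact(edges, start=1):
    """EAV -> sorted ids of nodes cut off from `start` when only that one vulnerability is closed."""
    base = reachable(edges, start)
    return {eav: sorted(base - reachable(edges, start, {eav})) for eav in sorted({e["eav"] for e in edges})}
```

On this graph, closing EAV0002 (network monitoring) alone already severs every node past the C2 stage, while EAV0006 only removes node 7; that ranking is what the function is for.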

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# VEILDrive Pseudocode

function Initial_Access_Spearphishing_via_Service(target_emails):
# Impersonate IT team member from compromised Org A
# Send spearphishing messages via Microsoft Teams to target_emails in Org C
# Request access to devices via Quick Assist
return remote_access

function Command_and_Control_Web_Protocols_HTTPS_Azure_VM(remote_access):
# Establish HTTPS connection to Azure VM C2 server
return command_execution_module

function Command_and_Control_Web_Protocols_HTTPS_OneDrive(remote_access):
# Utilize OneDrive and Microsoft Graph API for C2 communication
return command_execution_module

function Execution_PowerShell(command_execution_module):
# Execute PowerShell commands received from C2
return persistence_payload, system_information

function Persistence_Scheduled_Task(persistence_payload):
# Create scheduled task to execute malicious RMM tool
return persistent_access

function Persistence_Run_Key(persistence_payload):
# Add malicious JAR binary as a runkey for persistence
return persistent_access

function Defense_Evasion_Deobfuscate_Decode_Files(remote_access):
# Download and execute non-obfuscated Java malware
return command_execution

function Discovery_System_Information_Discovery(command_execution):
# Execute commands to collect system information
return system_information
