Name:
Double-Tap Campaign by UAC-0063
TTP:
T1059.005 Command and Scripting Interpreter: Visual Basic, T1566.001 Phishing: Spearphishing Attachment, T1218.005 System Binary Proxy Execution: Mshta
Hypothesis:
UAC-0063 is delivering malicious attachments by spearphishing (T1566.001); when an attachment is opened it runs VBScript (T1059.005) and proxies execution through the signed system binary mshta.exe (T1218.005) to establish persistence and command and control on the victim's machine.
Campaign Type:
Data Driven
Data Sources:
- Microsoft Windows Security Event Logs
- Sysmon Logs
- Network Share Logs
Tools:
- Network Share Analysis Tools
- Powershell
- Mimikatz
- Empire
- CobaltStrike
- Rubeus
Scenario:
- Initial Access: Attacker sends a spearphishing email with a malicious attachment.
- Execution: The victim opens the attachment, and embedded VBScript runs; mshta.exe is used to proxy execution of the next stage (T1059.005, T1218.005).
- Defense Evasion: Execution is proxied through mshta.exe, a Microsoft-signed system binary, so the script runs under a trusted process rather than as a standalone malicious executable.
- Persistence: The malware installs a persistence mechanism so that it survives reboots and user logoff on the victim's machine.
- Command and Control: The malware communicates with a command and control server.
- Lateral Movement: The attacker moves laterally through the network to other machines.
- Exfiltration: The attacker exfiltrates sensitive data from the network.
Hunting Strategy:
- Analyze Windows Security Event Logs (Event ID 4688 with command-line auditing enabled) and Sysmon logs (Event ID 1) for suspicious process creation events: mshta.exe, wscript.exe or cscript.exe spawned by an Office application, mshta.exe command lines that carry an inline vbscript: or javascript: handler or a remote URL, and script hosts launched with a .vbs/.js/.hta file from a user-writable location such as AppData, Downloads or Temp.
- Correlate flagged process creation events with Sysmon network connection events (Event ID 3) for the same process, and with network share logs (Security Event IDs 5140 and 5145), to identify command-and-control traffic, unusual file transfers or access patterns.
- Investigate any outliers or suspicious events further, looking for indicators of compromise (IOCs) or other suspicious activity on the same host and under the same user account.
- Validate potential threats by analyzing additional data sources, such as network traffic logs, proxy logs or endpoint security logs.
- Remediate threats by isolating affected machines, removing the malware and its persistence mechanism, resetting credentials exposed on those machines, and closing the delivery path (for example by blocking the attachment type or sender infrastructure).
- Report findings and recommendations to improve security controls and prevent future attacks.
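The first two hunting steps above, as an added example that is not part of the original playbook: a small detection pass over Sysmon-style process creation (Event ID 1) and network connection (Event ID 3) records. The rule names, field layout and sample events are constructed for this example; the events are not real UAC-0063 telemetry. The code flags script hosts spawned by Office, mshta.exe with an inline script handler or URL, and Windows Script Host launched with a script from a user-writable path, then escalates any flagged process that also makes an outbound connection.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records written for this example (not real telemetry).
# Event ID 1 = process creation, Event ID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\invoice.docm\""},
    {"EventID": 1, "ProcessGuid": "{A2}", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "mshta.exe vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run \"\"powershell -w hidden\"\":close\")"},
    {"EventID": 3, "ProcessGuid": "{A2}", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B1}", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\bob\\AppData\\Roaming\\update.vbs"},
    # Benign control: an administrator checking licensing with the built-in slmgr.vbs.
    {"EventID": 1, "ProcessGuid": "{C1}", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\cscript.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dli"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# mshta.exe running an inline protocol handler or fetching a remote HTA.
INLINE_SCRIPT = re.compile(r"(?i)(javascript:|vbscript:|https?://)")
# Script file argument under a location a normal user can write to.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Downloads|Temp|Public)\\")
SCRIPT_EXT = re.compile(r"(?i)\.(vbs|vbe|js|jse|wsf|hta)\b")


def basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of findings {rule, ProcessGuid, Image, User, detail}."""
    findings = []
    flagged = set()  # ProcessGuids that hit at least one process-creation rule

    # Pass 1: process creation rules (parent/child and command-line checks).
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = basename(ev["Image"])
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        hits = []
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            hits.append("office_spawns_script_interpreter")
        if image == "mshta.exe" and INLINE_SCRIPT.search(cmd):
            hits.append("mshta_inline_script")
        if image in WSH_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("script_from_user_writable_path")
        for rule in hits:
            findings.append({"rule": rule, "ProcessGuid": ev["ProcessGuid"],
                             "Image": ev["Image"], "User": ev["User"], "detail": cmd})
        if hits:
            flagged.add(ev["ProcessGuid"])

    # Pass 2: correlate flagged processes with outbound connections (possible C2).
    # A second pass means event ordering in the input does not matter.
    for ev in events:
        if ev.get("EventID") == 3 and ev["ProcessGuid"] in flagged:
            findings.append({"rule": "script_interpreter_network_connection",
                             "ProcessGuid": ev["ProcessGuid"], "Image": ev["Image"],
                             "User": ev["User"],
                             "detail": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return findings


def rules_by_process(findings):
    """Group findings so each ProcessGuid maps to the set of rules it triggered."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["ProcessGuid"]].add(f["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for guid, rules in rules_by_process(hunt(SAMPLE_EVENTS)).items():
        print(guid, sorted(rules))
```

The benign cscript.exe record is deliberately included: it launches a script from System32 under cmd.exe, so none of the rules fire, which is the false-positive case the playbook calls out for legitimate administration. In a real hunt the same rules would be expressed as a SIEM query over 4688/Sysmon data, and the correlation step would key on ProcessGuid (Sysmon) or New Process ID (Security log) exactly as here.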
False Positive Consideration:
- Legitimate system administration activity, including logon scripts and built-in maintenance scripts run by wscript.exe or cscript.exe from system directories.
- Software updates or installations, some of which use HTA-based installers under mshta.exe.
- User activity involving unusual but benign applications or scripts; baseline which users and hosts normally launch script hosts before treating them as outliers.
Recommendations:
- Implement robust email filtering and anti-malware solutions to prevent malicious attachments from reaching users.
- Educate users about the risks of spearphishing and how to identify suspicious emails.
- Monitor network share activity for unusual access patterns or file transfers.
- Implement strong endpoint security controls to prevent malware execution and persistence, including application control rules that block or restrict mshta.exe and the Windows Script Host for users who have no business need for them, and blocking macros in documents received from the internet.
- Regularly review and update security policies and procedures to address emerging threats.
D3 Diagram (Spearphishing Link):
**T1566.002 - Phishing: Spearphishing Link** [Implementation of T1566 - Phishing]
Note that this diagram scores the Spearphishing Link sub-technique (T1566.002), the sibling of the T1566.001 Spearphishing Attachment sub-technique listed under TTP above.
**Implementations**
1. Malicious link delivered via email [cite: 6]
2. Malicious link shared through a social media post [cite: 6]
3. Malicious link sent via an SMS message [cite: 6]
4. Malicious link shared through a messaging application [cite: 6]
5. Malicious link embedded in a malicious document or file [cite: 6]
6. Malicious link hosted on a compromised website [cite: 6]
7. Malicious link delivered through a watering hole attack [cite: 6]
**Observables**
| Observable | Value | Robustness Level | Rationale |
|---|---|---|---|
| Email Subject | Varies | Level 1: Ephemeral Values [cite: 1612] | Easily modified by the attacker |
| Email Sender | Varies | Level 1: Ephemeral Values [cite: 1612] | Easily spoofed or modified |
| Link URL | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary [cite: 1613] | Specific to the attacker's infrastructure but can be changed |
| Link Content | Varies | Level 1: Ephemeral Values [cite: 1612] | Easily modified by the attacker |
| Social Media Post Title | Varies | Level 1: Ephemeral Values [cite: 1612] | Easily modified by the attacker |
| Social Media Post Author | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary [cite: 1613] | Specific to the attacker's account but can be changed |
| SMS Message Sender | Varies | Level 1: Ephemeral Values [cite: 1612] | Easily spoofed or modified |
| Document/File Content | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary [cite: 1613] | Specific to the attacker's tools but can be modified |
| Website Content | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary [cite: 1613] | Specific to the compromised website but can be changed |
**Scoring Notes**
* Observables related to the delivery mechanism (email subject and sender, social media post, SMS sender) are generally ephemeral, as the attacker can change them at no cost between campaigns.
* The visible content of the link (anchor text, lure wording) is also ephemeral.
* The presence of a malicious link, regardless of the specific URL, is core to the technique but may not be observable depending on the data sources available.
* The specific URL of the malicious link is specific to the attacker's infrastructure but can be changed, placing it at Level 2.
* For some implementations, such as embedding the link in a malicious document or hosting it on a compromised website, the content of the document or website may be more robust, potentially reaching Level 3 or 4 if it contains specific attacker tools or infrastructure.