Summiting the Pyramid

ATT&CK TTPs:

Let’s break down each technique and sub-technique:

  • Execution
    • T1047: Windows Management Instrumentation (WMI): WMI is a native Windows interface for managing and monitoring systems. Attackers abuse it to execute commands, gather system information, and set up event subscriptions. Common TTPs include using wmic.exe or PowerShell cmdlets such as Get-WmiObject, Get-CimInstance and Invoke-WmiMethod to interact with WMI objects. Potential IOCs include suspicious WMI queries, script execution via WMI, and creation of WMI event filters, consumers, and bindings.
    • T1129: Shared Modules: This technique covers executing code by having the operating system's native module loader (on Windows, the LoadLibrary family) load a DLL or other shared library. Malware uses it to split functionality across modules or to run a payload from a library that looks legitimate. Common TTPs include loading a DLL from an unusual path such as a user's temp directory, or a process loading a module it does not normally import. IOCs may include unexpected DLL dependencies, modified import tables, and suspicious process behavior.
  • Defense Evasion
    • T1140: Deobfuscate/Decode Files or Information: Attackers often obfuscate or encode their code to avoid detection, and the malware then decodes or deobfuscates it on the host before use. Common TTPs include Base64 decoding, XOR decoding, and custom routines. IOCs may include encoded or obfuscated payloads, suspicious strings or commands, and the use of decoding functions or tools.
    • T1112: Modify Registry: The Windows Registry stores system and application settings. Attackers may modify registry keys to achieve persistence, disable security controls, or manipulate system behavior. Common TTPs include modifying startup entries, changing file associations, and altering system policies. IOCs may include unusual registry key modifications, creation of suspicious keys or values, and changes to system settings.
    • T1027: Obfuscated Files or Information: This technique involves obfuscating files or information to evade detection. Common TTPs include encryption, packing, and steganography. IOCs may include encrypted or packed files, unusual file sizes or extensions, and the use of obfuscation tools.
    • T1497.001: Virtualization/Sandbox Evasion: System Checks: Analysts and automated sandboxes run malware inside virtual machines to observe it. This sub-technique covers malware checking whether it is running in such an environment so it can stop or change its behavior. Common TTPs include looking for hypervisor-specific hardware, driver, or service names, registry keys, and MAC address prefixes, timing checks, and looking for analysis tools. IOCs may include code or strings that reference virtualization products or sandboxes, unusual system behavior, and attempts to detect analysis tools.
  • Discovery
    • T1082: System Information Discovery: This technique involves gathering information about the target system, such as operating system version, hardware configuration, and installed software. Common TTPs include using system commands, WMI queries, and registry searches. IOCs may include suspicious system queries, access to sensitive system files, and enumeration of system information.
    • T1057: Process Discovery: Attackers may enumerate running processes to identify potential targets for injection or to detect security tools. Common TTPs include using tasklist, wmic.exe, or PowerShell cmdlets. IOCs may include suspicious process queries, attempts to access process information, and enumeration of running processes.
    • T1033: System Owner/User Discovery: This technique involves identifying the owner or user of the system. Common TTPs include checking environment variables, querying the registry, and using system commands. IOCs may include suspicious queries for user information, access to user profiles, and enumeration of user accounts.
    • T1087: Account Discovery: Attackers may enumerate the user accounts on a system or domain. Common TTPs include listing local and domain accounts with built-in commands such as net user, WMI queries, or directory lookups. IOCs may include suspicious account queries, attempts to access user credentials, and enumeration of user accounts.
    • T1083: File and Directory Discovery: This technique involves searching for files and directories on the system. Common TTPs include using file system commands, searching for specific file types, and traversing directories. IOCs may include suspicious file system access, enumeration of files and directories, and attempts to locate sensitive files.
    • T1012: Query Registry: This technique involves querying the Windows Registry for information. Common TTPs include using reg.exe, PowerShell cmdlets, and WMI queries. IOCs may include suspicious registry queries, access to sensitive registry keys, and enumeration of registry values.
    • T1518: Software Discovery: Attackers may enumerate installed software to identify potential vulnerabilities or targets for exploitation. Common TTPs include checking the registry, file system, and WMI. IOCs may include suspicious software queries, access to software information, and enumeration of installed applications.
    • T1016: System Network Configuration Discovery: This technique involves gathering information about the system’s network configuration, such as IP addresses, network adapters, and routing tables. Common TTPs include using ipconfig, wmic.exe, and PowerShell cmdlets. IOCs may include suspicious network queries, access to network configuration files, and enumeration of network interfaces.
  • Collection
    • T1113: Screen Capture: This technique involves capturing screenshots of the victim’s screen. Common TTPs include using native screen capture tools, third-party software, or malicious code. IOCs may include suspicious screen capture activity, storage of screenshots, and transmission of screen data.
  • Command and Control
    • T1105: Ingress Tool Transfer: This technique involves transferring tools or other files from an external system into the compromised environment, typically over the existing C2 channel or an alternate protocol such as HTTP or FTP. Common TTPs include downloading additional payloads with built-in utilities or with the malware's own downloader. IOCs may include suspicious network connections, downloads from unknown sources, and execution of transferred files.

Research:

Observables:

Based on the research and the context of the report, here are potential observables for each technique and sub-technique:

  • Execution
    • T1047: Windows Management Instrumentation (WMI): Suspicious WMI queries, script execution via WMI, creation of WMI events or filters.
    • T1129: Shared Modules: Unexpected DLL dependencies, modified import tables, suspicious process behavior.
  • Defense Evasion
    • T1140: Deobfuscate/Decode Files or Information: Encoded or obfuscated code, suspicious strings or commands, use of decoding functions or tools.
    • T1112: Modify Registry: Unusual registry key modifications, creation of suspicious keys or values, changes to system settings.
    • T1027: Obfuscated Files or Information: Encrypted or packed files, unusual file sizes or extensions, use of obfuscation tools.
    • T1497.001: Virtualization/Sandbox Evasion: System Checks: Specific code or strings related to virtualization or sandboxing, unusual system behavior, attempts to detect analysis tools.
  • Discovery
    • T1082: System Information Discovery: Suspicious system queries, access to sensitive system files, enumeration of system information.
    • T1057: Process Discovery: Suspicious process queries, attempts to access process information, enumeration of running processes.
    • T1033: System Owner/User Discovery: Suspicious queries for user information, access to user profiles, enumeration of user accounts.
    • T1087: Account Discovery: Suspicious account queries, attempts to access user credentials, enumeration of user accounts.
    • T1083: File and Directory Discovery: Suspicious file system access, enumeration of files and directories, attempts to locate sensitive files.
    • T1012: Query Registry: Suspicious registry queries, access to sensitive registry keys, enumeration of registry values.
    • T1518: Software Discovery: Suspicious software queries, access to software information, enumeration of installed applications.
    • T1016: System Network Configuration Discovery: Suspicious network queries, access to network configuration files, enumeration of network interfaces.
  • Collection
    • T1113: Screen Capture: Suspicious screen capture activity, storage of screenshots, transmission of screen data.
  • Command and Control
    • T1105: Ingress Tool Transfer: Suspicious network connections, downloads from unknown sources, execution of transferred files.

Mapping:

Observable | Level | Column
Suspicious WMI queries | Level 2: Adversary-Brought Tools | Data
Script execution via WMI | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Creation of WMI events or filters | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Unexpected DLL dependencies | Level 3: Some Implementations of (Sub-)Technique | Data
Modified import tables | Level 3: Some Implementations of (Sub-)Technique | Data
Suspicious process behavior | Level 1: Ephemeral Values | Activity
Encoded or obfuscated code | Level 1: Ephemeral Values | Data
Suspicious strings or commands | Level 1: Ephemeral Values | Data
Use of decoding functions or tools | Level 2: Adversary-Brought Tools | Activity
Unusual registry key modifications | Level 4: Core to Some Implementations of (Sub-)Technique | Data
Creation of suspicious keys or values | Level 4: Core to Some Implementations of (Sub-)Technique | Data
Changes to system settings | Level 4: Core to Some Implementations of (Sub-)Technique | Data
Encrypted or packed files | Level 1: Ephemeral Values | Data
Unusual file sizes or extensions | Level 1: Ephemeral Values | Data
Use of obfuscation tools | Level 2: Adversary-Brought Tools | Activity
Specific code or strings related to virtualization or sandboxing | Level 2: Adversary-Brought Tools | Data
Unusual system behavior | Level 1: Ephemeral Values | Activity
Attempts to detect analysis tools | Level 2: Adversary-Brought Tools | Activity
Suspicious system queries | Level 1: Ephemeral Values | Activity
Access to sensitive system files | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Enumeration of system information | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious process queries | Level 1: Ephemeral Values | Activity
Attempts to access process information | Level 3: Some Implementations of (Sub-)Technique | Activity
Enumeration of running processes | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious queries for user information | Level 1: Ephemeral Values | Activity
Access to user profiles | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Enumeration of user accounts | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious account queries | Level 1: Ephemeral Values | Activity
Attempts to access user credentials | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Suspicious file system access | Level 1: Ephemeral Values | Activity
Enumeration of files and directories | Level 3: Some Implementations of (Sub-)Technique | Activity
Attempts to locate sensitive files | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Suspicious registry queries | Level 1: Ephemeral Values | Activity
Access to sensitive registry keys | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Enumeration of registry values | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious software queries | Level 1: Ephemeral Values | Activity
Access to software information | Level 3: Some Implementations of (Sub-)Technique | Activity
Enumeration of installed applications | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious network queries | Level 1: Ephemeral Values | Activity
Access to network configuration files | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Enumeration of network interfaces | Level 3: Some Implementations of (Sub-)Technique | Activity
Suspicious screen capture activity | Level 1: Ephemeral Values | Activity
Storage of screenshots | Level 4: Core to Some Implementations of (Sub-)Technique | Data
Transmission of screen data | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Suspicious network connections | Level 1: Ephemeral Values | Activity
Downloads from unknown sources | Level 4: Core to Some Implementations of (Sub-)Technique | Activity
Execution of transferred files | Level 4: Core to Some Implementations of (Sub-)Technique | Activity

Detection Analysis:

Based on the most robust observables, here are suggestions for detection analytics:

  • Monitor for suspicious WMI activity: Alert on unusual WMI queries, script execution via WMI, and creation of WMI event filters, consumers, and filter-to-consumer bindings. Baseline the WMI consumers and wmic.exe usage normal for the environment so that the analytic fires on deviations rather than on every WMI call.
  • Detect DLL injection and modification: Flag unexpected DLL dependencies, modified import tables, and suspicious process behavior. Image-load telemetry (for example Sysmon event ID 7 or equivalent EDR data) makes it possible to spot modules loaded from user-writable paths or by processes that do not normally import them.
  • Analyze registry modifications: Monitor for unusual registry key modifications, creation of suspicious keys or values, and changes to system settings. Focus on keys tied to persistence (Run and RunOnce), security controls, and system behavior rather than on the registry as a whole.
  • Detect obfuscated or encoded files: Alert on encrypted or packed files, unusual file sizes or extensions, and the use of obfuscation tools. Detonate suspicious files in a sandbox and compare the observed behavior against the observables listed above.
  • Identify suspicious network connections: Monitor for connections to known malicious domains or IP addresses, unusual network activity, and processes that would not normally reach out to the Telegram Bot API or webhook endpoints, since the report notes these as possible C2 channels.

Environment setup:

  1. Set up a Windows 10 virtual machine with the following installed:
    • Popular browsers: Chrome (version 131 or later), Firefox, Edge, Brave, and Opera.
    • Communication platforms: Signal and Telegram.
    • Traffic analysis and debugging tools: Wireshark and HttpDebuggerUI.
    • Virtualization software: VirtualBox or VMware.
  2. Configure the virtual machine to have internet connectivity.
  3. Install various input languages on the system, including those from the CIS countries (e.g., Russian, Ukrainian, Kazakh) and others.
  4. Create user accounts with varying privileges.
  5. Set up monitoring tools to capture network traffic, system events, process activity, registry changes, and file system activity.

Attack Steps:

  1. Delivery and Execution:
    • Deliver the Flesh Stealer malware to the virtual machine via a phishing email with a malicious attachment (e.g., Word document with embedded macros) or by hosting it on a compromised website.
    • Execute the malware by opening the attachment or visiting the malicious website.
  2. Anti-VM and Anti-Debugging Checks:
    • Observe the malware’s execution and monitor its attempts to detect the virtual environment and debugging tools.
    • Verify that the malware terminates its activity if it detects a virtual environment or debugger. Because the lab itself is a virtual machine, expect the sample to exit at this stage; to observe the later steps, either harden the VM against the checks it performs or neutralize those checks, and record which artifacts it inspected, since they are observables in their own right.
  3. System and Network Reconnaissance:
    • Monitor the malware’s execution of commands or WMI queries to gather system information, including OS version, disk information, hostname, number of processors, and networking interfaces details.
    • Observe the malware’s attempts to discover user accounts and their privileges.
  4. Browser and Application Targeting:
    • Monitor the malware’s interaction with installed browsers and applications like Chrome, Firefox, Edge, Opera, Brave, Signal, and Telegram.
    • Observe the malware’s attempts to steal cookies, credentials, browsing history, and chat databases.
  5. Data Exfiltration:
    • Monitor the malware’s network connections to its command-and-control (C2) infrastructure, potentially hosted on bulletproof VPS or using Telegram bots or webhooks.
    • Observe the exfiltration of stolen data to the C2 server.

Verification:

  1. Detection Analytics Effectiveness:
    • Analyze the logs and alerts generated by your detection analytics to verify that they successfully detected the malicious activities performed by Flesh Stealer.
    • Identify any gaps or weaknesses in your detection rules and refine them accordingly.
  2. Observable Validation:
    • Confirm that the observed activities and artifacts match the potential observables identified during the Summiting the Pyramid analysis.
    • Update your list of observables based on the emulation results.
  3. Scenario Refinement:
    • Modify the emulation scenario to test different attack vectors, evasion techniques, and persistence mechanisms.
    • Continuously update the scenario to reflect the latest TTPs and IOCs associated with Flesh Stealer.

Additional Considerations:

  • Network Monitoring: Use network monitoring tools like Wireshark to capture and analyze network traffic generated by the malware, including DNS queries, HTTP requests, and C2 communication.
  • Memory Analysis: Perform memory analysis to identify injected code, unpacked malware components, and hidden processes.
  • Behavioral Analysis: Utilize behavioral analysis tools to detect anomalies in process execution, file system activity, and registry modifications.
  • Threat Intelligence: Integrate threat intelligence feeds to identify known Flesh Stealer IOCs and update your detection rules accordingly.