- SilkSpecter used spearphishing emails carrying malicious attachments (T1566.001, Spearphishing Attachment) to target Black Friday shoppers.
- The attachments likely carried malware which, once executed, connected to the actors' command-and-control (C2) server over ordinary web protocols such as HTTP or HTTPS (T1071.001, Web Protocols), so the beaconing blends in with normal browsing traffic.
- Over that same channel the malware exfiltrated credit card details and other personally identifiable information (PII) back to the C2 server (T1041, Exfiltration Over C2 Channel).
Fake Privilege Boundaries
Goal: Confuse and misdirect attackers by creating the illusion of different privilege levels or access restrictions.
Approach: Presenting attackers with a misleading view of privilege boundaries.
Manipulate system responses or network configuration so that attackers perceive privilege levels or access restrictions that do not really exist, for example a directory that answers "access denied" but protects nothing, or a VLAN that looks segmented but leads only to decoys. Attackers who spend effort on these fake boundaries waste time, and the way they probe them (which paths, which credentials, which tools) reveals their intent and tooling.
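The following is an added example, not code from the original page, showing one concrete fake privilege boundary: an HTTP path that looks like a protected administrative area but guards nothing. An unauthenticated request gets a 401 with a realm (inviting a credential guess), and any credentials offered get a 403 and are recorded; no request ever gets a 200. The decoy paths, the realm string and the alert fields are assumptions chosen for illustration.

```python
"""Decoy privilege boundary: an HTTP path that looks protected but guards nothing.

Added example, not from the original page. The path names, realm and the
alert format are assumptions chosen for illustration.
"""
import base64
import json
from datetime import datetime, timezone

# Paths that exist only to look like a privileged area. Nothing real lives
# behind them, so any request that reaches them is worth recording. (Assumed names.)
DECOY_ADMIN_PATHS = {"/admin/", "/manage/", "/internal/backup/"}
REALM = "Internal Administration"   # assumed realm string shown to the attacker


def _parse_basic_auth(header_value):
    """Return (username, password) from a Basic Authorization header, or None."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle_request(method, path, headers, client_ip, now=None):
    """Serve the fake privilege boundary.

    Returns (status, response_headers, body, alert). `alert` is None for
    ordinary traffic and a dict for anything touching the decoy area:
      * unauthenticated request to a decoy path -> 401 + WWW-Authenticate,
        which looks like a real protected area and invites a credential guess
      * any credentials offered -> 403 (never 200), and the attempt is logged
        together with the username the attacker chose to try
    """
    now = now or datetime.now(timezone.utc)
    if path not in DECOY_ADMIN_PATHS:
        return 404, {}, "Not Found", None

    creds = _parse_basic_auth(headers.get("Authorization"))
    base = {
        "time": now.isoformat(),
        "client_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
    }
    if creds is None:
        # First touch: present the boundary. Still an alert, lower severity.
        alert = dict(base, event="decoy_probe", severity="medium")
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized", alert
    # Credential attempt: record what was tried. Reuse of a real account's
    # password here is a strong indicator of a prior credential theft.
    alert = dict(base, event="decoy_credential_attempt", severity="high",
                 username=creds[0], password_len=len(creds[1]))
    return 403, {}, "Forbidden", alert


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    demo = [
        ("GET", "/index.html", {}, "203.0.113.7"),
        ("GET", "/admin/", {"User-Agent": "curl/8.4"}, "203.0.113.7"),
        ("POST", "/admin/", {"Authorization": "Basic YWRtaW46YWRtaW4="}, "203.0.113.7"),
    ]
    for req in demo:
        status, _, _, alert = handle_request(*req)
        print(status, json.dumps(alert))
```

The important property is that the decoy behaves exactly like a real protected resource from the outside (correct status codes, a realm, a consistent 403 on failure) while the only thing it ever does is record the attempt; wiring `handle_request` into a real server and shipping the alerts to the SIEM is left to the deployment.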
Honeytokened Administrative Tools
Goal: Detect and track the usage of administrative tools by unauthorized users.
Approach: Monitoring access to and usage of honeytokened tools.
Deploy decoy versions of administrative tools (e.g., PowerShell, PsExec) that mimic their legitimate counterparts but log usage, trigger alerts, or provide misleading information. Place the decoys where legitimate administrators never run them (a spare host, an unusual path, a stale share), so every execution is a high-fidelity signal rather than noise that has to be triaged.
Deceptive Privilege Escalation Paths
Goal: Identify attackers attempting privilege escalation and gather information about their techniques.
Approach: Creating enticing but fake privilege escalation vulnerabilities.
Introduce services or configurations that look exploitable for privilege escalation, for example a writable service binary path, an over-permissive sudo rule or a setuid binary, but that never actually grant elevated access. Exploiting the decoy drops the attacker into a controlled environment or simply fires an alert, and the attempt itself documents the attacker's TTPs.
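Both the honeytokened administrative tool above and the deceptive privilege escalation path come down to the same artifact: an executable that is never legitimately run, which records who executed it and how, then fails convincingly. The following is an added example, not code from the original page, of such a shim. Installed under the name it impersonates (a stray `PsExec.exe`, or the target of a decoy sudo rule), it distinguishes a plain tool execution from a privilege escalation attempt by whether it was reached through sudo. The alert log path, the environment variables used and the fake error text are assumptions.

```python
"""Honeytoken shim for a decoy admin tool or a decoy privilege-escalation path.

Added example, not from the page. It records who ran it, from where and with
which arguments, appends an alert, then fails with a plausible error so the
attacker learns nothing. ALERT_LOG, FAKE_ERROR and the env-var names are assumptions.
"""
import getpass
import json
import os
import socket
import sys
from datetime import datetime, timezone

ALERT_LOG = os.environ.get("HONEYTOKEN_ALERT_LOG", "/var/log/honeytoken-alerts.jsonl")
FAKE_ERROR = "Access is denied."   # assumed; mimic the real tool's own failure text


def _parent_process_name(ppid):
    """Best-effort name of the parent process (Linux /proc); '' elsewhere."""
    try:
        with open(f"/proc/{ppid}/comm", encoding="utf-8") as f:
            return f.read().strip()
    except OSError:
        return ""


def build_alert(argv, environ, *, user=None, cwd=None, ppid=None, host=None, now=None):
    """Describe one execution of the decoy as an alert record.

    Keyword arguments override the live values so the function can be exercised
    with constructed input; the shim itself passes none of them.
    """
    now = now or datetime.now(timezone.utc)
    # Basename that works for both '/' and '\\' paths (the decoy may be a
    # Windows tool name even when the shim runs elsewhere).
    decoy = argv[0].replace("\\", "/").rsplit("/", 1)[-1] if argv else "<unknown>"
    via_sudo = "SUDO_USER" in environ     # reached through a decoy sudo rule
    alert = {
        "time": now.isoformat(),
        "event": "decoy_privesc_attempt" if via_sudo else "decoy_tool_execution",
        "severity": "high",
        "decoy": decoy,
        "args": list(argv[1:]),           # arguments are intelligence (targets, creds)
        "user": user if user is not None else getpass.getuser(),
        "invoking_user": environ.get("SUDO_USER", ""),
        "cwd": cwd if cwd is not None else os.getcwd(),
        "ppid": ppid if ppid is not None else os.getppid(),
        "host": host if host is not None else socket.gethostname(),
        "remote": environ.get("SSH_CONNECTION", ""),   # origin if run over SSH
    }
    alert["parent"] = _parent_process_name(alert["ppid"])
    return alert


def write_alert(alert, path=ALERT_LOG):
    """Append one JSON line; a collector ships the file to the SIEM."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(alert) + "\n")


def main():
    alert = build_alert(sys.argv, os.environ)
    try:
        write_alert(alert)
    except OSError:
        pass   # never reveal the shim by crashing on a logging problem
    sys.stderr.write(FAKE_ERROR + "\n")
    sys.exit(1)


if __name__ == "__main__":
    main()
```

The shim records the arguments verbatim on purpose: a `PsExec`-style decoy invoked with a target host and an account name tells you what the attacker was going for next. Keep the alert log outside the attacker's reach (a remote syslog target rather than a local file) if the host itself is part of the decoy.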
CVE-2024-38178 MS Scripting Engine
- The attacker targeted Windows users running specific software with a built-in web viewer based on Internet Explorer's engine.
- They registered a domain resembling that of a legitimate ad agency and served malicious JavaScript inside the ads it delivered.
- That domain was then registered with the targeted software's vendor as an ad source, so the malicious ads were rendered by the software's ad pop-up process.
- When users launched the software, the ad's script triggered a type confusion vulnerability (CVE-2024-38178) in JScript9.dll, Internet Explorer's JavaScript engine, giving remote code execution with no user interaction beyond starting the program.
Image-Based Malware Delivery
Goal: Deliver deceptive payloads or disrupt attacker operations through manipulated images.
Approach: Hiding malicious or disruptive code within images.
Embed code within images that attackers are likely to download or process, such as files placed in an enticing share or repository. The code can trigger an alert when the image is opened or parsed, collect information about the attacker's environment, or, in the most aggressive variants, disrupt their tooling. Disruptive payloads act on systems you do not own, so most programs stop at passive beacons (callback URLs, canary tokens) and leave the disruptive variants out.
Deceptive Metadata in Multimedia Files
Goal: Gather information about attacker activity by embedding deceptive metadata in multimedia files.
Approach: Hiding misleading or enticing information within metadata fields.
Embed deceptive metadata within multimedia files such as images, videos, or audio recordings, in the fields attackers routinely inspect (EXIF, XMP, PNG text chunks, ID3 tags). The metadata can contain false information, misleading clues, or links to honeypots or decoy websites; a request to one of those links identifies which file was taken and where it was opened. Such fields survive copying but not re-encoding, so they complement rather than replace the other techniques here.
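As an added example covering both the image-based delivery and the deceptive metadata sections above (not code from the original page), the following plants a honeypot URL carrying a per-file tag into a PNG `tEXt` chunk. It is the passive-beacon variant: nothing executes, but any tool that lists the file's metadata shows the URL, and a hit on it tells you which copy was taken. The carrier image is generated in place, the chunk reader verifies CRCs so a tampered file is noticed, and the URL, keyword and tag are assumptions.

```python
"""Plant deceptive metadata in a PNG: a tEXt chunk carrying a honeypot URL and a
per-file tag, plus a reader that lists the chunks an attacker's tooling would see.

Added example, not from the page. The URL, keyword and tag are assumptions.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width=2, height=2, rgb=(0, 0, 0)):
    """A tiny valid 8-bit RGB PNG used as a constructed carrier image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter type 0 + pixel bytes
    idat = zlib.compress(row * height)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def plant_text(png, keyword, text):
    """Insert a tEXt chunk (keyword NUL text, Latin-1) directly after IHDR.

    tEXt is ancillary: viewers ignore it, but metadata tools and the quick
    strings/exiftool look an attacker gives a stolen file will show it.
    """
    if "\x00" in keyword or not 1 <= len(keyword) <= 79:
        raise ValueError("keyword must be 1-79 characters without NUL")
    payload = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    out = PNG_SIG
    for ctype, data in iter_chunks(png):
        out += _chunk(ctype, data)
        if ctype == b"IHDR":
            out += _chunk(b"tEXt", payload)
    return out


def read_text(png):
    """Return {keyword: text} for every tEXt chunk in the file."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            k, _, v = data.partition(b"\x00")
            found[k.decode("latin-1")] = v.decode("latin-1")
    return found


def make_decoy_image(tag):
    """Carrier image with a honeypot URL whose tag identifies this copy (assumed URL)."""
    return plant_text(minimal_png(), "Source",
                      f"https://assets.example.internal/raw/{tag}.png")


if __name__ == "__main__":
    img = make_decoy_image("batch-17")
    print([t for t, _ in iter_chunks(img)], read_text(img))
```

The same chunk mechanism carries any deceptive text (a fake author, an internal hostname that exists only as a honeypot); what makes it useful is the tag, which ties a later request back to a specific planted file. Re-encoding the image (screenshot, format conversion) drops the chunk, which is the limitation the section above notes.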
Deceptive Document Watermarks
Goal: Track the dissemination of sensitive documents and identify potential leaks.
Approach: Embedding hidden watermarks in documents to track their movement.
Embed hidden watermarks within documents that reveal themselves only under specific conditions or when the document reaches an unauthorized party. A watermark that differs per recipient (invisible characters in the text, slight variations in spacing or wording, unique identifiers in metadata) lets a leaked copy be traced back to the copy it came from; it can also carry decoy data or trigger an alert upon discovery.
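One common invisible watermark is a per-recipient identifier encoded in zero-width Unicode characters. The following is an added example, not code from the original page, that spreads the bits of a recipient ID across the spaces of a text so that a copy looks identical on screen, yet a leaked copy (even a partial one, which yields the leading bytes of the ID) can be traced. The choice of characters and the bit layout are assumptions of this example.

```python
"""Invisible per-recipient watermark using zero-width characters.

Added example, not from the page. Bits of the recipient ID are encoded as
ZERO WIDTH SPACE (0) and ZERO WIDTH NON-JOINER (1), one after each space in
the carrier text, with ZERO WIDTH JOINER marking the start. The encoding is an
assumption of this example, not a standard.
"""
ZW0 = "\u200b"    # zero width space       -> bit 0
ZW1 = "\u200c"    # zero width non-joiner  -> bit 1
MARK = "\u200d"   # zero width joiner      -> start of watermark
ZW_SET = {ZW0, ZW1, MARK}


def _to_bits(payload):
    """'rcpt' -> '01110010...' (8 bits per byte, MSB first)."""
    return "".join(f"{b:08b}" for b in payload)


def embed(text, recipient_id):
    """Return `text` with `recipient_id` hidden in it; rendering is unchanged."""
    bits = [ZW1 if b == "1" else ZW0 for b in _to_bits(recipient_id.encode("utf-8"))]
    out, i = [MARK], 0
    for ch in text:
        out.append(ch)
        if ch == " " and i < len(bits):
            out.append(bits[i])   # one bit after each space
            i += 1
    out.extend(bits[i:])          # carrier has too few spaces: append the rest
    return "".join(out)


def extract(text):
    """Recover the recipient ID, or None if no watermark is present.

    A truncated copy still yields the leading whole bytes of the ID.
    """
    zw = [c for c in text if c in ZW_SET]
    if not zw or zw[0] != MARK:
        return None
    bits = "".join("1" if c == ZW1 else "0" for c in zw[1:] if c != MARK)
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def strip_watermark(text):
    """Remove the watermark; this is what a normalising editor or retyping does."""
    return "".join(c for c in text if c not in ZW_SET)


if __name__ == "__main__":
    # Constructed document, not a real one.
    doc = "Quarterly financial results are attached for the board. Do not distribute."
    marked = embed(doc, "rcpt-042")
    print(repr(marked[:40]), extract(marked), strip_watermark(marked) == doc)
```

Zero-width marks survive copy-and-paste between most editors and mail clients, which is what makes them useful, but they do not survive retyping, OCR of a screenshot, or a deliberate normalisation pass (`strip_watermark` shows how little that takes), so they are best combined with a second channel such as the metadata or wording variations mentioned above.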
Fake Software Updates
Goal: Gather information about attacker activity by offering deceptive software updates.
Approach: Luring attackers to download and execute fake updates.
Create fake software updates that appear legitimate but contain tracking mechanisms or deceptive payloads, and serve them only from decoy update channels that legitimate clients never consult, so each download is attacker activity by definition. When an attacker downloads and executes such an update, information about their tools, techniques, and objectives (and, via a callback, where the execution happened) can be gathered.
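A lightweight tracking mechanism for a fake update is a DNS canary: each decoy package carries a unique hostname that is resolved when the "updater" runs, and the authoritative resolver's query log reveals which decoy ran and from which address. The following is an added example, not code from the original page, that derives the canary names, generates the decoy updater body, and runs the matching logic over constructed query-log lines. The zone, the HMAC key and the log format are assumptions.

```python
"""Fake-update canaries: every decoy update carries a unique hostname that is
resolved when the update is executed, so a DNS query log reveals which decoy
was run and from where.

Added example, not from the page. Zone, key, log format and token layout are assumptions.
"""
import hashlib
import hmac
import re

CANARY_ZONE = "upd.example-canary.net"   # assumed zone you control and log queries for
SECRET = b"rotate-me"                     # assumed HMAC key; keeps tokens unguessable


def canary_host(decoy_id):
    """Deterministic but unguessable hostname for one decoy update."""
    tag = hmac.new(SECRET, decoy_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{tag}.{CANARY_ZONE}"


def decoy_update_script(decoy_id, version):
    """Body of the decoy 'updater'. On execution it resolves the canary name
    and then reports a bogus failure; it installs nothing."""
    host = canary_host(decoy_id)
    return (
        "#!/bin/sh\n"
        f"# {version} security update\n"
        f"nslookup {host} >/dev/null 2>&1\n"
        'echo "update verification failed: signature mismatch" >&2\n'
        "exit 1\n"
    )


# Assumed query-log layout: <timestamp> <client> <qtype> <qname>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def match_canaries(log_lines, decoy_ids):
    """Return one alert per DNS query that hits a known decoy's canary host."""
    index = {canary_host(d): d for d in decoy_ids}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unrelated or malformed line
        qname = m["qname"].rstrip(".").lower()
        decoy = index.get(qname)
        if decoy:
            alerts.append({"time": m["ts"], "source": m["src"],
                           "decoy": decoy, "qtype": m["qtype"]})
    return alerts


# Constructed log lines, not real traffic. The second one is a hit for the
# decoy named 'finance-ws-agent-2.4.1'; the third uses a tag that was never issued.
SAMPLE_LOG = [
    "2024-11-12T03:14:07Z 10.0.0.5 A www.example.com",
    f"2024-11-12T03:15:41Z 198.51.100.9 A {canary_host('finance-ws-agent-2.4.1')}",
    "2024-11-12T03:15:42Z 198.51.100.9 AAAA deadbeefdeadbeef.upd.example-canary.net",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(decoy_update_script("finance-ws-agent-2.4.1", "2.4.1"))
    for alert in match_canaries(SAMPLE_LOG, ["finance-ws-agent-2.4.1", "hr-portal-hotfix"]):
        print(alert)
```

Deriving the tag with an HMAC rather than a random string means the index of valid canaries can be rebuilt from the decoy IDs alone, and an attacker who finds one tag cannot guess the others. The source address in the log is that of the resolver the attacker used, not necessarily the attacker's own host, which is why the decoy ID (what was taken, from where) is usually the more valuable field.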
Deceptive Beacons
Goal: Confuse and misdirect attackers by deploying deceptive beacons.
Approach: Emitting misleading signals to divert attackers.
Deploy beacons that mimic the network traffic of vulnerable or compromised systems, for example periodic callbacks to a decoy C2 domain or the banner traffic of an outdated service, so that an attacker performing reconnaissance believes a host is already compromised or easy to compromise. Following the beacon leads them towards honeypots or decoy networks, or triggers automated responses.