Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Frankenstein, the threat actors used HTTP GET requests for C2.[1]
Enterprise | T1119 | Automated Collection | During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information.[1]
Enterprise | T1020 | Automated Exfiltration | During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.[1]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.[1]
Enterprise | T1005 | Data from Local System | During Frankenstein, the threat actors used Empire to gather various local system information.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[1]
Enterprise | T1203 | Exploitation for Client Execution | During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.[1]
Enterprise | T1105 | Ingress Tool Transfer | During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[1]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[1]
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | During Frankenstein, the threat actors ran encoded commands from the command line.[1]
Enterprise | T1588.002 | Obtain Capabilities: Tool | For Frankenstein, the threat actors obtained and used Empire.[1]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During Frankenstein, the threat actors likely used spearphishing emails to send malicious Microsoft Word documents.[1]
Enterprise | T1057 | |