WIRTE

WIRTE is a threat group that has been active since at least August 2018. The group focuses on targeting the defense sector and diplomats in the Middle East.[1]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 1.2
Created: 24 May 2019
Last Modified: 17 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBS scripts throughout its operation.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has decoded a Base64-encoded document that was embedded in a VBS script.[1]

Enterprise T1105 Ingress Tool Transfer

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.[1]

Enterprise T1218.010 Signed Binary Proxy Execution: Regsvr32

WIRTE has used Regsvr32.exe to trigger the execution of a malicious script.[1]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

References