Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.[1]

ID: G0101
Version: 1.1
Created: 11 May 2020
Last Modified: 26 May 2021

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[1]

Enterprise T1020 Automated Exfiltration

Frankenstein has collected information via Empire, which automatically sent the data back to the adversary's C2.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Frankenstein has used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.[1]

.005 Command and Scripting Interpreter: Visual Basic

Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.[1]

Enterprise T1005 Data from Local System

Frankenstein has enumerated hosts via Empire, gathering various local system information.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Frankenstein has collected information via Empire, which automatically sent the data back to the adversary's C2.[1]

Enterprise T1203 Exploitation for Client Execution

Frankenstein has used CVE-2017-11882 to execute code on the victim's machine.[1]

Enterprise T1105 Ingress Tool Transfer

Frankenstein has uploaded and downloaded files to utilize additional plugins.[1]

Enterprise T1027 Obfuscated Files or Information

Frankenstein has run encoded commands from the command line.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Frankenstein has obtained and used Empire to deploy agents.[1]

Enterprise T1003 OS Credential Dumping

Frankenstein has harvested credentials from the victim's machine using Empire.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.[1]

Enterprise T1057 Process Discovery

Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named "WinUpdate".[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.[1]

Enterprise T1082 System Information Discovery

Frankenstein has enumerated hosts, looking for the system's machine name.[1]

Enterprise T1016 System Network Configuration Discovery

Frankenstein has enumerated hosts, looking for the public IP address of the system.[1]

Enterprise T1033 System Owner/User Discovery

Frankenstein has enumerated hosts, gathering username, machine name, and administrative permissions information.[1]

Enterprise T1221 Template Injection

Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.[1]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Frankenstein has used MSBuild to execute an actor-created file.[1]

Enterprise T1204 .002 User Execution: Malicious File

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Frankenstein has used WMI queries to check if various security applications were running, including VMware and VirtualBox.[1]

Enterprise T1047 Windows Management Instrumentation

Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.[1]
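As a detection aid for the scheduled-task (T1053.005) and encoded-PowerShell (T1059.001) entries above, the following added example, which is not part of the ATT&CK entry or the cited report, triages process command lines for creation of a task named "WinUpdate" and decodes base64 PowerShell arguments so the same check runs on the decoded layer. It assumes the encoded commands arrive through PowerShell's -EncodedCommand parameter; the sample lines are constructed and their /TR targets are placeholders, since the page does not give that value.

```python
import base64
import binascii
import re

# /switch followed by an optional value (quoted, or a bare token not starting with "/")
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')
# -e, -ec, -enc ... -EncodedCommand followed by a base64 blob
PS_ARG_RE = re.compile(r'\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})', re.I)

def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, else None."""
    if not re.search(r'\bschtasks(\.exe)?\b', cmdline, re.I):
        return None
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH_RE.finditer(cmdline)}

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    if "powershell" not in cmdline.lower():
        return None
    for m in PS_ARG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if "encodedcommand".startswith(flag) or flag == "ec":
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def triage(cmdline):
    """Return [(technique_id, note)] for one process command line."""
    findings = []
    sw = parse_schtasks(cmdline)
    if sw is not None and "create" in sw and sw.get("tn", "").lower() == "winupdate":
        findings.append(("T1053.005", "scheduled task 'WinUpdate' created"))
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("T1059.001", "encoded PowerShell: " + decoded))
        findings += triage(decoded)  # run the same checks on the decoded layer
    return findings

def ps_encode(script):  # only used to build the constructed sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines; the /TR targets are placeholders.
SAMPLES = [
    r'schtasks /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR "C:\Users\Public\placeholder.exe"',
    'powershell.exe -NoP -W Hidden -enc ' + ps_encode('schtasks /create /tn "WinUpdate" /tr placeholder.cmd /sc daily'),
    r'schtasks /Create /SC WEEKLY /TN "Backup Job" /TR C:\tools\backup.cmd',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1',
]
```

A task name alone is a weak indicator; pair it with the task's /TR target and the parent process when reviewing hits.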

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

References