| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Siloscape impersonates the main thread of |
| Enterprise | T1071 | Application Layer Protocol | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1609 | Container Administration Command | Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the |
| Enterprise | T1611 | Escape to Host | Siloscape maps the host’s C drive to the container by creating a global symbolic link to the host through the calling of |
| Enterprise | T1190 | Exploit Public-Facing Application | Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[1] |
| Enterprise | T1083 | File and Directory Discovery | Siloscape searches for the Kubernetes config file and other related files using a regular expression.[1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1027 | Obfuscated Files or Information | Siloscape itself is obfuscated and uses obfuscated API calls.[1] |
| Enterprise | T1069 | Permission Groups Discovery | |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1518 | Software Discovery | |