Threat Attribution — Chimera “Under the Radar”

Threat Attribution Research Comparison

Conclusions

Source — CyCraft Classroom: MITRE ATT&CK® vs. Cyber Kill Chain vs. Diamond Model

Hash Values


IP address & Domain Name

Network & Host Artifacts

RecordedTV.ms
OneDrive.exe
update.exe
jucheck.exe

Tool

Cobalt Strike
OneDrive
Modified RAR
Cloud Service

TTP

T1003.003 OS Credential Dumping: NTDS
T1003.001 OS Credential Dumping: LSASS Memory
T1053.005 Scheduled Task/Job: Scheduled Task
T1078 Valid Accounts

T1574.002 Hijack Execution Flow: DLL Side-Loading
T1111 Two-Factor Authentication Interception
T1550.002 Use Alternate Authentication Material: Pass the Hash

T1055.001 Process Injection: Dynamic-link Library Injection
T1556.001 Modify Authentication Process: Domain Controller Authentication

Initial Access
both
T1133 External Remote Services
T1078 Valid Accounts

Execution
both
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1053.005 Scheduled Task/Job: Scheduled Task
T1569.002 System Services: Service Execution
T1047 Windows Management Instrumentation

Persistence
both
T1133 External Remote Services
T1078 Valid Accounts
CUTR
T1574.002 Hijack Execution Flow: DLL Side-Loading

Privilege Escalation
both
T1078 Valid Accounts

Defense Evasion
both
T1140 Deobfuscate/Decode Files or Information
T1036.003 Masquerading: Rename System Utilities
T1036.005 Masquerading: Match Legitimate Name or Location
T1078 Valid Accounts
CHIMERA
T1055.001 Process Injection: Dynamic-link Library Injection
CUTR
T1070.001 Indicator Removal on Host: Clear Windows Event Logs
T1070.004 Indicator Removal on Host: File Deletion
T1070.006 Indicator Removal on Host: Timestomp
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1550.002 Use Alternate Authentication Material: Pass the Hash

Credential Access
both
T1003.001 OS Credential Dumping: LSASS Memory
T1003.003 OS Credential Dumping: NTDS
CHIMERA
T1556.001 Modify Authentication Process: Domain Controller Authentication
CUTR
T1110.003 Brute Force: Password Spraying
T1110.004 Brute Force: Credential Stuffing
T1111 Two-Factor Authentication Interception

Discovery
both
T1087 Account Discovery
T1087.001 Account Discovery: Local Account
T1087.002 Account Discovery: Domain Account
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery
CUTR
T1217 Browser Bookmark Discovery
T1482 Domain Trust Discovery
T1046 Network Service Scanning
T1069 Permission Groups Discovery
T1018 Remote System Discovery
T1049 System Network Connections Discovery
T1007 System Service Discovery

Lateral Movement
both
T1570 Lateral Tool Transfer
T1021.002 Remote Services: SMB/Windows Admin Shares
CHIMERA
T1021.001 Remote Services: Remote Desktop Protocol
CUTR
T1021.004 Remote Services: SSH
T1021.006 Remote Services: Windows Remote Management
T1550.002 Use Alternate Authentication Material: Pass the Hash

Collection
both
T1560.001 Archive Collected Data: Archive via Utility
T1119 Automated Collection
T1005 Data from Local System
T1074.001 Data Staged: Local Data Staging
T1074.002 Data Staged: Remote Data Staging
CUTR
T1213.002 Data from Information Repositories: SharePoint
T1039 Data from Network Shared Drive
T1114.001 Email Collection: Local Email Collection

Command and Control
both
T1071.001 Application Layer Protocol: Web Protocols
T1071.004 Application Layer Protocol: DNS
T1573.002 Encrypted Channel: Asymmetric Cryptography
T1572 Protocol Tunneling

Exfiltration
both
T1020 Automated Exfiltration
T1030 Data Transfer Size Limits
T1041 Exfiltration Over C2 Channel
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Summary

Everything Starts From Security

Engage with CyCraft

engage@cycraft.com

CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at CyCraft.com