NOBELIUM, the Russian threat actor behind the SolarWinds compromise, took over a Constant Contact account and used it to send malicious emails that delivered a weaponized ISO file.

As we like to map to MITRE ATT&CK, the chain we emulated breaks down as follows:

T1584.006 - Compromise Infrastructure: Web Services (compromised the Constant Contact account of USAID)
T1566.003 - Phishing: Spearphishing via Service (Constant Contact)
T1566.002 - Phishing: Spearphishing Link (link downloads an ISO image)
T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass (ISO image)
T1204.002 - User Execution: Malicious File (Windows Explorer shortcut)
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1071 - Application Layer Protocol: HTTPS C2 with a heartbeat of 62 seconds and 39% jitter

Packaging the payload in an ISO image is interesting because of how Windows applies the Mark-of-the-Web. When a file is downloaded from the internet, the browser attaches a Zone.Identifier alternate data stream to it, and that tag is what triggers SmartScreen and Office Protected View. The ISO itself receives the tag, but when the user double-clicks it, Windows mounts it as a virtual drive, and the files inside the mounted image carry no Zone.Identifier stream, so the shortcut and the payload it launches run without those warnings. This technique most closely resembles T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass. We went ahead and documented this in our Community Threats GitHub under the Compound Actions folder and also committed the test to the Atomic Red Team project, as it did not have any tests for T1553.005.
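The script below is an added example, not code from the original post, the Community Threats repository, or Atomic Red Team. It checks the Mark-of-the-Web behavior on your own Windows build: it reads the Zone.Identifier stream on a browser-downloaded ISO, mounts the image the way a double-click in Explorer does, reports which files inside carry (or lack) the tag, and resolves any .lnk in the image to the command it would launch without running it. The ISO path is a parameter you supply; any .iso downloaded with a browser works. Microsoft has since changed how mounted images are tagged on newer builds, so the untagged-file warning is the result to look at rather than something to assume.

```powershell
<#
  Added example (not from the original post or its repositories).
  Checks Mark-of-the-Web (MotW) handling for a downloaded ISO and its contents
  and lists what any shortcut inside the image points at, without executing it.
  Assumption: $IsoPath is an .iso downloaded with a browser, which writes the
  Zone.Identifier alternate data stream (ZoneId=3 is the Internet zone).
  Run on Windows; nothing inside the image is launched.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$IsoPath   # assumption: e.g. C:\Users\analyst\Downloads\sample.iso
)

# Return the ZoneId from a file's Zone.Identifier stream, or $null when it has no MotW.
function Get-MotwZoneId {
    param([string]$Path)
    # Enumerate streams first; read-only image filesystems may not support ADS at all.
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue
    if (-not ($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })) {
        return $null
    }
    $zoneLine = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($zoneLine -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    return $null
}

# Resolve a .lnk to its target and arguments; CreateShortcut on an existing file only reads it.
function Get-ShortcutTarget {
    param([string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($LnkPath)
    [pscustomobject]@{
        Shortcut  = $LnkPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
}

$isoZone = Get-MotwZoneId -Path $IsoPath
if ($null -eq $isoZone) {
    Write-Warning "The ISO itself has no Zone.Identifier stream; download it with a browser to reproduce the real case."
} else {
    Write-Host "ISO $IsoPath carries MotW (ZoneId=$isoZone)"
}

# Mount the image as a virtual drive, exactly as a double-click in Explorer would.
$image = Mount-DiskImage -ImagePath $IsoPath -PassThru
try {
    $letter = ($image | Get-Volume).DriveLetter
    $root = "${letter}:\"
    Write-Host "Mounted at $root"

    $files = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force)
    $results = @(foreach ($f in $files) {
        [pscustomobject]@{
            File   = $f.FullName
            Hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            ZoneId = Get-MotwZoneId -Path $f.FullName
        }
    })
    $results | Format-Table -AutoSize

    $untagged = @($results | Where-Object { $null -eq $_.ZoneId }).Count
    if ($untagged -gt 0) {
        Write-Warning "$untagged of $($results.Count) files in the mounted image have no MotW; SmartScreen and Protected View will not prompt for them."
    } else {
        Write-Host "Every file in the image carries MotW; this build propagates the tag into mounted images."
    }

    # The lure relied on a shortcut inside the image; show what each .lnk would launch.
    $files | Where-Object { $_.Extension -eq '.lnk' } |
        ForEach-Object { Get-ShortcutTarget -LnkPath $_.FullName } |
        Format-List
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Run it as `.\Check-IsoMotw.ps1 -IsoPath C:\Users\analyst\Downloads\sample.iso` (the script name is a placeholder). A warning that files in the mounted image are untagged is the condition T1553.005 depends on; a shortcut whose target is rundll32.exe with a DLL argument from the same drive letter is the T1204.002 to T1218.011 hand-off in the chain above.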