letuf.blogg.se

Chimera tool full crack 2018

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.

Chimera has performed file deletion to evade detection.

Indicator Removal: Clear Windows Event Logs
Chimera has cleared event logs on compromised hosts.

Chimera has used side loading to place malicious DLLs in memory.

Gather Victim Identity Information: Credentials
Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.

Chimera has utilized multiple commands to identify data of interest in file and directory listings.

Chimera has used legitimate credentials to log in to an external VPN, Citrix, SSH, and other remote services.

Exfiltration Over Web Service: Exfiltration to Cloud Storage
Chimera has exfiltrated stolen data to OneDrive accounts.

Chimera has used Cobalt Strike C2 beacons for data exfiltration.

Email Collection: Remote Email Collection
Chimera has harvested data from remote mailboxes including through execution of \ \c$\Users\ \AppData\Local\Microsoft\Outlook*.ost.

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\ \ \backup.pst c:\windows\temp\backup.pst" copy "i:\ \ \My Documents\.

Chimera has used nltest /domain_trusts to identify domain trust relationships.

Chimera has staged stolen data on designated servers in the target environment.

Chimera has staged stolen data locally on compromised hosts.

Chimera has collected data of interest from network shares.

Data from Information Repositories: Sharepoint
Chimera has collected documents from the victim's SharePoint.

Command and Scripting Interpreter: Windows Command Shell
Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.

Command and Scripting Interpreter: PowerShell
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.

Chimera has used type \ \c$\Users\ \Favorites\Links\Bookmarks bar\Imported From IE*citrix* for bookmark discovery.

Chimera has used custom DLLs for continuous retrieval of data from memory.

Archive Collected Data: Archive via Utility
Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.

Application Layer Protocol: Web Protocols
Chimera has used HTTPS for C2 communications.

Chimera has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.

Chimera has used net user for account discovery.