The scenario begins with the initial breach, where a legitimate user clicks (T1204) a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file (T1096) delivered as part of the spearphishing campaign. The ADS performs a series of enumeration commands to ensure it is not executing in a virtualized analysis environment (T1497, T1082, T1120, T1033, T1016, T1057, T1083) before establishing persistence via a Windows Registry Run key entry (T1060) pointing to an embedded DLL payload that was decoded and dropped to disk (T1140). The ADS then executes a PowerShell stager (T1086) which creates a C2 connection over port 443 (T1043) using the HTTPS protocol (T1071, T1032).
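As an added example (not code from this issue or the project it belongs to), the following Python sketch shows how a defender might detect the chain described above from Sysmon-style telemetry: a process launched with an alternate-data-stream path on its command line, a Run key value pointing at a dropped DLL, PowerShell spawned by the script host, and a PowerShell network connection to port 443, correlated per host inside a short time window. All events are constructed placeholders with Sysmon-like field names (`id` 1 = process create, 13 = registry value set, 3 = network connect); the ADS regex is a heuristic, and treating `wscript.exe`/`cscript.exe`/`cmd.exe`/`mshta.exe` as the parent of the stager is this example's assumption, not something the issue text states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events for this example (not from the page or any real host).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.pdf:payload.js"'},
    {"ts": "2024-01-01T10:00:07", "host": "WS01", "id": 13,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"ts": "2024-01-01T10:00:09", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1"},
    {"ts": "2024-01-01T10:00:12", "host": "WS01", "id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # Benign activity on a second host: a browser speaking HTTPS must not fire.
    {"ts": "2024-01-01T10:01:00", "host": "WS02", "id": 1,
     "image": r"C:\Program Files\Browser\browser.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Browser\browser.exe" https://example.com'},
    {"ts": "2024-01-01T10:01:02", "host": "WS02", "id": 3,
     "image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "198.51.100.5", "dst_port": 443},
]

# Heuristic: a drive-letter path followed by ":<stream>" (e.g. file.pdf:payload.js).
ADS_RE = re.compile(r'\b[A-Za-z]:\\[^:"]+:[\w.$-]+')
# Run / RunOnce autostart keys under any hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed parents of a script-launched PowerShell stager (example assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_stages(ev):
    """Return the list of scenario stages a single event matches."""
    stages = []
    if ev["id"] == 1 and ADS_RE.search(ev.get("cmdline", "")):
        stages.append("ads_execution")
    if ev["id"] == 13 and RUN_KEY_RE.search(ev.get("target", "")):
        details = ev.get("details", "").lower()
        # Run key value loading a DLL or anything from a user-writable profile path.
        if ".dll" in details or "\\users\\" in details:
            stages.append("run_key_persistence")
    if (ev["id"] == 1 and basename(ev["image"]) == "powershell.exe"
            and basename(ev.get("parent", "")) in SCRIPT_HOSTS):
        stages.append("powershell_stager")
    if ev["id"] == 3 and basename(ev["image"]) == "powershell.exe" and ev.get("dst_port") == 443:
        stages.append("c2_over_443")
    return stages


def correlate(events, window=timedelta(minutes=10), min_stages=3):
    """Group stage hits per host; report hosts with >= min_stages distinct stages in a window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in detect_stages(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    chains = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            seen = []
            for t, stage in hits[i:]:
                if t - t0 > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages:
                chains[host] = seen   # stages in the order they were observed
                break
    return chains


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Each rule alone is noisy (plenty of legitimate software sets Run keys, and PowerShell reaching port 443 is routine); the value is in requiring several distinct stages on one host within minutes, which is what the description's sequence gives a defender to key on.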