1. Home
  2. Groups
  3. Frankenstein

Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.[1]

ID: G0101
Version: 1.1
Created: 11 May 2020
Last Modified: 26 May 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[1]
Enterprise T1020 Automated Exfiltration

Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.[1]
.005 Command and Scripting Interpreter: Visual Basic

Frankenstein has used Word documents that prompts the victim to enable macros and run a Visual Basic script.[1]
Enterprise T1005 Data from Local System

Frankenstein has enumerated hosts via Empire, gathering various local system information.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.[1]
Enterprise T1203 Exploitation for Client Execution

Frankenstein has used CVE-2017-11882 to execute code on the victim's machine.[1]
Enterprise T1105 Ingress Tool Transfer

Frankenstein has uploaded and downloaded files to utilize additional plugins.[1]
Enterprise T1027 Obfuscated Files or Information

Frankenstein has run encoded commands from the command line.[1]
Enterprise T1588 .002 Obtain Capabilities: Tool

Frankenstein has obtained and used Empire to deploy agents.[1]
Enterprise T1003 OS Credential Dumping

Frankenstein has harvested credentials from the victim's machine using Empire.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.[1]

Enterprise T1057 Process Discovery

Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named "WinUpdate".[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.[1]
Enterprise T1082 System Information Discovery

Frankenstein has enumerated hosts, looking for the system's machine name.[1]
Enterprise T1016 System Network Configuration Discovery

Frankenstein has enumerated hosts, looking for the public IP address of the system.[1]
Enterprise T1033 System Owner/User Discovery

Frankenstein has enumerated hosts, gathering username, machine name, and administrative permissions information.[1]
Enterprise T1221 Template Injection

Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.[1]
Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Frankenstein has used MSbuild to execute an actor-created file.[1]
Enterprise T1204 .002 User Execution: Malicious File

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.[1]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.[1]
Enterprise T1047 Windows Management Instrumentation

Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.[1]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Access Token Manipulation: SID-History Injection, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

References

  1. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.