Roberto Rodriguez
# Description

The attacker uses the renewed access to generate a Kerberos Golden Ticket (T1097), using materials from the earlier breach, which is used to establish a remote PowerShell session...
7.B) Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol
The attacker then collects files (T1005), which are compressed (T1002) and encrypted (T1022), before being exfiltrated to an attacker-controlled WebDAV share (T1048).
# Description

The payload in the Startup folder executes a follow-on payload using a stolen token (T1106, T1134).
# Description

The attacker then elevates privileges via a user account control (UAC) bypass (T1122, T1088), which executes the newly added payload. A new C2 connection is established over port...
# Description

The original victim is rebooted and the legitimate user logs in, emulating ordinary usage and a passage of time. This activity triggers the previously established persistence mechanisms, namely...
# Description

Finally, the attacker deletes various files (T1107) associated with that access.
# Description

The attacker runs a PowerShell one-liner command (T1086) to search the filesystem for document and media files (T1083, T1119). Files of interest are collected (T1005), then encrypted (T1022)...
# Description

The attacker uploads additional utilities to the secondary victim (T1105).
# Description

This new payload is executed on the secondary victim via the PsExec utility (T1077, T1035) using the previously stolen credentials (T1078).
# Description

Next, the attacker uploads a new UPX-packed payload (T1045) to the secondary victim.

```
[meterpreter (PowerShell)*] > Invoke-SeaDukeStage -ComputerName NASHUA
```