Roberto Rodriguez


# Description The attacker uses Lightweight Directory Access Protocol (LDAP) queries to enumerate other hosts in the domain (T1018) before creating a remote PowerShell session to a secondary victim (T1028)....

# Description Finally, the attacker launches a PowerShell script that performs a wide variety of reconnaissance commands (T1083, T1033, T1082, T1016, T1057, T1063, T1069), some of which are done by...

# Description The attacker collects screenshots (T1113), data from the user’s clipboard (T1115), and keystrokes (T1056).

# Description The attacker then harvests password hashes (T1003).

```
Dump password hashes:
[meterpreter*] > run post/windows/gather/credentials/credential_collector
```

# Description The attacker then harvests private keys (T1145).

```
Steal PFX certificate:
[meterpreter (PowerShell)*] > Get-PrivateKeys
[meterpreter (PowerShell)*] > exit
```

# Description The attacker accesses credentials stored in a local web browser (T1081, T1003) using a tool renamed to masquerade as a legitimate utility (T1036).

# Description The attacker establishes persistent access to the victim by creating a malicious payload in the Windows Startup folder (T1060).

# Description The attacker establishes persistent access to the victim by creating a new service (T1050).

The attacker then enumerates running processes (T1057) to discover/terminate the initial access from Step 1 (Pupy Agent) before deleting various files (T1107) associated with that access.

# Description The attacker uploads additional tools (T1086) through the new, elevated access before spawning an interactive powershell.exe shell (T1086). The additional tools are decompressed (T1140) and positioned on the...