Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)

Adversaries may establish persistence by executing malicious commands triggered by a user's shell. Unix shells execute several configuration scripts at different points throughout the session, based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (/etc) and the user's home directory (~/) to configure the environment.

Command and Scripting Interpreter: Unix Shell (T1059.004)

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement, such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

Invocation: Interactive Shell. An interactive shell is one started without non-option arguments and without the -c option, whose standard input and error are both connected to terminals (as determined by isatty), or one started with the -i option.

Hide Artifacts: NTFS File Attributes (T1564.004)

Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS-formatted partition contains a Master File Table (MFT) that maintains a record for every file and directory on the partition.

Honeypot

References:
https://sysdig.com/blog/triaging-malicious-docker-container/
https://www.intezer.com/blog/malware-analysis/how-to-make-malware-honeypot/
https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124
https://hub.docker.com/_/alpine

EC2 instance running Ubuntu Server 18.04 with Docker, running an Alpine Linux container. Port 22 is locked to my IP only. Port 2375 is exposed, which is the Docker API; useful for tools like Portainer. Got an alert for a masscan command searching for port 2375. Another alert was triggered for 2376, as some APIs expose this instead of 2375. Activity between 10pm 2/9 and 04:32 2/10.

QakbotMSI

Executive Summary: In mid-April 2022, Mandiant observed UNC2500 campaigns using MSI packages to distribute Qakbot payloads. This change came shortly after Microsoft's announcement that macros in Office documents downloaded from the internet (marked via the ZoneIdentifier ADS) would be blocked by default. This new payload uses the botnet ID AA, which is distinct from previous campaigns that used tr, cullinan, and cullinan01. Distribution came from phishing emails containing a malicious link, either to OneDrive or to files hosted on compromised websites, that downloads a ZIP archive.