
G0101 Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.[1]

Item | Value
---- | -----
ID | G0101
Associated Names | 
Version | 1.1
Created | 11 May 2020
Last Modified | 26 May 2021

Techniques Used

Domain | ID | Name | Use
------ | -- | ---- | ---
enterprise | T1119 | Automated Collection | Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.[1]
enterprise | T1020 | Automated Exfiltration | Frankenstein has collected information via Empire, which automatically sent the data back to the adversary's C2.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Frankenstein has used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts.[1]
enterprise | T1059.003 | Windows Command Shell | Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.[1]
enterprise | T1059.005 | Visual Basic | Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.[1]
enterprise | T1005 | Data from Local System | Frankenstein has enumerated hosts via Empire, gathering various local system information.[1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[1]
enterprise | T1041 | Exfiltration Over C2 Channel | Frankenstein has collected information via Empire, which automatically sent the data back to the adversary's C2.[1]
enterprise | T1203 | Exploitation for Client Execution | Frankenstein has used CVE-2017-11882 to execute code on the victim's machine.[1]
enterprise | T1105 | Ingress Tool Transfer | Frankenstein has uploaded and downloaded files to make use of additional plugins.[1]
enterprise | T1027 | Obfuscated Files or Information | Frankenstein has run encoded commands from the command line.[1]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | Frankenstein has obtained and used Empire to deploy agents.[1]
enterprise | T1003 | OS Credential Dumping | Frankenstein has harvested credentials from the victim's machine using Empire.[1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.[1]
enterprise | T1057 | Process Discovery | Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes.[1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named "WinUpdate".[1]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | Frankenstein has used WMI queries to detect whether virtualization environments or analysis tools were running on the system.[1]
enterprise | T1082 | System Information Discovery | Frankenstein has enumerated hosts, looking for the system's machine name.[1]
enterprise | T1016 | System Network Configuration Discovery | Frankenstein has enumerated hosts, looking for the public IP address of the system.[1]
enterprise | T1033 | System Owner/User Discovery | Frankenstein has enumerated hosts, gathering username, machine name, and administrative permissions information.[1]
enterprise | T1221 | Template Injection | Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.[1]
enterprise | T1127 | Trusted Developer Utilities Proxy Execution | -
enterprise | T1127.001 | MSBuild | Frankenstein has used MSBuild to execute an actor-created file.[1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.[1]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.001 | System Checks | Frankenstein has used WMI queries to check whether various security applications were running, including VMware and VirtualBox.[1]
enterprise | T1047 | Windows Management Instrumentation | Frankenstein has used WMI queries to check whether various security applications were running, as well as the operating system version.[1]
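A defender-side example, added here and not part of the ATT&CK entry or the cited report: detection logic that scans constructed process-creation records for the scheduled-task persistence pattern in the table above (schtasks /Create with a Windows-Update lookalike task name, a forced /F overwrite, or an action path under a user-writable directory). The record format, the /TR path and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not taken from the cited report).
# The first mirrors the schtasks command quoted in the table above, with an assumed /TR value.
SAMPLE_LOGS = [
    r'Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR C:\Users\Public\upd.vbs',
    r'Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Create /SC WEEKLY /TN AcmeBackup /TR "C:\Program Files\Acme\backup.exe"',
    r'Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /Query /TN WinUpdate',
    r'Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c echo hello',
]

RECORD_RE = re.compile(r'Image=(\S+)\s+CommandLine=(.*)$')
ARG_RE = re.compile(r'/(TN|TR|SC)\s+("[^"]*"|\S+)', re.IGNORECASE)
LOOKALIKE_NAMES = ("winupdate", "windowsupdate")  # imitations of Windows Update
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")  # no real update task runs from here

@dataclass
class Finding:
    task_name: str
    action: str
    reasons: list

def parse_schtasks(cmdline):
    """Extract the /TN, /TR and /SC values (quotes stripped) from a schtasks command line."""
    return {key.upper(): value.strip('"') for key, value in ARG_RE.findall(cmdline)}

def analyze_record(line):
    """Return a Finding when the record is a suspicious schtasks /Create, else None."""
    match = RECORD_RE.search(line)
    if not match or not match.group(1).lower().endswith("\\schtasks.exe"):
        return None
    cmdline = match.group(2)
    if not re.search(r'(^|\s)/create(\s|$)', cmdline, re.IGNORECASE):
        return None  # /Query, /Delete etc. are not persistence events
    args = parse_schtasks(cmdline)
    name, action = args.get("TN", ""), args.get("TR", "")
    reasons = []
    if any(alias in re.sub(r'[\s_-]', '', name.lower()) for alias in LOOKALIKE_NAMES):
        reasons.append("task name imitates Windows Update")
    if any(seg in action.lower() for seg in USER_WRITABLE):
        reasons.append("task action runs from a user-writable path")
    if re.search(r'(^|\s)/f(\s|$)', cmdline, re.IGNORECASE):
        reasons.append("/F silently overwrites any existing task of that name")
    return Finding(name, action, reasons) if reasons else None

def scan(lines):
    """Run analyze_record over every log line and keep the findings."""
    return [f for f in map(analyze_record, lines) if f is not None]
```

Only the first sample record is flagged; the legitimate weekly backup task, the /Query and the unrelated cmd.exe record pass through without a finding.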

Software

ID | Name | References | Techniques
-- | ---- | ---------- | ----------
S0363 | Empire | [1] | listed below

Techniques used by Empire (given as sub-technique: parent technique where applicable):
- Bypass User Account Control: Abuse Elevation Control Mechanism
- Access Token Manipulation
- SID-History Injection: Access Token Manipulation
- Create Process with Token: Access Token Manipulation
- Domain Account: Account Discovery
- Local Account: Account Discovery
- LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle
- Web Protocols: Application Layer Protocol
- Archive Collected Data
- Shortcut Modification: Boot or Logon Autostart Execution
- Security Support Provider: Boot or Logon Autostart Execution
- Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution
- Browser Bookmark Discovery
- Clipboard Data
- Command and Scripting Interpreter
- Windows Command Shell: Command and Scripting Interpreter
- PowerShell: Command and Scripting Interpreter
- Commonly Used Port
- Domain Account: Create Account
- Local Account: Create Account
- Windows Service: Create or Modify System Process
- Credentials from Web Browsers: Credentials from Password Stores
- Group Policy Modification: Domain Policy Modification
- Domain Trust Discovery
- Local Email Collection: Email Collection
- Asymmetric Cryptography: Encrypted Channel
- Accessibility Features: Event Triggered Execution
- Exfiltration Over C2 Channel
- Exfiltration to Cloud Storage: Exfiltration Over Web Service
- Exfiltration to Code Repository: Exfiltration Over Web Service
- Exploitation for Privilege Escalation
- Exploitation of Remote Services
- File and Directory Discovery
- Group Policy Discovery
- Path Interception by Search Order Hijacking: Hijack Execution Flow
- Path Interception by PATH Environment Variable: Hijack Execution Flow
- Path Interception by Unquoted Path: Hijack Execution Flow
- DLL Search Order Hijacking: Hijack Execution Flow
- Dylib Hijacking: Hijack Execution Flow
- Timestomp: Indicator Removal on Host
- Ingress Tool Transfer
- Credential API Hooking: Input Capture
- Keylogging: Input Capture
- Native API
- Network Service Discovery
- Network Share Discovery
- Network Sniffing
- Obfuscated Files or Information
- LSASS Memory: OS Credential Dumping
- Process Discovery
- Process Injection
- Distributed Component Object Model: Remote Services
- SSH: Remote Services
- Scheduled Task: Scheduled Task/Job
- Screen Capture
- Security Software Discovery: Software Discovery
- Golden Ticket: Steal or Forge Kerberos Tickets
- Kerberoasting: Steal or Forge Kerberos Tickets
- Silver Ticket: Steal or Forge Kerberos Tickets
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- Service Execution: System Services
- MSBuild: Trusted Developer Utilities Proxy Execution
- Private Keys: Unsecured Credentials
- Credentials In Files: Unsecured Credentials
- Pass the Hash: Use Alternate Authentication Material
- Video Capture
- Bidirectional Communication: Web Service
- Windows Management Instrumentation

References
