| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | Blue Mockingbird has used JuicyPotato to abuse the SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\SYSTEM. |
| enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection. |
| enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Blue Mockingbird has used batch script files to automate execution and deployment of payloads. |
| enterprise | T1543.003 | Create or Modify System Process: Windows Service | Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service. |
| enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file. |
| enterprise | T1190 | Exploit Public-Facing Application | Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX. |
| enterprise | T1574.012 | Hijack Execution Flow: COR_PROFILER | Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR. |
| enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file. |
| enterprise | T1112 | Modify Registry | Blue Mockingbird has used Windows Registry modifications to specify a DLL payload. |
| enterprise | T1027 | Obfuscated Files or Information | Blue Mockingbird has obfuscated the wallet address in the payload binary. |
| enterprise | T1588.002 | Obtain Capabilities: Tool | Blue Mockingbird has obtained and used tools such as Mimikatz. |
| enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory. |
| enterprise | T1090 | Proxy | Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections. |
| enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts. |
| enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB. |
| enterprise | T1496 | Resource Hijacking | Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems. |
| enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts. |
| enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe. |
| enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe. |
| enterprise | T1082 | System Information Discovery | Blue Mockingbird has collected hardware details for the victim’s system, including CPU and memory information. |
| enterprise | T1569.002 | System Services: Service Execution | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the “wercplsupport” service. |
| enterprise | T1047 | Windows Management Instrumentation | Blue Mockingbird has used wmic.exe to set environment variables. |