| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | FoggyWeb can invoke the Common.Compress method to compress data with the C# GZipStream compression class. |
| enterprise | T1560.003 | Archive via Custom Method | FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, FoggyWeb can encode C2 command output within a legitimate WebP file. |
| enterprise | T1005 | Data from Local System | FoggyWeb can retrieve configuration data from a compromised AD FS server. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications. |
| enterprise | T1041 | Exfiltration Over C2 Channel | FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server. |
| enterprise | T1083 | File and Directory Discovery | FoggyWeb’s loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | FoggyWeb’s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate version.dll during the Microsoft.IdentityServer.ServiceHost.exe execution process. |
| enterprise | T1105 | Ingress Tool Transfer | FoggyWeb can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server. |
| enterprise | T1036 | Masquerading | FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted, WebP file. |
| enterprise | T1036.005 | Match Legitimate Name or Location | FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb’s loader can mimic a genuine DLL by exposing the same exported functions as the legitimate Windows version.dll. |
| enterprise | T1106 | Native API | FoggyWeb’s loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed. |
| enterprise | T1040 | Network Sniffing | FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. |
| enterprise | T1027 | Obfuscated Files or Information | FoggyWeb has been XOR-encoded. |
| enterprise | T1027.004 | Compile After Delivery | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST. |
| enterprise | T1057 | Process Discovery | FoggyWeb’s loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server’s Microsoft.IdentityServer.ServiceHost.exe process. |
| enterprise | T1620 | Reflective Code Loading | FoggyWeb’s loader has reflectively loaded .NET-based assemblies/payloads into memory. |
| enterprise | T1129 | Shared Modules | FoggyWeb’s loader can call the load() function to load the FoggyWeb DLL into an Application Domain on a compromised AD FS server. |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.004 | Private Keys | FoggyWeb can retrieve token-signing certificates and token-decryption certificates from a compromised AD FS server. |
| enterprise | T1550 | Use Alternate Authentication Material | FoggyWeb can allow abuse of a compromised AD FS server’s SAML tokens. |
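The T1560.003, T1573.001 and T1036 rows describe the same trick from three angles: command output is XOR-encoded under a per-message key and shipped inside a file that is formatted as WebP. The following is an added example, not FoggyWeb's code and not taken from Microsoft or MITRE: it builds such a file (the key length, the key-prefix layout and the sample output are assumptions for illustration), recovers the payload on the receiving side, and then walks the RIFF container the way a file-type check should, testing the chunk that claims to be the image bitstream for the real VP8/VP8L signature rather than trusting the magic bytes.

```python
# Added example, not FoggyWeb's code: XOR-encoded command output hidden in a
# file formatted as WebP (RIFF container), plus a checker that walks the
# container to spot the masquerade. The per-message key, the key-prefix
# layout and the sample output are assumptions for illustration.
import os
import struct

KEY_LEN = 4  # assumed: a fresh random key of this length travels with each message


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_container(fourcc: bytes, data: bytes) -> bytes:
    """Wrap one chunk in a RIFF/WEBP container: 'RIFF' <size> 'WEBP' then
    <fourcc> <len> <data>, padded to an even length as RIFF requires."""
    pad = b"\x00" if len(data) % 2 else b""
    chunk = fourcc + struct.pack("<I", len(data)) + data + pad
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


def build_fake_webp(payload: bytes, key: bytes = b"") -> bytes:
    """Encode command output with a per-message XOR key and place it where the
    image bitstream would be, under the 'VP8 ' FourCC, so a magic-byte check
    sees a WebP image."""
    key = key or os.urandom(KEY_LEN)
    return make_container(b"VP8 ", key + xor_with_key(payload, key))


def recover_payload(blob: bytes) -> bytes:
    """Receiver side: read the first chunk, split off the key, decode."""
    size = struct.unpack("<I", blob[16:20])[0]
    data = blob[20:20 + size]
    return xor_with_key(data[KEY_LEN:], data[:KEY_LEN])


def inspect_webp(blob: bytes) -> list[str]:
    """Return anomalies found in a supposed WebP file (empty list == looks sane):
    bad magic, RIFF size vs file size, chunk sizes, and whether the image chunk
    starts with the genuine bitstream signature (VP8 key-frame start code
    9d 01 2a at offset 3; VP8L signature byte 0x2f)."""
    findings: list[str] = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WEBP":
        return ["not a RIFF/WEBP container"]
    declared = struct.unpack("<I", blob[4:8])[0] + 8
    if declared != len(blob):
        findings.append(f"RIFF size {declared} != file size {len(blob)} (trailing or truncated data)")
    pos, saw_image = 12, False
    while pos + 8 <= len(blob):
        fourcc = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        data = blob[pos + 8:pos + 8 + size]
        if len(data) != size:
            findings.append(f"chunk {fourcc!r} declares {size} bytes, {len(data)} present")
            break
        if fourcc == b"VP8 ":
            saw_image = True
            if data[3:6] != b"\x9d\x01\x2a":
                findings.append("VP8 chunk lacks key-frame start code 9d 01 2a")
        elif fourcc == b"VP8L":
            saw_image = True
            if data[:1] != b"\x2f":
                findings.append("VP8L chunk lacks signature byte 0x2f")
        elif fourcc not in (b"VP8X", b"ALPH", b"ANIM", b"ANMF", b"ICCP", b"EXIF", b"XMP "):
            findings.append(f"unexpected chunk {fourcc!r}")
        pos += 8 + size + (size & 1)
    if not saw_image:
        findings.append("no VP8/VP8L image chunk")
    return findings


# Constructed sample output, standing in for what a C2 command would return.
SAMPLE_OUTPUT = b"whoami\r\nadfs\\svc_adfs\r\n"
SAMPLE_KEY = b"\x5a\x13\x77\xc4"

# A minimal chunk carrying the VP8 key-frame signature, to show that a
# well-formed header passes the same checks (constructed, not a real image).
BENIGN_VP8 = make_container(b"VP8 ", b"\x30\x01\x00\x9d\x01\x2a\x01\x00\x01\x00")

if __name__ == "__main__":
    blob = build_fake_webp(SAMPLE_OUTPUT, SAMPLE_KEY)
    print("fake   :", inspect_webp(blob))
    print("benign :", inspect_webp(BENIGN_VP8))
    print("decoded:", recover_payload(blob))
```

The point of the checker is that "is this a WebP" must be answered from the bitstream, not the container: the RIFF header and FourCC are trivially forgeable, while a VP8 key frame has a fixed start code and a VP8L stream a fixed signature byte. A size mismatch between the RIFF header and the file is the other cheap signal, since appended or truncated data is common in carrier files.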
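The T1574.001 and T1036.005 rows together describe a proxy DLL named version.dll planted where Microsoft.IdentityServer.ServiceHost.exe will find it before the copy in System32. The following is an added example, not from the page, Microsoft or MITRE: detection logic for that hijack, run over constructed image-load records. The record format is a simple key=value stand-in for the Sysmon Event ID 7 (ImageLoad) fields Image, ImageLoaded and SignatureStatus, not Sysmon's real XML, and the sample paths are constructed.

```python
# Added example, not from the page, Microsoft or MITRE: detection logic for the
# version.dll search-order hijack in the AD FS service process, run over
# constructed image-load records. The record format is a key=value stand-in
# for the Sysmon Event ID 7 fields Image, ImageLoaded and SignatureStatus.
import ntpath
from dataclasses import dataclass
from typing import Iterable

TARGET_PROCESS = "microsoft.identityserver.servicehost.exe"
HIJACKED_DLL = "version.dll"
# Where the genuine version.dll lives; a copy beside the service executable is
# found first by the loader's search order.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # full path of the module that was mapped
    signature_status: str  # e.g. "Valid" or "Unavailable"


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields.get("SignatureStatus", ""))


def is_version_dll_hijack(ev: ImageLoad) -> bool:
    """Flag version.dll mapped into the AD FS service process from anywhere
    other than the system directories, or without a valid signature."""
    if ntpath.basename(ev.image).lower() != TARGET_PROCESS:
        return False
    dll_dir, dll_name = ntpath.split(ev.image_loaded)
    if dll_name.lower() != HIJACKED_DLL:
        return False
    from_trusted_dir = dll_dir.lower().rstrip("\\") in TRUSTED_DIRS
    return (not from_trusted_dir) or ev.signature_status.lower() != "valid"


def find_hijacks(lines: Iterable[str]) -> list[str]:
    """Return the ImageLoaded path of every record that matches."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        if is_version_dll_hijack(ev):
            hits.append(ev.image_loaded)
    return hits


# Constructed records: a normal load from System32, a copy planted next to the
# service binary, an unrelated process, and an unrelated AD FS module.
SAMPLE_LOG = r"""
Image=C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe|ImageLoaded=C:\Windows\System32\version.dll|SignatureStatus=Valid
Image=C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe|ImageLoaded=C:\Windows\ADFS\version.dll|SignatureStatus=Unavailable
Image=C:\Program Files\Example\example.exe|ImageLoaded=C:\Program Files\Example\version.dll|SignatureStatus=Unavailable
Image=C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe|ImageLoaded=C:\Windows\ADFS\Microsoft.IdentityServer.dll|SignatureStatus=Valid
"""

if __name__ == "__main__":
    for path in find_hijacks(SAMPLE_LOG.splitlines()):
        print("possible version.dll hijack:", path)
```

The rule keys on the load path rather than only on the signature, because an actor can sign a proxy DLL with some certificate, while the genuine version.dll never loads from the application directory. It is deliberately scoped to the AD FS service process: third-party software does occasionally ship its own version.dll next to its executable, so a fleet-wide version of this rule needs an allow-list.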