S1117 GLASSTOKEN
GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[1]

| Item | Value |
|---|---|
| ID | S1117 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 06 March 2024 |
| Last Modified | 15 April 2025 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | GLASSTOKEN can use PowerShell for command execution.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | GLASSTOKEN has hexadecimal- and Base64-encoded C2 content.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | GLASSTOKEN is a web shell capable of tunneling C2 connections and code execution on compromised Ivanti Secure Connect VPNs.[1] |