S1120 FRAMESTING
FRAMESTING is a Python web shell that was used during Cutting Edge. It embeds itself into an Ivanti Connect Secure Python package to provide command execution.[1]
| Item | Value |
|---|---|
| ID | S1120 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 08 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | FRAMESTING can retrieve C2 commands from values stored in the DSID cookie from the current HTTP request or from decompressed zlib data within the request’s POST data.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.[1] |
| enterprise | T1554 | Compromise Host Software Binary | FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py`.[1] |
| enterprise | T1001 | Data Obfuscation | FRAMESTING can send and receive zlib compressed data within POST requests.[1] |
| enterprise | T1001.003 | Protocol or Service Impersonation | FRAMESTING uses a cookie named DSID to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | FRAMESTING can decompress data received within POST requests.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | FRAMESTING is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Secure VPNs.[1] |