Frankenstein, Campaign C0001 | MITRE ATT&CK®

Frankenstein

Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[1]

ID: C0001
First Seen:  January 2019 [1]
Last Seen:  April 2019 [1]
Version: 1.1
Created: 07 September 2022
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Frankenstein, the threat actors used HTTP GET requests for C2.[1]

Enterprise T1119 Automated Collection

During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information.[1]

Enterprise T1020 Automated Exfiltration

During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line [1]

.005 Command and Scripting Interpreter: Visual Basic

During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.[1]

Enterprise T1005 Data from Local System

During Frankenstein, the threat actors used Empire to gather various local system information.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[1]

Enterprise T1203 Exploitation for Client Execution

During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.[1]

Enterprise T1105 Ingress Tool Transfer

During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

During Frankenstein, the threat actors ran encoded commands from the command line.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For Frankenstein, the threat actors obtained and used Empire.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

During Frankenstein, the threat actors likely used spearphishing emails to send malicious Microsoft Word documents.[1]

Enterprise T1057 Process Discovery

During Frankenstein, the threat actors used Empire to obtain a list of all running processes.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During Frankenstein, the threat actors established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR, named "WinUpdate" [1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system.[1]

Enterprise T1082 System Information Discovery

During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.[1]

Enterprise T1016 System Network Configuration Discovery

During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.[1]

Enterprise T1033 System Owner/User Discovery

During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.[1]

Enterprise T1221 Template Injection

During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.[1]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

During Frankenstein, the threat actors used MSbuild to execute an actor-created file.[1]

Enterprise T1204 .002 User Execution: Malicious File

During Frankenstein, the threat actors relied on a victim to enable macros within a malicious Microsoft Word document likely sent via email.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution.[1]

Enterprise T1047 Windows Management Instrumentation

During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.[1]

Software

ID Name Description
S0363 Empire

During Frankenstein the threat actors used Empire for discovery.[1]

References