ATI Update ATI-2021-15

New Protocols & Applications (4)

Name Category Info
C2 PoshC2 Security PoshC2 is a C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. It is primarily written in Python 3 and supports PowerShell-based payloads. PoshC2 uses AES encryption and steganography for C2 communication. The implementation here is based on PoshC2 version 7.4.0.
Citrix Web Client Remote Access Citrix is a virtualization application which allows users to launch remote applications from a local desktop environment. This implementation specifically simulates the web version of the Citrix application, where the remote applications are launched from an HTML5 client.
IRIG 106 Chapter 10 SCADA This simulates the IRIG (Inter-Range Instrumentation Group) 106 Chapter 10 (Digital Recording Standard). IRIG 106 is a comprehensive telemetry standard that ensures interoperability in aeronautical telemetry applications at RCC member ranges. It is developed and maintained by the Telemetry Group of the Range Commanders Council.
PUBG Game Games PUBG Game provides the UDP traffic generated while playing the game.

New Superflows (11)

Name Category Tags Info
C2 PoshC2 Security C2-Framework Simulates the scenario in PoshC2 communication over HTTP where the victim and server complete the staging phase. The server then asks the victim to perform a task; the victim executes the task and returns the results. The server then asks the victim to exfiltrate a file present on the victim machine, and the victim returns the requested file over the network. AES encryption and steganography are used in the communication.
C2 PoshC2 File Exfiltration Security C2-Framework Simulates the scenario in PoshC2 communication over HTTP where the server asks the victim to perform a task; the victim executes the task and returns the results. The server then asks the victim to exfiltrate a file present on the victim machine, and the victim returns the requested file over the network. AES encryption and steganography are used in the communication.
C2 PoshC2 HTTPS Security C2-Framework Simulates the scenario in PoshC2 communication over HTTPS where the victim and server complete the staging phase. The server then asks the victim to perform a task; the victim executes the task and returns the results. The server then asks the victim to exfiltrate a file present on the victim machine, and the victim returns the requested file over the network. AES encryption and steganography are used in the communication.
C2 PoshC2 Post Exploitation Modules Security C2-Framework Simulates the scenario in Koadic C2 communication over HTTP where the victim sends a beacon to the server. The server asks the victim to run one of the post-exploitation modules supported by the server; the victim executes it and returns the results. AES encryption and steganography are used in the communication.
C2 PoshC2 Staging Security C2-Framework Simulates the scenario in PoshC2 communication over HTTP where the victim and server go through the staging phases. In this phase the server and client exchange AES-encrypted requests and responses: the victim sends various host-related information and the server sends the secondary payloads used for further communication.
Citrix Web Client Remote Access Simulates the web version of the Citrix application, where the remote applications are launched from an HTML5 client.
Google QUIC Q043 - 1 RTT Bandwidth Data Transfer/File Sharing Security HTTP/3 Simulates a generic Google QUIC Q043 handshake and payload session in a 1 RTT scenario and generates around 10MB of data.
IRIG 106 Chapter 10 SCADA ICS This simulates the IRIG (Inter-Range Instrumentation Group) 106 Chapter 10 (Digital Recording Standard) with packets containing Time Data Format 1 data.
IRIG 106 Chapter 10 Time Data Format 0 SCADA ICS This simulates the IRIG (Inter-Range Instrumentation Group) 106 Chapter 10 (Digital Recording Standard) with packets containing Time Data Format 0 data.
PUBG Jun21 Initialization Games ChinaApp Simulates logging in and initializing the game PUBG as of June 2021. The user logs onto the STEAM platform and loads the game.
PUBG Jun21 Game Games ChinaApp Simulates playing the game PUBG as of June 2021. The user searches for equipment, escapes to the safe area and shoots at other players.

New Security Tests (1)

Name Info
Hancitor July 2021 Campaign First observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been used to deliver multiple malware families such as Pony, Vawtrak, and DELoader.

* https://digital.nhs.uk/cyber-alerts/2016/cc-678

This strikelist contains 6 strikes simulating the 'Hancitor July 2021 Campaign'.

1. The first strike simulates the download of a Word document. This is the first infection vector for this campaign, in which a malicious Hancitor binary is loaded from the malicious document after execution.
2. The second strike simulates the traffic that occurs after the execution of the Hancitor malware. The victim sends an HTTP GET request to the attacker to query its external IP address, and the attacker sends an HTTP reply message that contains the IP address of the victim. Next, the victim sends an HTTP GET request that contains host information, including the username, hostname, IP address, and operating system version.
3. The third strike simulates the download of the Cobalt Strike first-stage binary file.
4. The fourth strike simulates the download of the Cobalt Strike second-stage binary file.
5. The fifth strike simulates the download of the Ficker Stealer. This is the fifth infection vector for this campaign, in which a malicious Ficker Stealer binary is downloaded and executed.
6. The sixth strike simulates the traffic that occurs after the execution of the Cobalt Strike stagers. The victim sends an HTTP POST request that contains encrypted data to the attacker, and the attacker sends an HTTP reply message.

The strikelist contains the following sequence of strikes:
1) /strikes/malware/apt/hancitor_july_2021_campaign/malware_9744884a328416906de484acbe1200a83cb7b5fa.xml
2) /strikes/botnets/apt/hancitor_july_2021_campaign/hancitor_july_2021_campaign_hancitor_command_control.xml
3) /strikes/malware/apt/hancitor_july_2021_campaign/malware_8cf0dfa7a777a83cc3af6512c53fa61411f4257e.xml
4) /strikes/malware/apt/hancitor_july_2021_campaign/malware_881791ef05d510ec9b0c4b3f638029bfdb77d6d6.xml
5) /strikes/malware/apt/hancitor_july_2021_campaign/malware_7394632d8cfc00c35570d219e49de63076294b6b.xml
6) /strikes/botnets/apt/hancitor_july_2021_campaign/hancitor_july_2021_campaign_cobaltstrike_command_control.xml

# Strike ID Name Description
1 M21-uae01 Hancitor July 2021 Campaign - Word Document File Transfer This strike simulates the download of a malicious Word document via an HTTP GET request. This document runs a macro that drops a Hancitor binary on the victim machine and starts it.
2 B21-ou501 Hancitor July 2021 Campaign - Hancitor Command and Control This strike simulates the 'Hancitor July 2021 Campaign - Hancitor Command and Control' traffic that occurs after executing the Hancitor malware.
3 M21-ygp01 Hancitor July 2021 Campaign - Cobalt Strike stager 1 File Transfer This strike simulates the download of a malicious binary file via an HTTP GET request. This file is a malicious Cobalt Strike first-stage binary which sends command and control traffic after execution.
4 M21-rva01 Hancitor July 2021 Campaign - Cobalt Strike stager 2 File Transfer This strike simulates the download of a malicious binary file via an HTTP GET request. This file is a malicious Cobalt Strike second-stage binary which sends command and control traffic after execution.
5 M21-lft01 Hancitor July 2021 Campaign - Ficker Stealer File Transfer This strike simulates the download of a malicious binary file via an HTTP GET request. This file is a malicious Ficker Stealer executable which steals victim information after execution.
6 B21-gp501 Hancitor July 2021 Campaign - Cobalt Strike Command and Control This strike simulates the 'Hancitor July 2021 Campaign - Cobalt Strike Command and Control' traffic that occurs after executing the Cobalt Strike stagers.

Defects Resolved

Component Info
Security Updated the description and references for strike D11-xik01 to make clear that the exploit does not need to send valid FTP-specific traffic.