Dissecting A Multi-Stage PowerShell Campaign Using Chisel
Common Information
Type Value
UUID 22a6ab9a-a304-4bcb-ac68-f84f525c5e7d
Fingerprint e4e52d2a1b39cbe3
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 12, 2024, 3:30 a.m.
Added to db Nov. 12, 2024, 9:53 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign
Title Dissecting A Multi-Stage PowerShell Campaign Using Chisel
Detected Hints/Tags/Attributes 85/3/26
RSS Feed
Id Enabled Feed title Url Added to db
98 Cyble https://cyble.com/feed/ 2024-08-30 22:08
Attributes
Type #Events CTI Value
File 1208 powershell.exe
File 1 log_29109314.ps1
File 1 log_29109317.bat
File 1 log_29109318.bat
File 1 chisolo.dll
MITRE ATT&CK Techniques 17 T1660
MITRE ATT&CK Techniques 460 T1059.001
MITRE ATT&CK Techniques 380 T1547.001
MITRE ATT&CK Techniques 627 T1027
MITRE ATT&CK Techniques 442 T1071.001