Living off the land: the exploitation phase
Common Information

| Type | Value |
|---|---|
| UUID | c6a4b1b8-e725-4cd4-98f1-6fa4eecbd91f |
| Fingerprint | 86442d54b3174fe6 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | May 17, 2022, midnight |
| Added to db | Jan. 18, 2023, 11:10 p.m. |
| Last updated | Nov. 17, 2024, 7:44 p.m. |
| Headline | Living off the land: the exploitation phase |
| Title | Living off the land: the exploitation phase |
| Detected Hints/Tags/Attributes | 74/1/19 |
Attributes

| Type | #Events | Value |
|---|---|---|
| CVE | 60 | cve-2022-27518 |
| Domain | 339 | system.net |
| Domain | 228 | system.io |
| Domain | 31 | www.esentire.com |
| Domain | 281 | docs.microsoft.com |
| Domain | 4127 | github.com |
| Domain | 145 | threatpost.com |
| File | 459 | regsvr32.exe |
| File | 1 | test2.ps1 |
| File | 1 | c:\temp\evil2.ps1 |
| File | 1 | 'aringzrqtest2.ps1 |
| Github username | 4 | api0cradle |
| Github username | 4 | danielbohannon |
| IPv4 | 1 | 192.168.0.115 |
| Url | 1 | https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase |
| Url | 1 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil |
| Url | 1 | https://github.com/api0cradle/lolbas |
| Url | 1 | https://github.com/danielbohannon/invoke-obfuscation |
| Url | 1 | https://threatpost.com/sanny-malware-updates-delivery-method/130803 |