Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims | Huntress
Common Information
Type                              Value
UUID                              d12be8de-9e2c-48a8-b2f5-240239769cc4
Fingerprint                       3180c39fe5ee8f07
Analysis status                   DONE
Considered CTI value              2
Text language                     (blank)
Published                         Jan. 1, 2024, midnight
Added to db                       Aug. 31, 2024, 9:42 a.m.
Last updated                      Nov. 17, 2024, 10:40 p.m.
Headline                          Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims
Title                             Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims | Huntress
Detected Hints/Tags/Attributes    85/4/48
Attributes (the CTI Value column is blank for every row)
Type     #Events  Value
CVE          152  cve-2023-3519
Domain         2  z9x.org
Domain         2  citfix29.zip
File          62  whoami.exe
File          40  wuauclt.exe
File         127  c:\windows\system32\rundll32.exe
File           2  c:\perflogs\ch.dll
File          60  c:\windows\system32\schtasks.exe
File           2  c:\windows\adfs\dllhost.exe
File          27  c:\windows\system32\msiexec.exe
File           2  c:\perflogs\act.msi
File        1208  powershell.exe
File           2  c:\windows\temp\esd.ps1
File           3  ctxheaderlogon.php
File           3  netscaler.php
File           5  username.php
File           6  password.php
File          13  data.php
File           2  password2.php
File           6  adexplorer64.exe
File          89  version.dll
File           6  resmon.exe
File           1  shr.ps1
File           1  ch.dll
File         172  dllhost.exe
File           2  contig.exe
File           1  sqlsrvwr.exe
File           2  citfix29.zip
File           3  sh1.exe
File           1  ctxheaderlogin.php
File        2126  cmd.exe
File           1  c:\programdata\sh1.exe
sha1           2  5ba2c0f4d58d7e124ba23ae4cb3822ecb7990eea
sha1           2  622ddc28910eb5482c0ed8b01b10270a20c25206
sha256         2  5ee3e274a79f6ad79bb43ff193c03fb38f82396dd0a70fb2597ab78497b1a5c2
sha256         2  3c1829079eecd453e28ec3f111a4f98aa05d338787955b33b0c9932aada2c370
sha256         2  3742b9cb7a7e664dbeb4f3b7d350a22bbd008f7698db8679a0764b7bab983025
sha256         2  edd464cd0069324d9b3437126e2c95b903c274ecbb5068b9058d07f0d946ed2c
sha256         2  baf385c3f35a48509114cc39623da8834d37b7afd12ab00b1c3c9d695effca6f
sha256         2  f4dbed01049e169189867713d33c24a4f07954f1c1fdd3bce08afb5aeed38804
sha256         2  cbd2567b61c7be8b92dcd1c5970d7a0a74c59b5d75be889c0a58e18746e7dff6
sha256         2  3ac2d170eeefd5d866ca2285da2a7387c544250d6978bab621c2a80b95946712
sha256         2  06de42d666b3ae548719778445162ddebaa5267b96ceaf5b8c38ed78ead8a148
sha256         2  bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41
sha256         2  faf37bcbbcaff2de3e4b794bb9eed9e47505cdbed3a35b83ce9a216298779c62
sha256         2  886f3add934cb8e348dcfac78d9e0e50d6d760d065352bc8026529a6bb233279
IPv4           2  91.236.230.111
Url            1  https://91.236.230.111/1/18150e98.highlight
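The attribute list above mixes indicators of very different weight: full paths, hashes, the IP, the URL and the domains are specific, while bare names such as cmd.exe (2126 events) or powershell.exe (1208 events) are stock Windows binaries that appear on every host. The added example below (not part of the Huntress write-up or of this database entry) shows one way to sweep log lines against the list with that distinction built in. The indicator values are transcribed from the table; the log lines are constructed for the demonstration and pair no indicator with any file name the page does not itself pair it with. It also handles two practical snags: the doubled backslashes that JSON-escaped paths (like the esd.ps1 entry) carry, and citfix29.zip, which the page lists as both a domain and a file and which the matcher therefore checks as a hostname as well as a bare name.

```python
# Added example: sweep log lines for the indicators listed on this page.
# IOC values are transcribed from the page; the sample log lines are constructed.
import re

# Full file paths from the page: specific enough to alert on directly.
PATH_IOCS = {
    r"c:\perflogs\ch.dll", r"c:\perflogs\act.msi", r"c:\windows\adfs\dllhost.exe",
    r"c:\windows\temp\esd.ps1", r"c:\programdata\sh1.exe",
}
# PHP files from the page: relevant on the NetScaler side, matched by bare name.
WEB_IOCS = {"ctxheaderlogon.php", "ctxheaderlogin.php", "netscaler.php",
            "username.php", "password.php", "password2.php", "data.php"}
HASH_IOCS = {
    "5ba2c0f4d58d7e124ba23ae4cb3822ecb7990eea", "622ddc28910eb5482c0ed8b01b10270a20c25206",
    "5ee3e274a79f6ad79bb43ff193c03fb38f82396dd0a70fb2597ab78497b1a5c2",
    "3c1829079eecd453e28ec3f111a4f98aa05d338787955b33b0c9932aada2c370",
    "3742b9cb7a7e664dbeb4f3b7d350a22bbd008f7698db8679a0764b7bab983025",
    "edd464cd0069324d9b3437126e2c95b903c274ecbb5068b9058d07f0d946ed2c",
    "baf385c3f35a48509114cc39623da8834d37b7afd12ab00b1c3c9d695effca6f",
    "f4dbed01049e169189867713d33c24a4f07954f1c1fdd3bce08afb5aeed38804",
    "cbd2567b61c7be8b92dcd1c5970d7a0a74c59b5d75be889c0a58e18746e7dff6",
    "3ac2d170eeefd5d866ca2285da2a7387c544250d6978bab621c2a80b95946712",
    "06de42d666b3ae548719778445162ddebaa5267b96ceaf5b8c38ed78ead8a148",
    "bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41",
    "faf37bcbbcaff2de3e4b794bb9eed9e47505cdbed3a35b83ce9a216298779c62",
    "886f3add934cb8e348dcfac78d9e0e50d6d760d065352bc8026529a6bb233279",
}
# citfix29.zip is listed as both a domain and a file; .zip is a TLD, so it is
# checked as a hostname here and as a bare file name in NAME_IOCS.
NET_IOCS = {"z9x.org", "citfix29.zip", "91.236.230.111"}
URL_IOCS = {"https://91.236.230.111/1/18150e98.highlight"}
# Bare names from the page that are not Windows built-ins: worth a look anywhere.
NAME_IOCS = {"adexplorer64.exe", "contig.exe", "version.dll", "sqlsrvwr.exe", "sh1.exe",
             "shr.ps1", "ch.dll", "act.msi", "esd.ps1", "citfix29.zip"}
# Also on the page, but stock Windows binaries: a bare-name hit is context, not an alert.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "schtasks.exe", "msiexec.exe",
           "whoami.exe", "wuauclt.exe", "dllhost.exe", "resmon.exe"}

PATH_RE = re.compile(r'\b[a-z]:[\\/][^\s"|,]*', re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40})\b", re.I)
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def normalize_path(raw):
    """Lower-case, collapse JSON-escaped doubled backslashes, unify separators."""
    return raw.strip('"').replace("\\\\", "\\").replace("/", "\\").lower()


def match_line(line):
    """Return sorted (high, name, context) indicator lists for one log line."""
    high, name, context = [], [], []
    low = line.lower()
    for raw in PATH_RE.findall(line):
        path = normalize_path(raw)
        base = path.rsplit("\\", 1)[-1]
        if path in PATH_IOCS:
            high.append(path)
        # version.dll legitimately lives under c:\windows; only flag copies elsewhere.
        elif base in NAME_IOCS and not (base == "version.dll" and path.startswith("c:\\windows\\")):
            name.append(path)
        elif base in LOLBINS:
            context.append(path)
    high += [h.lower() for h in HASH_RE.findall(line) if h.lower() in HASH_IOCS]
    for host in (h.lower() for h in HOST_RE.findall(line)):
        if host in NET_IOCS or any(host.endswith("." + d) for d in NET_IOCS):
            high.append(host)
    high += [w for w in WEB_IOCS | URL_IOCS if w in low]
    return tuple(sorted(set(lst)) for lst in (high, name, context))


SAMPLE_LOGS = [  # constructed Sysmon-style, JSON, proxy and DNS lines; not real telemetry
    r'EID=7 Image="C:\Windows\System32\rundll32.exe" ImageLoaded="C:\PerfLogs\ch.dll"',
    r'{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"CommandLine":"powershell.exe -File C:\\Windows\\Temp\\esd.ps1"}',
    r'EID=1 Image="C:\Users\Public\stage.bin" Hashes=SHA256=3742b9cb7a7e664dbeb4f3b7d350a22bbd008f7698db8679a0764b7bab983025',
    "proxy src=10.0.0.5 dst=91.236.230.111 url=https://91.236.230.111/1/18150e98.highlight",
    "dns client=10.0.0.7 query=citfix29.zip",
    r'EID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c dir"',
    r'EID=7 Image="C:\Windows\System32\resmon.exe" ImageLoaded="C:\Windows\System32\version.dll"',
]


def scan(lines):
    """Return [(line, high, name, context)] for every line with at least one hit."""
    return [(ln, *res) for ln in lines if any(res := match_line(ln))]


if __name__ == "__main__":
    for ln, high, name, context in scan(SAMPLE_LOGS):
        print(f"high={high} name={name} context={context} <- {ln[:60]}")
```

Only the `high` list justifies an alert on its own; `name` hits want a look at the directory they came from, and `context` hits are there so an analyst can see which built-in (rundll32, msiexec, powershell) carried a high-fidelity hit, matching how the page's own event counts weight them.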