Abusing cloud services to fly under the radar
Tags
cmtmf-attack-pattern: Application Layer Protocol; Automated Exfiltration; Command And Scripting Interpreter; Masquerading; Scheduled Task/Job; System Network Connections Discovery
attack-pattern: Data Direct Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Utility - T1560.001; Asymmetric Cryptography - T1521.002; Asymmetric Cryptography - T1573.002; Clear Windows Event Logs - T1070.001; Cloud Services - T1021.007; Command And Scripting Interpreter - T1623; Credential Stuffing - T1110.004; Credentials - T1589.001; Data From Local System - T1533; Dll Side-Loading - T1574.002; Dns - T1071.004; Dns - T1590.002; Domain Account - T1087.002; Domain Account - T1136.002; Domain Trust Discovery - T1482; Domains - T1583.001; Domains - T1584.001; Encrypted Channel - T1521; Encrypted Channel - T1573; Exfiltration Over C2 Channel - T1646; Exfiltration Over Web Service - T1567; Exfiltration To Cloud Storage - T1567.002; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Indicator Removal On Host - T1630; Lateral Tool Transfer - T1570; Local Account - T1087.001; Local Account - T1136.001; Local Data Staging - T1074.001; Local Email Collection - T1114.001; System Network Configuration Discovery - T1422; System Network Connections Discovery - T1421; Lsass Memory - T1003.001; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Match Legitimate Name Or Location - T1036.005; Match Legitimate Name Or Location - T1655.001; Network Service Scanning - T1423; Process Discovery - T1424; System Information Discovery - T1426; Ntds - T1003.003; Pass The Hash - T1550.002; Password Spraying - T1110.003; Powershell - T1059.001; Protocol Tunneling - T1572; Python - T1059.006; Remote Data Staging - T1074.002; Rename System Utilities - T1036.003; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Server - T1583.004; Server - T1584.004; Service Execution - T1569.002; Sharepoint - T1213.002; Smb/Windows Admin Shares - T1021.002; Software - T1592.002; Ssh - T1021.004; System Services - T1569; Windows Remote Management - T1021.006; Windows Command Shell - T1059.003; Timestomp - T1070.006; Web Protocols - T1071.001; Web Protocols - T1437.001; Web Service - T1481; Use Alternate Authentication Material - T1550; Web Services - T1583.006; Web Services - T1584.006; Tool - T1588.002; Account Discovery - T1087; Standard Application Layer Protocol - T1071; Automated Collection - T1119; Automated Exfiltration - T1020; Browser Bookmark Discovery - T1217; Brute Force - T1110; Command-Line Interface - T1059; Connection Proxy - T1090; Credential Dumping - T1003; Data From Information Repositories - T1213; Data From Local System - T1005; Data From Network Shared Drive - T1039; Data Staged - T1074; Data Transfer Size Limits - T1030; Deobfuscate/Decode Files Or Information - T1140; Dll Side-Loading - T1073; Email Collection - T1114; Exfiltration Over Command And Control Channel - T1041; External Remote Services - T1133; File And Directory Discovery - T1083; File Deletion - T1107; Indicator Removal On Host - T1070; Masquerading - T1036; Two-Factor Authentication Interception - T1111; Network Service Scanning - T1046; Network Share Discovery - T1135; Pass The Hash - T1075; Permission Groups Discovery - T1069; Powershell - T1086; Process Discovery - T1057; Query Registry - T1012; Remote Services - T1021; Remote System Discovery - T1018; Scheduled Task - T1053; Scripting - T1064; Service Execution - T1035; System Information Discovery - T1082; System Network Configuration Discovery - T1016; System Network Connections Discovery - T1049; System Owner/User Discovery - T1033; System Service Discovery - T1007; System Time Discovery - T1124; Windows Remote Management - T1028; Windows Management Instrumentation - T1047; Valid Accounts - T1078; Timestomp - T1099; Web Service - T1102; Automated Collection; Data From Information Repositories; External Remote Services; Indicator Removal On Host; Masquerading; Network Service Scanning; Remote System Discovery; Scripting; Valid Accounts
Common Information
Type Value
UUID d9bcfb4f-3a5a-49d8-8434-1f20c7dc96e6
Fingerprint b530b6d02f82a2c5
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 12, 2021, 3:53 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Abusing cloud services to fly under the radar
Title Abusing cloud services to fly under the radar
Detected Hints/Tags/Attributes 264/2/216
Attributes
Type  #Events  Value
File  4  ntdsaudit.exe
File  2  c:\windows\temp\update.bat
File  2  psloglist.exe
File  2  recordedtv_pdump.txt
File  4  get.exe
File  1  gethttpsinfo.exe
File  175  update.exe
File  2  ak002.bat
File  24  update.bat
File  2  backup.pst
File  2  c:\windows\temp\backup.pst
File  96  rar.exe
File  18  jucheck.exe
File  2  teredo.tmp
File  2  msadcs1.exe
File  2  c:\users\public\libraries\ c:\users\public\videos\ c:\windows\temp\ the following four different variants of the use of rar.exe
File  85  log.txt
File  131  tar.gz
File  2  c:\windows\temp\msadcs.exe
File  2  c:\windows\temp\onedrive.exe
File  3  group_membership.csv
File  3  local_admins.csv
File  49  onedrive.exe
File  3  sessions.csv
File  218  min.js
File  2  msadcs.dmp
File  4  update.rar
File  2  update12321312.rar
md5  3  133a159e86ff48c59e79e67a3b740c1e
md5  3  328ba584bd06c3083e3a66cb47779eac
md5  3  65cf35ddcb42c6ff5dc56d6259cc05f3
md5  4  4d5440282b69453f4eb6232a1689dd4a
md5  3  90508ff4d2fc7bc968636c716d84e6b4
md5  5  c9b8cab697f23e6ee9b1096e312e8573
md5  3  dd138a8bc1d4254fed9638989da38ab1
IPv4  2  47.75.0.147
IPv4  2  59.47.4.27
IPv4  2  45.9.248.74
IPv4  2  172.111.210.53
IPv4  2  103.51.145.123
IPv4  2  119.39.248.32
IPv4  2  120.227.35.98
IPv4  2  14.229.140.66
IPv4  2  188.72.99.41
IPv4  2  5.254.112.226
IPv4  2  5.254.64.234
IPv4  2  39.109.5.135
IPv4  2  43.250.200.106
IPv4  2  119.39.248.101
IPv4  2  220.202.152.47
IPv4  2  119.39.248.20
IPv4  2  185.170.210.84
IPv4  2  43.250.201.71
IPv4  2  23.236.77.94
MITRE ATT&CK Techniques  179  T1087
MITRE ATT&CK Techniques  118  T1570
MITRE ATT&CK Techniques  191  T1133
MITRE ATT&CK Techniques  306  T1078
MITRE ATT&CK Techniques  460  T1059.001
MITRE ATT&CK Techniques  695  T1059
MITRE ATT&CK Techniques  333  T1059.003
MITRE ATT&CK Techniques  275  T1053.005
MITRE ATT&CK Techniques  480  T1053
Domain  6  recordedtv.ms
Domain  29  appspot.com
Domain  14  azureedge.net
Domain  2  eudbsyncup.com
Domain  2  usmobilesos.com
Domain  2  officeeuupdate.appspot.com
Domain  2  mscupdb.com
Domain  2  officeeuropupd.appspot.com
Domain  2  platform-appses.appspot.com
Domain  2  watson-telemetry.azureedge.net
Domain  2  europe-s03213.appspot.com
Domain  2  eustylejssync.appspot.com
Domain  2  fsdafdsfdsaflkjkxvzcuifsad.azureedge.net
Domain  2  ictsyncserver.appspot.com
Domain  2  sowfksiw38f2aflwfif.azureedge.net
Domain  360  attack.mitre.org
File  2  msadcs.exe
File  2  recordedtv_pdmp.txt
File  2  recordedtv_users.csv
MITRE ATT&CK Techniques  174  T1569.002
MITRE ATT&CK Techniques  78  T1569
MITRE ATT&CK Techniques  310  T1047
MITRE ATT&CK Techniques  227  T1574.002
MITRE ATT&CK Techniques  164  T1574
MITRE ATT&CK Techniques  504  T1140
MITRE ATT&CK Techniques  92  T1070.001
MITRE ATT&CK Techniques  247  T1070
MITRE ATT&CK Techniques  297  T1070.004
MITRE ATT&CK Techniques  93  T1070.006
MITRE ATT&CK Techniques  32  T1036.003
MITRE ATT&CK Techniques  348  T1036
MITRE ATT&CK Techniques  183  T1036.005
MITRE ATT&CK Techniques  38  T1550.002
MITRE ATT&CK Techniques  33  T1550
MITRE ATT&CK Techniques  49  T1110.003
MITRE ATT&CK Techniques  125  T1110
MITRE ATT&CK Techniques  12  T1110.004
MITRE ATT&CK Techniques  173  T1003.001
MITRE ATT&CK Techniques  289  T1003
MITRE ATT&CK Techniques  67  T1003.003
MITRE ATT&CK Techniques  25  T1111
MITRE ATT&CK Techniques  72  T1087.001
MITRE ATT&CK Techniques  99  T1087.002
MITRE ATT&CK Techniques  29  T1217
MITRE ATT&CK Techniques  124  T1482
MITRE ATT&CK Techniques  585  T1083
MITRE ATT&CK Techniques  168  T1046
MITRE ATT&CK Techniques  176  T1135
MITRE ATT&CK Techniques  65  T1069
MITRE ATT&CK Techniques  433  T1057
MITRE ATT&CK Techniques  501  T1012
MITRE ATT&CK Techniques  243  T1018
MITRE ATT&CK Techniques  1006  T1082
MITRE ATT&CK Techniques  245  T1016
MITRE ATT&CK Techniques  119  T1049
MITRE ATT&CK Techniques  230  T1033
MITRE ATT&CK Techniques  100  T1007
MITRE ATT&CK Techniques  86  T1124
MITRE ATT&CK Techniques  139  T1021.002
MITRE ATT&CK Techniques  159  T1021
MITRE ATT&CK Techniques  59  T1021.004
MITRE ATT&CK Techniques  30  T1021.006
MITRE ATT&CK Techniques  116  T1560.001
MITRE ATT&CK Techniques  157  T1560
MITRE ATT&CK Techniques  111  T1119
MITRE ATT&CK Techniques  16  T1213.002
MITRE ATT&CK Techniques  56  T1213
MITRE ATT&CK Techniques  534  T1005
MITRE ATT&CK Techniques  67  T1039
MITRE ATT&CK Techniques  49  T1074.001
MITRE ATT&CK Techniques  67  T1074
MITRE ATT&CK Techniques  20  T1074.002
MITRE ATT&CK Techniques  34  T1114.001
MITRE ATT&CK Techniques  89  T1114
MITRE ATT&CK Techniques  442  T1071.001
MITRE ATT&CK Techniques  444  T1071
MITRE ATT&CK Techniques  52  T1071.004
MITRE ATT&CK Techniques  74  T1573.002
MITRE ATT&CK Techniques  163  T1573
MITRE ATT&CK Techniques  95  T1572
MITRE ATT&CK Techniques  102  T1020
MITRE ATT&CK Techniques  36  T1030
MITRE ATT&CK Techniques  422  T1041
MITRE ATT&CK Techniques  100  T1567.002
MITRE ATT&CK Techniques  126  T1567
Url  4  https://attack.mitre.org/tactics/ta0001
Url  7  https://attack.mitre.org/techniques/t1133
Url  7  https://attack.mitre.org/techniques/t1078
Url  3  https://attack.mitre.org/tactics/ta0002
Url  7  https://attack.mitre.org/techniques/t1059/001
Url  7  https://attack.mitre.org/techniques/t1059/003
Url  6  https://attack.mitre.org/techniques/t1053/005
Url  2  https://attack.mitre.org/techniques/t1569/002
Url  5  https://attack.mitre.org/techniques/t1047
Url  6  https://attack.mitre.org/tactics/ta0003
Url  13  https://attack.mitre.org/techniques/t1574/002
Url  4  https://attack.mitre.org/tactics/ta0004
Url  4  https://attack.mitre.org/tactics/ta0005
Url  7  https://attack.mitre.org/techniques/t1140
Url  3  https://attack.mitre.org/techniques/t1070/001
Url  5  https://attack.mitre.org/techniques/t1070/004
Url  3  https://attack.mitre.org/techniques/t1070/006
Url  2  https://attack.mitre.org/techniques/t1036/003
Url  4  https://attack.mitre.org/techniques/t1036/005
Url  3  https://attack.mitre.org/techniques/t1550/002
Url  7  https://attack.mitre.org/tactics/ta0006
Url  3  https://attack.mitre.org/techniques/t1110/003
Url  3  https://attack.mitre.org/techniques/t1110/004
Url  3  https://attack.mitre.org/techniques/t1003/001
Url  4  https://attack.mitre.org/techniques/t1003/003
Url  3  https://attack.mitre.org/techniques/t1111
Url  3  https://attack.mitre.org/tactics/ta0007
Url  3  https://attack.mitre.org/techniques/t1087/001
Url  4  https://attack.mitre.org/techniques/t1087/002
Url  2  https://attack.mitre.org/techniques/t1217
Url  5  https://attack.mitre.org/techniques/t1482
Url  7  https://attack.mitre.org/techniques/t1083
Url  2  https://attack.mitre.org/techniques/t1046
Url  4  https://attack.mitre.org/techniques/t1135
Url  2  https://attack.mitre.org/techniques/t1069
Url  5  https://attack.mitre.org/techniques/t1057
Url  9  https://attack.mitre.org/techniques/t1012
Url  3  https://attack.mitre.org/techniques/t1018
Url  12  https://attack.mitre.org/techniques/t1082
Url  4  https://attack.mitre.org/techniques/t1016
Url  4  https://attack.mitre.org/techniques/t1049
Url  4  https://attack.mitre.org/techniques/t1033
Url  3  https://attack.mitre.org/techniques/t1007
Url  4  https://attack.mitre.org/techniques/t1124
Url  2  https://attack.mitre.org/tactics/ta0008
Url  5  https://attack.mitre.org/techniques/t1570
Url  4  https://attack.mitre.org/techniques/t1021/002
Url  3  https://attack.mitre.org/techniques/t1021/004
Url  2  https://attack.mitre.org/techniques/t1021/006
Url  3  https://attack.mitre.org/tactics/ta0009
Url  4  https://attack.mitre.org/techniques/t1560/001
Url  3  https://attack.mitre.org/techniques/t1119
Url  2  https://attack.mitre.org/techniques/t1213/002
Url  7  https://attack.mitre.org/techniques/t1005
Url  3  https://attack.mitre.org/techniques/t1039
Url  2  https://attack.mitre.org/techniques/t1074/001
Url  3  https://attack.mitre.org/techniques/t1074/002
Url  2  https://attack.mitre.org/techniques/t1114/001
Url  5  https://attack.mitre.org/tactics/ta0011
Url  6  https://attack.mitre.org/techniques/t1071/001
Url  4  https://attack.mitre.org/techniques/t1071/004
Url  4  https://attack.mitre.org/techniques/t1573/002
Url  2  https://attack.mitre.org/techniques/t1572
Url  3  https://attack.mitre.org/tactics/ta0010
Url  3  https://attack.mitre.org/techniques/t1020
Url  4  https://attack.mitre.org/techniques/t1030
Url  7  https://attack.mitre.org/techniques/t1041
Url  2  https://attack.mitre.org/techniques/t1567/002