**Techniques Used**

- MenuPass has used Ntdsutil to dump credentials.
- MenuPass has used a modified version of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.

**OS Credential Dumping: Security Account Manager**

- MenuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.
- MenuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using the key 0x40.
- MenuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.
- MenuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.
- MenuPass has been seen changing malicious files to appear legitimate.
- MenuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.
- MenuPass has used esentutl to restore the true file extensions of files that had been masquerading under a different extension.
- MenuPass has used key loggers to steal usernames and passwords.
- MenuPass has installed updates and new malware on victims.
- A menuPass macro deletes files after it has decoded and decompressed them.
- MenuPass has used Wevtutil to remove PowerShell execution logs.
- MenuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.
- MenuPass has used DLL search order hijacking.

**Hijack Execution Flow: DLL Search Order Hijacking**

- MenuPass has searched compromised systems for folders of interest, including those related to HR, audit and expense, and meeting memos.
- MenuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).
- MenuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.
- MenuPass has used dynamic DNS service providers to host malicious domains.
- The group has also used certutil -decode to decode files on the victim's machine when dropping UPPERCUT.
- MenuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email.
- MenuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.
- MenuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.
- MenuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.
- MenuPass has collected various files from the compromised computers.
- menuPass has used malicious macros embedded inside Office documents to execute files.
- The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.
- MenuPass executes commands using a command-line interface and reverse shell.

**Command and Scripting Interpreter: Windows Command Shell**

- MenuPass uses PowerSploit to inject shellcode into PowerShell.

**Command and Scripting Interpreter: PowerShell**

- MenuPass has used the Csvde tool to collect Active Directory files and data.
- MenuPass has compressed files before exfiltration using TAR and RAR.
- MenuPass has encrypted files and information before exfiltration.
- MenuPass has registered malicious domains for use in intrusion campaigns.
- MenuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.