| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | FoggyWeb can invoke the |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. FoggyWeb can also encode C2 command output within a legitimate WebP file.[1] |
| Enterprise | T1005 | Data from Local System | FoggyWeb can retrieve configuration data from a compromised AD FS server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | FoggyWeb has used a dynamic XOR key and a custom XOR methodology for C2 communications.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[1] |
| Enterprise | T1083 | File and Directory Discovery | FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate |
| Enterprise | T1105 | Ingress Tool Transfer | FoggyWeb can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server.[1] |
| Enterprise | T1036 | Masquerading | FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted, WebP file.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | FoggyWeb can be disguised as a Visual Studio file such as |
| Enterprise | T1106 | Native API | FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain in which the legitimate AD FS managed code is executed.[1] |
| Enterprise | T1040 | Network Sniffing | FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.[1] |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1057 | Process Discovery | FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's |
| Enterprise | T1620 | Reflective Code Loading | FoggyWeb's loader has reflectively loaded .NET-based assemblies/payloads into memory.[1] |
| Enterprise | T1129 | Shared Modules | FoggyWeb's loader can call the |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | FoggyWeb can retrieve token-signing certificates and token-decryption certificates from a compromised AD FS server.[1] |
| Enterprise | T1550 | Use Alternate Authentication Material | FoggyWeb can allow abuse of a compromised AD FS server's SAML tokens.[1] |