GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[1]

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GLASSTOKEN can use PowerShell for command execution.[1] |
Enterprise | T1132.001 | Data Encoding: Standard Encoding | GLASSTOKEN has hexadecimal and Base64 encoded C2 content.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.[1] |
Enterprise | T1505.003 | Server Software Component: Web Shell | GLASSTOKEN is a web shell capable of tunneling C2 connections and code execution on compromised Ivanti Secure Connect VPNs.[1] |

ID | Name | Description |
---|---|---|
C0029 | Cutting Edge |