SafeBreach Hacker's Playbook Updated with TTPs from Advisory issued by Australian Cyber Security Center


SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for TTPs (tactics, techniques, and procedures) described in Advisory 2020-008: Copy-Paste Compromises issued by ACSC.

This advisory from the Australian government warns of widespread and significant cyberattacks by state-based actors against the Australian government, institutions, and private companies. The attacks have crippled networks across the country. They are so prevalent that the Defence Minister announced a $15 billion package to tackle the increasingly sophisticated cyberattacks. The ACSC titled the advisory Copy-Paste Compromises because the threat actors relied heavily on copies of open-source tools.

SafeBreach Labs is dedicated to updating the SafeBreach Hacker's Playbook with the most sophisticated attacks seen in the wild. Our team has a 48-hour SLA on US-CERT alerts and also addresses major threats such as this advisory, so that our customers can quickly and effectively assess their security posture against sophisticated attack methods such as the following.

Newly developed playbook methods related to ACSC Advisory 2020-008:

#4918 - Write AwenWebShell malware to disk (Host-Level)

#4919 - Transfer of AwenWebShell malware over HTTP/S (Lateral Movement)

#4920 - Transfer of AwenWebShell malware over HTTP/S (Infiltration)

#4921 - Email AwenWebShell malware as a ZIP attachment (Lateral Movement)

#4922 - Email AwenWebShell malware as a ZIP attachment (Infiltration)

#4923 - Write TwoFaceWebShell (496fcb) malware to disk (Host-Level)

#4924 - Transfer of TwoFaceWebShell (496fcb) malware over HTTP/S (Lateral Movement)

#4925 - Transfer of TwoFaceWebShell (496fcb) malware over HTTP/S (Infiltration)

#4926 - Email TwoFaceWebShell (496fcb) malware as a ZIP attachment (Lateral Movement)

#4927 - Email TwoFaceWebShell (496fcb) malware as a ZIP attachment (Infiltration)

#4928 - Write BehinderWebShell (d9d820) malware to disk (Host-Level)

#4929 - Transfer of BehinderWebShell (d9d820) malware over HTTP/S (Lateral Movement)

#4930 - Transfer of BehinderWebShell (d9d820) malware over HTTP/S (Infiltration)

#4931 - Email BehinderWebShell (d9d820) malware as a ZIP attachment (Lateral Movement)

#4932 - Email BehinderWebShell (d9d820) malware as a ZIP attachment (Infiltration)

#4933 - Write AssemblerWebShell (3c020b) malware to disk (Host-Level)

#4934 - Transfer of AssemblerWebShell (3c020b) malware over HTTP/S (Lateral Movement)

#4935 - Transfer of AssemblerWebShell (3c020b) malware over HTTP/S (Infiltration)

#4936 - Email AssemblerWebShell (3c020b) malware as a ZIP attachment (Lateral Movement)

#4937 - Email AssemblerWebShell (3c020b) malware as a ZIP attachment (Infiltration)

#4938 - Write HTTPCoreWebShell (d231ac) malware to disk (Host-Level)

#4939 - Transfer of HTTPCoreWebShell (d231ac) malware over HTTP/S (Lateral Movement)

#4940 - Transfer of HTTPCoreWebShell (d231ac) malware over HTTP/S (Infiltration)

#4941 - Email HTTPCoreWebShell (d231ac) malware as a ZIP attachment (Lateral Movement)

#4942 - Email HTTPCoreWebShell (d231ac) malware as a ZIP attachment (Infiltration)

#4943 - Write JScriptEvalShell (954de1) malware to disk (Host-Level)

#4944 - Transfer of JScriptEvalShell (954de1) malware over HTTP/S (Lateral Movement)

#4945 - Transfer of JScriptEvalShell (954de1) malware over HTTP/S (Infiltration)

#4946 - Email JScriptEvalShell (954de1) malware as a ZIP attachment (Lateral Movement)

#4947 - Email JScriptEvalShell (954de1) malware as a ZIP attachment (Infiltration)

The new attack methods for Australian Advisory 2020-008: Copy-Paste Compromises are already in the SafeBreach Hacker's Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run just the specific attacks from this advisory. From the Known Attack Series report, select the ACSC Advisory 2020-008: Copy-Paste Compromises report; its Run Simulations option runs all of these attack methods across your SafeBreach simulators and reports on your security posture against these new attacks.

