The scenario begins with initial breach, where a legitimate user clicks (T1204) a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file (T1096) delivered as part of the spearphishing campaign. The ADS performs a series of enumeration commands to ensure it is not executing in a virtualized analysis environment (T1497, T1082, T1120, T1033, T1016, T1057, T1083) before establishing persistence via a Windows Registry Run key entry (T1060) pointing to an embedded DLL payload that was decoded and dropped to disk (T1140). The ADS then executes a PowerShell stager (T1086) which creates a C2 connection over port 443 (T1043) using the HTTPS protocol (T1071, T1032).
Description
The scenario begins with initial breach, where a legitimate user clicks (T1204) a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file (T1096) delivered as part of the spearphishing campaign. The ADS performs a series of enumeration commands to ensure it is not executing in a virtualized analysis environment (T1497, T1082, T1120, T1033, T1016, T1057, T1083) before establishing persistence via a Windows Registry Run key entry (T1060) pointing to an embedded DLL payload that was decoded and dropped to disk (T1140). The ADS then executes a PowerShell stager (T1086) which creates a C2 connection over port 443 (T1043) using the HTTPS protocol (T1071, T1032).