Use PowerShell to install a WMI event subscription persistence mechanism. This technique requires setting the #{staging_dir} fact to specify the path to the Pneuma agent.
A VBS file located in the Windows StartUp folder may be used for persistence. This procedure generates a VBS file and places it in the StartUp folder. On startup, the file will execute and spawn a new Pneuma agent.
This TTP will stage a UPX-packed .wll file in the Microsoft\Word\STARTUP directory and then start Word to execute the Word Add-in and dump the SAM registry hive into c:\temp\folder.
WannaCry installs a copy of the decryptor, @WanaDecryptor@.exe, in each folder along with a ransom note. This technique stages and writes a PneumaEX agent and corresponding .lnk file.
The Windows ASSOC command can be used to display or change the association between a file extension and a file type. This procedure uses the command to associate the .ppts extension with the VBSFile type.
The bash profile is a configuration file for the bash (or zsh) shell. When bash is invoked as an interactive login shell, it first reads and executes commands from ~/.bash_profile. This procedure adds the agent executable to the file, ensuring that the agent starts as soon as a terminal is opened.
These are the exact same registry changes made by the GOP attackers to keep their agent persistent throughout the attack. In this case, the staged PneumaEX agent will be persistent.
Create and install a plist file for the current user that launches every time the user logs in. This launches the Hush stager code to dynamically pull down and launch a new agent.
A batch file (.bat) located in the Windows StartUp folder may be used for persistence. This procedure generates a batch file and places it in the StartUp folder. On startup, the file will execute and spawn a new Pneuma agent.
APT40 is known to use .LNK files in the Windows StartUp folder for persistence. This procedure generates a link file using VBA and executes it. On startup, the link will execute a Pneuma agent.
Using a locally generated key pair, create a new SSH key pair resource on the Azure account to allow VM creation with the key and replacement of keys on existing VMs.
Scheduled tasks enable an administrator to schedule actions at specific times or to launch programs when a set event has occurred. The SCHTASKS utility allows the administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. This procedure schedules a task to start the agent every time the computer reboots.
Persistence may be established by modifying a user's shell to execute arbitrary commands. This TTP searches for a mounted root directory and establishes Pneuma persistence via Unix shell configuration modification. It is important that containers cannot mount the host filesystem, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.
BITSAdmin is used for managing Background Intelligent Transfer. This procedure leverages BITSAdmin to create a job and ingress tools on the local system out of band from the C2 channel.
This TTP untars the payload containing PneumaEX and a shell script. The shell script checks for deep learning Python frameworks and then upgrades the agent to PneumaEX. If it does not detect deep learning frameworks, it deletes all elevation artifacts.
Place a PowerShell file on disk that a new agent can reference when launching. These facts must be declared in Operator before running this procedure, and each fact must contain Operator's routable IP address and the relevant contact port. For example, '#{operator.public.http}' should map to a value such as 'http://10.0.0.2:3391'.
CertReq.exe is used for requesting and managing certificates, but it can also be used to ingress tools to the local system. By passing a remote HTTP/S file path, the result of a POST request can be saved to the console or to a file.
BITSAdmin is used for managing Background Intelligent Transfer. This procedure leverages BITSAdmin to create a job and ingress tools on the local system out of band from the C2 channel. This technique requires defining the #{staging_dir} fact, the path where the agent is located.