|
| 1 | +{ |
| 2 | + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", |
| 3 | + "specFormat": "CycloneDX", |
| 4 | + "specVersion": "2.0", |
| 5 | + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", |
| 6 | + "version": 1, |
| 7 | + "blueprints": [ |
| 8 | + { |
| 9 | + "bom-ref": "blueprint-pth-payload", |
| 10 | + "name": "Pass-the-Hash Payload Behavioral Blueprint", |
| 11 | + "modelTypes": [ |
| 12 | + { "type": "behavioral" } |
| 13 | + ], |
| 14 | + "methodologies": [ |
| 15 | + { "type": "MITRE-ATTACK" } |
| 16 | + ], |
| 17 | + "behaviors": { |
| 18 | + "instances": [ |
| 19 | + { |
| 20 | + "bom-ref": "b-startup-exec", |
| 21 | + "behavior": "system:persistence:registersForStartup", |
| 22 | + "trigger": "startup", |
| 23 | + "evidence": { |
| 24 | + "bom-ref": "evidence-1", |
| 25 | + "confidence": 0.95, |
| 26 | + "description": "Persistence registration via Run key write observed in unpacked binary.", |
| 27 | + "methods": [ |
| 28 | + { |
| 29 | + "technique": "binary-analysis", |
| 30 | + "confidence": 0.95, |
| 31 | + "value": "Import of advapi32!RegSetValueExW resolving to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run at 0x00401a20.", |
| 32 | + "tools": [{ "ref": "karambit" }], |
| 33 | + "externalReferences": { |
| 34 | + "type": "formulation", |
| 35 | + "url": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#my-workflow" |
| 36 | + } |
| 37 | + } |
| 38 | + ] |
| 39 | + } |
| 40 | + }, |
| 41 | + { |
| 42 | + "bom-ref": "b-decode", |
| 43 | + "behavior": "evasion:obfuscation:obfuscatesStrings", |
| 44 | + "trigger": "startup", |
| 45 | + "evidence": { |
| 46 | + "confidence": 0.9, |
| 47 | + "description": "Stack-built XOR-decoded strings resolved at runtime.", |
| 48 | + "methods": [ |
| 49 | + { |
| 50 | + "technique": "binary-analysis", |
| 51 | + "confidence": 0.9, |
| 52 | + "value": "XOR decode loop at 0x00403110 with key 0x5A resolving C2 hostnames and API names prior to use." |
| 53 | + } |
| 54 | + ], |
| 55 | + "tools": [ |
| 56 | + { "ref": "karambit" } |
| 57 | + ] |
| 58 | + } |
| 59 | + }, |
| 60 | + { |
| 61 | + "bom-ref": "b-credential-collect", |
| 62 | + "behavior": "privacy:collection:collectsPersonalData", |
| 63 | + "trigger": "startup", |
| 64 | + "evidence": { |
| 65 | + "confidence": 0.92, |
| 66 | + "description": "LSASS memory access to harvest NTLM hashes.", |
| 67 | + "methods": [ |
| 68 | + { |
| 69 | + "technique": "binary-analysis", |
| 70 | + "confidence": 0.92, |
| 71 | + "value": "OpenProcess on lsass.exe with PROCESS_VM_READ followed by MiniDumpWriteDump observed at 0x004044c0." |
| 72 | + } |
| 73 | + ], |
| 74 | + "tools": [ |
| 75 | + { "ref": "karambit" } |
| 76 | + ] |
| 77 | + } |
| 78 | + }, |
| 79 | + { |
| 80 | + "bom-ref": "b-exfil", |
| 81 | + "behavior": "network:transmission:sendsData", |
| 82 | + "trigger": "startup", |
| 83 | + "evidence": { |
| 84 | + "confidence": 0.88, |
| 85 | + "description": "HTTPS POST of collected artifacts to external C2 endpoint.", |
| 86 | + "methods": [ |
| 87 | + { |
| 88 | + "technique": "binary-analysis", |
| 89 | + "confidence": 0.88, |
| 90 | + "value": "WinHttpOpen/WinHttpConnect/WinHttpSendRequest chain at 0x00405e80 posting to 185.x.x.x/gate.php." |
| 91 | + } |
| 92 | + ], |
| 93 | + "tools": [ |
| 94 | + { "ref": "karambit" } |
| 95 | + ] |
| 96 | + } |
| 97 | + } |
| 98 | + ], |
| 99 | + "flows": [ |
| 100 | + { |
| 101 | + "bom-ref": "flow-pth-payload", |
| 102 | + "trigger": "startup", |
| 103 | + "acknowledgment": ["observed"], |
| 104 | + "evidence": { |
| 105 | + "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#evidence-1" |
| 106 | + }, |
| 107 | + "ordering": "unordered", |
| 108 | + "steps": [ |
| 109 | + { "ordinal": 1, "ref": "b-startup-exec" }, |
| 110 | + { "ordinal": 2, "ref": "b-decode" }, |
| 111 | + { "ordinal": 3, "ref": "b-credential-collect" }, |
| 112 | + { "ordinal": 4, "ref": "b-exfil" } |
| 113 | + ] |
| 114 | + } |
| 115 | + ] |
| 116 | + } |
| 117 | + } |
| 118 | + ] |
| 119 | +} |
0 commit comments