HomeLand Justice, Campaign C0038 | MITRE ATT&CK®
| Domain | Technique | Use |
|---|---|---|
| Enterprise | Access Token Manipulation: Token Impersonation/Theft | During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.[2] |
| Enterprise | Account Discovery: Email Account | During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[3] |
| Enterprise | Account Manipulation: Additional Email Delegate Permissions | During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[2] |
| Enterprise | Command and Scripting Interpreter: PowerShell | During HomeLand Justice, threat actors used the PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[3][2] |
| Enterprise | Command and Scripting Interpreter: Windows Command Shell | During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[3][2] |
| Enterprise | | During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[1][3][2] |
| Enterprise | | During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions, including Microsoft Defender Antivirus.[2] |
| Enterprise | Disable or Modify Windows Event Log | During HomeLand Justice, threat actors deleted Windows event and application logs.[2] |
| Enterprise | Disk Wipe: Disk Structure Wipe | During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[3][2] |
| Enterprise | Email Collection: Remote Email Collection | During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[3] |
| Enterprise | | During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[3] |
| Enterprise | Exploit Public-Facing Application | For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[3] |
| Enterprise | | During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[2] |
| Enterprise | | During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[3] |
| Enterprise | Masquerading: Match Legitimate Resource Name or Location | During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[3][1] |
| Enterprise | | During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[3][2] |
| Enterprise | | During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[3][2] |
| Enterprise | Obtain Capabilities: Code Signing Certificates | During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[3] |
| Enterprise | OS Credential Dumping: LSASS Memory | During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[3] |
| Enterprise | Remote Services: Remote Desktop Protocol | During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[3][2] |
| Enterprise | Remote Services: SMB/Windows Admin Shares | During HomeLand Justice, threat actors used SMB for lateral movement.[3][2] |
| Enterprise | Server Software Component: Web Shell | For HomeLand Justice, threat actors used .aspx web shells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[3][2] |
| Enterprise | | During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[3] |
| Enterprise | | During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[2] |
| Enterprise | Windows Management Instrumentation | During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[2] |