nightspire

T1078Valid Accounts

Compromised RDP credentials used for initial access.

T1110Brute Force

Brute-forcing remote login credentials (RDP) and MFA fatigue attacks.

T1190Exploit Public-Facing Application

Exploitation of CVE-2024-55591 — FortiOS/FortiProxy authentication bypass; unauthenticated attackers gain super-admin privileges via crafted POST requests to /api/v2/cmdb/.

T1566Phishing

Malicious attachments and drive-by downloads.

T1059Command and Scripting Interpreter

PowerShell scripts, batch files, PsExec, WMI; conhost.exe command execution window.

T1072Software Deployment Tools

Abuse of legitimate tools (WinSCP, MEGACmd, 7-Zip, PsExec) across the attack chain.

T1053Scheduled Task/Job

Persistence via Windows Task Scheduler; service creation and modification.

T1136Create Account

Administrative account creation post-exploitation on FortiGate devices.

T1547Boot or Logon Autostart Execution

Reboot persistence mechanisms.

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce.

T1068Exploitation for Privilege Escalation

FortiOS super-admin access via CVE-2024-55591 exploitation.

T1027Obfuscated Files or Information

Obfuscation techniques to evade analysis.

T1036Masquerading

Renamed processes and use of legitimate tools (WinSCP, MEGACmd, 7-Zip, PsExec) blending into normal operations.

T1070Indicator Removal

Removal of forensic indicators from compromised systems.

T1218System Binary Proxy Execution

Execution via legitimate system binaries (LOLBins) to evade detection.

T1003OS Credential Dumping

Credential dumping via Mimikatz.

T1003.001OS Credential Dumping: LSASS Memory

LSASS memory extraction for credential harvesting.

T1552Unsecured Credentials

Harvesting of stored credentials within the environment.

T1046Network Service Discovery

Network scanning to map internal infrastructure using Advanced IP Scanner.

T1057Process Discovery

Process enumeration on compromised systems.

T1082System Information Discovery

Collection of system details from compromised hosts.

T1083File and Directory Discovery

File indexing and enumeration using Everything.exe.

T1021.001Remote Services: Remote Desktop Protocol

RDP-based lateral movement across compromised network.

T1021.002Remote Services: SMB/Windows Admin Shares

Lateral movement via PsExec over SMB.

T1047Windows Management Instrumentation

WMI-based execution and lateral movement.

T1119Automated Collection

Automated sensitive data gathering from compromised systems.

T1560Archive Collected Data

Compression of collected data using 7-Zip (7z2408-x64.exe) prior to exfiltration.

T1560.001Archive Collected Data: Archive via Utility

7-Zip archiving of stolen data prior to exfiltration.

T1041Exfiltration Over C2 Channel

Data exfiltration over C2 channel.

T1048Exfiltration Over Alternative Protocol

Data exfiltration via WinSCP (v6.3.7) and Rclone over encrypted channels.

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

MEGACmd used to upload stolen data to MEGA cloud storage. Documented exfiltration of 1.5TB from a single healthcare victim.

T1071Application Layer Protocol

Standard web protocols and Tor-based communication. Multi-channel comms: ProtonMail, OnionMail, Gmail, Telegram, qTox.

T1573Encrypted Channel

Asymmetric encrypted non-C2 protocols used to evade IDS.

T1486Data Encrypted for Impact

Hybrid AES-256 (file content) + RSA-2048 (key protection) encryption; appends .nspire extension; processes files in 1MB block chunks. Double extortion model — data theft + encryption.

T1587Develop Capabilities

Custom Go-based ransomware development with modular architecture.