Story: Hackers Exploit Zimbra Vulnerability as 0-Day with Weaponized iCalendar Files

Identified Techniques: T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1566 - Phishing, T1070 - Indicator Removal, T1040, T1203

Note: Sub-techniques are displayed under their parent techniques in the matrix below.

Legend:

Standard Techniques
Techniques Identified in This Story
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1078
Valid Accounts
T1078.001
Default Accounts
T1078.002
Domain Accounts
T1078.003
Local Accounts
T1078.004
Cloud Accounts
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.002
AppleScript
T1059.003
Windows Command Shell
T1059.004
Unix Shell
T1059.005
Visual Basic
T1059.006
Python
T1059.007
JavaScript
T1059.008
Network Device CLI
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.002
Systemd Service
T1543.003
Windows Service
T1543.004
Launch Daemon
T1055
Process Injection
T1055.001
Dynamic-link Library Injection
T1055.002
Portable Executable Injection
T1055.003
Thread Execution Hijacking
T1055.004
Asynchronous Procedure Call
T1027
Obfuscated Files or Information
T1027.001
Binary Padding
T1027.002
Software Packing
T1003
OS Credential Dumping
T1003.001
LSASS Memory
T1003.002
Security Account Manager
T1003.003
NTDS
T1003.004
LSA Secrets
T1003.005
Cached Domain Credentials
T1003.006
DCSync
T1003.007
Proc Filesystem
T1003.008
/etc/passwd and /etc/shadow
T1016
System Network Configuration Discovery
T1016.001
Internet Connection Discovery
T1016.002
Network Service Scanning
T1016.003
Internet Connection Discovery
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
T1021.003
Distributed Component Object Model
T1021.004
SSH
T1021.005
VNC
T1021.006
Windows Remote Management
T1021.007
Cloud Services
T1021.008
Direct Cloud VM Connections
T1005
Data from Local System
T1005.001
Local Data Staging
T1005.002
Remote Data Staging
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1071.002
File Transfer Protocols
T1071.003
Mail Protocols
T1071.004
DNS
T1071.005
Publish/Subscribe Protocols
T1011
Exfiltration Over Other Network Medium
T1011.001
Exfiltration Over Bluetooth
T1485
Data Destruction
T1485.001
Lifecycle-Triggered Deletion
T1190
Exploit Public-Facing Application
T1106
Native API
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
T1547.002
Authentication Package
T1547.003
Time Providers
T1547.004
Winlogon Helper DLL
T1548
Abuse Elevation Control Mechanism
T1548.001
Setuid and Setgid
T1548.002
Bypass User Account Control
T1548.003
Sudo and Sudo Caching
T1548.004
Elevated Service Execution
T1070
Indicator Removal
T1070.001
Clear Windows Event Logs
T1070.002
Clear Linux or Mac System Logs
T1070.003
Clear Command History
T1070.004
File Deletion
T1070.005
Network Share Connection Removal
T1070.006
Timestomp
T1555
Credentials from Password Stores
T1018
Remote System Discovery
T1210
Exploitation of Remote Services
T1025
Data from Removable Media
T1090
Proxy
T1090.001
Internal Proxy
T1090.002
External Proxy
T1090.003
Multi-hop Proxy
T1020
Automated Exfiltration
T1020.001
Traffic Duplication
T1486
Data Encrypted for Impact
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
T1566.003
Spearphishing via Service
T1033
System Owner/User Discovery
T1039
Data from Network Shared Drive
T1030
Data Transfer Size Limits
T1491
Defacement
T1491.001
Internal Defacement
T1491.002
External Defacement
T1049
System Network Connections Discovery
T1113
Screen Capture
T1041
Exfiltration Over C2 Channel
T1565
Data Manipulation
T1565.001
Stored Data Manipulation
T1565.002
Transmitted Data Manipulation
T1565.003
Runtime Data Manipulation
T1057
Process Discovery
T1114
Email Collection
T1114.001
Local Email Collection
T1114.002
Remote Email Collection
T1114.003
Email Forwarding Rule
T1048
Exfiltration Over Alternative Protocol
T1048.001
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.002
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol
T1082
System Information Discovery
T1083
File and Directory Discovery

🎯 MITRE ATT&CK® Matrix - Full Screen

Standard Techniques
Techniques Identified in This Story
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1078
Valid Accounts
T1078.001
Default Accounts
T1078.002
Domain Accounts
T1078.003
Local Accounts
T1078.004
Cloud Accounts
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.002
AppleScript
T1059.003
Windows Command Shell
T1059.004
Unix Shell
T1059.005
Visual Basic
T1059.006
Python
T1059.007
JavaScript
T1059.008
Network Device CLI
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.002
Systemd Service
T1543.003
Windows Service
T1543.004
Launch Daemon
T1055
Process Injection
T1055.001
Dynamic-link Library Injection
T1055.002
Portable Executable Injection
T1055.003
Thread Execution Hijacking
T1055.004
Asynchronous Procedure Call
T1027
Obfuscated Files or Information
T1027.001
Binary Padding
T1027.002
Software Packing
T1003
OS Credential Dumping
T1003.001
LSASS Memory
T1003.002
Security Account Manager
T1003.003
NTDS
T1003.004
LSA Secrets
T1003.005
Cached Domain Credentials
T1003.006
DCSync
T1003.007
Proc Filesystem
T1003.008
/etc/passwd and /etc/shadow
T1016
System Network Configuration Discovery
T1016.001
Internet Connection Discovery
T1016.002
Network Service Scanning
T1016.003
Internet Connection Discovery
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
T1021.003
Distributed Component Object Model
T1021.004
SSH
T1021.005
VNC
T1021.006
Windows Remote Management
T1021.007
Cloud Services
T1021.008
Direct Cloud VM Connections
T1005
Data from Local System
T1005.001
Local Data Staging
T1005.002
Remote Data Staging
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1071.002
File Transfer Protocols
T1071.003
Mail Protocols
T1071.004
DNS
T1071.005
Publish/Subscribe Protocols
T1011
Exfiltration Over Other Network Medium
T1011.001
Exfiltration Over Bluetooth
T1485
Data Destruction
T1485.001
Lifecycle-Triggered Deletion
T1190
Exploit Public-Facing Application
T1106
Native API
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
T1547.002
Authentication Package
T1547.003
Time Providers
T1547.004
Winlogon Helper DLL
T1548
Abuse Elevation Control Mechanism
T1548.001
Setuid and Setgid
T1548.002
Bypass User Account Control
T1548.003
Sudo and Sudo Caching
T1548.004
Elevated Service Execution
T1070
Indicator Removal
T1070.001
Clear Windows Event Logs
T1070.002
Clear Linux or Mac System Logs
T1070.003
Clear Command History
T1070.004
File Deletion
T1070.005
Network Share Connection Removal
T1070.006
Timestomp
T1555
Credentials from Password Stores
T1018
Remote System Discovery
T1210
Exploitation of Remote Services
T1025
Data from Removable Media
T1090
Proxy
T1090.001
Internal Proxy
T1090.002
External Proxy
T1090.003
Multi-hop Proxy
T1020
Automated Exfiltration
T1020.001
Traffic Duplication
T1486
Data Encrypted for Impact
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
T1566.003
Spearphishing via Service
T1033
System Owner/User Discovery
T1039
Data from Network Shared Drive
T1030
Data Transfer Size Limits
T1491
Defacement
T1491.001
Internal Defacement
T1491.002
External Defacement
T1049
System Network Connections Discovery
T1113
Screen Capture
T1041
Exfiltration Over C2 Channel
T1565
Data Manipulation
T1565.001
Stored Data Manipulation
T1565.002
Transmitted Data Manipulation
T1565.003
Runtime Data Manipulation
T1057
Process Discovery
T1114
Email Collection
T1114.001
Local Email Collection
T1114.002
Remote Email Collection
T1114.003
Email Forwarding Rule
T1048
Exfiltration Over Alternative Protocol
T1048.001
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
T1048.002
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol
T1082
System Information Discovery
T1083
File and Directory Discovery

About MITRE ATT&CK®:

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Learn more at attack.mitre.org