WIRTE is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Windows | defense-evasion | Deobfuscate/Decode Files or Information | WIRTE has decoded a base64 encoded document which was embedded in a VBS script. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | defense-evasion, execution | Regsvr32 | WIRTE has used Regsvr32.exe to trigger the execution of a malicious script. | Loaded DLLs, Process monitoring, Windows Registry, Process command-line parameters |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | WIRTE has downloaded PowerShell code from the C2 server to be executed. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Windows | execution | PowerShell | WIRTE has used PowerShell for script execution. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | WIRTE has used VBS and PowerShell scripts throughout its operation. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | WIRTE has used HTTP for network communication. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |