
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)

CASTLETAP is an ICMP port knocking backdoor that has been installed on compromised FortiGate firewalls by UNC3886.(Citation: Mandiant Fortinet Zero Day)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | 1 |
| CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 1 |
| CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | 1 |
| CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) | Attack Pattern | 1 |
| CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1) | Malware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | 2 |