FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.(Citation: Mandiant Cutting Edge Part 2 January 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	1
FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	1
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	1
FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	Protocol Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	FRAMESTING - S1120 (bcaae558-9697-47a2-9ec7-c75000ddf58c)	Malware	1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2