A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | AD | AE | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | X = macos | y=crossover | |||||||||||||||||||||||||||||
2 | |||||||||||||||||||||||||||||||
3 | Techniques Used | ||||||||||||||||||||||||||||||
4 | Domain | Tactic | ID | Hunter | MacOS | CrossOver | Technique Page | Sub | Name | Use | |||||||||||||||||||||
5 | Enterprise | T1087 | plug | x | 0.001 | Account Discovery: Local Account | APT32 enumerated administrative users using the commands net localgroup administrators.[5] | ||||||||||||||||||||||||
6 | Enterprise | C2 | T1071 | ahhh | x | https://docs.google.com/document/d/1vV88RCStP1I2d5A96y3JjUfDGkH9iASL6XG8woO0MXc/edit#heading=h.9f3a0bh8fut6 | 0.001 | Application Layer Protocol: Web Protocols | APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.[2][5] | ||||||||||||||||||||||
7 | C2 | T1071 | ahhh | x | https://docs.google.com/document/d/1vV88RCStP1I2d5A96y3JjUfDGkH9iASL6XG8woO0MXc/edit#heading=h.9f3a0bh8fut6 | 0.003 | Application Layer Protocol: Mail Protocols | APT32 has used email for C2 via an Office macro.[4][5] | |||||||||||||||||||||||
8 | Enterprise | T1560 | Archive Collected Data | APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[6] | |||||||||||||||||||||||||||
9 | Enterprise | T1547 | 0.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.[4][5][6] | ||||||||||||||||||||||||||
10 | Enterprise | T1059 | https://docs.google.com/document/d/1jCCG4NFQ_uNnwqI4uQp8uQ7A1acK5F0ku8LX4a6whx8/edit#heading=h.6n0037mkfgsj | Command and Scripting Interpreter | APT32 has used COM scriptlets to download Cobalt Strike beacons.[5] | ||||||||||||||||||||||||||
11 | T1059 | PowerShell | APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[1][4][5] | ||||||||||||||||||||||||||||
12 | T1059 | Windows Command Shell | APT32 has used cmd.exe for execution.[5] | ||||||||||||||||||||||||||||
13 | T1059 | Visual Basic | APT32 has used macros, COM scriptlets, and VBS scripts.[4][5] | ||||||||||||||||||||||||||||
14 | T1059 | JavaScript/JScript | APT32 has used JavaScript for drive-by downloads and C2 communications.[5] | ||||||||||||||||||||||||||||
15 | Enterprise | T1543 | 0.003 | Create or Modify System Process: Windows Service | APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.[3][5][6] | ||||||||||||||||||||||||||
16 | Enterprise | T1189 | ahhh | https://docs.google.com/document/d/1jsme-JI9W6PfS3BgQ5yzFcbN9LLAj9Rk0eqNaBH9Rtc/edit | Drive-by Compromise | APT32 has infected victims by tricking them into visiting compromised watering hole websites.[3] | |||||||||||||||||||||||||
17 | Enterprise | T1048 | 0.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.[6] | ||||||||||||||||||||||||||
18 | Enterprise | T1041 | Exfiltration Over C2 Channel | APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[6] | |||||||||||||||||||||||||||
19 | Enterprise | Execution | T1203 | ahhh | X | https://docs.google.com/document/d/10v4CS7UL2wnVX8LdnYhFrwRmMoPf_dfBq8WlOUS2xjM/edit?usp=sharing | Exploitation for Client Execution | APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)[6] | |||||||||||||||||||||||
20 | Enterprise | T1203 | Exploitation for Client Execution | APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)[6] | |||||||||||||||||||||||||||
21 | Enterprise | T1068 | Exploitation for Privilege Escalation | APT32 has used CVE-2016-7255 to escalate privileges.[1] | |||||||||||||||||||||||||||
22 | Enterprise | T1083 | File and Directory Discovery | APT32's backdoor possesses the capability to list files and directories on a machine. [6] | |||||||||||||||||||||||||||
23 | Enterprise | T1222 | https://docs.google.com/document/d/12BGcnY0H1bhGaGkEfOAIKajgyOs0Dhtmt58Ou03ywNA/edit# | 0.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | APT32's macOS backdoor changes the permission of the file it wants to execute to 755.[7] | |||||||||||||||||||||||||
24 | Enterprise | T1564 | 0.004 | Hide Artifacts: NTFS File Attributes | APT32 used NTFS alternate data streams to hide their payloads.[5] | ||||||||||||||||||||||||||
25 | Defensive Evasion | T1564 | ahhh | x | https://docs.google.com/document/d/1jCZY_gNJopwNpJjqNWT3yUSNErM8ZZ-TONu-21pzu_o/edit?usp=sharing | 0.001 | Hide Artifacts: Hidden Files and Directories | APT32's macOS backdoor hides the clientID file via a chflags function.[7] | |||||||||||||||||||||||
26 | T1564 | 0.003 | Hide Artifacts: Hidden Window | APT32 has used the WindowStyle parameter to conceal PowerShell windows. [1] [5] | |||||||||||||||||||||||||||
27 | Enterprise | T1574 | 0.002 | Hijack Execution Flow: DLL Side-Loading | APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[4][5][6] | ||||||||||||||||||||||||||
28 | Enterprise | T1070 | 0.006 | Indicator Removal on Host: Timestomp | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][6][7] | ||||||||||||||||||||||||||
29 | T1070 | 0.001 | Indicator Removal on Host: Clear Windows Event Logs | APT32 has cleared select event log entries.[1] | |||||||||||||||||||||||||||
30 | T1070 | 0.004 | Indicator Removal on Host: File Deletion | APT32's macOS backdoor can receive a "delete" command.[7] | |||||||||||||||||||||||||||
31 | Enterprise | C2 | T1105 | Ingress Tool Transfer | APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[2] | ||||||||||||||||||||||||||
32 | Enterprise | T1056 | 0.001 | Input Capture: Keylogging | APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.[5] | ||||||||||||||||||||||||||
33 | Enterprise | T1056 | BenJAMIN | X | Lateral Tool Transfer | APT32 has deployed tools after moving laterally using administrative accounts.[5] | |||||||||||||||||||||||||
34 | Enterprise | T1036 | ahhh | x | https://docs.google.com/document/d/1wl6Ak4cvpsGXOkj2rJ_KulQe46JpNzHJt8UzgpnGytQ/edit#heading=h.9f3a0bh8fut6 | Masquerading | APT32 has disguised a Cobalt Strike beacon as a Flash Installer.[5] | ||||||||||||||||||||||||
35 | T1036 | Match Legitimate Name or Location | APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. [5] | ||||||||||||||||||||||||||||
36 | T1036 | Masquerade Task or Service | APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[1] | ||||||||||||||||||||||||||||
37 | T1036 | Rename System Utilities | APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.[8] | ||||||||||||||||||||||||||||
38 | Enterprise | T1112 | Modify Registry | APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. [6] | |||||||||||||||||||||||||||
39 | Enterprise | T1046 | Network Service Scanning | APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.[5] | |||||||||||||||||||||||||||
40 | Enterprise | T1135 | Network Share Discovery | APT32 used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$.[5] | |||||||||||||||||||||||||||
41 | Enterprise | C2 | T1571 | Non-Standard Port | An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.[6] | ||||||||||||||||||||||||||
42 | Enterprise | Defense Evasion | T1027 | wildphish | X | https://docs.google.com/document/d/1KGdlnzzEcmtyqz1_iHO9hIyGOTpE0ptpdV2P4lBlxLI/edit#heading=h.9f3a0bh8fut6 | Obfuscated Files or Information | APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[1][9][3][4][5][6][7] | |||||||||||||||||||||||
43 | T1027 | Binary Padding | APT32 includes garbage code to mislead anti-malware software and researchers.[3][6] | ||||||||||||||||||||||||||||
44 | Enterprise | T1137 | Office Application Startup | APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.[4][5] | |||||||||||||||||||||||||||
45 | Enterprise | T1003 | OS Credential Dumping | APT32 used GetPassword_x64 to harvest credentials.[4][5] | |||||||||||||||||||||||||||
46 | T1003 | LSASS Memory | APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[4][5] | ||||||||||||||||||||||||||||
47 | Enterprise | T1566 | 0.002 | Phishing: Spearphishing Link | APT32 has sent spearphishing emails containing malicious links.[3][4][10] | ||||||||||||||||||||||||||
48 | Initial Execution | T1566 | ahhh | X | https://docs.google.com/document/d/1TCVn-5Cu83BZZUSUM9VYPm0AkaXs5akUQZMcPBIqfRE/edit | 0.001 | Phishing: Spearphishing Attachment | APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.[3][4][5][6][10] | |||||||||||||||||||||||
49 | Enterprise | T1055 | Process Injection | APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.[5] | |||||||||||||||||||||||||||
50 | Enterprise | T1012 | Query Registry | APT32's backdoor can query the Windows Registry to gather system information. [6] | |||||||||||||||||||||||||||
51 | Enterprise | T1021 | 0.002 | Remote Services: SMB/Windows Admin Shares | APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.[5] | ||||||||||||||||||||||||||
52 | Enterprise | T1018 | Remote System Discovery | APT32 has enumerated DC servers using the command net group "Domain Controllers" /domain. The group has also used the ping command.[5] | |||||||||||||||||||||||||||
53 | Enterprise | T1053 | 0.005 | Scheduled Task/Job: Scheduled Task | APT32 has used scheduled tasks to persist on victim systems.[1][4][5][6] | ||||||||||||||||||||||||||
54 | Enterprise | T1505 | 0.003 | Server Software Component: Web Shell | APT32 has used Web shells to maintain access to victim websites.[2] | ||||||||||||||||||||||||||
55 | Enterprise | T1218 | 0.01 | Signed Binary Proxy Execution: Regsvr32 | APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.[6][1][5] | ||||||||||||||||||||||||||
56 | T1218 | 0.005 | Signed Binary Proxy Execution: Mshta | APT32 has used mshta.exe for code execution.[4][5] | |||||||||||||||||||||||||||
57 | T1218 | 0.011 | Signed Binary Proxy Execution: Rundll32 | APT32 malware has used rundll32.exe to execute an initial infection process.[5] | |||||||||||||||||||||||||||
58 | Enterprise | T1216 | 0.001 | Signed Script Proxy Execution: PubPrn | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[11] | ||||||||||||||||||||||||||
59 | Enterprise | T1072 | Software Deployment Tools | APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1] | |||||||||||||||||||||||||||
60 | Enterprise | T1082 | https://docs.google.com/document/d/1hL-l-nXVadnKoQ394i7NBofHbyn1OEbhjK3nSM_Ige8/edit# | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[3][6][7][10] | ||||||||||||||||||||||||||
61 | Enterprise | T1016 | System Network Configuration Discovery | APT32 used the ipconfig /all command to gather the IP address from the system.[5] | |||||||||||||||||||||||||||
62 | Enterprise | T1049 | System Network Connections Discovery | APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine.[5] | |||||||||||||||||||||||||||
63 | Enterprise | T1033 | System Owner/User Discovery | APT32 collected the victim's username and executed the whoami command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine. [10][3][5] | |||||||||||||||||||||||||||
64 | Enterprise | T1569 | 0.002 | System Services: Service Execution | APT32's backdoor has used Windows services as a way to execute its malicious payload. [6] | ||||||||||||||||||||||||||
65 | Enterprise | T1552 | 0.002 | Unsecured Credentials: Credentials in Registry | APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry.[4][5] | ||||||||||||||||||||||||||
66 | Enterprise | T1550 | 0.002 | Use Alternate Authentication Material: Pass the Hash | APT32 has used pass the hash for lateral movement.[5] | ||||||||||||||||||||||||||
67 | 0.003 | Use Alternate Authentication Material: Pass the Ticket | APT32 successfully gained remote access by using pass the ticket.[5] | ||||||||||||||||||||||||||||
68 | Enterprise | T1204 | 0.002 | User Execution: Malicious File | APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[3][4][6][10] | ||||||||||||||||||||||||||
69 | 0.001 | User Execution: Malicious Link | APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[5] | ||||||||||||||||||||||||||||
70 | Enterprise | T1078 | 0.003 | Valid Accounts: Local Accounts | APT32 has used legitimate local admin account credentials.[1] | ||||||||||||||||||||||||||
71 | Enterprise | T1047 | Windows Management Instrumentation | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[5] | |||||||||||||||||||||||||||
72 | Enterprise | Defense Evasion | T1554 | ahhh | x | https://docs.google.com/document/d/17lUFUbU3SYQV4Um46rj2L0LWDxY-SiHR91SMevFULqc/edit# | 0.001 | Subvert Trust Controls: Gatekeeper Bypass | Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. | ||||||||||||||||||||||
73 | |||||||||||||||||||||||||||||||
74 | |||||||||||||||||||||||||||||||
75 | New Items | ||||||||||||||||||||||||||||||
76 | |||||||||||||||||||||||||||||||
77 | |||||||||||||||||||||||||||||||
78 | |||||||||||||||||||||||||||||||
79 | |||||||||||||||||||||||||||||||
80 | |||||||||||||||||||||||||||||||
81 | |||||||||||||||||||||||||||||||
82 | |||||||||||||||||||||||||||||||
83 | |||||||||||||||||||||||||||||||
84 | |||||||||||||||||||||||||||||||
85 | |||||||||||||||||||||||||||||||
86 | |||||||||||||||||||||||||||||||
87 | |||||||||||||||||||||||||||||||
88 | |||||||||||||||||||||||||||||||
89 | |||||||||||||||||||||||||||||||
90 | |||||||||||||||||||||||||||||||
91 | |||||||||||||||||||||||||||||||
92 | |||||||||||||||||||||||||||||||
93 | |||||||||||||||||||||||||||||||
94 | |||||||||||||||||||||||||||||||
95 | |||||||||||||||||||||||||||||||
96 | |||||||||||||||||||||||||||||||
97 | |||||||||||||||||||||||||||||||
98 | |||||||||||||||||||||||||||||||
99 | |||||||||||||||||||||||||||||||
100 |