Flattened Mitre ATT&CK Matrix

Category | Technique | Name | Type | Usage | Data Sources | Permissions Required | Platform | Requires Network | Supports Remote | System Requirements | Defense Bypassed | Technical Description | ID | MITRE ID | CAPEC ID

Command and Control
Custom Cryptographic Protocol
3PARA RAT
Software
3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails.
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext. Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors.[60]
T1024
S0066

Discovery
File and Directory Discovery
3PARA RAT
Software
3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[1]
File monitoring, Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Windows: Example utilities used to obtain this information are dir and tree.[103] Custom tools may also be used to gather file and directory information and interact with the Windows API. Mac and Linux: In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
T1083
S0066

Defense Evasion, Persistence
Redundant Access
3PARA RAT
Software
3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.
Process monitoring, Process use of network, Packet capture, Network protocol analysis, File monitoring, Binary file metadata, Authentication logs
User, Administrator, SYSTEM
Linux, macOS, Windows
Anti-virus, Network intrusion detection system
Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.[229] Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server.
T1108
S0066

Command and Control
Standard Application Layer Protocol
3PARA RAT
Software
3PARA RAT uses HTTP for command and control.[1]
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
T1071
S0066
Command and Control
Standard Cryptographic Protocol
3PARA RATSoftware
3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS.
Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection
Linux, macOS, Windows
Yes
Adversaries use command and control over an encrypted channel using a known encryption protocol like HTTPS or SSL/TLS. The use of strong encryption makes it difficult for defenders to detect signatures within adversary command and control traffic. Some adversaries may use other encryption protocols and algorithms with symmetric keys, such as RC4, that rely on encryption keys encoded into malware configuration files and not public key cryptography. Such keys may be obtained through malware reverse engineering.
T1032
S0066

Defense Evasion
Timestomp
3PARA RAT
Software
3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.
File monitoring, Process monitoring, Process command-line parameters
User, Administrator, SYSTEM
Linux, Windows
Host forensic analysis
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools.[271]
T1099
S0066

Execution
Command-Line Interface
4H RAT
Software
4H RAT has the capability to create a remote shell.[2]
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
No
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms.[44] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
T1059
S0065

Command and Control
Custom Cryptographic Protocol
4H RAT
Software
4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext. Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors.[60]
T1024
S0065

Discovery
File and Directory Discovery
4H RAT
Software
4H RAT has the capability to obtain file and directory listings.[1]
File monitoring, Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Windows: Example utilities used to obtain this information are dir and tree.[103] Custom tools may also be used to gather file and directory information and interact with the Windows API. Mac and Linux: In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
T1083
S0065

Discovery
Process Discovery
4H RAT
Software
4H RAT has the capability to obtain a listing of running processes (including loaded modules).[1]
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Administrator, SYSTEM may provide better process ownership details
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Windows: An example command that would obtain details on processes is "tasklist" using the Tasklist utility. Mac and Linux: In Mac and Linux, this is accomplished with the ps command.
T1057
S0065
CAPEC-573

Command and Control
Standard Application Layer Protocol
4H RAT
Software
4H RAT uses HTTP for command and control.[1]
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
T1071
S0065

Discovery
System Information Discovery
4H RAT
Software
4H RAT sends an OS version identifier in its beacons.[1]
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Windows: Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories. Mac: On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
T1082
S0065
CAPEC-311

Discovery
Account Discovery
admin@338
Group
admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts:
  net user >> %temp%\download
  net user /domain >> %temp%\download
API monitoring, Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
Adversaries may attempt to get a listing of local system or domain accounts. Windows: Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply. Mac: On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users. Linux: On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file. Also, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.
T1087
G0018
CAPEC-575

Execution
Command-Line Interface
admin@338
Group
Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[1]
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
No
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms.[44] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
T1059
G0018

Discovery
File and Directory Discovery
admin@338
Group
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:[1]
  dir c:\ >> %temp%\download
  dir "c:\Documents and Settings" >> %temp%\download
  dir "c:\Program Files\" >> %temp%\download
  dir d:\ >> %temp%\download
File monitoring, Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Windows: Example utilities used to obtain this information are dir and tree.[103] Custom tools may also be used to gather file and directory information and interact with the Windows API. Mac and Linux: In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
T1083
G0018

Defense Evasion
Masquerading
admin@338
Group
admin@338 actors used the following command to rename one of their tools to a benign file name:[1]
  ren "%temp%\upload" audiodg.exe
File monitoring, Process monitoring, Binary file metadata
Linux, macOS, Windows
Whitelisting by file name or path
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate. Windows: In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe.[161] An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths.[162] An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe". Linux: Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before.[163] An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier".[164][165]
T1036
G0018

Discovery
Permission Groups Discovery
admin@338
Group
admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups:
  net localgroup administrator >> %temp%\download
API monitoring, Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
Adversaries may attempt to find local system or domain-level groups and permissions settings. Windows: Examples of commands that can list groups are net group /domain and net localgroup using the Net utility. Mac: On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups. Linux: On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.
T1069
G0018
CAPEC-576

Discovery
System Information Discovery
admin@338
Group
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS:[1]
  ver >> %temp%\download
  systeminfo >> %temp%\download
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Windows: Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories. Mac: On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
T1082
G0018
CAPEC-311

Discovery
System Network Configuration Discovery
admin@338
Group
admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks:[1]
  ipconfig /all >> %temp%\download
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
T1016
G0018
CAPEC-309

Discovery
System Network Connections Discovery
admin@338
Group
admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections:
  netstat -ano >> %temp%\download
Process command-line parameters, Process monitoring
User, Administrator
Linux, macOS, Windows
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Windows: Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. Mac and Linux: In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".
T1049
G0018

Discovery
System Service Discovery
admin@338
Group
admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services:
  net start >> %temp%\download
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Windows
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.
T1007
G0018
CAPEC-574

Execution
Command-Line Interface
ADVSTORESHELL
Software
ADVSTORESHELL can create a remote shell and run a given command.[222]
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
No
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms.[44] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
T1059
S0045

Command and Control
Commonly Used Port
ADVSTORESHELL
Software
A variant of ADVSTORESHELL attempts communication to the C2 server over HTTP on port 443.
Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and TCP/UDP:53 (DNS). They may use the protocol associated with the port or a completely different protocol. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are TCP/UDP:135 (RPC), TCP/UDP:22 (SSH), and TCP/UDP:3389 (RDP).
T1043
S0045

Defense Evasion, Persistence
Component Object Model Hijacking
ADVSTORESHELL
Software
Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.
Windows Registry, DLL monitoring, Loaded DLLs
User
Windows
Autoruns Analysis
The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.[45] Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[46] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.
T1122
S0045

Exfiltration
Data Compressed
ADVSTORESHELL
Software
ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.[1]
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Linux, macOS, Windows
No
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
T1002
S0045

Command and Control
Data Encoding
ADVSTORESHELL
Software
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.
Packet capture, Process use of network, Process monitoring, Network protocol analysis
User
Linux, macOS, Windows
Yes
Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems.[69][70] Some data encoding systems may also result in data compression, such as gzip.
T1132
S0045

Exfiltration
Data Encrypted
ADVSTORESHELL
Software
ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Linux, macOS, Windows
No
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
T1022
S0045

Collection
Data Staged
ADVSTORESHELL
Software
ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.
File monitoring, Process monitoring, Process command-line parameters
Linux, macOS, Windows
Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
T1074
S0045

Execution
Execution through API
ADVSTORESHELL
Software
ADVSTORESHELL is capable of starting a process using CreateProcess.
API monitoring, Process monitoring
User, Administrator, SYSTEM
Windows
No
Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.[88] Additional Windows API calls that can be used to execute binaries include:[89] CreateProcessA() and CreateProcessW(), CreateProcessAsUserA() and CreateProcessAsUserW(), CreateProcessInternalA() and CreateProcessInternalW(), CreateProcessWithLogonW(), CreateProcessWithTokenW(), LoadLibraryA() and LoadLibraryW(), LoadLibraryExA() and LoadLibraryExW(), LoadModule(), LoadPackagedLibrary(), WinExec(), ShellExecuteA() and ShellExecuteW(), ShellExecuteExA() and ShellExecuteExW()
T1106
S0045

Exfiltration
Exfiltration Over Command and Control Channel
ADVSTORESHELL
Software
ADVSTORESHELL exfiltrates data over the same channel used for C2.
User interface, Process monitoring
Linux, macOS, Windows
Yes
Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.
T1041
S0045

Defense Evasion
File Deletion
ADVSTORESHELL
Software
ADVSTORESHELL can delete files and directories.[1]
File monitoring, Binary file metadata, Process command-line parameters
User
Linux, macOS, Windows
Host forensic analysis
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools.[47]
T1107
S0045

Discovery
File and Directory Discovery
ADVSTORESHELL
Software
ADVSTORESHELL can list files and directories.[151]
File monitoring, Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Windows: Example utilities used to obtain this information are dir and tree.[103] Custom tools may also be used to gather file and directory information and interact with the Windows API. Mac and Linux: In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
T1083
S0045

Collection, Credential Access
Input Capture
ADVSTORESHELL
Software
ADVSTORESHELL can perform keylogging.[131]
Windows Registry, Kernel drivers, Process monitoring, API monitoring
Administrator, SYSTEM
Linux, macOS, Windows
Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes,[131] but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.[132] Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises. Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.[93]
T1056
S0045
CAPEC-569

Defense Evasion
Modify Registry
ADVSTORESHELL
Software
ADVSTORESHELL is capable of setting and deleting Registry values.
Windows Registry, File monitoring, Process monitoring, Process command-line parameters
User, Administrator, SYSTEM
Windows
Host forensic analysis
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.[166] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples). The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system.[167] Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.
T1112
S0045

Defense Evasion
Obfuscated Files or Information
ADVSTORESHELL
Software
Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[15]
Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering
Linux, macOS, Windows
Host forensic analysis, Signature-based detection, Host intrusion prevention systems
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system. This is common behavior that can be used across different platforms to evade defenses. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.185
T1027
S0045
37
Discovery
Peripheral Device Discovery
ADVSTORESHELL
Software
ADVSTORESHELL can list connected devices.
User, Administrator, SYSTEM
Windows
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
T1120
S0045
38
Discovery
Process Discovery
ADVSTORESHELL
Software
ADVSTORESHELL can list running processes.1
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Administrator, SYSTEM may provide better process ownership details
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Windows An example command that would obtain details on processes is "tasklist" using the Tasklist utility. Mac and Linux In Mac and Linux, this is accomplished with the ps command.
T1057
S0045
CAPEC-573
39
Discovery
Query Registry
ADVSTORESHELL
Software
ADVSTORESHELL can enumerate registry keys.6
Windows Registry, Process monitoring, Process command-line parameters
User, Administrator, SYSTEM
Windows
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.227 Some of the information may help adversaries to further their operation within a network.
T1012
S0045
40
Persistence
Registry Run Keys / Start Folder
ADVSTORESHELL
Software
ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.14151
Windows Registry, File monitoring
User, Administrator
Windows
Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.230 The program will be executed under the context of the user and will have the account's associated permissions level. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
T1060
S0045
CAPEC-270
41
Command and Control, Lateral Movement
Remote File Copy
ADVSTORESHELL
Software
After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.1 APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.
File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
User
Linux, macOS, Windows
Yes
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
T1105
S0045
42
Defense Evasion, Execution
Rundll32
ADVSTORESHELL
Software
ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
User
Windows
No
Anti-virus, Application whitelisting
The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.244
T1085
S0045
44
Exfiltration
Scheduled Transfer
ADVSTORESHELL
Software
ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.
Netflow/Enclave netflow, Process use of network, Process monitoring
Linux, macOS, Windows
Yes
Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
T1029
S0045
45
Command and Control
Standard Application Layer Protocol
ADVSTORESHELL
Software
ADVSTORESHELL connects to port 80 of a C2 server using Wininet API.1
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
T1071
S0045
46
Command and Control
Standard Cryptographic Protocol
ADVSTORESHELL
Software
A variant of ADVSTORESHELL encrypts some C2 with 3DES and RSA.
Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection
Linux, macOS, Windows
Yes
Adversaries use command and control over an encrypted channel using a known encryption protocol like HTTPS or SSL/TLS. The use of strong encryption makes it difficult for defenders to detect signatures within adversary command and control traffic. Some adversaries may use other encryption protocols and algorithms with symmetric keys, such as RC4, that rely on encryption keys encoded into malware configuration files and not public key cryptography. Such keys may be obtained through malware reverse engineering.
T1032
S0045
47
Discovery
System Information Discovery
ADVSTORESHELL
Software
ADVSTORESHELL can run Systeminfo to gather information about the victim.171
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Windows Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories. Mac On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
T1082
S0045
CAPEC-311
48
Exfiltration
Data Encrypted
Agent.btz
Software
Agent.btz saves system information into an XML file that is then XOR-encoded.1
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Linux, macOS, Windows
No
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.
T1022
S0092
49
Exfiltration
Exfiltration Over Physical Medium
Agent.btz
Software
Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.
Data loss prevention, File monitoring
Linux, macOS, Windows
No
Presence of physical medium or device
In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
T1052
S0092
50
Command and Control, Lateral Movement
Remote File Copy
Agent.btz
Software
Agent.btz attempts to download an encrypted binary from a specified domain.1
File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
User
Linux, macOS, Windows
Yes
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
T1105
S0092
51
Credential Access, Lateral Movement
Replication Through Removable Media
Agent.btz
Software
Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.
File monitoring, Data loss prevention
User
Windows
Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Adversaries may move to additional systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into another system and executes. This may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.
T1091
S0092
52
Discovery
System Network Configuration Discovery
Agent.btz
Software
Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.1
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
T1016
S0092
CAPEC-309
53
Discovery
System Owner/User Discovery
Agent.btz
Software
Agent.btz obtains the victim username and saves it to a file.1
File monitoring, Process monitoring, Process command-line parameters
User, Administrator
Linux, macOS, Windows
T1033
S0092
CAPEC-577
54
Execution
Command-Line Interface
APT1
Group
APT1 has used the Windows command shell to execute commands.
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
No
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms.44 One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes the permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
T1059
G0006
55
Credential Access
Credential Dumping
APT1
Group
APT1 has been known to use credential dumping.1
API monitoring, Process command-line parameters, Process monitoring, PowerShell logs
Administrator, SYSTEM
Windows
Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Lateral Movement and access restricted information. Tools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries. Plaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.48 DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API)49505152 to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data 53 from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket54 or change an account's password as noted in Account Manipulation.55 DCSync functionality has been included in the "lsadump" module in Mimikatz.56 Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.57
T1003
G0006
CAPEC-567
56
Exfiltration
Data Compressed
APT1
Group
APT1 has used RAR to compress files before moving them outside of the victim network.
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Linux, macOS, Windows
No
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
T1002
G0006
57
Collection
Data from Local System
APT1
Group
APT1 has collected files from a local victim.
File monitoring, Process monitoring, Process command-line parameters
Linux, macOS, Windows
Privileges to access certain files and directories
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration. Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.
T1005
G0006
58
Collection
Email Collection
APT1
Group
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived.
Authentication logs, File monitoring, Process monitoring, Process use of network
Windows
Adversaries may target user email to collect sensitive information from a target. Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.
T1114
G0006
59
Defense Evasion
Masquerading
APT1
Group
The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.
File monitoring, Process monitoring, Binary file metadata
Linux, macOS, Windows
Whitelisting by file name or path
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate. Windows In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe.161 An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths.162 An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe". Linux Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before.163 An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier".164 165
T1036
G0006
60
Lateral Movement
Pass the Hash
APT1
Group
The APT1 group is known to have used pass the hash.
Authentication logs
Windows
Requires Microsoft Windows as target system
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.193
T1075
G0006
61
Lateral Movement
Remote Desktop Protocol
APT1
Group
The APT1 group is known to have used RDP during operations.
Authentication logs, Netflow/Enclave netflow, Process monitoring
User, Remote Desktop Users
Windows
RDP service enabled, account in the Remote Desktop Users group.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).236 There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.237 Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.238 This can be done remotely or locally and with active or disconnected sessions.239 It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf.240
T1076
G0006
CAPEC-555
62
Defense Evasion, Execution
Scripting
APT1
Group
APT1 has used batch scripting to automate execution of commands.
Process monitoring, File monitoring, Process command-line parameters
Linux, macOS, Windows
Process whitelisting
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit255, Veil256, and PowerSploit208 are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.257
T1064
G0006
63
Command and Control
Standard Cryptographic Protocol
APT12
Group
APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.2
Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection
Linux, macOS, Windows
Yes
Adversaries use command and control over an encrypted channel using a known encryption protocol like HTTPS or SSL/TLS. The use of strong encryption makes it difficult for defenders to detect signatures within adversary command and control traffic. Some adversaries may use other encryption protocols and algorithms with symmetric keys, such as RC4, that rely on encryption keys encoded into malware configuration files and not public key cryptography. Such keys may be obtained through malware reverse engineering.
T1032
G0005
64
Persistence
External Remote Services
APT18
Group
APT18 actors leverage legitimate credentials to log into external remote services.
Authentication logs
User
Windows
Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. Adversaries may use remote services to access and persist within a network.93 Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of Redundant Access during an operation.
T1133
G0026
65
Defense Evasion
File Deletion
APT18
Group
APT18 actors deleted tools and batch files from victim systems.
File monitoring, Binary file metadata, Process command-line parameters
User
Linux, macOS, Windows
Host forensic analysis
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools.47
T1107
G0026
66
Execution, Persistence, Privilege Escalation
Scheduled Task
APT18
Group
APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.
File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Administrator, SYSTEM
Windows
Yes
Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.252 An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
T1053
G0026
CAPEC-557
67
Defense Evasion, Persistence, Privilege Escalation
Valid Accounts
APT18
Group
APT18 actors leverage legitimate credentials to log into external remote services.
Authentication logs, Process monitoring
User, Administrator
Linux, macOS, Windows
Anti-virus, Firewall, Host intrusion prevention systems, Network intrusion detection system, Process whitelisting, System access controls
Adversaries may steal the credentials of a specific user or service account using Credential Access techniques. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network and may even be used for persistent access to remote systems. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. Adversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.283
T1078
G0026
CAPEC-560
68
Defense Evasion, Privilege Escalation
Access Token Manipulation
APT28
Group
APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.
API monitoring, Access Tokens
User, Administrator
Windows
Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.1 Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.2 Access tokens can be leveraged by adversaries through three methods:3 Token Impersonation/Theft - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system. Create Process with a Token - An adversary creates a new access token with DuplicateToken(Ex) and uses it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user. Make and Impersonate Token - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread. Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. Metasploit's Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges.4 The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens.5
T1134
G0007
69
Persistence
Bootkit
APT28
Group
APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.
API monitoring, MBR, VBR
Administrator, SYSTEM
Linux, Windows
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).15 Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. Master Boot Record The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.16 Volume Boot Record The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
T1067
G0007
70
Command and Control
Communication Through Removable Media
APT28
Group
APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.
File monitoring, Data loss prevention
Linux, macOS, Windows
No
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
T1092
G0007
71
Command and Control
Communication Through Removable Media
APT28
Group
Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.23
File monitoring, Data loss prevention
Linux, macOS, Windows
No
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
T1092
G0007
72
Defense Evasion, Persistence
Component Object Model Hijacking
APT28
Group
APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.
Windows Registry, DLL monitoring, Loaded DLLs
User
Windows
Autoruns Analysis
The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.45 Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component, which may cause that component to not work when executed. When that system component is executed through normal system operation, the adversary's code will be executed instead.46 An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system, so as to avoid system instability that could lead to detection.
T1122
G0007
73
Command and Control
Connection Proxy
APT28
Group
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.2 The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.
Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture, Process monitoring
Linux, macOS, Windows
Yes
A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap.47 The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
T1090
G0007
74
Credential Access
Credential Dumping
APT28
Group
APT28 regularly deploys both publicly available and custom password retrieval tools on victims.1
API monitoring, Process command-line parameters, Process monitoring, PowerShell logs
Administrator, SYSTEM
Windows
Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Lateral Movement and access restricted information. Tools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries. Plaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.48 DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API)49505152 to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data 53 from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket54 or change an account's password as noted in Account Manipulation.55 DCSync functionality has been included in the "lsadump" module in Mimikatz.56 Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.57
T1003
G0007
CAPEC-567
75
Credential Access
Credentials in Files
APT28
Group
APT28 has been known to specifically look for Firefox passwords on the file system.
File monitoring, Process command-line parameters
User, Administrator, SYSTEM
Linux, macOS, Windows
Access to files
Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping.58 Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.59
T1081
G0007
CAPEC-545
76
Command and Control
Data Obfuscation
APT28
Group
APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.
Packet capture, Process use of network, Process monitoring, Network protocol analysis
Linux, macOS, Windows
Yes
Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.
T1001
G0007
77
Collection
Data Staged
APT28
Group
APT28 has stored captured credential information in a file named pi.log.
File monitoring, Process monitoring, Process command-line parameters
Linux, macOS, Windows
Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
T1074
G0007
78
Collection
Data from Removable Media
APT28
Group
An APT28 backdoor may collect the entire contents of an inserted USB device.
File monitoring, Process monitoring, Process command-line parameters
Linux, macOS, Windows
Privileges to access removable media drive and files
Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.
T1025
G0007
79
Execution
Dynamic Data Exchange
APT28
Group
APT28 has delivered JHUHUGIT by executing PowerShell commands through DDE in Word documents. 5
API monitoring, DLL monitoring, Process Monitoring, Windows Registry, Windows event logs
User
Windows
No
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE is still enabled in Windows 10 and most of Microsoft Office 2016 (a December 2017 patch created a Registry key that disables DDE in Word by default).84 Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands8586 and used to deliver execution via spear phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.87 DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.
T1173
G0007
80
Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation
Exploitation of Vulnerability
APT28
Group
APT28 has used CVE-2014-4076, CVE-2015-2387, and CVE-2015-1701 to escalate privileges, as well as CVE-2015-4902 to bypass security features.3
Windows Error Reporting, File monitoring, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network. In the case of privilege escalation, the adversary likely already has user permissions on the target system.
Anti-virus, System access controls
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.9192
T1068
G0007
CAPEC-69
81
Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation
Exploitation of Vulnerability
APT28
Group
APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.5
Windows Error Reporting, File monitoring, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network. In the case of privilege escalation, the adversary likely already has user permissions on the target system.
Anti-virus, System access controls
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.9192
T1068
G0007
CAPEC-69
82
Defense Evasion
File Deletion
APT28
Group
APT28 has deleted files from the system via the NSFileManager:removeFileAtPath method.3
File monitoring, Binary file metadata, Process command-line parameters
User
Linux, macOS, Windows
Host forensic analysis
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools.47
T1107
G0007
83
Discovery
File and Directory Discovery
APT28
Group
APT28 has a utility to list detailed information about files and directories.
File monitoring, Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Windows Example utilities used to obtain this information are dir and tree.103 Custom tools may also be used to gather file and directory information and interact with the Windows API. Mac and Linux In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.
T1083
G0007
84
Defense Evasion
Indicator Removal on Host
APT28
Group
APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security.
File monitoring, Process command-line parameters, Process monitoring
Linux, macOS, Windows
Anti-virus, Log analysis, Host intrusion prevention systems
Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
T1070
G0007
CAPEC-93
85
Collection, Credential Access
Input Capture
APT28
Group
APT28 can deploy a tool to perform keylogging.
Windows Registry, Kernel drivers, Process monitoring, API monitoring
Administrator, SYSTEM
Linux, macOS, Windows
Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes,131 but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.132 Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises. Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.93
T1056
G0007
CAPEC-569
86
Credential Access
Network Sniffing
APT28
Group
APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.
Network device logs, Host network interface, Netflow/Enclave netflow
Administrator, SYSTEM
Linux, macOS, Windows
Network interface access and packet capture driver
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
T1040
G0007
CAPEC-158
87
Defense Evasion
Obfuscated Files or Information
APT28
Group
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm.
Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering
Linux, macOS, Windows
Host forensic analysis, Signature-based detection, Host intrusion prevention systems
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system. This is common behavior that can be used across different platforms to evade defenses. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.185
T1027
G0007
88
Persistence
Office Application Startup
APT28
Group
APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.
Process monitoring, Process command-line parameters, Windows Registry, File monitoring
User, Administrator
Windows
Office Test technique: Office 2007, 2010, 2013, 2015 and 2016; Add-ins: some require administrator permissions
Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started. Office Template Macros Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.186 Office Visual Basic for Applications (VBA) macros187 can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.188189 Word Normal.dotm location: C:\Users\(username)\AppData\Roaming\Microsoft\Templates\Normal.dotm Excel Personal.xlsb location: C:\Users\(username)\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros. Office Test A Registry location was found that, when a DLL reference was placed within it, the corresponding DLL pointed to by the binary path would be executed every time an Office application is started.190 HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf Add-ins Office add-ins can be used to add functionality to Office programs.191 Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins.192
T1137
G0007
89
Lateral Movement
Pass the Hash
APT28
Group
APT28 has used pass the hash for lateral movement.
Authentication logs
Windows
Requires Microsoft Windows as target system
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.193
T1075
G0007
90
Discovery
Peripheral Device Discovery
APT28
Group
APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.1 They have also looked for the presence of iOS devices by looking for their backups.2
User, Administrator, SYSTEM
Windows
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
T1120
G0007
91
Discovery
Process Discovery
APT28
Group
APT28 has used built-in tools like ps aux on macOS to determine which processes are running.1
Process command-line parameters, Process monitoring
User, Administrator, SYSTEM
Linux, macOS, Windows
Administrator, SYSTEM may provide better process ownership details
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Windows An example command that would obtain details on processes is "tasklist" using the Tasklist utility. Mac and Linux In Mac and Linux, this is accomplished with the ps command.
T1057
G0007
CAPEC-573
92
Command and Control, Lateral Movement
Remote File Copy
APT28
Group
After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.1 APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.
File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
User
Linux, macOS, Windows
Yes
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
T1105
G0007
93
Credential Access, Lateral Movement
Replication Through Removable Media
APT28
Group
APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.
File monitoring, Data loss prevention
User
Windows
Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Adversaries may move to additional systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into another system and executes. This may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.
T1091
G0007
95
Credential Access, Lateral Movement
Replication Through Removable Media
APT28
Group
Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.4
File monitoring, Data loss prevention
User
Windows
Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Adversaries may move to additional systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into another system and executes. This may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.
T1091
G0007
96
Defense Evasion, Execution
Rundll32
APT28
Group
APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”.2 APT28 also executed a .dll for a first stage dropper using rundll32.exe.
File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
User
Windows
No
Anti-virus, Application whitelisting
The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.244
T1085
G0007
97
Collection
Screen Capture
APT28
Group
APT28 regularly deploys a custom tool to take regular screenshots of victims.2
API monitoring, Process monitoring, File monitoring
Linux, macOS, Windows
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Mac On OSX, the native command screencapture is used to capture screenshots. Linux On Linux, there is the native command xwd.115
T1113
G0007
99
Command and Control
Standard Application Layer Protocol
APT28
Group
APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.
Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Linux, macOS, Windows
Yes
Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
T1071
G0007
100
Discovery
System Information Discovery
APT28
Group
APT28 has enumerated installed applications on macOS devices with built-in utilities such as ls -al /Applications.1
Process command-line parameters, Process monitoring
User
Linux, macOS, Windows
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Windows Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories. Mac On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
T1082
G0007
CAPEC-311