NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry.
In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020. Our threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests.
In open source this actor is referred to as Chimera by CyCraft.
NCC Group and Fox-IT have seen this actor remain undetected, their dwell time, for up to three years. As such, if you were a victim, they might still be active in your network looking for your most recent crown jewels.
We contained and eradicated the threat from our client’s networks during incident response whilst our Managed Detection and Response (MDR) clients automatically received detection logic.
With this publication, NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set.
Throughout we use terminology to describe the various phases, tactics, and techniques of the intrusions standardized by MITRE with their ATT&CK framework . Near the end of this article all the tactics and techniques used by the adversary are listed with links to the MITRE website with more information.
From initial access to defense evasion: how it is done
In all the intrusions we have observed they are performed in similar ways by the adversary: from initial access all the way to actions on objectives. The objective in these cases appear to be stealing sensitive data from the victim’s networks.
Credential theft and password spraying to Cobalt Strike
This adversary starts with obtaining usernames and passwords of their victim from previous breaches. These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control.
Network discovery and lateral movement
The adversary continues their discovery of the victim’s network from patient zero. Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the obtained valid account is already member of the domain admins group, the first lateral move in the network is usually to a domain controller where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon. After this the adversary dumps the domain admin credentials from the memory of this machine, continues lateral moving through the network, and places Cobalt Strike beacons on servers for increased persistent access into the victim’s network. If the victim’s network contains other Windows domains or different network security zones, the adversary scans and finds the trust relationships and jump hosts, attempting to move into the other domains and security zones. The adversary is typically able to perform all the steps described above within one day.
During this process, the adversary identifies data of interest from the network of the victim. This can be anything from file and directory-listings, configuration files, manuals, email stores in the guise of OST- and PST-files, file shares with intellectual property (IP), and personally identifiable information (PII) scraped from memory. If the data is small enough, it is exfiltrated through the command and control channel of the Cobalt Strike beacons. However, usually the data is compressed with WinRAR, staged on another system of the victim, and from there copied to a OneDrive-account controlled by the adversary.
After the adversary completes their initial exfiltration, they return every few weeks to check for new data of interest and user accounts. At times they have been observed attempting to perform a degree of anti-forensic activities including clearing event logs, time stomping files, and removing scheduled tasks created for some objectives. But this isn’t done consistently across their engagements.
Framing the adversary’s work in the MITRE ATT&CK framework
Credential access (TA0006)
The earliest and longest lasting intrusion by this threat we observed, was at a company in the semiconductors industry in Europe and started early Q4 2017. The more recent intrusions took place in 2019 at companies in the aviation industry. The techniques used to achieve access at the companies in the aviation industry closely resembles techniques used at victims in the semiconductors industry.
The threat used valid accounts against remote services: Cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more than usual login attempts with a username formatted as email address, e.g.<username>@<email domain>. While usernames for legitimate logins at the victim’s network were generally formatted like <domain>\<username>. And attempted logins came from a relative small set of IP-addresses.
For the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary achieving credentials access by brute force, and more specifically by credential stuffing or password spraying.
Initial access (TA0001)
In some of the intrusions the adversary used the valid account to directly login to a Citrix environment and continued their work from there.
In one specific case, the adversary now armed with the valid account, was able to access a document stored in SharePoint Online, part of Microsoft Office 365. This specific document described how to access the internet facing company portal and the web-based VPN client into the company network. Within an hour after grabbing this document, the adversary accessed the company portal with the valid account.
From this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication (2FA) by sending an SMS with a one-time password (OTP) to the user account’s primary or alternate phone number. It was possible to configure an alternate phone number for the logged in user account at the company portal. The adversary used this opportunity to configure an alternate phone number controlled by the adversary.
By performing two-factor authentication interception by receiving the OTP on their own telephone number, they gained access to the company network via the VPN. However, they also made a mistake during this process within one incident. Our hypothesis is that they tested the 2FA-system first or selected the primary phone number to send a SMS to. However the European owner of the account received a text message with Simplified Chinese characters on the primary phone number in the middle of the night Eastern European Time (EET). NCC Group and Fox-IT identified that the language in the text-message for 2FA is based on the web browser’s language settings used during the authentication flow. Thus the 2FA code was sent with supporting Chinese text.
Account discovery (T1087)
With access into the network of the victim, the adversary finds a way to install a Cobalt Strike beacon on a system of the victim (see Execution). But before doing so, we observed the adversary checking the current permissions of the obtained user account with the following commands:
net user net user Administrator net user <username> /domain net localgroup administrators
If the user account doesn’t have local administrative or domain administrative permissions, the adversary attempts to discover which local or domain admin accounts exist, and exfiltrates the admin’s usernames. To identify if privileged users are active on remote servers, the adversary makes use of PsLogList from Microsoft Sysinternals to retrieve the Security event logs. The built-in Windows quser-command to show logged on users is also heavily used by them. If such a privileged user was recently active on a server the adversary executes Cobalt Strike’s built-in Mimikatz to dump its password hashes.
Privilege escalation (TA0004)
The adversary started a password spraying attack against those domain admin accounts, and successfully got a valid domain admin account this way. In other cases, the adversary moved laterally to another system with a domain admin logged in. We observed the use of Mimikatz on this system and saw the hashes of the logged in domain admin account going through the command and control channel of the adversary. The adversary used a tool called NtdsAudit to dump the password hashes of domain users as well as we observed the following command:
msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv
Note: the adversary renamed ntdsaudit.exe to msadcs.exe.
But we also observed the adversary using the tool ntdsutil to create a copy of the Active Directory database NTDS.dit followed by a repair action with esentutl to fix a possible corrupt NTDS.dit:
ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q esentutl /p /o ntds.dit
Both ntdsutil and esentutl are by default installed on a domain controller.
A tool used by the adversary which wasn’t installed on the servers by default, was DSInternals. DSInternals is a PowerShell module that makes use of internal Active Directory features. The files and directories found on various systems of a victim match with DSInternals version 2.16.1. We have found traces that indicate DSInternals was executed and at which time, which match with the rest of the traces of the intrusion. We haven’t recovered traces of how the adversary used DSInternals, but considering the phase of the intrusion the adversary used the tool, it is likely they used it for either account discovery or privilege escalation, or both.
The adversary installs a hackers best friend during the intrusion: Cobalt Strike. Cobalt Strike is a framework designed for adversary simulation intended for penetration testers and red teams. It has been widely adopted by malicious threats as well.
The Cobalt Strike beacon is installed in memory by using a PowerShell one-liner. At least the following three versions of Cobalt Strike have been in use by the adversary:
- Cobalt Strike v3.8, observed Q2 2017
- Cobalt Strike v3.12, observed Q3 2018
- Cobalt Strike v3.14, observed Q2 2019
Fox-IT has been collecting information about Cobalt Strike team servers since January 2015. This research project covers the fingerprinting of Cobalt Strike servers and is described in Fox-IT blog “Identifying Cobalt Strike team servers in the wild”. The collected information allows Fox-IT to correlate Cobalt Strike team servers, based on various configuration settings. Because of this, historic information was available during this investigation. Whenever a Cobalt Strike C2 channel was identified, Fox-IT performed lookups into the collection database. If a match was found, the configuration of the Cobalt Strike team server was analysed. This configuration was then compared against the other Cobalt Strike team servers to check for similarities in for example domain names, version number, URL, and various other settings.
The adversary heavily relies on scheduled tasks for executing a batch-file (.bat) to perform their tasks. An example of the creation of such a scheduled task by the adversary:
schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 06:59:00
The batch-files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system.
The adversary loads the Cobalt Strike beacon in memory, without any persistence mechanisms on the compromised system. Once the system is rebooted, the beacon is gone. The adversary is still able to have persistent access by installing the beacon on systems with high uptimes, such as server. Besides using the Cobalt Strike beacon, the adversary also searches for VPN and firewall configs, possibly to function as a backup access into the network. We haven’t seen the adversary use those access methods after the first Cobalt Strike beacons were installed. Maybe because it was never necessary.
After the first bulk of data is exfiltrated, the persistent access into the victim’s network is periodically used by the adversary to check if new data of interest is available. They also create a copy of the NTDS.dit and SYSTEM-registry hive file for new credentials to crack.
The adversary applied a wide range of discovery tactics. In the list below we have highlighted a few specific tools the adversary used for discovery purposes. You can find a summary of most of the commands used by the adversary to perform discovery at the end of this article.
Account discovery tool: PsLogList
psloglist.exe -accepteula -x security -s -a <date>
This command exports a text file with comma separated fields. The text files contain the contents of the Security Event log after the specified date.
Psloglist is part of the Sysinternals toolkit from Mark Russinovich (Microsoft). The tool was used by the adversary on various systems to write events from the Windows Security Event Log to a text file. A possible intent of the adversary could be to identify if privileged users are active on the systems. If such a privileged user was recently active on a server the actor executes Cobalt Strike’s built-in Mimikatz to dump its credentials or password hash.
Account discovery tool: NtdsAudit
msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv
It imports the specified Active Directory database NTDS.dit and registry file SYSTEM and exports the found password hashes into RecordedTV_pdump.txt and user details in RecordedTV_users.csv.
The NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics related to accounts and passwords. The utility was found on various systems of a victim and matches the NtdsAudit.exe program file version v2.0.5 published on the GitHub project page.
Network service scanning
get -b <start ip> -e <end ip> -p get -b <start ip> -e <end ip>
Get.exe appears to be a custom tool used to scan IP-ranges for HTTP service information. NCC Group and Fox-IT decompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into a Windows executable file. Though Fox-IT didn’t find any direct occurrences of the tool on the internet, the decompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans the internal network for HTTP & HTTPS services. The reconnaissance tool getHttpsInfo is able to discover HTTP servers within the range of a network.
The tool was shared on a Chinese forum around 2016.
Figure 1: Example of a download location for GetHttpsInfo.exe
Lateral movement (TA0008)
The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. The adversary attempts to move to a domain controller as soon as possible after getting foothold into the victim’s network. They continue lateral movement and discovery in an attempt to identify the data of interest. This could be a webserver to carve PII from memory, or a fileserver to copy IP, as we have both observed.
At one customer, the data of interest was stored in a separate security zone. The adversary was able to find a dual homed system and compromise it. From there on they used it as a jump host into the higher security zone and started collecting the intellectual property stored on a file server in that zone.
In one event we saw the adversary compromise a Linux-system through SSH. The user account was possibly compromised on the Linux server by using credential stuffing or password spraying: Logfiles on the Linux-system show traces which can be attributed to a credential stuffing or password spraying attack.
Lateral tool transfer (T1570)
The adversary is applying living off the land techniques very well by incorporating default Windows tools in its arsenal. But not all tools used by the adversary are so called lolbins: As said before, they use Cobalt Strike. But they also rely on a custom tool for network scanning (get.exe), carving data from memory, compression of data, and exfiltrating data.
But first: How did they get the tools on the victim’s systems? The adversary copied those tools over SMB from compromised system to compromised system wherever they needed these tools. A few examples of commands we observed:
copy get.exe \\<ip>\c$\windows\temp\ copy msadc* \\<hostname>\c$\Progra~1\Common~1\System\msadc\ copy update.exe \\<ip>\c$\windows\temp\ move ak002.bat \\<ip>\c$\windows\temp\update.bat
In preparation of exfiltration of the data needed for their objective, the adversary collected the data from various sources within the victim’s network. As described before, the adversary collected data from an information repository, Microsoft SharePoint Online in this case. This document was exfiltrated and used to continue the intrusion via a company portal and VPN.
In all cases we’ve seen the adversary copying results of the discovery phase, like file- and directory lists from local systems, network shared drives, and file shares on remote systems. But email collection is also important for this adversary: with every intrusion we saw the mailbox of some users being copied, from both local and remote systems:
wmic /node:<ip> process call create "cmd /c copy c:\Users\<username>\<path>\backup.pst c:\windows\temp\backup.pst" copy "i:\<path>\<username>\My Documents\<filename>.pst" copy \\<hostname>\c$\Users\<username>\AppData\Local\Microsoft\Outlook*.ost
Files and folders of interest are collected as well and staged for exfiltration.
The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR). How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.
The DLL’s used were side-loaded in memory on compromised systems. After placing the DLL in the appropriate directory, the actor would change the date and time stamps on the DLL files to blend in with the other legitimate files in the directory.
Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the of the activities that NCC Group and Fox-IT has observed in the analysed C2 traffic.
We’ve seen the adversary staging data on a remote system or on the local system. Most of the times the data is compressed and copied at the same time. Only a handful of times the adversary copies the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command-line. The filename of the command-line executable for WinRAR is RAR.exe by default.
This activity group always uses a renamed version of rar.exe. We have observed the following filenames overlapping all intrusions:
The adversary typically places the executables in the following folders:
The following four different variants of the use of rar.exe as update.exe we have observed:
update a -m5 -hp<password> <target_filename> <source> update a -m5 -r -hp<password> <target_filename> <source> update a -m5 -inul -hp<password> <target_filename> <source> update a -m5 -r -inul -hp<password> <target_filename> <source>
The command lines parameters have the following effect:
- a = add to archive.
- m5 = use compression level 5.
- r = recurse subfolders.
- inul = suppress error messages.
- hp<password> = encrypt both file data and headers with password.
The used password, file extensions for the staged data differ per intrusion. We’ve seen the use of .css, .rar, .log.txt, and no extension for staged pieces of data.
After compromising a host with a Linux operating systems, data is also compressed. This time the adversary compresses the data as a gzipped tar-file: tar.gz. Sometimes no file extension is used, or the file extension is .il. Most of the times the files names are prepended with adsDL_ or contain the word “list”. The files are staged in the home folder of the compromised user account: /home/<username>/
Command and control (TA0011)
The adversary uses Cobalt Strike as framework to manage their compromised systems. We observed the use of Cobalt Strike’s C2 protocol encapsulated in DNS by the adversary in 2017 and 2018. They switched to C2 encapsulated in HTTPS in Q3 2019. An interesting observation is they made use of a cracked/patched trial version of Cobalt Strike. This is important to note because the functionalities of Cobalt Strike’s trial version are limited. More importantly: the trial version doesn’t support encryption of command and control traffic in cases where the protocol itself isn’t encrypted, such as DNS. In one intrusion we investigated, the victim had years of logging available of outgoing DNS-requests. The DNS-responses weren’t logged. This means that only the DNS C2 leaving the victim’s network was logged. We developed a Python script that decoded and combined most of the logged C2 communication into a human readable format. As the adversary used Cobalt Strike with DNS as command & control protocol, we were able to reconstruct more than two years of adversary activity. With all this activity data, it was possible for us to create some insight into the ‘office’-hours of this adversary. The activity took place six days a week, rarely on Sundays. The activity started on average at 02:36 UTC and ended rarely after 13:00 UTC. We observed some periods where we expected activity of the adversary, but almost none was observed. These periods match with the Chinese Golden Week holiday.
Figure 2: Heatmap of activity. Times on the X-axis are in UTC.
The adversary also changed their domains for command & control around the same time they switched C2 protocols. They used a subdomain under a regular parent domain with a .com TLD in 2017 and 2018, but they started using sub-domains under the parent domain appspot.com and azureedge.net in 2019. The parent domain appspot.com is a domain owned by Google, and part of Google’s App Engine platform as a service. Azureedge.net is a parent domain owned by Microsoft, and part of Microsoft’s Azure content delivery network.
The adversary uses the command and control channel to exfiltrate small amounts of data. This is usually information containing account details. For large amounts of data, such as the mailboxes and network shares with intellectual property, they use something else.
Once the larger chunks of data are compressed, encrypted, and staged, the data is exfiltrated using a custom built tool. This tool exfiltrates specified files to cloud storage web services. The following cloud storage web services are supported by the malware:
- Google Drive
The actor specifies the following arguments when running the exfiltration tool:
- Name of the web service to be used
- Parameters used for the web service, such as a client ID and/or API key
- Path of the file to read and exfiltrate to the web service
We have observed the exfiltration tool in the following locations:
Hashes of these files are listed at the end of this article.
Defense evasion (TA0005)
The adversary attempts to clean-up some of the traces from their intrusions. While we don’t know what was deleted and we were unable to recover, we did see some of their anti-forensics activity:
- Windows event logs clearing,
- File deletion,
An overview of the observed commands can be found in the appendix.
For indicator removal on host: Timestomp the adversary uses a Windows version of the Linux touch command. This tool is included in the UnxUtils repository. This makes sure the used tools by the adversary blend in with the other files in the directory when shown in a timeline. Creating a timeline is a common thing to do for forensic analysts to get a chronological view of events on a system.
The same activity group?
A number of our intrusions involved tips from an industry partner who was able to correlate some of their upstream activity.
Our threat intelligence analysts observed clear overlap between the various cases that NCC Group and Fox-IT worked in the threat’s infrastructure and capabilities, and as a result we assess with moderate confidence one activity group was carrying out the intrusions across the different type of victims.
Some overlap is very generic for a lot for a lot of groups, like the use of Cobalt Strike, or exfiltration to OneDrive. But the tool used for exfiltration to OneDrive is very specific for this adversary. The use of appspot and azureedge domains as well. The naming convention for their subdomains, tools and scripts overlap too. In summary:
The adversary: Working hours match with GMT+8.
Infrastructure: appspot.com and azureedge.net for C2 with a strong overlap in naming convention for subdomains and actual overlap in some subdomains between intrusions.
Capability: Password spraying/credential stuffing. Cobalt Strike. Copy NTDS.dit. Use scheduled tasks and batch files for automation. The use of LOLBins. WinRAR. Cloud exfil tool and exfil to OneDrive. Erasing Windows Event Logs, files and tasks. Overlap in filenames for tools, staged data, and folders.
Victim: Semiconductors and aviation industry.
We considered labelling them as two activity groups, as of the difference in victims between various intrusions. But all the other overlap is strong enough for us to consider it as one group right now. This group might have gotten a new customer interested in different data which changed the intent and victims of the adversary.
But most importantly: The largest overlap is in the top half of the pyramid of pain: domain names, host artifacts, tools, and TTPs. And these are the hardest for the adversary to change, and most effective for long-lasting detection!
Figure 3: Pyramid of pain by David J Bianco
Fox-IT and NCC Group found some very strong overlap between what we’ve seen in our intrusion, and what Cycraft describes in their APT Group Chimera report and Blackhat presentation. The bulk of the victims they describe are in different regions than we observed which is likely caused by field of view bias. SentinelOne also describes an attack and shares IOC’s that show strong overlap with the intrusions we investigated.
At this moment we believe based on the evidence observed that the various intrusions were performed by the same group. We can only report what we observed: first they stole intellectual property in the high tech sector, later they stole passenger name records (PNR) from airlines, both across geographical locations. Both types of stolen data are very useful for nation states.
Answering if this group has an advanced persistent threat (APT) technique, has some sort of state affiliation, or where they come from goes beyond the scope of this write-up. The threat intelligence and IOC’s we are sharing are intended to help discover and present intrusions by this and adversaries.
A word of thanks goes out to all the forensic experts, incident responders, and threat intelligence analysts who helped victims identifying and eradicating the adversary. And everybody from NCC Group and Fox-IT (part of NCC Group) for all the contributions to this article.
|Binary MD5||133a159e86ff48c59e79e67a3b740c1e||–||get.exe (GetHttpsInfo)|
|Binary MD5||65cf35ddcb42c6ff5dc56d6259cc05f3||–||update.exe (WinRAR)|
|Binary MD5||4d5440282b69453f4eb6232a1689dd4a||–||msadcs.exe (Cloud exfil tool)|
|Binary MD5||90508ff4d2fc7bc968636c716d84e6b4||–||msadcs.exe (Cloud exfil tool)|
|Binary MD5||c9b8cab697f23e6ee9b1096e312e8573||–||jucheck.exe (WinRAR)|
|Binary MD5||dd138a8bc1d4254fed9638989da38ab1||–||msadcs.exe (NTDSAudit)|
|C2 domain||EuDbSyncUp[.]com||Q4 2017 – Q4 0218||–|
|C2 domain||UsMobileSos[.]com||Q4 2017 – Q4 2018||–|
|C2 domain||officeeuupdate.appspot[.]com||Q4 2017 – Q4 2018||–|
|C2 domain||MsCupDb[.]com||Q4 2017 – Q4 2018||–|
|C2 domain||officeeuropupd.appspot[.]com||Q3 2019 – Q1 2020||–|
|C2 domain||platform-appses.appspot[.]com||Q4 2019 – Q1 2020||–|
|C2 domain||watson-telemetry.azureedge[.]net||Q4 2019 – Q1 2020||–|
|Filename||*dsinternals*.dll||–||Dsinternals lib files|
|Filename||OneDrive.exe||–||Cloud data exfil|
|Filename||hsperfdata.sqm||–||Archive with tools|
|Hostname||DESKTOP-0FVJ37C||–||Origin of login to Exchange|
|IPv4 address||47.75.0[.]147||Q2 2019||Password spray|
|IPv4 address||59.47.4[.]27||Q2 2019||ADFS login|
|IPv4 address||45.9.248[.]74||Q2 2019||Citrix login|
|IPv4 address||172.111.210[.]53||Q2 2019||Citrix login|
|IPv4 address||103.51.145[.]123||2019||Initial access|
|IPv4 address||119.39.248[.]32||2019||Initial access|
|IPv4 address||120.227.35[.]98||2019||Initial access|
|IPv4 address||14.229.140[.]66||2019||Mount the file-share|
|IPv4 address||172.111.210[.]53||2019||Initial access|
|IPv4 address||188.72.99[.]41||2019||Initial access|
|IPv4 address||45.9.248[.]74||2019||Initial access|
|IPv4 address||47.75.0[.]147||2019||Password spray|
|IPv4 address||5.254.112[.]226||2019||Initial access|
|IPv4 address||5.254.64[.]234||2019||Initial access|
|IPv4 address||59.47.4[.]27||2019||Initial access|
|IPv4 address||39.109.5[.]135||Q3 2017||VPN server login|
|IPv4 address||43.250.200[.]106||Q3 2017||VPN server login|
|IPv4 address||119.39.248[.]101||Q3 2017||VPN server login|
|IPv4 address||220.202.152[.]47||Q3 2017||VPN server login|
|IPv4 address||119.39.248[.]20||Q3 2017||VPN server login|
|IPv4 address||185.170.210[.]84||Q3 2017||VPN server login|
|IPv4 address||43.250.201[.]71||Q3 2017||VPN server login|
|IPv4 address||23.236.77[.]94||Q3 2017||ADFS login|
|Path||C:\Users\Public\Appdata\Local\||–||Staging and tools|
|Path||C:\Users\Public\Appdata\Local\Microsoft\Windows\INetCache||–||Staging and tools|
|Path||C:\Users\Public\Libraries\||–||Staging and tools|
|Path||C:\Users\Public\Videos\||–||Staging and tools|
|Path||C:\Windows\Temp\||–||Staging and tools|
|Path||C:\Windows\Temp\tmp||–||Staging and tools|
|URI in CS beacon||/externalscripts/jquery/jquery-3.3.1.min.js||Q3 2019 – Q1 2020||–|
|URI in CS beacon||/externalscripts/jquery/jquery-3.3.2.min.js||Q2 2019 – Q3 2019||–|
|URI in CS beacon||/jquery-3.3.2.slim.min.js||Q1 2020||–|
|User-agent||Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko||–||Web VPN login|
|User-agent||Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko||–||Cobalt Strike beacon|
Observed discovery commands
|Account discovery||net user|
|Account discovery||net user Administrator|
|Account discovery||net user /domain|
|Account discovery||dir \\<hostname>\c$\users|
|Account discovery||dsquery user -limit 0 -s <hostname>|
|Account discovery||psloglist.exe -accepteula -x security -s -a <current_date>|
|Account discovery||msadcs.exe “NTDS.dit” -s “SYSTEM” -p RecordedTV_pdmp.txt –users-csv RecordedTV_users.csv|
|Browser bookmark discovery||type \\<hostname>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*|
|Domain trust discovery||nltest /domain_trusts|
|File and directory discovery||dir \\<hostname>\c$\|
|File and directory discovery||dir /o:d /x /s c:\|
|File and directory discovery||dir /o:d /x \\<hostname>\<fileshare>|
|File and directory discovery||cacl <path to file>|
|Network service scanning||get -b <start ip> -e <end ip> -p|
|Network service scanning||get -b <start ip> -e <end ip>|
|Network share discovery||net share|
|Network share discovery||net view \\<hostname>|
|Permission groups discovery||net localgroup administrators|
|Process discovery||tasklist /v |findstr explorer|
|Process discovery||tasklist /v |findstr taskhost|
|Process discovery||tasklist /v |findstr 1716|
|Process discovery||tasklist /v /s <hostname/ip>|
|Query registry||reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers|
|Query registry||reg query \\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings|
|Remote system discovery||type \\<host>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*|
|Remote system discovery||type \\<host>\<path>\Cookies\*ctx*|
|Remote system discovery||reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers|
|Remote system discovery||dir /o:d /x \\<hostname>\c$\users\<username>\Favorites|
|Remote system discovery||net view \\hostname|
|Remote system discovery||dsquery server -limit 0|
|System information discovery||fsutil fsinfo drives|
|System information discovery||systeminfo|
|System information discovery||vssadmin list shadows|
|System network configuration discovery||ipconfig|
|System network configuration discovery||ipconfig /all|
|System network configuration discovery||ping -n 1 -a <ip>|
|System network configuration discovery||ping -n 1 <hostname>|
|System network configuration discovery||tracert <ip>|
|System network configuration discovery||pathping <ip>|
|System network connections discovery||netstat -ano | findstr EST|
|System Owner/User Discovery||quser|
|System service discovery||net start|
|System service discovery||net use|
|System time discovery||time /t|
|System time discovery||net time \\<ip/hostname>|
Observed Defense evasion commands
Indicator Removal on Host: Clear Windows Event Logs
wevtutil cl "Windows PowerShell" wevtutil cl application wevtutil cl security wevtutil cl setup wevtutil cl system
Indicator Removal on Host: File Deletion
del /f/q *.csv *.bin del /f/q *.exe del /f/q *.exe *log.txt del /f/q *.ost del /f/q .rar update .txt del /f/q \\c$\windows\temp*.txt del /f/q \\c$\Progra~1\Common~1\System\msadc\msadcs.dmp del /f/q msadcs* del /f/q psloglist.exe del /f/q update* del /f/q update* .txt del /f/q update.rar del /f/q update*rar del /f/q update12321312.rarschtasks /delete /s /tn "update" /f schtasks /delete /tn "update" /f shred -n 123 -z -u .tar.gz
MITRE ATT&CK references
|External Remote Services||Technique||T1133||https://attack.mitre.org/techniques/T1133/|
|Command and Scripting Interpreter: PowerShell||Technique||T1059.001||https://attack.mitre.org/techniques/T1059/001/|
|Command and Scripting Interpreter: Windows Command Shell||Technique||T1059.003||https://attack.mitre.org/techniques/T1059/003/|
|Scheduled Task/Job: Scheduled Task||Technique||T1053.005||https://attack.mitre.org/techniques/T1053/005/|
|System Services: Service Execution||Technique||T1569.002||https://attack.mitre.org/techniques/T1569/002/|
|Windows Management Instrumentation||Technique||T1047||https://attack.mitre.org/techniques/T1047/|
|External Remote Services||Technique||T1133||https://attack.mitre.org/techniques/T1133/|
|Hijack Execution Flow: DLL Side-Loading||Technique||T1574.002||https://attack.mitre.org/techniques/T1574/002/|
|Deobfuscate/Decode Files or Information||Technique||T1140||https://attack.mitre.org/techniques/T1140/|
|Indicator Removal on Host: Clear Windows Event Logs||Technique||T1070.001||https://attack.mitre.org/techniques/T1070/001/|
|Indicator Removal on Host: File Deletion||Technique||T1070.004||https://attack.mitre.org/techniques/T1070/004/|
|Indicator Removal on Host: Timestomp||Technique||T1070.006||https://attack.mitre.org/techniques/T1070/006/|
|Hijack Execution Flow: DLL Side-Loading||Technique||T1574.002||https://attack.mitre.org/techniques/T1574/002/|
|Masquerading: Rename System Utilities||Technique||T1036.003||https://attack.mitre.org/techniques/T1036/003/|
|Masquerading: Match Legitimate Name or Location||Technique||T1036.005||https://attack.mitre.org/techniques/T1036/005/|
|Use Alternate Authentication Material: Pass the Hash||Technique||T1550.002||https://attack.mitre.org/techniques/T1550/002/|
|Brute Force: Password Spraying||Technique||T1110.003||https://attack.mitre.org/techniques/T1110/003/|
|Brute Force: Credential Stuffing||Technique||T1110.004||https://attack.mitre.org/techniques/T1110/004/|
|OS Credential Dumping: LSASS Memory||Technique||T1003.001||https://attack.mitre.org/techniques/T1003/001/|
|OS Credential Dumping: NTDS||Technique||T1003.003||https://attack.mitre.org/techniques/T1003/003/|
|Two-Factor Authentication Interception||Technique||T1111||https://attack.mitre.org/techniques/T1111/|
|Account Discovery: Local Account||Technique||T1087.001||https://attack.mitre.org/techniques/T1087/001/|
|Account Discovery: Domain Account||Technique||T1087.002||https://attack.mitre.org/techniques/T1087/002/|
|Browser Bookmark Discovery||Technique||T1217||https://attack.mitre.org/techniques/T1217/|
|Domain Trust Discovery||Technique||T1482||https://attack.mitre.org/techniques/T1482/|
|File and Directory Discovery||Technique||T1083||https://attack.mitre.org/techniques/T1083|
|Network Service Scanning||Technique||T1046||https://attack.mitre.org/techniques/T1046|
|Network Share Discovery||Technique||T1135||https://attack.mitre.org/techniques/T1135|
|Permission Groups Discovery||Technique||T1069||https://attack.mitre.org/techniques/T1069|
|Remote System Discovery||Technique||T1018||https://attack.mitre.org/techniques/T1018|
|System Information Discovery||Technique||T1082||https://attack.mitre.org/techniques/T1082|
|System Network Configuration Discovery||Technique||T1016||https://attack.mitre.org/techniques/T1016|
|System Network Connections Discovery||Technique||T1049||https://attack.mitre.org/techniques/T1049|
|System Owner/User Discovery||Technique||T1033||https://attack.mitre.org/techniques/T1033|
|System Service Discovery||Technique||T1007||https://attack.mitre.org/techniques/T1007|
|System Time Discovery||Technique||T1124||https://attack.mitre.org/techniques/T1124|
|Lateral Tool Transfer||Technique||T1570||https://attack.mitre.org/techniques/T1570/|
|Remote Services: SMB/Windows Admin Shares||Technique||T1021.002||https://attack.mitre.org/techniques/T1021/002/|
|Remote Services: SSH||Technique||T1021.004||https://attack.mitre.org/techniques/T1021/004/|
|Remote Services: Windows Remote Management||Technique||T1021.006||https://attack.mitre.org/techniques/T1021/006/|
|Use Alternate Authentication Material: Pass the Hash||Technique||T1550.002||https://attack.mitre.org/techniques/T1550/002/|
|Archive Collected Data: Archive via Utility||Technique||T1560.001||https://attack.mitre.org/techniques/T1560/001/|
|Data from Information Repositories: SharePoint||Technique||T1213.002||https://attack.mitre.org/techniques/T1213/002/|
|Data from Local System||Technique||T1005||https://attack.mitre.org/techniques/T1005/|
|Data from Network Shared Drive||Technique||T1039||https://attack.mitre.org/techniques/T1039/|
|Data Staged: Local Data Staging||Technique||T1074.001||https://attack.mitre.org/techniques/T1074/001/|
|Data Staged: Remote Data Staging||Technique||T1074.002||https://attack.mitre.org/techniques/T1074/002/|
|Email Collection: Local Email Collection||Technique||T1114.001||https://attack.mitre.org/techniques/T1114/001/|
|Command and Control||Tactic||TA0011||https://attack.mitre.org/tactics/TA0011/|
|Application Layer Protocol: Web Protocols||Technique||T1071.001||https://attack.mitre.org/techniques/T1071/001/|
|Application Layer Protocol: DNS||Technique||T1071.004||https://attack.mitre.org/techniques/T1071/004/|
|Encrypted Channel: Asymmetric Cryptography||Technique||T1573.002||https://attack.mitre.org/techniques/T1573/002/|
|Data Transfer Size Limits||Technique||T1030||https://attack.mitre.org/techniques/T1030/|
|Exfiltration Over C2 Channel||Technique||T1041||https://attack.mitre.org/techniques/T1041/|
|Exfiltration Over Web Service: Exfiltration to Cloud Storage||Technique||T1567.002||https://attack.mitre.org/techniques/T1567/002/|