
APT29 Emulation

Enterprise Evaluation 2019
ATT&CK Description

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. [1] [2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [3]

Emulation Notes

APT29 is distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. APT29 typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims.

Scenario Overview

Two scenarios emulate publicly reported APT29/Cozy Bear/The Dukes/YTTRIUM tradecraft and operational flows. The first scenario (executed with Pupy, Meterpreter, and custom tooling) begins with the execution of a payload delivered by a widespread "spray and pray" spearphishing campaign, followed by a rapid "smash and grab" collection and exfiltration of specific file types. After completing the initial data theft, the value of the target is realized, and the adversary drops a secondary, stealthier toolkit used to further explore and compromise the target network.

The second scenario (executed with PoshC2 and custom tooling) focuses on a very targeted and methodical breach, beginning with the execution of a specially crafted payload designed to scrutinize the target environment before executing. The scenario continues through a low and slow takeover of the initial target and eventually the entire domain. Both scenarios include executing previously established persistence mechanisms after a simulated time lapse to further the scope of the breach.