APT3 Evaluation: Operational Flow
The Operational Flow separated technique execution into sequences we referred to as “Steps”. Organizing our execution into Steps ensured that the detection displayed was correctly associated with the technique that was being tested. Each Step corresponded to an adversary’s intended goal during an operation. We performed 20 Steps in total across two scenarios: 10 Steps corresponded to our first scenario (which used Cobalt Strike), and 10 Steps corresponded to our second scenario (which used Empire). We further divided each Step into Sub-Steps that are denoted by letters (e.g. 1A, 1B, etc.). Those Steps, Sub-Steps, and the corresponding techniques are outlined below.
First Scenario
We used Cobalt Strike, a commercially available red team tool, to execute our emulation for the first scenario.
Step 1 - Initial Compromise
We emulated initial compromise via a malicious executable sent in a spearphishing email. Delivery was out of scope for our evaluation, so Step 1 began with a legitimate user executing the payload on the victim host, which was a Remote Access Tool (RAT) that connected back to our attacker infrastructure for tasking. The malicious executable was a self-extracting archive that established persistence and launched an initial callback through a C2 channel.
Step 1 tested the following techniques:
- 1.A.1 - User Execution (T1204) via Scripting (T1064) with Rundll32 (T1085)
- A legitimate user executed the payload, which launched a batch file that executed a Cobalt Strike DLL payload via Rundll32.
- 1.B.1 - Registry Run Keys / Start Folder (T1060)
- The launched batch file wrote a separate batch file (that would also execute the Cobalt Strike DLL payload) to the current user's Startup folder.
- 1.C.1 - Commonly Used Port (T1043), Standard Application Layer Protocol (T1071), Data Encoding (T1132)
- The executed Cobalt Strike DLL callback established a C2 channel over DNS port 53 using both NetBIOS and base64 encoding.
Step 2 - Initial Discovery
We emulated initial discovery using a succession of common discovery commands executed through both the command-line interface and API calls. Discovery techniques in Step 2 targeted gaining fundamental knowledge about the system and network required before follow-on activity.
Step 2 tested the following techniques:
- 2.A.1 - System Network Configuration Discovery (T1016) via Command-Line Interface (T1059)
- The ipconfig utility was executed via cmd to enumerate local TCP/IP network configuration information.
- 2.A.2 - System Network Configuration Discovery (T1016) via Command-Line Interface (T1059)
- The arp utility was executed via cmd to enumerate local ARP configuration information.
- 2.B.1 – System Owner / User Discovery (T1033) via Command-Line Interface (T1059)
- The native echo command was executed via cmd to enumerate local environment variables associated with the current user and domain.
- 2.C.1 – Process Discovery (T1057) via Execution through API (T1106)
- Native API call(s) were executed to enumerate local running processes.
- 2.C.2 – Process Discovery (T1057) via Command-Line Interface (T1059)
- The tasklist utility was executed via cmd to enumerate local running processes.
- 2.D.1 – System Service Discovery (T1007) via Command-Line Interface (T1059)
- The sc utility was executed via cmd to enumerate local active services.
- 2.D.2 – System Service Discovery (T1007) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate local active services.
- 2.E.1 – System Information Discovery (T1082) via Command-Line Interface (T1059)
- The systeminfo utility was executed via cmd to enumerate local operating system configuration.
- 2.E.2 – System Information Discovery (T1082) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate local operating system configuration.
- 2.F.1 – Permissions Groups Discovery (T1069) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate members of the local system's administrators group.
- 2.F.2 – Permissions Groups Discovery (T1069) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate members of the domain controller’s administrators group.
- 2.F.3 – Permissions Groups Discovery (T1069) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate members of the domain administrators group.
- 2.G.1 – Account Discovery (T1087) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate domain user accounts.
- 2.G.2 – Account Discovery (T1087) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate detailed information about a specific user account.
- 2.H.1 – Query Registry (T1012) via Command-Line Interface (T1059)
- The reg utility was executed via cmd to enumerate a specific Registry key associated with local system policies to ensure that the user will not be prompted for credentials when elevating permissions.
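The individual Step 2 commands are all benign on their own; what makes the step detectable is several distinct discovery utilities spawned by one parent within a few minutes. The following is an added example (not part of the evaluation material) that scores constructed process-creation log lines against the utilities and technique IDs listed above; the log field names, the five-minute window and the threshold of four utilities are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities named in Step 2, mapped to the technique IDs the page cites for
# them. The echo command (2.B.1) is a cmd built-in and never appears as a
# separate process-creation event, so command-line logging is needed for it.
DISCOVERY_UTILITIES = {
    "ipconfig.exe": {"T1016"},
    "arp.exe": {"T1016"},
    "tasklist.exe": {"T1057"},
    "sc.exe": {"T1007"},
    "net.exe": {"T1007", "T1082", "T1069", "T1087"},
    "systeminfo.exe": {"T1082"},
    "reg.exe": {"T1012"},
}

# Constructed line format (assumption): "<UTC time> ppid=<n> image=<path> cmdline=<text>"
LINE_RE = re.compile(r"^(\S+) ppid=(\d+) image=(\S+)(?: cmdline=(.*))?$")

# Constructed sample: one cmd parent (pid 4120) runs the Step 2 sequence in
# two minutes; a second parent (pid 900) runs a single ipconfig an hour later.
SAMPLE_EVENTS = [
    r"2019-01-01T10:00:01Z ppid=4120 image=C:\Windows\System32\ipconfig.exe cmdline=ipconfig /all",
    r"2019-01-01T10:00:05Z ppid=4120 image=C:\Windows\System32\arp.exe cmdline=arp -a",
    r"2019-01-01T10:00:20Z ppid=4120 image=C:\Windows\System32\tasklist.exe cmdline=tasklist",
    r"2019-01-01T10:00:31Z ppid=4120 image=C:\Windows\System32\sc.exe cmdline=sc query",
    r"2019-01-01T10:00:40Z ppid=4120 image=C:\Windows\System32\net.exe cmdline=net localgroup administrators",
    r"2019-01-01T10:00:55Z ppid=4120 image=C:\Windows\System32\notepad.exe cmdline=notepad",
    r"2019-01-01T10:01:02Z ppid=4120 image=C:\Windows\System32\systeminfo.exe cmdline=systeminfo",
    r"2019-01-01T10:01:30Z ppid=4120 image=C:\Windows\System32\net.exe cmdline=net user /domain",
    r"2019-01-01T10:02:00Z ppid=4120 image=C:\Windows\System32\reg.exe cmdline=reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
    r"2019-01-01T11:00:00Z ppid=900 image=C:\Windows\System32\ipconfig.exe cmdline=ipconfig",
]


def parse_event(line):
    """Parse one constructed log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ppid, image, cmdline = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ppid": int(ppid),
        "image": image.rsplit("\\", 1)[-1].lower(),  # keep only the file name
        "cmdline": cmdline or "",
    }


def find_discovery_bursts(lines, window=timedelta(minutes=5), threshold=4):
    """Return one finding per parent process whose children include at least
    `threshold` distinct discovery utilities inside any `window`-long span.
    The span with the most distinct utilities is the one reported."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["image"] in DISCOVERY_UTILITIES:
            by_parent[ev["ppid"]].append(ev)

    findings = []
    for ppid, events in sorted(by_parent.items()):
        events.sort(key=lambda e: e["time"])
        best = None
        for start, first in enumerate(events):
            in_window = [e for e in events[start:] if e["time"] - first["time"] <= window]
            seen = {e["image"] for e in in_window}
            if len(seen) >= threshold and (best is None or len(seen) > len(best["utilities"])):
                best = {
                    "ppid": ppid,
                    "first": first["time"],
                    "last": in_window[-1]["time"],
                    "utilities": sorted(seen),
                    "techniques": sorted(set().union(*(DISCOVERY_UTILITIES[i] for i in seen))),
                }
        if best:
            findings.append(best)
    return findings
```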
Step 3 - Privilege Escalation
We emulated privilege escalation by elevating our RAT’s process integrity level from medium to high, while maintaining the current user. Step 3 began with the execution of a User Account Control (UAC) bypass technique included in Cobalt Strike. The UAC Bypass technique resulted in a high integrity process that had limited functionality, but it allowed us to inject into an already existing high-integrity process, which was not limited in functionality. The targeted high-integrity process in this case was an elevated command-prompt started previously as the legitimate user.
Step 3 tested the following techniques:
- 3.A.1 - Bypass User Account Control (T1088) via Access Token Manipulation (T1134)
- A Cobalt Strike native UAC bypass technique was executed to steal the token of an existing high-integrity process and launch a new, high-integrity RAT with limited functionality.
- 3.B.1 - Process Discovery (T1057) via Execution Through API (T1106)
- Native API call(s) were executed to enumerate local running processes.
- 3.C.1 - Process Injection (T1055)
- The limited-functionality high-integrity RAT then injected malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT.
Step 4 - Discovery for Lateral Movement
We emulated a second round of discovery using a sequence of discovery commands executed through the high-integrity command-line interface that was injected into during Step 3.C.1. Discovery techniques in Step 4 targeted knowledge about the system and network specifically related to enabling lateral movement.
Step 4 tested the following techniques:
- 4.A.1 - Remote System Discovery (T1018) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate DCs within the domain.
- 4.A.2 - Remote System Discovery (T1018) via Command-Line Interface (T1059)
- The net utility was executed via cmd to enumerate hosts within the domain.
- 4.B.1 – System Network Configuration Discovery (T1016) via Command-Line Interface (T1059)
- The netsh utility was executed via cmd to enumerate local firewall configuration information.
- 4.C.1 – System Network Connections Discovery (T1049) via Command-Line Interface (T1059)
- The netstat utility was executed via cmd to enumerate local active network connections.
Step 5 - Credential Access
We emulated credential access in a way such that it exposed different formats of legitimate credentials. Step 5 consisted of dumping both plaintext and hashed user passwords, as well as theft of a separate user’s authentication token.
Step 5 tested the following techniques:
- 5.A.1 – Credential Dumping (T1003) using Process Injection (T1055)
- The Cobalt Strike native Mimikatz utility was executed to dump passwords via process injection into LSASS.
- 5.A.2 – Credential Dumping (T1003) using Process Injection (T1055)
- The Cobalt Strike native hashdump utility was executed to dump hashes via process injection into LSASS.
- 5.B.1 – Access Token Manipulation (T1134)
- The Cobalt Strike native token theft utility was executed to steal and assume the token of another user’s existing process, changing the user context of the RAT process.
Step 6 - Lateral Movement
We emulated lateral movement by establishing a Remote Desktop Protocol (RDP) connection to a remote host. Step 6 began with discovery targeting the remote host to ensure RDP was enabled before modifying and leveraging the existing C2 channel to establish an RDP session.
Step 6 tested the following techniques:
- 6.A.1 – Query Registry (T1012) via Command-Line Interface (T1059)
- The reg utility was executed via cmd to remotely enumerate a specific Registry key associated with terminal services to ensure RDP was enabled.
- 6.B.1 – Commonly Used Port (T1043), Standard Application Layer Protocol (T1071), and Multiband Communication (T1026)
- The existing C2 channel was modified to callback over HTTP port 80 as well as the existing DNS channel.
- 6.C.1 – Remote Desktop Protocol (T1076)
- The existing C2 channel was used to proxy an RDP connection to a target remote host.
Step 7 - Persistence
We emulated persistence using two distinct mechanisms. Step 7 included both the addition of a new user (through the previously established lateral movement RDP connection) as well as the creation of a scheduled task on the compromised host.
Step 7 tested the following techniques:
- 7.A.1 - Create Account (T1136) using Graphical User Interface (T1061) with residual Account Discovery (T1087)
- Through the RDP session to the remote host, the GUI Management Console utility mmc was used to add another local user account, including memberships in the local administrators and RDP-enabled groups. Use of the GUI utility also incidentally enumerated local system user accounts.
- 7.B.1 - Remote File Copy (T1105)
- Another Cobalt Strike DLL payload was dropped to disk on the initially compromised system.
- 7.C.1 - Scheduled Tasks (T1053) and Rundll32 (T1085) via Command-Line Interface (T1059)
- The schtasks utility was executed via cmd to create a scheduled task that executed the Cobalt Strike DLL payload whenever the user logs in.
Step 8 - Collection
We emulated collection to identify and gather information. Step 8 included locating files of interest within local and remote file systems, as well as using API calls to harvest keystrokes and a screenshot.
Step 8 tested the following techniques:
- 8.A.1 – File and Directory Discovery (T1083) via Command-Line Interface (T1059)
- The native dir command was executed via cmd to enumerate files on a pre-mapped remote file share.
- 8.A.2 – File and Directory Discovery (T1083) via Command-Line Interface (T1059)
- The tree utility was executed via cmd to enumerate files in the local filesystem of the initially compromised system.
- 8.B.1 – Process Discovery (T1057) via Execution Through API (T1106)
- Native API call(s) were executed to enumerate local running processes.
- 8.C.1 – Input Capture (T1056) via Execution Through API (T1106) with residual Application Window Discovery (T1010)
- Native API call(s) were used to identify and collect user keystrokes from the local explorer process. Use of the Cobalt Strike native keylogging utility also incidentally enumerated contextual information about target application windows.
- 8.D.1 – Screen Capture (T1113) by Process Injection (T1055) via Execution Through API (T1106)
- Native API call(s) were used to inject into and collect a screenshot from the local explorer process.
Step 9 - Exfiltration
We emulated exfiltration by locating and stealing data. Step 9 began with the discovery of specific directories of interest followed by exfiltration of a file through the existing C2 channel.
Step 9 tested the following techniques:
- 9.A.1 – File and Directory Discovery (T1083) via Execution Through API (T1106)
- Native API call(s) were used to enumerate files in a remote file share.
- 9.B.1 – Data from Network Shared Drive (T1039), Exfiltration over C2 Channel (T1041) via Execution Through API (T1106)
- Native API call(s) were used to copy a target file from a remote file share through the existing DNS C2 channel.
Step 10 - Execution of Persistence
We emulated the execution of persistence by triggering previously established persistence mechanisms. Step 10 began with a simulated user logon that triggered two RATs to execute and check-in with the attacker infrastructure, followed by a remote logon of a previously added user account.
Step 10 tested the following techniques:
- 10.A.1 – Registry Run Key / Startup Folder (T1060) from 1.B
- The batch file (that launches a Cobalt Strike DLL payload) in the Startup folder was executed when the user logged off and back on.
- 10.A.2 – Scheduled Task (T1053) from 7.C
- The scheduled task (that launches a Cobalt Strike DLL payload) was executed when the user logged off and back on.
- 10.B.1 – Valid Accounts (T1078) using RDP (T1076) from 7.A
- The previously added user account was used to authenticate and establish an RDP connection back to the remote host targeted during lateral movement.
Second Scenario
We used Empire, an open-source red team tool, to execute our emulation for the second scenario.
Step 11 - Initial Compromise
We emulated initial compromise via a malicious VBScript delivered through a drive-by compromise. Delivery was out of scope for our evaluation, so Step 11 began with an emulated legitimate user executing the payload on the victim host. The malicious script was a first stage payload that downloaded and executed a PowerShell payload to establish a C2 channel.
Step 11 tested the following techniques:
- 11.A.1 – Scripting (T1064) via PowerShell (T1086)
- A legitimate user executed the VBScript stager, which launches PowerShell to download and execute an Empire payload.
- 11.B.1 – Commonly Used Port (T1043), Standard Application Layer Protocol (T1071), and Standard Cryptographic Protocol (T1032)
- The executed Empire payload established an encrypted C2 channel over HTTPS on TCP port 443.
Step 12 - Initial Discovery
We emulated initial discovery using a sequence of common discovery commands executed through PowerShell, including scripting and a series of API calls. Discovery techniques in Step 12 targeted gaining fundamental knowledge about the system and network required before follow-on activity.
Step 12 tested the following techniques:
- 12.A.1 – System Network Configuration Discovery (T1016) via PowerShell (T1086)
- The route utility was executed via PowerShell to enumerate the local routing table.
- 12.A.2 – System Network Configuration Discovery (T1016) via PowerShell (T1086)
- The ipconfig utility was executed via PowerShell to enumerate local TCP/IP network configuration information.
- 12.B.1 – System Owner / User Discovery (T1033) via PowerShell (T1086)
- The whoami utility was executed via PowerShell to enumerate information about the current user context.
- 12.C.1 – Process Discovery (T1057) via PowerShell (T1086)
- The qprocess utility was executed via PowerShell to enumerate local running processes.
- 12.D.1 – System Service Discovery (T1007) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate local active services.
- 12.E.1 – Scripting (T1064) via PowerShell (T1086) and Execution through API (T1106)
- The Empire WinEnum module was executed via PowerShell to execute the following Discovery and Collection techniques:
- 12.E.1.1 – System Owner / User Discovery (T1033) – WinEnum: Get-UserInfo
- 12.E.1.2 – Permission Groups Discovery (T1069) – WinEnum: “AD Group Memberships”
- 12.E.1.3 – Password Policy Discovery (T1201) – WinEnum: “Password Last Changed”
- 12.E.1.4.1 – File and Directory Discovery (T1083) – WinEnum: “Last 5 Files Opened”
- 12.E.1.4.2 - File and Directory Discovery (T1083) – WinEnum: “Interesting Files”
- 12.E.1.5 – Clipboard Data (T1115) – WinEnum: “Clipboard Contents”
- 12.E.1.6.1 – System Information Discovery (T1082) – WinEnum: Get-SysInfo
- 12.E.1.6.2 - System Information Discovery (T1082) – WinEnum: “Windows Last Updated”
- 12.E.1.7 – Query Registry (T1012) – WinEnum: Get-SysInfo
- 12.E.1.8 – System Service Discovery (T1007) – WinEnum: “Services”
- 12.E.1.9.1 – Network Share Discovery (T1135) – WinEnum: “Available Shares”
- 12.E.1.9.2 – Network Share Discovery (T1135) – WinEnum: “Mapped Network Drives”
- 12.E.1.10.1 – Security Software Discovery (T1063) – WinEnum: “AV Solution”
- 12.E.1.10.2 - Security Software Discovery (T1063) – WinEnum: “Firewall Rules”
- 12.E.1.11 - System Network Configuration Discovery (T1016) – WinEnum: Get-NetInfo – “Network Adapters”
- 12.E.1.12 – System Network Connections Discovery (T1049) – WinEnum: Get-NetInfo – “Netstat Established Connections and Processes”
- 12.F.1 – Permissions Group Discovery (T1069) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate members of the Domain Administrators group.
- 12.F.2 – Permissions Group Discovery (T1069) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate members of the local Administrators group.
- 12.G.1 – Account Discovery (T1087) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate local system user accounts.
- 12.G.2 – Account Discovery (T1087) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate domain user accounts.
Step 13 - Discovery for Lateral Movement
We emulated a second round of discovery using a sequence of common discovery commands executed through PowerShell. Discovery techniques in Step 13 targeted knowledge about the system and network specifically related to enabling lateral movement.
Step 13 tested the following techniques:
- 13.A.1 – Remote System Discovery (T1018) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate hosts within the domain.
- 13.B.1 – System Network Connections Discovery (T1049) via PowerShell (T1086)
- The net utility was executed via PowerShell to enumerate local active network connections.
- 13.B.2 – System Network Connections Discovery (T1049) via PowerShell (T1086)
- The netstat utility was executed via PowerShell to enumerate local active network connections.
- 13.C.1 – Query Registry (T1012) via PowerShell (T1086)
- The reg utility was executed via cmd to enumerate a specific Registry key associated with local system policies to ensure that the user will not be prompted for credentials when elevating permissions.
Step 14 - Privilege Escalation
We emulated privilege escalation by elevating our RAT’s process integrity level from medium to high, while maintaining our current user. Step 14 consisted of a UAC bypass technique native to Empire to download and execute a new stager, spawning a new high-integrity RAT.
Step 14 tested the following techniques:
- 14.A.1 - Bypass UAC (T1088) with Remote File Copy (T1105), Standard Application Layer Protocol (T1071), Commonly Used Port (T1043)
- The Empire native UAC bypass attack was executed to steal the token of an existing high-integrity process, download a new payload over HTTP port 8080 and execute it, resulting in a RAT running in a high-integrity context.
Step 15 - Credential Access
We emulated credential access to identify and gather passwords. Step 15 included harvesting keystrokes from the initially compromised system as well as stealing files containing credentials from a remote file share.
Step 15 tested the following techniques:
- 15.A.1 – Input Capture (T1056) with residual Application Window Discovery (T1010)
- The Empire native keylogger module was executed to collect keystrokes from local processes, including login credentials and accesses to sensitive files. Use of the Empire native keylogger module also incidentally enumerated contextual information about target application windows.
- 15.B.1 – Credentials in Files (T1081) via PowerShell (T1086)
- The native Get-Content cmdlet was executed via PowerShell to copy a target file from a remote file share previously identified during the keylogging process as containing credentials.
Step 16 - Lateral Movement
We emulated lateral movement via a sequence of actions to obtain and employ credentials to access and execute on remote hosts. Step 16 began with a brute force technique to expose valid credentials, followed by a remote file copy and execution of a VBScript stager through a new service.
Step 16 tested the following techniques:
- 16.A.1 – Brute Force (T1110) to Windows Admin Shares (T1077) via PowerShell (T1086)
- The net utility was executed via PowerShell to perform password-spraying authentication attempts against remote admin shares.
- 16.B.1 – Valid Accounts (T1078) to Windows Admin Shares (T1077) via PowerShell (T1086) because of Brute Force (T1110)
- The net utility was executed via PowerShell to successfully authenticate to and mount a remote admin share using credentials of a separate user exposed by the brute force.
- 16.C.1 – Network Share Connection Removal (T1126) via PowerShell (T1086)
- The net utility was executed via PowerShell to remove the previous mapped remote admin share.
- 16.D.1 – Windows Admin Shares (T1077) using Valid Accounts (T1078) via PowerShell (T1086)
- The net utility was executed via PowerShell to successfully authenticate to and mount a remote admin share on the domain controller.
- 16.E.1 – Remote File Copy (T1105) via PowerShell (T1086)
- Another Empire stager was dropped to disk on the initial victim.
- 16.F.1 – Command-Line Interface (T1059)
- The Empire native runas module was executed to launch the Empire stager via cmd using the credentials previously exposed by the brute force.
- 16.G.1 - Remote File Copy (T1105) via PowerShell (T1086)
- The native move command was executed via PowerShell to copy the Empire stager to the domain controller.
- 16.H.1 – System Service Discovery (T1007) via PowerShell (T1086)
- The sc utility was executed via PowerShell to enumerate active services on the domain controller.
- 16.I.1 – New Service (T1050) and Masquerading (T1036) via PowerShell (T1086)
- The sc utility was executed via PowerShell to create and attempt to disguise a new service on the domain controller.
- 16.J.1 – System Service Discovery (T1007) via PowerShell (T1086)
- The sc utility was executed via PowerShell to enumerate the newly created service on the domain controller.
- 16.K.1 – File and Directory Discovery (T1083) via PowerShell (T1086)
- The native type command was executed via PowerShell to enumerate the Empire stager previously copied to the domain controller.
- 16.L.1 – Service Execution (T1035) via PowerShell (T1086)
- The sc utility was executed via PowerShell to launch the newly created service on the domain controller, executing the Empire stager and creating a new, elevated RAT on the domain controller.
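Sub-steps 16.A.1 and 16.B.1 together form the pattern a defender wants to catch: failed logons for many different accounts from one source in a short time, followed by a success from the same source for one of those accounts. The following is an added example (not from the evaluation material) that runs that logic over constructed logon events modelled on Windows event IDs 4625 (failure) and 4624 (success); the line format, the ten-minute window and the five-account threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (assumption):
#   "<UTC time> id=<4624|4625> src=<workstation> user=<account> type=<logon type>"
# Logon type 3 is a network logon, which is what connecting to an admin share produces.
LOGON_RE = re.compile(r"^(\S+) id=(4624|4625) src=(\S+) user=(\S+) type=(\d+)$")

# Constructed sample: WS01 tries six accounts in six seconds and then succeeds
# as one of them; WS02 is a user mistyping their own password, not a spray.
SAMPLE_LOGONS = [
    "2019-01-01T14:00:01Z id=4625 src=WS01 user=alice type=3",
    "2019-01-01T14:00:02Z id=4625 src=WS01 user=bob type=3",
    "2019-01-01T14:00:03Z id=4625 src=WS01 user=carol type=3",
    "2019-01-01T14:00:04Z id=4625 src=WS01 user=dave type=3",
    "2019-01-01T14:00:05Z id=4625 src=WS01 user=svc_backup type=3",
    "2019-01-01T14:00:06Z id=4625 src=WS01 user=erin type=3",
    "2019-01-01T14:00:40Z id=4624 src=WS01 user=svc_backup type=3",
    "2019-01-01T14:05:00Z id=4625 src=WS02 user=bob type=2",
    "2019-01-01T14:05:09Z id=4625 src=WS02 user=bob type=2",
    "2019-01-01T14:05:20Z id=4624 src=WS02 user=bob type=2",
]


def parse_logon(line):
    """Parse one constructed logon line; returns None for anything else."""
    m = LOGON_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, src, user, logon_type = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "src": src,
        "user": user.lower(),
        "type": int(logon_type),
    }


def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=5,
                          network_only=True):
    """One finding per source host whose failed logons inside `window` span at
    least `min_accounts` distinct accounts. Any later success from that host
    for a sprayed account (the 16.B.1 pattern) is listed under "successes"."""
    events = [e for e in map(parse_logon, lines) if e]
    if network_only:
        events = [e for e in events if e["type"] == 3]
    events.sort(key=lambda e: e["time"])

    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["id"] == 4625 else successes)[e["src"]].append(e)

    findings = []
    for src, fails in sorted(failures.items()):
        for start, first in enumerate(fails):
            in_window = [f for f in fails[start:] if f["time"] - first["time"] <= window]
            accounts = {f["user"] for f in in_window}
            if len(accounts) >= min_accounts:
                later = sorted({s["user"] for s in successes[src]
                                if s["user"] in accounts and s["time"] >= first["time"]})
                findings.append({
                    "src": src,
                    "first_failure": first["time"],
                    "accounts": sorted(accounts),
                    "successes": later,
                })
                break  # one finding per source is enough for triage
    return findings
```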
Step 17 - Persistence
We emulated persistence via a sequence of actions that abuse accessibility programs as a persistence mechanism. Step 17 began with discovery to ensure RDP was enabled on the domain controller before swapping the binary of the magnify accessibility feature. These techniques were performed using the RAT on the domain controller.
Step 17 tested the following techniques:
- 17.A.1 – System Service Discovery (T1007) and Query Registry (T1012) via PowerShell (T1086)
- The reg utility was executed via PowerShell to identify a specific Registry key associated with terminal services to ensure RDP was enabled.
- 17.B.1 – File Permissions Modification (T1222) via PowerShell (T1086)
- The takeown utility was executed via PowerShell to obtain ownership of the magnify utility binary.
- 17.B.2 – File Permissions Modification (T1222) via PowerShell (T1086)
- The icacls utility was executed via PowerShell to modify the discretionary access control list for the magnify utility binary.
- 17.C.1 – Accessibility Features (T1015) via PowerShell (T1086)
- The native copy command was executed via PowerShell to overwrite the magnify utility binary with the cmd utility binary.
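The 17.B and 17.C sequence leaves a durable artifact: an accessibility binary whose contents are now those of cmd.exe. The following is an added example (not from the evaluation material) that flags any accessibility binary in a directory whose hash equals a shell binary's, and diffs hashes against a stored baseline to catch replacement with anything else; the accessibility names beyond magnify.exe are an assumed list of well-known logon-screen helpers, and the demo directory it builds is constructed data.

```python
import hashlib
import tempfile
from pathlib import Path

# magnify.exe is the binary Step 17 replaces; the rest are further accessibility
# helpers reachable from the Windows logon screen (assumed list).
ACCESSIBILITY_BINARIES = ("magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe")
# Shells worth comparing against; cmd.exe is the one used in 17.C.1.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


def sha256_of(path):
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(system32):
    """Hash every accessibility and shell binary present; missing files map to None."""
    system32 = Path(system32)
    out = {}
    for name in ACCESSIBILITY_BINARIES + SHELL_BINARIES:
        p = system32 / name
        out[name] = sha256_of(p) if p.is_file() else None
    return out


def find_replaced_accessibility_binaries(system32):
    """Return (accessibility binary, shell) pairs whose contents are identical."""
    hashes = snapshot_hashes(system32)
    hits = []
    for acc in ACCESSIBILITY_BINARIES:
        for shell in SHELL_BINARIES:
            if hashes[acc] is not None and hashes[acc] == hashes[shell]:
                hits.append((acc, shell))
    return hits


def diff_against_baseline(baseline, current):
    """Names whose hash differs from the baseline taken on a known-good system.
    This also catches a swap for something other than a known shell."""
    return sorted(n for n in baseline if baseline[n] != current.get(n))


def build_demo_system32():
    """Constructed stand-in for System32 so the checks run on any platform."""
    d = Path(tempfile.mkdtemp(prefix="apt3-step17-demo-"))
    (d / "cmd.exe").write_bytes(b"constructed stand-in for cmd.exe")
    (d / "magnify.exe").write_bytes(b"constructed stand-in for cmd.exe")  # swapped, as in 17.C.1
    (d / "sethc.exe").write_bytes(b"constructed stand-in for sethc.exe")
    (d / "utilman.exe").write_bytes(b"constructed stand-in for utilman.exe")
    return d


if __name__ == "__main__":
    demo = build_demo_system32()
    print(find_replaced_accessibility_binaries(demo))  # [('magnify.exe', 'cmd.exe')]
```

On a real host, point `snapshot_hashes` at the actual System32 directory and keep the baseline from a clean build; the takeown step in 17.B.1 additionally changes the file owner away from TrustedInstaller, which is a second signal this portable check does not cover.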
Step 18 - Collection
We emulated collection via a sequence of actions to identify and stage collected files. Step 18 included locating files of interest within remote file shares and staging target files on the initially compromised host.
Step 18 tested the following techniques:
- 18.A.1 – File and Directory Discovery (T1083) via PowerShell (T1086)
- The native Get-ChildItem cmdlet was executed via PowerShell to enumerate files in a remote file share.
- 18.B.1 – Data Staged (T1074) from Network Shared Drive (T1039) via PowerShell (T1086)
- The native copy command was executed via PowerShell to copy and stage a target file from a remote file share on the initially compromised host.
Step 19 - Exfiltration
We emulated exfiltration by compressing, encrypting, and stealing data previously staged. Step 19 began with uploading and using a renamed archiving utility, WinRAR, followed by exfiltration through a network connection separate from the existing C2 channel, and finally deletion of the files that were created.
Step 19 tested the following techniques:
- 19.A.1 – Remote File Copy (T1105) and Masquerading (T1036)
- A renamed binary of the WinRAR utility was dropped to disk on the initially compromised host.
- 19.B.1 – Data Compressed (T1002), Data Encrypted (T1022), Masquerading (T1036)
- The renamed WinRAR utility was used to create an encrypted archive of the previously staged target file.
- 19.C.1 - Exfiltration over Alternative Protocol (T1048)
- The ftp utility was executed to copy the previously created archive through a network connection separate from the C2 channel.
- 19.D.1 – File Deletion (T1107) via PowerShell (T1086)
- The native del command was executed via PowerShell to delete the previously created files.
- 19.D.2 – File Deletion (T1107) via PowerShell (T1086)
- The native del command was executed via PowerShell to delete the renamed WinRAR utility.
Step 20 - Execution of Persistence
We emulated the execution of persistence by triggering the accessibility feature persistence established in Step 17. Step 20 began with an RDP connection to the domain controller, where the replaced magnify binary was launched from the logon screen, followed by discovery of the resulting user context.
Step 20 tested the following techniques:
- 20.A.1 – Accessibility Features (T1015) via Remote Desktop Protocol (T1076) from 17.C
- The cmd binary that replaced the magnify binary was executed through the logon screen of an RDP connection made to the domain controller.
- 20.B.1 – System Owner / User Discovery (T1033)
- The native whoami command was executed via the previously launched cmd to identify information about the current user context.