The 2021 ATT&CK Evaluations for Enterprise Call for Participation is now open. Click here to learn how to participate.

Home  >  Enterprise APT29 Overview


Overview

APT29

Enterprise Evaluation 2019
RESULTS
  • Call For Participation
  • Evaluating
  • Preparing
  • Published
ATT&CK Description

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.  [1] [2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [3]

Emulation Notes

APT29 is distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. APT29 typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims.

Results

Operational Flow

The Operations Flow chains techniques together into a logical order that commonly occur across APT29 operations. In the case of APT29, we break out their operations into two distinct scenarios:

Scenario 1: This scenario starts with a “smash-and-grab” then rapid espionage mission that focuses on gathering and exfiltrating data, before transitioning to stealthier techniques to achieve persistence, further data collection, credential access, and lateral movement. The scenario ends with the execution of previously established persistence mechanisms.

Scenario 2: This scenario consists of a stealthier and slower approach to compromising the initial target, establishing persistence, harvesting credentials, then finally enumerating and compromising the entire domain. The scenario ends with a simulated time-lapse where previously established persistence mechanisms are executed.

For details on the APT29 emulation please refer to the Operational Flow, or expore other resources:

Technique Scope

For the APT29 evaluation, we tested 58 of 60 in scope Enterprise ATT&CK techniques across 10 ATT&CK tactics. Uncommonly Used Port was added to scope at the time of evaluation. DLL Search Order Hijacking was not evaluated. Process Injection was part of Step 19, which was excluded from results. The Initial Access tactic was considered out of scope for the evaluation. The in-scope techniques for the APT29 evaluation are displayed below and are also highlighted in each vendor’s results page.

You can view the in scope Techniques for the APT29 evaluation in the ATT&CK Navigator by checking out the layer file we made available here. A preview is shown below! The Techniques in-scope for Round 2 are highlighted in green. (Updated April 21, 2020)

Learn More: Technique Scope Page

Environment

Figure 1: APT29 Evaluation Environment

The APT29 evaluations used a Windows domain hosted in Microsoft Azure, with one domain controller, one file server and five clients. All VMs were the “Standard B4MS” instance, with four vCPUs and 16GB memory. The servers ran Windows Server with SKU: “2019-Datacenter” and the clients ran Windows 10 1903 with SKU “19h1-pro” or “1903-evd-o365pp.”

In addition to disabling Windows Defender we made a number of modifications to the standard images to execute our evaluation. Full details can be found here.

Learn More: Environment Page

Detection Categories

Vendors use their own terminology and approaches to detect potential adversary behavior. They provide this information to us in their unique way, and then it is our responsibility to abstract the data using detection categories to talk about the products in similar ways.

These categories are divided into two types: “Main” and “Modifier.” Each detection receives one main category designation, which relates to the amount of context provided to the user. A detection may optionally receive one or more modifier category designations that help describe the detection in more detail. For the APT29 evaluation, there are six main detection categories representing the amount of context provided to the analyst.

You can learn more about our process for processing detections here.

Learn More: Detection Categories Page