APT29 Evaluation: Operational Flow
The Operational Flow separated technique execution into sequences we referred to as “Steps”. Organizing our execution into Steps ensured that the detection displayed was correctly associated with the technique that was being tested. Each Step corresponded to an adversary’s intended goal during an operation. We performed 20 Steps in total across two scenarios: 10 Steps corresponded to our first scenario (which used Pupy, Meterpreter, and custom tooling), and 10 Steps corresponded to our second scenario (which used PoshC2 and custom tooling). We further divided each Step into Sub-Steps that are denoted by letters (e.g. 1A, 1B, etc.). Those Steps and the corresponding techniques are outlined below.
This information is also available in a single, downloadable PDF document.
First Scenario
The content to execute this scenario was tested and developed using Pupy, Meterpreter, and other custom/modified scripts and payloads. Pupy and Meterpreter were chosen based on their available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step by step instructions on how to execute the Day 1 scenario, is available at ATT&CK Arsenal.
Step 1 - Initial Compromise: Malware is executed on victim; establishes C2 connection
High Level Overview of Emulation and Techniques Evaluated:
The scenario begins with an initial breach, where a legitimate user clicks (T1204) an executable payload (screensaver executable) masquerading as a benign Word document (T1036). Once executed, the payload creates a C2 connection over port 1234 (T1065) using the RC4 cryptographic cipher. The attacker then uses the active C2 connection to spawn interactive cmd.exe (T1059) and powershell.exe (T1086) shells.
Cited Intelligence:
CosmicDuke’s infection payloads have started by tricking victims into opening a Windows executable whose filename is manipulated to look like an image file using the Right-to-Left Override (RLO) feature. CosmicDuke has also used RC4 to decrypt incoming data and encrypt outgoing data. [2] SeaDuke and CozyDuke have used the RC4 cipher to encrypt data. [4] [7] [13] [16] CozyDuke can be used to spawn a command line shell. [16]
Open Invitation Contributor(s):
Kaspersky
Emulation Content:
The Day 1 README.md file describes how to either use the precompiled cod.3aka3.scr or generate a custom payload (via payload_configs.md), as well as additional commands to complete the step.
Step 2 - Collection and Exfiltration: Adversary performs smash-and-grab data theft
High Level Overview of Emulation and Techniques Evaluated:
The attacker runs a one-liner command to search the filesystem for document and media files (T1083, T1119), collecting (T1005) and compressing (T1002) the content into a single file (T1074). The file is then exfiltrated over the existing C2 connection (T1041).
Cited Intelligence:
CosmicDuke’s information stealing functionality included stealing user files with file extensions that match a predefined list. [1] [2]
Open Invitation Contributor(s):
Kaspersky
Emulation Content:
The Day 1 README.md file contains the commands to complete the step.
Step 3 - Deploy Stealth Toolkit: Adversary drops secondary malware, elevates privileges, and establishes new C2 connection
High Level Overview of Emulation and Techniques Evaluated:
The attacker now uploads a new payload (T1105) to the victim. The payload is a legitimately formed image file with a concealed PowerShell script (T1027). The attacker then elevates privileges via a user account control (UAC) bypass (T1122, T1088), which executes the newly added payload. A new C2 connection is established over port 443 (T1043) using the HTTPS protocol (T1071, T1032). Finally, the attacker removes artifacts of the privilege escalation from the Registry (T1112).
Cited Intelligence:
CosmicDuke has occasionally embedded other malware components that are written to disk and executed. [1]
MiniDuke has transferred additional backdoors onto a system via GIF files. [3] SeaDaddy/SeaDuke may support HTTPS/SSL network communications. [4] [13]
APT29 has removed tools and forensic artifacts to hide activity, including the usage of Sdelete (S0195). APT29 has also bypassed UAC to elevate privileges. [5]
HAMMERTOSS has embedded pictures with commands using steganography. [6]
Open Invitation Contributor(s):
Kaspersky
Microsoft
Emulation Content:
The Day 1 README.md file describes how to either use the prebuilt monkey.png or generate a custom payload (via payload_configs.md), as well as additional commands to complete the step.
Step 4 - Clean Up and Reconnaissance: Adversary drops new tools, cleans up artifacts of breach, and surveys the victim environment
High Level Overview of Emulation and Techniques Evaluated:
The attacker uploads additional tools (T1086) through the new, elevated access before spawning an interactive powershell.exe shell (T1086). The additional tools are decompressed (T1140) and positioned on the target for usage. The attacker then enumerates running processes (T1057) to discover and terminate the initial access from Step 1 before deleting various files (T1107) associated with that access. Finally, the attacker launches a PowerShell script that performs a wide variety of reconnaissance commands (T1083, T1033, T1082, T1016, T1057, T1063, T1069), some of which are done by accessing the Windows API (T1106).
Cited Intelligence:
CozyDuke has been instructed to download and execute other executables, which in some cases included common hacking tools such as PSExec (S0029). [1]
MiniDuke can download and execute new malware and lateral movement tools. [3]
APT29 has removed tools and forensic artifacts to hide activity. [5] [7] [13]
CozyDuke can be used to spawn a command line shell. [16]
Open Invitation Contributor(s):
Microsoft
Kaspersky
SentinelOne
Emulation Content:
The Day 1 README.md file contains the commands to complete the step, including executing the Invoke-Discovery function within readme.txt.
Step 5 - Establish Persistence: Adversary establishes two separate means of persistent access to the victim
High Level Overview of Emulation and Techniques Evaluated:
The attacker establishes two distinct means of persistent access to the victim by creating a new service (T1050) and creating a malicious payload in the Windows Startup folder (T1060).
Cited Intelligence:
CosmicDuke has installed a Windows service to achieve persistence on a system. [2]
SeaDuke has the ability to persist using a .lnk file stored in the Startup directory. [4]
APT29 has used several persistence mechanisms, including .LNK files. [5]
Open Invitation Contributor(s):
Kaspersky
Emulation Content:
The Day 1 README.md file describes how to generate custom hostui.exe and javamtsup.exe payloads (via payload_configs.md), as well as additional commands to complete the step, including executing the Invoke-Persistence function within readme.txt.
Step 6 - Credential Access: Adversary gathers various forms of credential materials
High Level Overview of Emulation and Techniques Evaluated:
The attacker accesses credentials stored in a local web browser (T1081, T1003) using a tool renamed to masquerade as a legitimate utility (T1036). The attacker then harvests private keys (T1145) and password hashes (T1003).
Cited Intelligence:
CosmicDuke’s information stealing functionality has included exporting users’ cryptographic certificates, including private keys, and collecting user credentials, including passwords from web browsers (e.g. Google Chrome). CozyDuke has contained modules that can steal NTLM hashes as well as capture screenshots. [1] [2]
Open Invitation Contributor(s):
Kaspersky
SentinelOne
Emulation Content:
The Day 1 README.md file contains the commands to complete the step, including executing the Get-PrivateKeys function within readme.txt.
Step 7 - Collection and Exfiltration: Adversary collects data from victim user, exfiltrates data to attacker-controlled infrastructure
High Level Overview of Emulation and Techniques Evaluated:
The attacker collects screenshots (T1113), data from the user’s clipboard (T1115), and keystrokes (T1056). The attacker then collects files (T1005), which are compressed (T1002) and encrypted (T1022), before being exfiltrated to an attacker-controlled WebDAV share (T1048).
Cited Intelligence:
CosmicDuke’s information stealing functionality has included keylogging, taking screenshots, and stealing clipboard contents. Collected data can be exfiltrated using WebDAV. [1] [2]
CozyDuke can be used to take screenshots of a full desktop window and encrypt collected data. [16]
Open Invitation Contributor(s):
Kaspersky
Emulation Content:
The Day 1 README.md file contains the commands to complete the step, including executing the Invoke-ScreenCapture, Get-Clipboard, Get-Keystrokes, and Invoke-Exfil functions within psversion.txt.
Step 8 - Expand Access: Adversary enumerates then executes payload on a remote workstation
High Level Overview of Emulation and Techniques Evaluated:
The attacker uses Lightweight Directory Access Protocol (LDAP) queries to enumerate other hosts in the domain (T1018) before creating a remote PowerShell session to a secondary victim (T1028). Through this connection, the attacker enumerates running processes (T1057). Next, the attacker uploads a new UPX-packed payload (T1045) to the secondary victim. This new payload is executed on the secondary victim via the PSExec utility (T1077, T1035) using the previously stolen credentials (T1078).
Cited Intelligence:
SeaDuke has been written in Python and has been delivered through the CozyDuke toolkit. [1] [13]
SeaDuke/SeaDaddy samples have been UPX-packed. [4] [5] [12]
APT29 has UPX-packed and used SMB to transfer files. [5] APT29 has used UPX-packed, Python-compiled backdoors. [7]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 1 README.md file describes how to generate a custom python.exe payload (via payload_configs.md), as well as additional commands to complete the step, including executing the Ad-Search and Invoke-SeaDukeStage functions within psversion.txt.
Step 9 - Clean Up, Collection, and Exfiltration: Adversary drops new tools, performs smash-and-grab data theft, then cleans up artifacts of breach on a remote workstation
High Level Overview of Emulation and Techniques Evaluated:
The attacker uploads additional utilities to the secondary victim (T1105) before running a PowerShell one-liner command (T1086) to search the filesystem for document and media files (T1083, T1119). Files of interest are collected (T1005), then encrypted (T1022) and compressed (T1002) into a single file (T1074). The file is then exfiltrated over the existing C2 connection (T1041). Finally, the attacker deletes various files (T1107) associated with that access.
Cited Intelligence:
CosmicDuke’s information stealing functionality has included stealing user files with file extensions that match a predefined list and exfiltrating collected data via HTTPS. SeaDuke can execute commands such as uploading and downloading files. [1] [2] MiniDuke can download and execute new malware and lateral movement tools. [3] SeaDuke has contained commands to download and Base64-encode files. [4] APT29 has removed tools and forensic artifacts to hide activity, including the usage of Sdelete (S0195). [5] [7] [13] SeaDaddy has used RAR to archive collected data. [7] CozyDuke can be used to take screenshots of a full desktop window and encrypt collected data. [16]
Open Invitation Contributor(s):
Kaspersky
Microsoft
SentinelOne
Emulation Content:
The Day 1 README.md file contains the commands to complete the step.
Step 10 - Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted
High Level Overview of Emulation and Techniques Evaluated:
The original victim is rebooted and the legitimate user logs in, emulating ordinary usage and a passage of time. This activity triggers the previously established persistence mechanisms, namely the execution of the new service (T1035) and the payload in the Windows Startup folder (T1060). The payload in the Startup folder executes a follow-on payload using a stolen token (T1106, T1134).
Cited Intelligence:
CosmicDuke has installed persistence services that duplicate and use the process token of explorer.exe to start the malware. [2]
Open Invitation Contributor(s):
Kaspersky
Emulation Content:
The Day 1 README.md file contains the commands to complete the step.
Second Scenario
The content to execute this scenario was tested and developed using PoshC2 and other custom/modified scripts and payloads. PoshC2 was chosen based on its available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step by step instructions on how to execute the Day 2 scenario, is available at ATT&CK Arsenal.
Step 11 - Initial Compromise: Malware is executed on victim; surveys victim then establishes persistence access and C2 connection
High Level Overview of Emulation and Techniques Evaluated:
The scenario begins with an initial breach, where a legitimate user clicks (T1204) a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file (T1096) delivered as part of the spearphishing campaign. The ADS performs a series of enumeration commands to ensure it is not executing in a virtualized analysis environment (T1497, T1082, T1120, T1033, T1016, T1057, T1083) before establishing persistence via a Windows Registry Run key entry (T1060) pointing to an embedded DLL payload that was decoded and dropped to disk (T1140). The ADS then executes a PowerShell stager (T1086) which creates a C2 connection over port 443 (T1043) using the HTTPS protocol (T1071, T1032).
Cited Intelligence:
APT29 has used several persistence mechanisms, including Registry Run keys. [5] [11]
APT29 phishing campaigns have contained weaponized Windows shortcut files that executed an obfuscated PowerShell command from within the file and dropped a DLL to the victim’s system. [8] [11] [17]
PowerDuke has performed anti-VM checks designed to avoid executing in virtualized environments. PowerDuke payloads have also contained a component hidden in an ADS and connected to C2 over port 443. [11]
Note: The anti-analysis commands and logic were derived from a VirusTotal submission. [9]
Open Invitation Contributor(s):
Microsoft
Emulation Content:
The Day 2 README.md file describes how to configure the schemas.ps1, 2016_United_States_presidential_election_-_Wikipedia.html and 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk payloads, as well as additional commands to complete the step.
Step 12 - Fortify Access: Adversary attempts to hide artifacts of breach, enumerates victim software
High Level Overview of Emulation and Techniques Evaluated:
The attacker modifies the time attributes of the DLL payload (T1099) used in the previously established persistence mechanism to match those of a random file found in the victim’s System32 directory (T1083). The attacker then enumerates registered AV products (T1063) and software installed by the user as documented in the Windows Registry (T1012).
Cited Intelligence:
POSHSPY can modify standard information timestamps of downloaded executables to match a randomly selected file from the System32 directory. PowerDuke also has had undescribed commands named “detectav” and “software.” [10]
Open Invitation Contributor(s):
Kaspersky
SentinelOne
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the timestomp function within timestomp.ps1 and the detectav and software functions within stepTwelve.ps1.
Step 13 - Reconnaissance: Adversary surveys the victim environment
High Level Overview of Emulation and Techniques Evaluated:
The attacker performs local enumeration using various Windows API calls, specifically gathering the local computer name (T1082), domain name (T1063), current user context (T1033), and running processes (T1057).
Cited Intelligence:
PowerDuke can get the NetBIOS name, the computer’s domain name, user’s name, and process list via select Windows API calls. [11]
Open Invitation Contributor(s):
(none)
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the comp, domain, user, and pslist functions within stepThirteen.ps1.
Step 14 - Elevation & Credential Access: Adversary elevates privileges and dumps credential materials
High Level Overview of Emulation and Techniques Evaluated:
The attacker elevates privileges via a user account control (UAC) bypass (T1122, T1088). The attacker then uses the new elevated access to create and execute code within a custom WMI class (T1047) that downloads (T1105) and executes Mimikatz to dump plain-text credentials (T1003), which are parsed, encoded, and stored in the WMI class (T1027). After tracking that the WMI execution has completed (T1057), the attacker reads the plaintext credentials stored within the WMI class (T1140).
Cited Intelligence:
APT29 has embedded and encoded PowerShell scripts in WMI class properties. [5] [10] APT29 has bypassed UAC to elevate privileges. [5] APT29 has used WMI to store and run Invoke-Mimikatz (S0002) on remote hosts. [7] [12] POSHSPY has used WMI to both store and persist PowerShell backdoor code. POSHSPY can also download and execute additional PowerShell code and Windows binaries. [7] [10] [12]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file describes how to configure the stepFourteen_bypassUAC.ps1 and stepFourteen_credDump.ps1 payloads, as well as additional commands to complete the step, including executing the bypass function within stepFourteen_bypassUAC.ps1 and the wmidump function within stepFourteen_credDump.ps1.
Step 15 - Establish Persistence: Adversary establishes a secondary means of persistent access to the victim
High Level Overview of Emulation and Techniques Evaluated:
The attacker establishes a secondary means of persistent access to the victim by creating a WMI event subscription (T1084) to execute a PowerShell payload whenever the current user (T1033) logs in.
Cited Intelligence:
APT29 has used several persistence mechanisms, including WMI backdoors that execute PowerShell components. [5] [10]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file describes how to configure the stepFifteen_wmi.ps1 payload, as well as additional commands to complete the step, including executing the wmi function within stepFifteen_wmi.ps1.
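The WMI event subscription persistence in Step 15 leaves three registrations behind (a filter, a consumer and a binding), and a defender detects it by joining those back together. The Python below is an added example, not part of the evaluation's emulation content; it assumes records shaped like the EventData of Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter) after XML parsing, and all sample values are constructed.

```python
import re

# Constructed sample records shaped like Sysmon EventData for event IDs 19
# (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter).
# Field names follow Sysmon's schema (assumed); every value here is made up.
SAMPLE_EVENTS = [
    {"EventID": 19, "User": "CORP\\alice", "Name": "UpdaterLogonFilter",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE "
              "TargetInstance ISA 'Win32_LogonSession' AND "
              "TargetInstance.LogonType = 2"},
    {"EventID": 20, "User": "CORP\\alice", "Name": "UpdaterConsumer",
     "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -enc BASE64PLACEHOLDER"},
    {"EventID": 21, "User": "CORP\\alice",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterLogonFilter"'},
    # Windows' own SCM event log subscription, kept as a benign control
    {"EventID": 19, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

NAME_RE = re.compile(r'Name="([^"]+)"')
# WMI classes whose instance events fire on interactive logon
LOGON_CLASSES = ("win32_logonsession", "win32_loggedonuser")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")


def _ref_name(ref: str) -> str:
    """Extract the object name from a binding reference like '__EventFilter.Name="X"'."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ""


def correlate_wmi_subscriptions(events):
    """Join each binding to its filter and consumer and return the suspicious ones."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for binding in (e for e in events if e["EventID"] == 21):
        f_name = _ref_name(binding["Filter"])
        c_name = _ref_name(binding["Consumer"])
        flt = filters.get(f_name, {})
        consumer = consumers.get(c_name, {})
        reasons = []
        # Only consumers that run commands or scripts can launch a stager
        if consumer.get("Type") in ("Command Line", "Script"):
            dest = consumer.get("Destination", "").lower()
            if any(host in dest for host in SCRIPT_HOSTS):
                reasons.append("consumer launches a script host")
            if re.search(r"-e(nc|ncodedcommand)?\b", dest):
                reasons.append("consumer passes an encoded command")
        if any(cls in flt.get("Query", "").lower() for cls in LOGON_CLASSES):
            reasons.append("filter fires on user logon")
        if reasons:
            findings.append({"user": binding["User"], "filter": f_name,
                             "consumer": c_name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate_wmi_subscriptions(SAMPLE_EVENTS):
        print(finding)
```

Feeding it real Sysmon exports replaces only SAMPLE_EVENTS; orphaned filters or consumers without a binding are also worth listing, since the page's Step 19 cleanup may remove only part of a subscription.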
Step 16 - Expand Access: Adversary enumerates then dumps credential materials from domain controller
High Level Overview of Emulation and Techniques Evaluated:
The attacker enumerates the environment’s domain controller (T1018) and the domain’s security identifier (SID) (T1033) via the Windows API (T1106). Next, the attacker uses the previously dumped credentials (T1078) to create a remote PowerShell session to the domain controller (T1028). Through this connection, the attacker copies the Mimikatz binary used in Step 14 to the domain controller (T1105), then dumps the hash of the KRBTGT account (T1003).
Cited Intelligence:
PowerDuke can get the current user’s SID via select Windows API calls. [11]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the Get-NetDomainController function within powerView.ps1, the siduser function within stepSixteen_SID.ps1, and the Invoke-WinRMSession function within Invoke-WinRMSession.ps1.
Step 17 - Collection: Adversary collects, stages, and obfuscates data from victim user
High Level Overview of Emulation and Techniques Evaluated:
The attacker harvests emails stored in the local email client (T1114) before collecting (T1005) and staging (T1074) a file of interest. The staged file is compressed (T1002) and prepended with the magic bytes of the GIF file type (T1027).
Cited Intelligence:
APT29 has used the legitimate Microsoft DLL and PowerShell to interact with Exchange Web Services (EWS) for email theft. [7]
POSHSPY can append a file signature header to all encrypted data prior to upload or download. [10]
Open Invitation Contributor(s):
Kaspersky
Microsoft
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the psemail function within stepSeventeen_email.ps1 and the zip function within stepSeventeen_zip.ps1.
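Step 17 hides a compressed archive behind GIF magic bytes, so a file scanner that trusts the signature alone will wave it through. The Python below is an added example and not part of the evaluation's emulation content: it checks whether a GIF-signed blob actually continues as a GIF (a Logical Screen Descriptor followed by an image, extension or trailer block) or instead continues as an archive or as high-entropy data; the sample inputs are constructed inline.

```python
import io
import math
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Archive signatures that may sit directly behind a bogus image header
ARCHIVE_SIGS = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
                b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}
# Bytes that legitimately introduce the first block after a GIF header
GIF_BLOCK_INTRODUCERS = (b",", b"!", b";")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_gif_candidate(blob: bytes):
    """Return (verdict, detail) for a blob that claims to be a GIF."""
    if blob[:6] not in GIF_MAGICS:
        return "not-gif", ""
    body = blob[6:]
    for sig, name in ARCHIVE_SIGS.items():
        if body.startswith(sig):
            return "gif-prepended-archive", name
    if len(body) < 7:
        return "truncated", ""
    # Logical Screen Descriptor: width, height, packed flags, bg index, aspect
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", body[:7])
    offset = 7
    if packed & 0x80:  # Global Color Table present: 3 * 2^(N+1) bytes
        offset += 3 * (2 ** ((packed & 0x07) + 1))
    if body[offset:offset + 1] in GIF_BLOCK_INTRODUCERS and width and height:
        return "gif", f"{width}x{height}"
    # Header parses but no image/extension block follows: data wearing a GIF
    # signature; entropy separates compressed/encrypted payloads from junk
    entropy = shannon_entropy(body)
    verdict = "gif-opaque-body" if entropy > 7.0 else "gif-malformed"
    return verdict, f"entropy={entropy:.2f}"


def build_samples() -> dict:
    """Constructed inputs: a real 1x1 GIF, a zip behind a GIF header and
    uniform high-entropy bytes behind a GIF header (all made up here)."""
    real_gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("staged.docx", b"constructed document content " * 20)
    disguised_zip = b"GIF89a" + buf.getvalue()
    opaque = b"GIF87a" + bytes(range(256)) * 8  # every byte value 8 times
    return {"real": real_gif, "zip": disguised_zip, "opaque": opaque}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, classify_gif_candidate(blob))
```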
Step 18 - Exfiltration: Adversary exfiltrates data to attacker-controlled web infrastructure
High Level Overview of Emulation and Techniques Evaluated:
The attacker maps a local drive to an online web service account (T1102), then exfiltrates the previously staged data to this repository (T1048).
Cited Intelligence:
CloudDuke can use Microsoft OneDrive to exchange stolen data with its operators. [1] [5]
Open Invitation Contributor(s):
Kaspersky
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file contains the commands to complete the step.
Step 19 - Clean Up: Adversary cleans up artifacts of breach
High Level Overview of Emulation and Techniques Evaluated:
The attacker deletes various files (T1107) associated with the breach by reflectively loading and executing the Sdelete binary (T1055) within powershell.exe.
Cited Intelligence:
APT29 has removed tools and forensic artifacts to hide activity, including the usage of Sdelete (S0195). [5] PowerDuke can write random data across a file and then delete it. [11]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the wipe function within wipe.ps1.
Step 19 was excluded from the evaluation due to execution inconsistencies.
Step 20 - Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted, access is used to create credential material and access new victim workstation
High Level Overview of Emulation and Techniques Evaluated:
The original victim is rebooted and the legitimate user logs in, emulating ordinary usage and a passage of time. This activity triggers the previously established persistence mechanisms, namely the execution of the DLL payload (T1085) referenced by the Windows Registry Run key, and the WMI event subscription (T1084), which executes a new PowerShell stager (T1086). The attacker uses the renewed access to generate a Kerberos Golden Ticket (T1097), using materials from the earlier breach, which is used to establish a remote PowerShell session to a new victim (T1028). Through this connection, the attacker creates a new account within the domain (T1136).
Cited Intelligence:
APT29 has used Kerberos ticket attacks for lateral movement and has created accounts to log in. [5] [7]
Open Invitation Contributor(s):
Microsoft
SentinelOne
Emulation Content:
The Day 2 README.md file contains the commands to complete the step, including executing the Invoke-Mimikatz function within Invoke-Mimikatz.ps1.