<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, Group G0016 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span 
class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" 
role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" 
class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> APT29 </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G0016">APT29</a> is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" 
class="scite-citeref-number" title="White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021."data-reference="White House Imposing Costs RU Gov April 2021"><sup><a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021."data-reference="UK Gov Malign RIS Activity April 2021"><sup><a href="https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. <a href="/groups/G0016">APT29</a> reportedly compromised the Democratic National Committee starting in the summer of 2015.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. 
Retrieved January 11, 2017."data-reference="GRIZZLY STEPPE JAR"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021."data-reference="UK Gov UK Exposes Russia SolarWinds April 2021"><sup><a href="https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p><p>In April 2021, the US and UK governments attributed the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a> to the SVR; public statements included citations to <a href="/groups/G0016">APT29</a>, Cozy Bear, and The Dukes.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. 
Retrieved April 16, 2021."data-reference="NSA Joint Advisory SVR SolarWinds April 2021"><sup><a href="https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021."data-reference="UK NSCS Russia SolarWinds April 2021"><sup><a href="https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. 
Retrieved March 24, 2023."data-reference="Unit 42 SolarStorm December 2020"><sup><a href="https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>G0016 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group; Katie Nickels, Red Canary; Joe Gumke, U.S. 
Bank; Liran Ravich, CardinalOps </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 6.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>03 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0016" href="/versions/v16/groups/G0016/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0016" href="/versions/v16/groups/G0016/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> IRON RITUAL </td> <td> <p><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> IRON HEMLOCK </td> <td> <p><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> NobleBaron </td> <td> <p><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> Dark Halo </td> <td> <p><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> NOBELIUM </td> <td> <p><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). 
New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021."data-reference="MSRC Nobelium June 2021"><sup><a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> UNC2452 </td> <td> <p><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> YTTRIUM </td> <td> <p><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. 
think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019."data-reference="Microsoft Unidentified Dec 2018"><sup><a href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> The Dukes </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> Cozy Bear </td> <td> <p><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> CozyDuke </td> <td> <p><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> SolarStorm </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023."data-reference="Unit 42 SolarStorm December 2020"><sup><a href="https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> Blue Kitsune </td> <td> <p><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. 
Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020."data-reference="PWC WellMess C2 August 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> UNC3524 </td> <td> <p><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> Midnight Blizzard </td> <td> <p><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. 
Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="campaigns">Campaigns</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">First Seen</th> <th scope="col">Last Seen</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0023">C0023</a> </td> <td> <a href="/campaigns/C0023">Operation Ghost</a> </td> <td style="white-space:nowrap">September 2013 <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </td> <td style="white-space:nowrap">October 2019 <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </td> <td> <p><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/001">Domains</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/002">Steganography</a>, <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/001">Malware</a>, <a href="/techniques/T1585">Establish Accounts</a>: <a href="/techniques/T1585/001">Social Media Accounts</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/002">Domain Accounts</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/campaigns/C0024">C0024</a> </td> <td> <a href="/campaigns/C0024">SolarWinds Compromise</a> </td> <td style="white-space:nowrap">August 2019 <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023."data-reference="Unit 42 SolarStorm December 2020"><sup><a href="https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td style="white-space:nowrap">January 2021 <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). 
New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td> <p><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021."data-reference="NSA Joint Advisory SVR SolarWinds April 2021"><sup><a href="https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021."data-reference="UK NSCS Russia SolarWinds April 2021"><sup><a href="https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. 
Retrieved March 26, 2023."data-reference="Mandiant UNC2452 APT29 April 2022"><sup><a href="https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/002">Additional Email Delegate Permissions</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/003">Additional Cloud Roles</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/005">Device Registration</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/001">Additional Cloud Credentials</a>, <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/001">Domains</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1584">Compromise Infrastructure</a>: <a href="/techniques/T1584/001">Domains</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1213">Data from Information Repositories</a>, <a href="/techniques/T1213">Data from Information 
Repositories</a>: <a href="/techniques/T1213/003">Code Repositories</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1074">Data Staged</a>: <a href="/techniques/T1074/002">Remote Data Staging</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/001">Malware</a>, <a href="/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/techniques/T1484/002">Trust Modification</a>, <a href="/techniques/T1482">Domain Trust Discovery</a>, <a href="/techniques/T1568">Dynamic Resolution</a>, <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/002">Remote Email Collection</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a>, <a href="/techniques/T1190">Exploit Public-Facing Application</a>, <a href="/techniques/T1133">External Remote Services</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/002">SAML Tokens</a>, <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/001">Web Cookies</a>, <a href="/techniques/T1589">Gather Victim Identity Information</a>: <a href="/techniques/T1589/001">Credentials</a>, <a href="/techniques/T1665">Hide Infrastructure</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/002">Disable Windows Event Logging</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/004">Disable or Modify System Firewall</a>, <a 
href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/006">Timestomp</a>, <a href="/techniques/T1070">Indicator Removal</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/008">Clear Mailbox Data</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/006">DCSync</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/001">Internal Proxy</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/006">Windows Remote Management</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/003">Kerberoasting</a>, <a href="/techniques/T1539">Steal Web Session Cookie</a>, <a href="/techniques/T1553">Subvert Trust Controls</a>: <a href="/techniques/T1553/002">Code Signing</a>, <a href="/techniques/T1195">Supply Chain Compromise</a>: <a href="/techniques/T1195/002">Compromise Software Supply Chain</a>, <a href="/techniques/T1218">System Binary Proxy 
Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>: <a href="/techniques/T1016/001">Internet Connection Discovery</a>, <a href="/techniques/T1199">Trusted Relationship</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/001">Application Access Token</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/004">Web Session Cookie</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/004">Cloud Accounts</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/002">Domain Accounts</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/003">Local Accounts</a>, <a href="/techniques/T1078">Valid Accounts</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G0016/G0016-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> 
<script> if (window.location.protocol == "https:") { /* view on navigator only works when this site is hosted on HTTPS */ var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0016/G0016-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { /* hide button */ document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548/002">.002</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has bypassed UAC.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087/002">.002</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used PowerShell to discover domain accounts by executing <code>Get-ADUser</code> and <code>Get-ADGroupMember</code>.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. 
Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/004">.004</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/004">Cloud Account</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has conducted enumeration of Azure AD accounts.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098/001">.001</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/001">Additional Cloud Credentials</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> added credentials to OAuth Applications and Service Principals.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 30, 2020."data-reference="Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/002">.002</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/002">Additional Email Delegate Permissions</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used a compromised global administrator account in Azure AD to backdoor a service principal with <code>ApplicationImpersonation</code> rights to start collecting emails from targeted mailboxes; <a href="/groups/G0016">APT29</a> has also used compromised accounts holding <code>ApplicationImpersonation</code> rights in Exchange to collect emails.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. 
Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> added their own devices as allowed IDs for ActiveSync using <code>Set-CASMailbox</code>, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 30, 2020."data-reference="Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/003">.003</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/003">Additional Cloud Roles</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> granted <code>company administrator</code> privileges to a newly created service principal.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/005">.005</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/005">Device Registration</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> registered devices in order to enable mailbox syncing via the <code>Set-CASMailbox</code> command.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). 
Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1583">T1583</a> </td> <td> <a href="/techniques/T1583/001">.001</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/001">Domains</a> </td> <td> <p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> acquired C2 domains, sometimes through resellers.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. 
Retrieved March 12, 2021."data-reference="FireEye SUNSHUTTLE Mar 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p><p>For <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> registered domains for use in C2, including some crafted to appear as existing legitimate domains.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1583/006">.006</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/006">Web Services</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has registered algorithmically generated Twitter handles that are used for C2 by malware, such as <a href="/software/S0037">HAMMERTOSS</a>. <a href="/groups/G0016">APT29</a> has also used legitimate web services such as Dropbox and Constant Contact in their operations.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. 
Retrieved September 17, 2015."data-reference="FireEye APT29"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1595">T1595</a> </td> <td> <a href="/techniques/T1595/002">.002</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has conducted widespread scanning of target environments to identify vulnerabilities for exploit.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1071">T1071</a> </td> <td> <a href="/techniques/T1071/001">.001</a> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used HTTP for C2 and data exfiltration.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1560">T1560</a> </td> <td> <a href="/techniques/T1560/001">.001</a> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; <a href="/groups/G0016">APT29</a> also compressed text files into zipped archives.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). 
Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/groups/G0016">APT29</a> added Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). 
No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1037">T1037</a> </td> <td> <a href="/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1037/004">.004</a> </td> <td> <a href="/techniques/T1037/004">RC Scripts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has installed a run command on a compromised system to enable malware execution on system startup.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1110">T1110</a> </td> <td> <a href="/techniques/T1110/001">.001</a> </td> <td> <a href="/techniques/T1110">Brute Force</a>: <a href="/techniques/T1110/001">Password Guessing</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has successfully conducted password guessing attacks against a list of mailboxes.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/003">.003</a> </td> <td> <a href="/techniques/T1110">Brute Force</a>: <a href="/techniques/T1110/003">Password Spraying</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has conducted brute force password spray attacks.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021."data-reference="MSRC Nobelium June 2021"><sup><a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). 
NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1651">T1651</a> </td> <td> <a href="/techniques/T1651">Cloud Administration Command</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. 
Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used encoded PowerShell scripts uploaded to <a href="/software/S0046">CozyCar</a> installations to download and install <a href="/software/S0053">SeaDuke</a>.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015."data-reference="Symantec Seaduke 2015"><sup><a href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. 
Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . 
Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/003">.003</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>cmd.exe</code> to execute commands on remote machines.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). 
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/005">.005</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a> </td> <td> <p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> wrote malware such as <a href="/software/S0589">Sibot</a> in Visual Basic.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/006">.006</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/006">Python</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has developed malware variants written in Python.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. 
Retrieved July 22, 2015."data-reference="Symantec Seaduke 2015"><sup><a href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/009">.009</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/009">Cloud API</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used the Microsoft Graph API to perform various actions across Azure and M365 environments, and has also used the AADInternals PowerShell module to access that API.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1586">T1586</a> </td> <td> <a href="/techniques/T1586/002">.002</a> </td> <td> <a href="/techniques/T1586">Compromise Accounts</a>: <a href="/techniques/T1586/002">Email Accounts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has compromised email accounts to enable further phishing campaigns and has taken control of dormant accounts.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. 
Retrieved April 13, 2022."data-reference="ANSSI Nobelium Phishing December 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1586/003">.003</a> </td> <td> <a href="/techniques/T1586">Compromise Accounts</a>: <a href="/techniques/T1586/003">Cloud Accounts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used residential proxies and Azure Virtual Machines to obfuscate their access to victim environments.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. 
Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1584">T1584</a> </td> <td> <a href="/techniques/T1584/001">.001</a> </td> <td> <a href="/techniques/T1584">Compromise Infrastructure</a>: <a href="/techniques/T1584/001">Domains</a> </td> <td> <p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> compromised domains to use for C2.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136/003">.003</a> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/003">Cloud Account</a> </td> <td> <p><a href="/groups/G0016">APT29</a> can create new users through Azure AD.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. 
Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1555">T1555</a> </td> <td> <a href="/techniques/T1555/003">.003</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> stole users' saved passwords from Chrome.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1213">T1213</a> </td> <td> <a href="/techniques/T1213">Data from Information Repositories</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/003">.003</a> </td> <td> <a href="/techniques/T1213/003">Code Repositories</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> downloaded source code from code repositories.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021."data-reference="Microsoft Internal Solorigate Investigation Blog"><sup><a href="https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has stolen data from compromised hosts.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> extracted files from compromised networks.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1001">T1001</a> </td> <td> <a href="/techniques/T1001/002">.002</a> </td> <td> <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/002">Steganography</a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used steganography to hide the communications between the implants and their C&amp;C servers.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1074">T1074</a> </td> <td> <a href="/techniques/T1074/002">.002</a> </td> <td> <a href="/techniques/T1074">Data Staged</a>: <a href="/techniques/T1074/002">Remote Data Staging</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> staged data and files in password-protected archives on a victim's OWA server.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1140">T1140</a> </td> <td> <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used 7-Zip to decode their <a href="/software/S0565">Raindrop</a> malware.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. 
Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1587">T1587</a> </td> <td> <a href="/techniques/T1587/001">.001</a> </td> <td> <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/001">Malware</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used unique malware in many of their operations.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used numerous pieces of malware that were likely developed for or by the group, including <a href="/software/S0559">SUNBURST</a>, <a href="/software/S0562">SUNSPOT</a>, <a href="/software/S0565">Raindrop</a>, and <a href="/software/S0560">TEARDROP</a>.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. 
Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span> </p><p>For <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used new strains of malware including <a href="/software/S0512">FatDuke</a>, <a href="/software/S0051">MiniDuke</a>, <a href="/software/S0511">RegDuke</a>, and <a href="/software/S0518">PolyglotDuke</a>.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1587/003">.003</a> </td> <td> <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/003">Digital Certificates</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has created self-signed digital certificates to enable mutual TLS authentication for malware.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. 
Retrieved September 29, 2020."data-reference="PWC WellMess C2 August 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1484">T1484</a> </td> <td> <a href="/techniques/T1484/002">.002</a> </td> <td> <a href="/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/techniques/T1484/002">Trust Modification</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. 
Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1482">T1482</a> </td> <td> <a href="/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used the <code>Get-AcceptedDomain</code> PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> They also used <a href="/software/S0552">AdFind</a> to enumerate domains and to discover trust between federated domains.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). 
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1568">T1568</a> </td> <td> <a href="/techniques/T1568">Dynamic Resolution</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used Dynamic DNS providers for their malware C2 infrastructure.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. 
Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> </p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1114">T1114</a> </td> <td> <a href="/techniques/T1114/002">.002</a> </td> <td> <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> collected emails from specific individuals, such as executives and IT staff, using <code>New-MailboxExportRequest</code> followed by <code>Get-MailboxExportRequest</code>.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1573">T1573</a> </td> <td> <a href="/techniques/T1573">Encrypted Channel</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used multiple layers of encryption within malware to protect C2 communication.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1585">T1585</a> </td> <td> <a href="/techniques/T1585/001">.001</a> </td> <td> <a href="/techniques/T1585">Establish Accounts</a>: <a href="/techniques/T1585/001">Social Media Accounts</a> </td> <td> <p>For <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> registered Twitter accounts to host C2 nodes.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1546">T1546</a> </td> <td> <a href="/techniques/T1546/003">.003</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used WMI event subscriptions for persistence.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with <code>rundll32.exe</code>.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p><p>During <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used WMI event subscriptions to establish persistence for malware.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/008">.008</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/008">Accessibility Features</a> </td> <td> <p><a href="/groups/G0016">APT29</a> used sticky-keys to obtain unauthenticated, privileged console access.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. 
Retrieved March 27, 2017."data-reference="FireEye APT29 Domain Fronting"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1048">T1048</a> </td> <td> <a href="/techniques/T1048/002">.002</a> </td> <td> <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1190">T1190</a> </td> <td> <a href="/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1203">T1203</a> </td> <td> <a href="/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. 
Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1068">T1068</a> </td> <td> <a href="/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has exploited CVE-2021-36934 to escalate privileges on a compromised host.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1133">T1133</a> </td> <td> <a href="/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used compromised identities to access networks via VPNs and Citrix.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. 
Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used compromised identities to access networks via SSH, VPNs, and other remote access tools.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> obtained information about the configured Exchange virtual directory using <code>Get-WebServicesVirtualDirectory</code>.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. 
(2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1606">T1606</a> </td> <td> <a href="/techniques/T1606/001">.001</a> </td> <td> <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/001">Web Cookies</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1606/002">.002</a> </td> <td> <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/002">SAML Tokens</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> created tokens using compromised SAML signing certificates.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 30, 2020."data-reference="Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1589">T1589</a> </td> <td> <a href="/techniques/T1589/001">.001</a> </td> <td> <a href="/techniques/T1589">Gather Victim Identity Information</a>: <a href="/techniques/T1589/001">Credentials</a> </td> <td> <p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> conducted credential theft operations to obtain credentials to be used for access to victim environments.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1665">T1665</a> </td> <td> <a href="/techniques/T1665">Hide Infrastructure</a> </td> <td> <p><a href="/groups/G0016">APT29</a> uses compromised residential endpoints, typically within the same ISP IP address range, as proxies to hide the true source of C2 traffic.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used the service control manager on a remote system to disable services associated with security monitoring products.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>AUDITPOL</code> to prevent the collection of audit logs.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/004">.004</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>netsh</code> to configure firewall rules that limited certain UDP outbound packets.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/008">.008</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/008">Disable or Modify Cloud Logs</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). 
You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070/004">.004</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used <a href="/software/S0195">SDelete</a> to remove artifacts from victim networks.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> routinely removed their tools, including custom backdoors, once remote access was achieved.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/006">.006</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/006">Timestomp</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> modified timestamps of backdoors to match legitimate Windows files.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/008">.008</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/008">Clear Mailbox Data</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> removed evidence of email export requests using <code>Remove-MailboxExportRequest</code>.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1105">T1105</a> </td> <td> <a href="/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has downloaded additional tools and malware onto compromised networks.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> downloaded additional malware, such as <a href="/software/S0560">TEARDROP</a> and <a href="/software/S0154">Cobalt Strike</a>, onto a compromised host following initial access.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). 
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036/004">.004</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> named tasks <code>\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</code> in order to appear legitimate.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. 
Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. 
Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> renamed software and DLLs with legitimate names to appear benign.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . 
Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556/007">.007</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a>: <a href="/techniques/T1556/007">Hybrid Identity</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has edited the <code>Microsoft.IdentityServer.Servicehost.exe.config</code> file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. 
Retrieved September 28, 2022."data-reference="MagicWeb"><sup><a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1621">T1621</a> </td> <td> <a href="/techniques/T1621">Multi-Factor Authentication Request Generation</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used repeated MFA requests to gain access to victim accounts.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022."data-reference="Suspected Russian Activity Targeting Government and Business Entities Around the Globe"><sup><a href="https://www.mandiant.com/resources/russian-targeting-gov-business" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. 
Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027/001">.001</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/001">Binary Padding</a> </td> <td> <p><a href="/groups/G0016">APT29</a> used large files to avoid detection by security solutions with hardcoded file-size limits.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/002">.002</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a> </td> <td> <p><a href="/groups/G0016">APT29</a> used UPX to pack files.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/003">.003</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used steganography to hide payloads inside valid images.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/006">.006</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/006">HTML Smuggling</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. 
Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1588">T1588</a> </td> <td> <a href="/techniques/T1588/002">.002</a> </td> <td> <a href="/techniques/T1588">Obtain Capabilities</a>: <a href="/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has obtained and used a variety of tools including <a href="/software/S0002">Mimikatz</a>, <a href="/software/S0195">SDelete</a>, <a href="/software/S0183">Tor</a>, <a href="/software/S0175">meek</a>, and <a href="/software/S0154">Cobalt Strike</a>.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003/002">.002</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used the <code>reg save</code> command to save registry hives.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/004">.004</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used the <code>reg save</code> command to extract LSA secrets offline.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/006">.006</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/006">DCSync</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used privileged accounts to replicate directory service data with domain controllers.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1069">T1069</a> </td> <td> <a href="/techniques/T1069/002">.002</a> </td> <td> <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <a href="/software/S0552">AdFind</a> to enumerate domain groups.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1566">T1566</a> </td> <td> <a href="/techniques/T1566/001">.001</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used spearphishing emails with an attachment to deliver files with exploits to initial victims.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/002">.002</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used spearphishing emails containing a link to a zip file of malicious files, tricking victims into clicking it.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. 
and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL USAID Phish May 2021"><sup><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/003">.003</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/003">Spearphishing via Service</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used the legitimate mailing service Constant Contact to send phishing e-mails.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. 
Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1057">T1057</a> </td> <td> <a href="/techniques/T1057">Process Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used multiple command-line utilities to enumerate running processes.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1090">T1090</a> </td> <td> <a href="/techniques/T1090/001">.001</a> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/001">Internal Proxy</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of <a href="/software/S0154">Cobalt Strike</a> to use a network pipe over SMB.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. 
Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1090/002">.002</a> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/002">External Proxy</a> </td> <td> <p><a href="/groups/G0016">APT29</a> uses compromised residential endpoints as proxies for defense evasion and network access.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1090/003">.003</a> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p>A backdoor used by <a href="/groups/G0016">APT29</a> created a <a href="/software/S0183">Tor</a> hidden service that forwarded traffic from the <a href="/software/S0183">Tor</a> client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; <a href="/groups/G0016">APT29</a> has also used Tor more generally.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1090/004">.004</a> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/004">Domain Fronting</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used the meek domain fronting plugin for <a href="/software/S0183">Tor</a> to hide the destination of C2 traffic.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021/001">.001</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used RDP sessions from public-facing systems to internal servers.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/002">.002</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used administrative accounts to connect over SMB to targeted users.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/006">.006</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/006">Windows Remote Management</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used WinRM via PowerShell to execute commands and payloads on remote hosts.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/007">.007</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/007">Cloud Services</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Mandiant. (2022, August). Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29. 
Retrieved February 21, 2023."data-reference="Mandiant Remediation and Hardening Strategies for Microsoft 365"><sup><a href="https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1018">T1018</a> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <a href="/software/S0552">AdFind</a> to enumerate remote systems.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used named and hijacked scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>scheduler</code> and <code>schtasks</code> to create new tasks on remote hosts as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. <a href="/groups/G0016">APT29</a> also created a scheduled task to maintain <a href="/software/S0562">SUNSPOT</a> persistence when the host booted.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). 
SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505/003">.003</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a>: <a href="/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has installed web shells on exploited Microsoft Exchange servers.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1528">T1528</a> </td> <td> <a href="/techniques/T1528">Steal Application Access Token</a> </td> <td> <p><a href="/groups/G0016">APT29</a> uses stolen tokens to access victim accounts, without needing a password.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1649">T1649</a> </td> <td> <a href="/techniques/T1649">Steal or Forge Authentication Certificates</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. 
Retrieved August 3, 2022."data-reference="Mandiant APT29 Trello"><sup><a href="https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1558">T1558</a> </td> <td> <a href="/techniques/T1558/003">.003</a> </td> <td> <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/003">Kerberoasting</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1539">T1539</a> </td> <td> <a href="/techniques/T1539">Steal Web Session Cookie</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> stole Chrome browser cookies by copying the Chrome profile directories of targeted users.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1553">T1553</a> </td> <td> <a href="/techniques/T1553/002">.002</a> </td> <td> <a href="/techniques/T1553">Subvert Trust Controls</a>: <a href="/techniques/T1553/002">Code Signing</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> was able to get <a href="/software/S0559">SUNBURST</a> signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/005">.005</a> </td> <td> <a href="/techniques/T1553">Subvert Trust Controls</a>: <a href="/techniques/T1553/005">Mark-of-the-Web Bypass</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1195">T1195</a> </td> <td> <a href="/techniques/T1195/002">.002</a> </td> <td> <a href="/techniques/T1195">Supply Chain Compromise</a>: <a href="/techniques/T1195/002">Compromise Software Supply Chain</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> gained initial network access to some victims via a trojanized update of SolarWinds Orion software.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. 
Retrieved January 13, 2021."data-reference="SolarWinds Sunburst Sunspot Update January 2021"><sup><a href="https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218/005">.005</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/005">Mshta</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used <code>mshta</code> to execute malicious scripts on a compromised host.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/011">.011</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>Rundll32.exe</code> to execute payloads.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 30, 2020."data-reference="Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>fsutil</code> to check available free space before executing actions that might create large files on disk.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016/001">.001</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a>: <a href="/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has ensured web servers in a victim environment are Internet accessible before copying tools or malware to them.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <a href="/software/S0597">GoldFinder</a> to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1199">T1199</a> </td> <td> <a href="/techniques/T1199">Trusted Relationship</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552/004">.004</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. 
(2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1550">T1550</a> </td> <td> <a href="/techniques/T1550/001">.001</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/001">Application Access Token</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used compromised service principals to make changes to the Office 365 environment.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/003">.003</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/003">Pass the Ticket</a> </td> <td> <p><a href="/groups/G0016">APT29</a> used Kerberos ticket attacks for lateral movement.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/004">.004</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/004">Web Session Cookie</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used stolen cookies to access cloud resources and a forged <code>duo-sid</code> cookie to bypass MFA set on an email account.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204/001">.001</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used various forms of spearphishing attempting to get a user to click on a malicious link.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. 
Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL USAID Phish May 2021"><sup><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1204/002">.002</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has used a compromised account to access an organization's VPN infrastructure.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used different compromised credentials for remote access and to move laterally.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used domain administrators' accounts to help facilitate lateral movement on compromised networks.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><p>For <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used stolen administrator credentials for lateral movement on compromised networks.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/003">.003</a> </td> <td> <a href="/techniques/T1078/003">Local Accounts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> targets dormant or inactive user accounts (accounts belonging to individuals who have left the organization but that remain on the system) for access and persistence.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used compromised local accounts to access victims' networks.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/004">.004</a> </td> <td> <a href="/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p><a href="/groups/G0016">APT29</a> has gained access to a global administrator account in Azure AD and has used <code>Service Principal</code> credentials in Exchange.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used a compromised O365 administrator account to create a new Service Principal.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. 
Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1102">T1102</a> </td> <td> <a href="/techniques/T1102/002">.002</a> </td> <td> <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p>For <a href="https://attack.mitre.org/campaigns/C0023">Operation Ghost</a>, <a href="/groups/G0016">APT29</a> used social media platforms to hide communications to C2 servers.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/groups/G0016">APT29</a> used WMI to steal credentials and execute backdoors at a future time.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used WMI for the remote execution of files for lateral movement.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0677">S0677</a> </td> <td> <a href="/software/S0677">AADInternals</a> </td> <td> <span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. 
Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/004">Cloud Account</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/005">Device Registration</a>, <a href="/techniques/T1651">Cloud Administration Command</a>, <a href="/techniques/T1526">Cloud Service Discovery</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/003">Cloud Account</a>, <a href="/techniques/T1530">Data from Cloud Storage</a>, <a href="/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/techniques/T1484/002">Trust Modification</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>, <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/002">SAML Tokens</a>, <a href="/techniques/T1589">Gather Victim Identity Information</a>: <a href="/techniques/T1589/002">Email Addresses</a>, <a href="/techniques/T1590">Gather Victim Network Information</a>: <a href="/techniques/T1590/001">Domain Properties</a>, <a href="/techniques/T1556">Modify Authentication Process</a>: <a href="/techniques/T1556/007">Hybrid Identity</a>, <a href="/techniques/T1556">Modify Authentication Process</a>: <a href="/techniques/T1556/006">Multi-Factor Authentication</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/003">Cloud Groups</a>, <a 
href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a>, <a href="/techniques/T1598">Phishing for Information</a>: <a href="/techniques/T1598/003">Spearphishing Link</a>, <a href="/techniques/T1528">Steal Application Access Token</a>, <a href="/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/002">Silver Ticket</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a> </td> </tr> <tr> <td> <a href="/software/S0552">S0552</a> </td> <td> <a href="/software/S0552">AdFind</a> </td> <td> <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. 
(2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1482">Domain Trust Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0521">S0521</a> </td> <td> <a href="/software/S0521">BloodHound</a> </td> <td> <span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1560">Archive Collected Data</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1482">Domain Trust Discovery</a>, <a href="/techniques/T1615">Group Policy Discovery</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups 
Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0635">S0635</a> </td> <td> <a href="/software/S0635">BoomBox</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/003">Email Account</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1480">Execution Guardrails</a>, <a href="/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1204">User Execution</a>: <a 
href="/techniques/T1204/002">Malicious File</a>, <a href="/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/software/S0054">S0054</a> </td> <td> <a href="/software/S0054">CloudDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/software/S0154">S0154</a> </td> <td> <a href="/software/S0154">Cobalt Strike</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="ESET. (2022, February). THREAT REPORT T3 2021. 
Retrieved February 10, 2022."data-reference="ESET T3 Threat Report 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL USAID Phish May 2021"><sup><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1548/003">Sudo and Sudo Caching</a>, <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1548/002">Bypass User Account Control</a>, <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/004">Parent PID Spoofing</a>, <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/001">Token Impersonation/Theft</a>, <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/003">Make and Impersonate Token</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/004">DNS</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a 
href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/002">File Transfer Protocols</a>, <a href="/techniques/T1197">BITS Jobs</a>, <a href="/techniques/T1185">Browser Session Hijacking</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/007">JavaScript</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/006">Python</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/003">Protocol or Service Impersonation</a>, <a href="/techniques/T1030">Data Transfer Size Limits</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1203">Exploitation for Client Execution</a>, <a href="/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/010">Process Argument Spoofing</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a 
href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/006">Timestomp</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/005">Indicator Removal from Tools</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1137">Office Application Startup</a>: <a href="/techniques/T1137/001">Office Template Macros</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/012">Process Hollowing</a>, <a href="/techniques/T1055">Process Injection</a>, <a href="/techniques/T1572">Protocol Tunneling</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/004">Domain Fronting</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/001">Internal Proxy</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1620">Reflective Code 
Loading</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/004">SSH</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/006">Windows Remote Management</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/003">Distributed Component Object Model</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1029">Scheduled Transfer</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1518">Software Discovery</a>, <a href="/techniques/T1553">Subvert Trust Controls</a>: <a href="/techniques/T1553/002">Code Signing</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/002">Pass the Hash</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/002">Domain Accounts</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/003">Local Accounts</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0050">S0050</a> </td> <td> <a href="/software/S0050">CosmicDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1020">Automated Exfiltration</a>, <a href="/techniques/T1115">Clipboard Data</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1039">Data from Network Shared Drive</a>, <a href="/techniques/T1025">Data from Removable Media</a>, <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/001">Local Email Collection</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a 
href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1113">Screen Capture</a> </td> </tr> <tr> <td> <a href="/software/S0046">S0046</a> </td> <td> <a href="/software/S0046">CozyCar</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/003">Rename System Utilities</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1003">OS Credential 
Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/software/S0634">S0634</a> </td> <td> <a href="/software/S0634">EnvyScout</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/007">JavaScript</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1480">Execution Guardrails</a>, <a href="/techniques/T1187">Forced Authentication</a>, <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/006">HTML Smuggling</a>, <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a> </td> </tr> <tr> <td> <a href="/software/S0512">S0512</a> </td> <td> <a href="/software/S0512">FatDuke</a> </td> <td> <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/001">Binary Padding</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/001">Internal Proxy</a>, <a 
href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a> </td> </tr> <tr> <td> <a href="/software/S0661">S0661</a> </td> <td> <a href="/software/S0661">FoggyWeb</a> </td> <td> <span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021."data-reference="MSTIC FoggyWeb September 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/003">Archive via Custom Method</a>, <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/002">Archive via Library</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1036">Masquerading</a>: <a 
href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/004">Compile After Delivery</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1620">Reflective Code Loading</a>, <a href="/techniques/T1129">Shared Modules</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a> </td> </tr> <tr> <td> <a href="/software/S0049">S0049</a> </td> <td> <a href="/software/S0049">GeminiDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0597">S0597</a> </td> <td> <a href="/software/S0597">GoldFinder</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). 
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. 
Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1119">Automated Collection</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>: <a href="/techniques/T1016/001">Internet Connection Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0588">S0588</a> </td> <td> <a href="/software/S0588">GoldMax</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. 
Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/001">Junk Data</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/011">Ignore Process Interrupts</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a 
href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/003">Cron</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1124">System Time Discovery</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/software/S0037">S0037</a> </td> <td> <a href="/software/S0037">HAMMERTOSS</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/002">Steganography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/003">Hidden Window</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/003">One-Way Communication</a> </td> </tr> <tr> <td> <a href="/software/S0357">S0357</a> </td> <td> <a href="/software/S0357">Impacket</a> </td> <td> <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </td> <td> <a href="/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/003">NTDS</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/003">Kerberoasting</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/005">Ccache Files</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0100">S0100</a> </td> <td> <a href="/software/S0100">ipconfig</a> </td> <td> <span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. 
Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0513">S0513</a> </td> <td> <a href="/software/S0513">LiteDuke</a> </td> <td> <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1012">Query Registry</a>, <a 
href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a> </td> </tr> <tr> <td> <a href="/software/S0175">S0175</a> </td> <td> <a href="/software/S0175">meek</a> </td> <td> <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span> </td> <td> <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/004">Domain Fronting</a> </td> </tr> <tr> <td> <a href="/software/S0002">S0002</a> </td> <td> <a href="/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. 
Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/005">SID-History Injection</a>, <a href="/techniques/T1098">Account Manipulation</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/005">Security Support Provider</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/004">Windows Credential Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/006">DCSync</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1207">Rogue Domain Controller</a>, <a href="/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a 
href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/001">Golden Ticket</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/002">Silver Ticket</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/002">Pass the Hash</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/software/S0051">S0051</a> </td> <td> <a href="/software/S0051">MiniDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1568">Dynamic Resolution</a>: <a href="/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/001">Internal Proxy</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/001">Dead Drop Resolver</a> </td> </tr> <tr> <td> <a href="/software/S0637">S0637</a> </td> <td> <a href="/software/S0637">NativeZone</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. 
Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1480">Execution Guardrails</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/software/S0039">S0039</a> </td> <td> <a href="/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. 
Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/007">Additional Local or Domain Groups</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0052">S0052</a> </td> <td> <a href="/software/S0052">OnionDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1499">Endpoint Denial of Service</a>, <a href="/techniques/T1003">OS Credential Dumping</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/003">One-Way Communication</a> </td> </tr> <tr> <td> <a href="/software/S0048">S0048</a> </td> <td> <a href="/software/S0048">PinchDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1003">OS Credential Dumping</a>, <a href="/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0518">S0518</a> </td> <td> <a href="/software/S0518">PolyglotDuke</a> </td> <td> <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/011">Fileless Storage</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/001">Dead Drop Resolver</a> </td> </tr> <tr> <td> <a href="/software/S0150">S0150</a> </td> <td> <a href="/software/S0150">POSHSPY</a> </td> <td> <span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). 
Retrieved April 5, 2017."data-reference="FireEye POSHSPY April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1030">Data Transfer Size Limits</a>, <a href="/techniques/T1568">Dynamic Resolution</a>: <a href="/techniques/T1568/002">Domain Generation Algorithms</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/006">Timestomp</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a> </td> </tr> <tr> <td> <a href="/software/S0139">S0139</a> </td> <td> <a href="/software/S0139">PowerDuke</a> </td> <td> <span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. 
Retrieved January 11, 2017."data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span> </td> <td> <a href="/techniques/T1010">Application Window Discovery</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1485">Data Destruction</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/004">NTFS File Attributes</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0029">S0029</a> </td> <td> <a href="/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1570">Lateral Tool Transfer</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/software/S1084">S1084</a> </td> <td> <a href="/software/S1084">QUIETEXIT</a> </td> <td> <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/002">External Proxy</a> </td> </tr> <tr> <td> <a href="/software/S0565">S0565</a> </td> <td> <a href="/software/S0565">Raindrop</a> </td> <td> <span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. 
Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1036">Masquerading</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a> </td> </tr> <tr> <td> <a href="/software/S0511">S0511</a> </td> <td> <a href="/software/S0511">RegDuke</a> </td> <td> <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. 
Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/003">Steganography</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/011">Fileless Storage</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/software/S0684">S0684</a> </td> <td> <a href="/software/S0684">ROADTools</a> </td> <td> <span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. 
Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/004">Cloud Account</a>, <a href="/techniques/T1119">Automated Collection</a>, <a href="/techniques/T1526">Cloud Service Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/003">Cloud Groups</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/004">Cloud Accounts</a> </td> </tr> <tr> <td> <a href="/software/S0195">S0195</a> </td> <td> <a href="/software/S0195">SDelete</a> </td> <td> <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span> </td> <td> <a href="/techniques/T1485">Data Destruction</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> </tr> <tr> <td> <a href="/software/S0053">S0053</a> </td> <td> <a href="/software/S0053">SeaDuke</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015."data-reference="Symantec Seaduke 2015"><sup><a href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/002">Archive via Library</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/009">Shortcut Modification</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/002">Remote Email 
Collection</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/003">Pass the Ticket</a>, <a href="/techniques/T1078">Valid Accounts</a> </td> </tr> <tr> <td> <a href="/software/S0589">S0589</a> </td> <td> <a href="/software/S0589">Sibot</a> </td> <td> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1070">Indicator Removal</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/010">Command Obfuscation</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/011">Fileless Storage</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/005">Mshta</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1016">System Network Configuration 
Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1102">Web Service</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0633">S0633</a> </td> <td> <a href="/software/S0633">Sliver</a> </td> <td> <span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022."data-reference="Secureworks IRON HEMLOCK Profile"><sup><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/004">DNS</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/002">Steganography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a 
href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1055">Process Injection</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0516">S0516</a> </td> <td> <a href="/software/S0516">SoreFang</a> </td> <td> <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. 
Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1190">Exploit Public-Facing Application</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0559">S0559</a> </td> <td> <a href="/software/S0559">SUNBURST</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/004">DNS</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/003">Protocol or Service Impersonation</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/001">Junk Data</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/002">Steganography</a>, <a 
href="/techniques/T1568">Dynamic Resolution</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/012">Image File Execution Options Injection</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/009">Clear Persistence</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/007">Clear Network Connection History and Configurations</a>, <a href="/techniques/T1070">Indicator Removal</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/005">Indicator Removal from Tools</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1553">Subvert Trust Controls</a>: <a href="/techniques/T1553/002">Code Signing</a>, <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a>, <a 
href="/techniques/T1124">System Time Discovery</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/003">Time Based Evasion</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0562">S0562</a> </td> <td> <a href="/software/S0562">SUNSPOT</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>, <a href="/techniques/T1565">Data Manipulation</a>: <a href="/techniques/T1565/001">Stored Data Manipulation</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1480">Execution Guardrails</a>, <a href="/techniques/T1480">Execution Guardrails</a>: <a href="/techniques/T1480/002">Mutual Exclusion</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1106">Native API</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1195">Supply Chain Compromise</a>: <a href="/techniques/T1195/002">Compromise Software Supply Chain</a> </td> </tr> <tr> <td> <a href="/software/S0096">S0096</a> </td> <td> <a href="/software/S0096">Systeminfo</a> </td> <td> <span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. 
Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0057">S0057</a> </td> <td> <a href="/software/S0057">Tasklist</a> </td> <td> <span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </td> <td> <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0560">S0560</a> </td> <td> <a href="/software/S0560">TEARDROP</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. 
Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>, <a href="/techniques/T1012">Query Registry</a> </td> </tr> <tr> <td> <a href="/software/S0183">S0183</a> </td> <td> <a href="/software/S0183">Tor</a> </td> <td> <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span> </td> <td> <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/003">Multi-hop Proxy</a> </td> </tr> <tr> <td> <a href="/software/S0682">S0682</a> </td> <td> <a href="/software/S0682">TrailBlazer</a> </td> <td> <span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/001">Junk Data</a>, <a href="/techniques/T1001">Data Obfuscation</a>, <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/techniques/T1036">Masquerading</a> </td> </tr> <tr> <td> <a href="/software/S0636">S0636</a> </td> <td> <a href="/software/S0636">VaporRage</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1480">Execution Guardrails</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a> </td> </tr> <tr> <td> <a href="/software/S0515">S0515</a> </td> <td> <a href="/software/S0515">WellMail</a> </td> <td> <span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020."data-reference="CISA WellMail July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1571">Non-Standard Port</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0514">S0514</a> </td> <td> <a href="/software/S0514">WellMess</a> </td> <td> <span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020."data-reference="PWC WellMess C2 August 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="CISA. 
(2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020."data-reference="CISA WellMess July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021."data-reference="Cybersecurity Advisory SVR TTP May 2021"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/004">DNS</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1001">Data Obfuscation</a>: <a href="/techniques/T1001/001">Junk Data</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a 
href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/" target="_blank"> White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services" target="_blank"> UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services. Retrieved April 16, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" target="_blank"> Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise" target="_blank"> UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise. Retrieved April 16, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" target="_blank"> NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" target="_blank"> UK NCSC. 
(2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank"> CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 
</a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank"> NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" target="_blank"> Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank"> Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank"> Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank"> Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank"> Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank"> MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank"> MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank"> Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. 
(2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank"> National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank"> CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank"> PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank"> Mandiant. (2022, May 2). 
UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29" target="_blank"> Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="30"> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank"> Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank"> Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022. 
</a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank"> MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank"> Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank"> UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" target="_blank"> FireEye Labs. (2015, July). 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank"> Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank"> ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf" target="_blank"> ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/" target="_blank"> MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank"> Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank"> Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" target="_blank"> Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. 
Retrieved March 27, 2017. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank"> Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.mandiant.com/resources/russian-targeting-gov-business" target="_blank"> Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock. (2021, December 6). Suspected Russian Activity Targeting Government and Business Entities Around the Globe. Retrieved April 15, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank"> Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf" target="_blank"> Mandiant. (2022, August). Remediation and Hardening Strategies for Microsoft 365 to Defend Against APT29. Retrieved February 21, 2023. 
</a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns" target="_blank"> Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. Retrieved August 3, 2022. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/" target="_blank"> Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank"> Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 
</a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank"> CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 
Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-relationships.js"></script> </body> </html>
