Messy Adventures of Cozy Bear

Aliases: APT29, The Dukes, Cozy Bear, CozyDuke

Cozy Bear, also known as APT29, is a Russian state-sponsored advanced persistent threat (APT) group; in April 2021 the US and UK governments publicly attributed it to Russia's Foreign Intelligence Service (SVR). The group has been active since at least 2008 and has been linked to several high-profile cyber espionage operations, including the 2016 compromise of the Democratic National Committee (DNC) in the United States and the 2020 SolarWinds Orion supply chain compromise covered in the technique table below. Cozy Bear is known for disciplined, low-noise tradecraft, heavy reliance on legitimate credentials and cloud identities, and its ability to remain undetected for long periods within compromised networks.

Indicators of Compromise

pdf-docs.online
stopke-essen.de
recovery-activity-identification.site
youmiuri.com
appsprovider.com
domainingdirectory.com
identifier-service-review.site
lm-classiccars.de
datazr.com
limoservicecompany.com
worldhomeoutlet.com
rss2.org
drive-share.live
http.ddspadus.com
content.pcmsar.net
autohausnords.com
lemmenslecouter.net.bmw.be.eh-loc.de
galatinonews.com
rmssrv3.ru
editprod.waterfilter.in.ua
www.ciphertechsolutions.com
static.theyardservice.com
2055.site
efax.pfdregistry.net
blog.cluster25.duskrise.com
000000027.xyz
g.yourgoldenthimble.com
landing-polygon.pw
swipeservice.com
emergencystreet.com
autohaus-landharr.de
company.co.kr
usaid.theyardservice.com
maybyrne.co.uk
gnadptech.com
mappsglobal.com
drive-docs.com
32689657.xyz
pdf-cloud.online
name4050.com
32689658.xyz
muslimnewsdaily.com
protect-link.online
file-milgov.systems
docs-info.com
nco2.live
autohaus-buschgbr.de
fqtel.com
haesungtech.com
globel-auto.de
docs-shared.com
kandertalgarage.eh-loc.de
ms-o.online
hurricanepub.com
ebookstorelive.com
hpsj.firewall-gateway.net
skode-auto.de
cramer-schmits.de
1833.site
srfnetwork.org
1cloudserver.com
1000018.xyz
trendignews.com
stsnews.com
hu-s.online
autohuas-hesse.de
autohuas-e-c.de
4895458025-4545445-222435-9635794543-3242314342-234123423728.space
web.livitrentals.com
consumerpanel.eu3.biz
insta.reduct.ru
bu-s.online
globesoftwares.com
sense4baby.fr
protection-office.live
login.8hf57.online
communication-shield.site
ioxmesh.com
ftp.bornagroup.ir
mobilnweb.com
continuetogo.me
sabe-motors.bundauto.com
www.cderlearn.com
moneybac.ru
customers-verification-identifier.site
game.newfreepre.com
aspadmin.org
pharaosjournal.com
xrlinks.com
email.theyardservice.com
ns-s.online
www.ksd874r.online
bigtopweb.com
tacomanewspaper.com
wsuslink.com
km-s.online
consumerpanel.eu3.org
sharecrackapps.com
reclubpress.com
documents-pdf.online
16868138130.space
addirondackdodge.com
recovery-service-activity.site
stairwell.com
15052021.space
littjohnwilhap.ru
midcitylanews.com
www.hyundaiphulam.vn
updateservicecenter.blogspot.com
satkas.waw.pl
theadminforum.com
eyetechltd.com
proton-docs.com
aftercould.com
uk-s.online
edge-chrome.com
windowsupdatecdn.com
ritsoperrol.ru
rmssrv2.ru
imap.webdignusdata.com
differentfor.com
reyweb.com
car-place-rhienland.de
apexwebtech.com
picture.jpg.email
m.yourgoldenthimble.com
autohause-meissner.de
autohous-lips.de
proton-viewer.com
techforefront.com
www.disktest.com
timachinary.nl
enpport.com
smtp2.theyardservice.com
bigdataanalysts.com
onetechcompany.com
cdsa.xyz
consumerspanelsrv.eu3.org
99kg.site
turbocell.ir
readnewshot.com
kompartpomiar.pl
datacentreonline.com
fa-automobilie.de
assetdata.net
asa-automobilie.com
bundauto.com
olapdatabase.com
kitten-268.frge.io
auto-falkanhahn.de
autonetonline.com
sherence.ru
service-activity-session.online
megatoolkit.com
aimsecurity.net
caravan-spezialistan.de
softweblinks.com
protectpanel.eu3.biz
infinitysoftwares.com
microtransito.com
name1d.site
eh-loc.de
disknxt.com
dataplane.theyardservice.com
actualityworld.com
co-s.online
ksbyz.jelikob.ru
33655990.cyou
gosloto.site
rmssrv4.ru
wilcarobbe.com
1000020.xyz
web.yourgoldenthimble.com
storagewithoutborders.com
unitedyfl.com
computerrepublic.com
2f9348243249382479234343284324023432748892349702394023.xyz
imap.newlylab.com
groupschumecher.com
mail.reclubpress.com
ebbcloud.com
digitalphotohub.com
fiat-amenn.de
documents-cloud.online
9832473219412342343423243242364-34939246823743287468793247237.site
installcb.online
pdf-shared.online
pcmsar.net
auto-viotel.de
cache-dns.com
autohaus-schreoter.info
topwebservers.com
auto-centers.eu
santandbnkplc.turbocell.ir
www.specialityllc.com
productpitfalls.com
g.livitrentals.com
9348243249382479234343284324023432748892349702394023.xyz
na-w.online
login.ksd874r.online
stockmarketon.com
yereto.de
techiefly.com
diamondglobalnetwork.com
review-session-confirmation.site
hyundaiphulam.vn
autoland-ls.de
protectionmail.online
armrvrholo.com
datatidy.com
nikeoutletinc.org
updaterweb.com
ipadsreview.org
filetransfer.club
dailydews.com
cache-docs.com
sseekk.xyz
turnscor.com
1681683130.website
autozantrum-cloppenburg.de
techspaceinfo.com
428xck72m4.dattolocal.net
2215.site
ww1.systemlowcheck.com
atlasautomobiles.de
vmdisk.com
6b4s.popmonster.ru
crossfity.com
rommacaravanservice.nl
kdr.zarkada.ru
outlook.live
console.save
newsplacec.com
partner.skode-auto.de
mn-s.online
office-protection.online
newlylab.com
m-as.online
cdn.theyardservice.com
dom-news.com
9356.popmonster.ru
docs-drive.online
hanproud.com
gallerycenter.org
newfreepre.com
freedecrease.com
www.8hf57.online
docs-cache.com
capitalseniorliving.net
kfzrieter.de
rollver.com
officehoster.com
mymodule.waterfilter.in.ua
mail.sartoc.com
eye-watch.in
ostgotahusbilsuthynring.de
financialmarket.org
hypertextteches.com
cloud-docs.com
gdbcloud.com
webdignusdata.com
74d6b7b2.app.giftbox4u.com
m0s65.online
www.runblerx.com
support.net
graphicscodex.net
globalsection.org
coronavirus5g.site
spffusa.org
bornagroup.ir
getstatpro.com
documents-cloud.com
update.softhouse.store
livitrentals.com
theyardservice.com
1221.site
auto-kerl-gmbh.de
cityloss.com
ve0.popmonster.ru
cross-checking.com
va-s.online
newstepsco.com
giftbox4u.com
carnextauction.com
calacatta.com
ra-s.online
webpp.com
securitysystemnews.com
wethe6and9.ca
websitesline.com
gu-s.online
m.livitrentals.com
www.atomicmatryoshka.com
accessverification.online
one2shoppee.com
proton-view.online
summit-files.com
q.livitrentals.com
b.popmonster.ru
xre.popmonster.ru
ryaxtech.com
doggroomingnews.com
crochetnews.com
kamikirim.my.id
service-manager-notifications.info
q.yourgoldenthimble.com
verify-service-activity.site
sueverkreup.de
bfilmnews.com
softwarelaunches.com
weissner-tuning.de
yourgoldenthimble.com
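
The list above mixes attacker-registered apexes (many hosts under theyardservice.com, livitrentals.com, yourgoldenthimble.com and popmonster.ru), single hosts on zones shared with unrelated tenants (blogspot.com, dattolocal.net, firewall-gateway.net), country-code second-level domains (co.uk, in.ua, waw.pl), and a few hosts of security vendors that published on APT29 (stairwell.com, blog.cluster25.duskrise.com) that look like they were scraped from reports rather than being attacker infrastructure. The Python below is an added example, not part of the original page: it normalises such a list into a blockable zone set, an exact-host set and a review set, then matches DNS query logs against it on label boundaries so that nottheyardservice.com and theyardservice.com.example.org are not false hits. The suffix table, the shared-zone set, the review set and the DNS log format are all assumptions of mine, marked in the code; use the Public Suffix List and your resolver's real log format in production.

```python
"""Normalise a domain indicator list and match DNS query logs against it.

Added example for this page; not from the original. The suffix table, shared-zone
set, review set and the log line format are assumptions.
"""
from __future__ import annotations

import re
from typing import Callable

# Assumption: tiny stand-in for the Public Suffix List, covering only the
# multi-label public suffixes that occur in the indicator list above.
PUBLIC_SUFFIXES_2 = {"co.uk", "in.ua", "waw.pl", "my.id", "co.kr"}

# Assumption: zones shared by many unrelated tenants (blog hosting, vendor relays,
# dynamic DNS). Only the exact host is an indicator; blocking the zone is overbroad.
SHARED_ZONES = {"blogspot.com", "dattolocal.net", "firewall-gateway.net", "eu3.biz", "eu3.org", "frge.io"}

# Assumption: analyst review list for entries that look like reporting-vendor hosts
# or generic services rather than attacker infrastructure.
REVIEW_FIRST = {"stairwell.com", "duskrise.com", "outlook.live", "support.net"}

HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+)")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) using the small suffix table."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES_2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(iocs: list[str]) -> dict[str, set[str]]:
    """Split raw indicators into blockable zones, exact hosts, review items and junk."""
    out: dict[str, set[str]] = {"block_zone": set(), "block_host": set(), "review": set(), "invalid": set()}
    for raw in iocs:
        host = raw.strip().lower().rstrip(".")
        if not HOST_RE.match(host):
            out["invalid"].add(raw)
            continue
        apex = registrable_domain(host)
        if apex in REVIEW_FIRST:
            out["review"].add(host)
        elif apex in SHARED_ZONES:
            out["block_host"].add(host)
        else:
            out["block_zone"].add(apex)
    return out


def make_matcher(classes: dict[str, set[str]]) -> Callable[[str], str | None]:
    """Matcher that honours label boundaries: a hit is the exact host or a query
    name that ends in '.<zone>', never a plain substring match."""
    zones, hosts = classes["block_zone"], classes["block_host"]

    def match(qname: str) -> str | None:
        q = qname.lower().rstrip(".")
        if q in hosts:
            return q
        labels = q.split(".")
        for i in range(len(labels) - 1):  # never test a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in zones:
                return candidate
        return None

    return match


def scan_dns_log(lines: list[str], match: Callable[[str], str | None]) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched indicator) for every hit."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        hit = match(m["qname"])
        if hit:
            hits.append((m["ts"], m["client"], m["qname"], hit))
    return hits


# Subset of the list above plus the edge cases the code must get right.
SAMPLE_IOCS = [
    "usaid.theyardservice.com", "cdn.theyardservice.com", "theyardservice.com",
    "maybyrne.co.uk", "editprod.waterfilter.in.ua", "satkas.waw.pl",
    "updateservicecenter.blogspot.com", "428xck72m4.dattolocal.net",
    "stairwell.com", "blog.cluster25.duskrise.com", "picture.jpg.email", "not a host",
]

# Constructed resolver log lines (the format is an assumption, not any product's).
SAMPLE_DNS_LOG = [
    "2021-05-27T14:02:11Z 10.1.4.22 query: dataplane.theyardservice.com",
    "2021-05-27T14:02:12Z 10.1.4.22 query: theyardservice.com.example.org",
    "2021-05-27T14:02:13Z 10.1.4.57 query: nottheyardservice.com",
    "2021-05-27T14:03:40Z 10.1.9.8 query: updateservicecenter.blogspot.com",
    "2021-05-27T14:03:41Z 10.1.9.8 query: someoneelse.blogspot.com",
    "2021-05-27T14:05:02Z 10.1.2.3 query: www.maybyrne.co.uk.",
]

if __name__ == "__main__":
    classes = classify(SAMPLE_IOCS)
    for kind, items in classes.items():
        print(f"{kind}: {sorted(items)}")
    for hit in scan_dns_log(SAMPLE_DNS_LOG, make_matcher(classes)):
        print("HIT", *hit)
```

Three of the six constructed queries hit: the theyardservice.com subdomain, the exact blogspot.com host, and the co.uk lookup with a trailing dot. The two look-alikes and the unrelated blogspot.com tenant do not.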

APT Groups

APT 29 (Russian Federation)
Also tracked as: NobleBaron, Dark Halo, Yttrium, SolarStorm, Cloaked Ursa, Nobelium, Minidionis, StellarParticle, BlueBravo, Midnight Blizzard, TEMP.Monkeys, APT 29, Cranefly, Iron Hemlock, SilverFish, Cozy Bear, Grizzly Steppe, Blue Dev 5, ITG11, Iron Ritual, CloudLook, Group 100, ATK 7, The Dukes, Solar Phoenix, UNC2452, UNC3524

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Domain | ID | Name (the Use column follows each row as a paragraph)

Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control

APT29 has bypassed UAC.[24]

Enterprise | T1087 | Account Discovery

APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[12]

Enterprise | T1087.002 | Account Discovery: Domain Account

APT29 has used PowerShell to discover domain accounts by executing Get-ADUser and Get-ADGroupMember.[17][14]

Enterprise | T1087.004 | Account Discovery: Cloud Account

APT29 has conducted enumeration of Azure AD accounts.[25]

Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials

APT29 has added credentials to OAuth Applications and Service Principals.[26][17]

Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions

APT29 added their own devices as allowed device IDs for ActiveSync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added permissions (such as Mail.Read and Mail.ReadWrite) to compromised Applications or Service Principals.[12][26][25]

Enterprise | T1098.003 | Account Manipulation: Additional Cloud Roles

APT29 has granted company administrator privileges to a newly created service principal.[17]

Enterprise | T1098.005 | Account Manipulation: Device Registration

APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.[12]

Enterprise | T1583.001 | Acquire Infrastructure: Domains

APT29 has acquired C2 domains, sometimes through resellers.[10][27][18]

Enterprise | T1583.006 | Acquire Infrastructure: Web Services

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.[28][18]

Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning

APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.[13]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

APT29 has used HTTP for C2 and data exfiltration.[12]

Enterprise | T1560.001 | Archive Collected Data: Archive via Utility

APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 has also compressed text files into zipped archives.[12][29][17]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT29 added Registry Run keys to establish persistence.[24]

Enterprise | T1110.003 | Brute Force: Password Spraying

APT29 has conducted brute force password spray attacks.[20][25]
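
Password spraying is a few attempts per account across many accounts, so a per-account lockout counter never fires. The detector below, an added example written for this page and not from the original, pivots on the source IP instead: within a sliding window it counts the distinct accounts that failed with the invalid-password error and flags the source when that count is high while the per-account attempt count stays low, and it lists any account from the same source that got past the password check (a success, or an MFA interruption, which means the password was right). Field names follow the Microsoft Graph signIn schema (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and the error codes are Microsoft's documented values; the sign-in records themselves are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
"""Detect password spraying in Entra ID / Azure AD style sign-in records.

Added example for this page, not from the original. The records are constructed;
the thresholds are assumptions to tune.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft's documented sign-in error codes.
BAD_PASSWORD = {50126}               # invalid username or password
PASSED_PASSWORD = {0, 50074, 50076}  # success, or MFA interruption after a correct password


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=60), min_accounts=10, max_per_account=3):
    """One alert per source IP whose busiest window shows >= min_accounts distinct
    accounts failing on password, each at most max_per_account times (a spray, not
    a brute force of one account)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(
            (parse_ts(e["createdDateTime"]), e["userPrincipalName"].lower(), e["status"]["errorCode"])
        )

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        best_fails: dict[str, int] = {}
        best_span: list = []
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:  # advance window end
                j += 1
            fails = defaultdict(int)
            for _, upn, code in evs[i:j]:
                if code in BAD_PASSWORD:
                    fails[upn] += 1
            if len(fails) > len(best_fails):
                best_fails, best_span = dict(fails), evs[i:j]
        if best_fails and len(best_fails) >= min_accounts and max(best_fails.values()) <= max_per_account:
            alerts.append({
                "ip": ip,
                "window_start": best_span[0][0].isoformat(),
                "distinct_accounts": len(best_fails),
                "failed_attempts": sum(best_fails.values()),
                # accounts the sprayer got a valid password for from this source
                "password_valid_for": sorted({upn for _, upn, code in best_span if code in PASSED_PASSWORD}),
            })
    return alerts


def _ev(ts: str, upn: str, ip: str, code: int) -> dict:
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sign-in records: one IP sprays twelve accounts once each and lands one
# password (MFA interrupt), another IP hammers a single account, a third is a normal login.
SAMPLE_SIGNINS = (
    [_ev(f"2021-05-27T08:{m:02d}:00Z", f"user{m:02d}@example.org", "203.0.113.7", 50126) for m in range(1, 13)]
    + [_ev("2021-05-27T08:14:00Z", "user05@example.org", "203.0.113.7", 50076)]
    + [_ev(f"2021-05-27T08:{m:02d}:30Z", "alice@example.org", "198.51.100.4", 50126) for m in range(1, 6)]
    + [_ev("2021-05-27T09:00:00Z", "bob@example.org", "192.0.2.10", 0)]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

APT29 has sprayed from large pools of residential proxy addresses, so a single IP is the weakest pivot; in practice key the same window logic on ASN, user agent or client application ID as well, and lower min_accounts accordingly.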

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and execute other commands.[12][30][31][24][32][17][33][15]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

APT29 used cmd.exe to execute commands on remote machines.[12][30]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic

APT29 has written malware variants in Visual Basic.[13]

Enterprise | T1059.006 | Command and Scripting Interpreter: Python

APT29 has developed malware variants written in Python.[22]

Enterprise | T1586.002 | Compromise Accounts: Email Accounts

APT29 has compromised email accounts to further enable phishing campaigns.[34]

Enterprise | T1584.001 | Compromise Infrastructure: Domains

APT29 has compromised domains to use for C2.[10]

Enterprise | T1136.003 | Create Account: Cloud Account

APT29 can create new users through Azure AD.[25]

Enterprise | T1555 | Credentials from Password Stores

APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[29]

Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers

APT29 has stolen users' saved passwords from Chrome.[17]

Enterprise | T1213 | Data from Information Repositories

APT29 has accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.[17]

Enterprise | T1213.003 | Data from Information Repositories: Code Repositories

APT29 has downloaded source code from code repositories.[35]

Enterprise | T1005 | Data from Local System

APT29 has extracted files from compromised networks.[12]

Enterprise | T1001.002 | Data Obfuscation: Steganography

APT29 has used steganography to hide C2 communications in images.[22]

Enterprise | T1074.002 | Data Staged: Remote Data Staging

APT29 staged data and files in password-protected archives on a victim's OWA server.[12]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

APT29 used 7-Zip to decode its Raindrop malware.[36]

Enterprise | T1587.001 | Develop Capabilities: Malware

APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group.[9][11][29]

Enterprise | T1587.003 | Develop Capabilities: Digital Certificates

APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.[37][38]

Enterprise | T1484.002 | Domain Policy Modification: Domain Trust Modification

APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[39][14]

Enterprise | T1482 | Domain Trust Discovery

APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[12] They also used AdFind to enumerate domains and to discover trust between federated domains.[29][17]

Enterprise | T1568 | Dynamic Resolution

APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[12]

Enterprise | T1114.002 | Email Collection: Remote Email Collection

APT29 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[12][13]

Enterprise | T1573 | Encrypted Channel

APT29 has used multiple layers of encryption within malware to protect C2 communication.[15]

Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT29 has used WMI event subscriptions for persistence.[24][22][39][29]

Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features

APT29 abused the Sticky Keys accessibility feature (sethc.exe) to obtain unauthenticated, privileged console access.[24][40]

Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[12]

Enterprise | T1190 | Exploit Public-Facing Application

APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[23][12][13]

Enterprise | T1203 | Exploitation for Client Execution

APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.[3][13][18]

Enterprise | T1068 | Exploitation for Privilege Escalation

APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.[33]

Enterprise | T1133 | External Remote Services

APT29 has used compromised identities to access networks via SSH, VPNs, and other remote access tools.[10][23][17]

Enterprise | T1083 | File and Directory Discovery

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[12]

Enterprise | T1606.001 | Forge Web Credentials: Web Cookies

APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[12]

Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens

APT29 created tokens using compromised SAML signing certificates.[26][14]

Enterprise | T1589.001 | Gather Victim Identity Information: Credentials

APT29 has conducted credential theft operations to obtain credentials to be used for access to victim environments.[17]

Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools

APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[29]

Enterprise | T1562.002 | Impair Defenses: Disable Windows Event Logging

APT29 used AUDITPOL to prevent the collection of audit logs.[29]

Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall

APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[29]

Enterprise | T1070 | Indicator Removal

APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[9]

Enterprise | T1070.004 | Indicator Removal: File Deletion

APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims.[9][24]

Enterprise | T1070.006 | Indicator Removal: Timestomp

APT29 modified timestamps of backdoors to match legitimate Windows files.[29]

Enterprise | T1070.008 | Indicator Removal: Clear Mailbox Data

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[12]
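
The Exchange tradecraft on this page (Set-CASMailbox to allow an attacker device for ActiveSync, New-MailboxExportRequest to export a mailbox, Remove-MailboxExportRequest to hide the request afterwards) all lands in the Exchange admin audit log, because those cmdlets change state. The Get-* cmdlets mentioned above (Get-ManagementRoleAssignment, Get-MailboxExportRequest, Get-AcceptedDomain, Get-WebServicesVirtualDirectory) are not recorded there, so they cannot be hunted from this source. The Python below is an added example, not from the page, that runs over records shaped like on-premises Search-AdminAuditLog output (Caller, CmdletName, CmdletParameters as Name/Value pairs, RunDate, ObjectModified; the same cmdlet names appear as ExchangeAdmin records in the Exchange Online unified audit log). The records are constructed, and the web-served staging path markers are my assumption based on the page's note that archives were staged on the OWA server.

```python
"""Hunt Exchange admin audit log records for mailbox export and ActiveSync device abuse.

Added example for this page; not from the original. The record shape mirrors
Search-AdminAuditLog output; the records themselves are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Assumption: path fragments that mean the export was written somewhere IIS serves,
# i.e. staged for retrieval over HTTPS as the page describes.
WEB_STAGING_MARKERS = ("\\inetpub\\", "\\frontend\\httpproxy\\", "\\owa\\auth\\")


def param(rec: dict, name: str):
    """Value of one cmdlet parameter from the Name/Value pairs in CmdletParameters."""
    for p in rec.get("CmdletParameters", []):
        if p["Name"].lower() == name.lower():
            return p["Value"]
    return None


def hunt_exchange_admin_audit(records: list[dict], cleanup_window=timedelta(hours=24)) -> list[dict]:
    recs = sorted(records, key=lambda r: r["RunDate"])
    exports: list[tuple[datetime, str]] = []
    findings: list[dict] = []
    for r in recs:
        t = datetime.strptime(r["RunDate"], "%Y-%m-%dT%H:%M:%SZ")
        cmd = r["CmdletName"].lower()
        if cmd == "new-mailboxexportrequest":
            path = (param(r, "FilePath") or "").lower()
            exports.append((t, r["Caller"]))
            findings.append({
                "type": "mailbox_export", "time": r["RunDate"], "caller": r["Caller"],
                "mailbox": param(r, "Mailbox"), "file_path": param(r, "FilePath"),
                "web_staged": any(marker in path for marker in WEB_STAGING_MARKERS),
            })
        elif cmd == "remove-mailboxexportrequest":
            # Export followed by cleanup from the same caller (T1114.002 then T1070.008).
            for export_time, caller in exports:
                if caller == r["Caller"] and timedelta(0) <= t - export_time <= cleanup_window:
                    findings.append({
                        "type": "export_then_remove", "caller": caller,
                        "export_time": export_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "remove_time": r["RunDate"], "request": param(r, "Identity"),
                    })
                    break
        elif cmd == "set-casmailbox" and param(r, "ActiveSyncAllowedDeviceIDs") is not None:
            # A device being allow-listed for ActiveSync on someone else's mailbox (T1098.005).
            findings.append({
                "type": "activesync_device_allowed", "time": r["RunDate"], "caller": r["Caller"],
                "mailbox": param(r, "Identity"), "device_ids": param(r, "ActiveSyncAllowedDeviceIDs"),
            })
    return findings


# Constructed audit records: one service account exports the CEO mailbox to a web-served
# path, removes the request, and allow-lists a device; a helpdesk change and a legal-hold
# export provide benign contrast.
SAMPLE_AUDIT = [
    {"RunDate": "2020-06-01T02:10:00Z", "Caller": "corp.example/Users/svc-backup",
     "CmdletName": "New-MailboxExportRequest", "ObjectModified": "corp.example/Users/CEO",
     "CmdletParameters": [{"Name": "Mailbox", "Value": "ceo@corp.example"},
                          {"Name": "FilePath", "Value": r"\\EXCH01\c$\inetpub\wwwroot\aspnet_client\ceo.pst"}]},
    {"RunDate": "2020-06-01T02:25:00Z", "Caller": "corp.example/Users/svc-backup",
     "CmdletName": "Remove-MailboxExportRequest", "ObjectModified": "corp.example/Users/CEO",
     "CmdletParameters": [{"Name": "Identity", "Value": "CEO\\MailboxExport"}]},
    {"RunDate": "2020-06-01T02:31:00Z", "Caller": "corp.example/Users/svc-backup",
     "CmdletName": "Set-CASMailbox", "ObjectModified": "corp.example/Users/CEO",
     "CmdletParameters": [{"Name": "Identity", "Value": "ceo@corp.example"},
                          {"Name": "ActiveSyncAllowedDeviceIDs", "Value": ["SEC1A2B3C4D5E6F"]}]},
    {"RunDate": "2020-06-01T09:00:00Z", "Caller": "corp.example/Users/helpdesk1",
     "CmdletName": "Set-CASMailbox", "ObjectModified": "corp.example/Users/Bob",
     "CmdletParameters": [{"Name": "Identity", "Value": "bob@corp.example"}, {"Name": "OWAEnabled", "Value": "False"}]},
    {"RunDate": "2020-06-02T10:00:00Z", "Caller": "corp.example/Users/legal-hold",
     "CmdletName": "New-MailboxExportRequest", "ObjectModified": "corp.example/Users/Bob",
     "CmdletParameters": [{"Name": "Mailbox", "Value": "bob@corp.example"},
                          {"Name": "FilePath", "Value": r"\\FS01\ediscovery\bob.pst"}]},
]

if __name__ == "__main__":
    for finding in hunt_exchange_admin_audit(SAMPLE_AUDIT):
        print(finding)
```

Every New-MailboxExportRequest is surfaced, since exports are rare enough to review one by one; the export-then-remove pair and the web-served staging path are what separate the svc-backup activity from the legal-hold export, and the ActiveSync allow-list change stands on its own.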

Enterprise | T1105 | Ingress Tool Transfer

APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.[9]

Enterprise | T1036 | Masquerading

APT29 has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.[9]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[12]
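
Masquerading a task under \Microsoft\Windows\ only works if nobody compares the task's path with what it actually executes. The Python below, added here and not from the page, parses exported task XML (from schtasks /query /xml, or the files under C:\Windows\System32\Tasks decoded from UTF-16) and flags tasks in the OS-owned namespace whose Exec command lives outside system directories, plus tasks whose command is a proxy-execution binary such as rundll32.exe or mshta.exe with arguments, which this page also records APT29 using. The trusted directory list, the proxy-binary set and the three task definitions are constructed assumptions; none of them is a real Windows task.

```python
"""Flag scheduled tasks that hide in the \\Microsoft\\Windows\\ namespace but run
from untrusted paths or through proxy-execution binaries.

Added example for this page; not from the original. Task definitions, trusted
directories and the proxy-binary set are constructed assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: where tasks in the OS-owned namespace are expected to run from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: binaries that execute someone else's code when given arguments.
PROXY_BINARIES = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "cmd.exe"}


def analyse_task_xml(task_xml: str) -> dict:
    """Return the task URI, its Exec commands and the reasons (if any) it looks suspicious."""
    root = ET.fromstring(task_xml)
    uri = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or "").strip()
    in_os_namespace = uri.lower().startswith("\\microsoft\\windows\\")
    reasons: list[str] = []
    commands: list[str] = []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        commands.append(cmd)
        low = cmd.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
        exe = low.rsplit("\\", 1)[-1]
        if in_os_namespace and not low.startswith(TRUSTED_DIRS):
            reasons.append(f"OS-namespace task runs from untrusted path: {cmd}")
        if exe in PROXY_BINARIES and args:
            reasons.append(f"proxy-execution binary with arguments: {exe} {args}")
    return {"uri": uri, "commands": commands, "suspicious": bool(reasons), "reasons": reasons}


# Constructed task XML, modelled on the name the page reports APT29 using.
TASK_MASQUERADE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Temp\EventCacheManager.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: OS namespace, system binary, no proxy execution.
TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\ConstructedBenignTask</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\sc.exe</Command><Arguments>start sppsvc</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed task that runs from a trusted path but proxies a DLL from ProgramData.
TASK_RUNDLL32 = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\CacheRefresh</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\ProgramData\cache.dll,Start</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (TASK_MASQUERADE, TASK_BENIGN, TASK_RUNDLL32):
        print(analyse_task_xml(xml_text))
```

Run it over every task on a host and diff against a known-good image; the page also records APT29 editing an existing legitimate task and then restoring it, so a point-in-time scan should be paired with Security event 4702 (task updated) from the event log.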

Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location

APT29 renamed software and DLLs with legitimate names to appear benign.[12][30][16]

Enterprise | T1556.007 | Modify Authentication Process: Hybrid Identity

APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.[41]

Enterprise | T1621 | Multi-Factor Authentication Request Generation

APT29 has used repeated MFA requests to gain access to victim accounts.[42]

Enterprise | T1095 | Non-Application Layer Protocol

APT29 has used TCP for C2 communications.[32]

Enterprise | T1027 | Obfuscated Files or Information

APT29 has used encoded PowerShell commands.[32]

Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding

APT29 has used large file sizes to avoid detection.[16]

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing

APT29 used UPX to pack files.[24]

Enterprise | T1027.006 | Obfuscated Files or Information: HTML Smuggling

APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.[33]

Enterprise | T1588.002 | Obtain Capabilities: Tool

APT29 has obtained and used a variety of tools, including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.[24][3][32]

Enterprise | T1003.006 | OS Credential Dumping: DCSync

APT29 leveraged privileged accounts to replicate directory service data with domain controllers.[39][29][17]

Enterprise | T1069 | Permission Groups Discovery

APT29 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[12]

Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups

APT29 has used AdFind to enumerate domain groups.[17]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.[3][32][22][18][33][15]

Enterprise | T1566.002 | Phishing: Spearphishing Link

APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[24][18][43]

Enterprise | T1566.003 | Phishing: Spearphishing via Service

APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.[13]

Enterprise | T1057 | Process Discovery

APT29 has used multiple command-line utilities to enumerate running processes.[12][29][17]

Enterprise | T1090.001 | Proxy: Internal Proxy

APT29 has used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.[36][17]

Enterprise | T1090.003 | Proxy: Multi-hop Proxy

A backdoor used by APT29 created a Tor hidden service that forwarded traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network. APT29 has also used Tor more generally.[24][25]

Enterprise | T1090.004 | Proxy: Domain Fronting

APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[24]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol

APT29 has used RDP sessions from public-facing systems to internal servers.[17]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares

APT29 has used administrative accounts to connect over SMB to targeted users.[17]

Enterprise | T1021.006 | Remote Services: Windows Remote Management

APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.[36]

Enterprise | T1018 | Remote System Discovery

APT29 has used AdFind to enumerate remote systems.[29]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

APT29 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.[12] They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.[9] APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted during the 2020 SolarWinds intrusion.[11] They previously used named and hijacked scheduled tasks to also establish persistence.[24]

Enterprise | T1505.003 | Server Software Component: Web Shell

APT29 has installed web shells on exploited Microsoft Exchange servers.[13]

Enterprise | T1649 | Steal or Forge Authentication Certificates

APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.[44]

Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting

APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) to crack offline.[29]

Enterprise | T1539 | Steal Web Session Cookie

APT29 has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.[17]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing

APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[9]

Enterprise | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass

APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.[33]

Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain

APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.[9][13][14][25]

Enterprise | T1218.005 | System Binary Proxy Execution: Mshta

APT29 has used mshta to execute malicious scripts on a compromised host.[33]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

APT29 has used Rundll32.exe to execute payloads.[26][29][32]

Enterprise | T1082 | System Information Discovery

APT29 used fsutil to check available free space before executing actions that might create large files on disk.[29]

Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery

APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.[10]

Enterprise | T1199 | Trusted Relationship

APT29 has gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.[13][17][25]

Enterprise | T1552.004 | Unsecured Credentials: Private Keys

APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[39][13]

Enterprise | T1550 | Use Alternate Authentication Material

APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services.[39][14]
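
A forged SAML token (whether signed with a stolen AD FS signing key, as in T1552.004 and T1606.002 above, or accepted because the federation trust was modified, T1484.002) is consumed by the cloud side without the on-premises federation service ever having issued it. That gives a correlation check: every Azure AD sign-in that says AD FS issued the token should have a matching AD FS issuance event for that user close in time. The Python below is an added example, not from the page or any vendor. The sign-in fields (createdDateTime, userPrincipalName, ipAddress, appDisplayName, tokenIssuerType) follow the Microsoft Graph signIn schema; the AD FS record shape (EventID 1200, a UserId and TimeCreated) is a simplified assumption about what you would extract from the 1200 event's XML once AD FS auditing is on; all records are constructed. A federated sign-in with no issuance event within the tolerance is either a forged token or a collection gap, so treat it as a lead to triage rather than proof.

```python
"""Find cloud sign-ins that claim an AD FS-issued token but have no matching
AD FS token issuance event.

Added example for this page; not from the original. The sign-in fields follow the
Microsoft Graph signIn schema; the AD FS event shape is a simplified assumption;
all records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200  # AD FS audit event: "The Federation Service issued a valid token."


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unbacked_federated_signins(signins, adfs_events, tolerance=timedelta(minutes=5)):
    """Federated sign-ins with no AD FS issuance for the same user within the tolerance."""
    issued = defaultdict(list)
    for ev in adfs_events:
        if ev["EventID"] == ADFS_TOKEN_ISSUED:
            issued[ev["UserId"].lower()].append(parse_ts(ev["TimeCreated"]))

    suspects = []
    for s in signins:
        if s.get("tokenIssuerType") != "ADFederationServices":
            continue  # cloud-native authentication: AD FS was not involved, nothing to correlate
        t = parse_ts(s["createdDateTime"])
        upn = s["userPrincipalName"].lower()
        nearest = min((abs(t - issue_time) for issue_time in issued.get(upn, [])), default=None)
        if nearest is None or nearest > tolerance:
            suspects.append({
                "user": upn, "time": s["createdDateTime"], "ip": s["ipAddress"], "app": s["appDisplayName"],
                "nearest_adfs_issuance_minutes": None if nearest is None else round(nearest.total_seconds() / 60),
            })
    return suspects


# Constructed AD FS issuance events (collected from every farm node, or the gaps are yours).
SAMPLE_ADFS_EVENTS = [
    {"EventID": 1200, "TimeCreated": "2021-05-27T10:00:03Z", "UserId": "alice@corp.example"},
    {"EventID": 1200, "TimeCreated": "2021-05-27T09:00:00Z", "UserId": "dave@corp.example"},
    {"EventID": 1202, "TimeCreated": "2021-05-27T10:00:02Z", "UserId": "alice@corp.example"},
]

# Constructed Azure AD sign-ins: alice is backed by AD FS, carol is cloud-native,
# bob and dave present AD FS tokens that AD FS never issued around that time.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-05-27T10:00:05Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "203.0.113.20", "appDisplayName": "Office 365 Exchange Online", "tokenIssuerType": "ADFederationServices"},
    {"createdDateTime": "2021-05-27T10:30:00Z", "userPrincipalName": "bob@corp.example",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Graph", "tokenIssuerType": "ADFederationServices"},
    {"createdDateTime": "2021-05-27T10:45:00Z", "userPrincipalName": "carol@corp.example",
     "ipAddress": "203.0.113.21", "appDisplayName": "Azure Portal", "tokenIssuerType": "AzureAD"},
    {"createdDateTime": "2021-05-27T11:00:00Z", "userPrincipalName": "dave@corp.example",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Graph", "tokenIssuerType": "ADFederationServices"},
]

if __name__ == "__main__":
    for suspect in unbacked_federated_signins(SAMPLE_SIGNINS, SAMPLE_ADFS_EVENTS):
        print(suspect)
```

Pair this with alerts on domain federation setting changes in the Azure AD audit log, which is where the trust modification in T1484.002 shows up, and with AD FS signing certificate rotation after any suspected key theft, since a rotated key invalidates every token forged with the old one.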

Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token

APT29 has used compromised service principals to make changes to the Office 365 environment.[17]

Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket

APT29 used Kerberos ticket attacks for lateral movement.[24]

Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie

APT29 used stolen cookies to access cloud resources, and a forged duo-sid cookie to bypass MFA set on an email account.[12][17]

Enterprise | T1204.001 | User Execution: Malicious Link

APT29 has used various forms of spearphishing to get a user to click on a malicious link.[32][22][18][43]

Enterprise | T1204.002 | User Execution: Malicious File

APT29 has used various forms of spearphishing to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf files, and .lnk files.[3][32][22][33][15]

Enterprise | T1078 | Valid Accounts

APT29 used different compromised credentials for remote access and to move laterally.[9][10][13]

Enterprise | T1078.002 | Valid Accounts: Domain Accounts

APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.[22][23][17]

Enterprise | T1078.003 | Valid Accounts: Local Accounts

APT29 has used compromised local accounts to access victims' networks.[17]

Enterprise | T1078.004 | Valid Accounts: Cloud Accounts

APT29 has used a compromised O365 administrator account to create a new Service Principal.[17]

Enterprise | T1102.002 | Web Service: Bidirectional Communication

APT29 has used social media platforms to hide communications to C2 servers.[22]

Enterprise | T1047 | Windows Management Instrumentation

APT29 used WMI to steal credentials and execute backdoors at a future time.[24] They have also used WMI for the remote execution of files for lateral movement.[39][29]

ID | Name | References | Techniques
S0677 | AADInternals | [25] | Account Discovery: Cloud Account; Account Manipulation: Device Registration; Cloud Service Discovery; Command and Scripting Interpreter: PowerShell; Create Account: Cloud Account; Domain Policy Modification: Domain Trust Modification; Forge Web Credentials: SAML Tokens; Gather Victim Identity Information: Email Addresses; Gather Victim Network Information: Domain Properties; Modify Authentication Process: Multi-Factor Authentication; Modify Authentication Process: Hybrid Identity; Modify Registry; OS Credential Dumping: LSA Secrets; Permission Groups Discovery: Cloud Groups; Phishing: Spearphishing Link; Phishing for Information: Spearphishing Link; Steal Application Access Token; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Credentials In Files; Unsecured Credentials: Private Keys
S0552 | AdFind | [30][17][33] | Account Discovery: Domain Account; Domain Trust Discovery; Permission Groups Discovery: Domain Groups; Remote System Discovery; System Network Configuration Discovery
S0521 | BloodHound | [33] | Account Discovery: Local Account; Account Discovery: Domain Account; Archive Collected Data; Command and Scripting Interpreter: PowerShell; Domain Trust Discovery; Group Policy Discovery; Native API; Password Policy Discovery; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Remote System Discovery; System Owner/User Discovery
S0635 | BoomBox | [19] | Account Discovery: Domain Account; Account Discovery: Email Account; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Deobfuscate/Decode Files or Information; Execution Guardrails; Exfiltration Over Web Service: Exfiltration to Cloud Storage; File and Directory Discovery; Ingress Tool Transfer; Masquerading; Obfuscated Files or Information; System Binary Proxy Execution: Rundll32; System Information Discovery; System Owner/User Discovery; User Execution: Malicious File; Web Service
S0054 | CloudDuke | [3] | Application Layer Protocol: Web Protocols; Ingress Tool Transfer; Web Service: Bidirectional Communication
S0154 | Cobalt Strike | [32][9][13][18][19][16][33][14][43] | Abuse Elevation Control Mechanism: Bypass User Account Control; Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Access Token Manipulation: Token Impersonation/Theft; Access Token Manipulation: Parent PID Spoofing; Access Token Manipulation: Make and Impersonate Token; Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Python; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data from Local System; Data Obfuscation: Protocol Impersonation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Hide Artifacts: Process Argument Spoofing; Impair Defenses: Disable or Modify Tools; Indicator Removal: Timestomp; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Obfuscated Files or Information: Indicator Removal from Tools; Office Application Startup: Office Template Macros; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection: Process Hollowing; Process Injection: Dynamic-link Library Injection; Process Injection; Protocol Tunneling; Proxy: Internal Proxy; Proxy: Domain Fronting; Query Registry; Reflective Code Loading; Remote Services: SSH; Remote Services: SMB/Windows Admin Shares; Remote Services: Distributed Component Object Model; Remote Services: Remote Desktop Protocol; Remote Services: Windows Remote Management; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; Use Alternate Authentication Material: Pass the Hash; Valid Accounts: Local Accounts; Valid Accounts: Domain Accounts; Windows Management Instrumentation
S0050 | CosmicDuke | [3][15] | Application Layer Protocol: Web Protocols; Automated Exfiltration; Clipboard Data; Create or Modify System Process: Windows Service; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Email Collection: Local Email Collection; Encrypted Channel: Symmetric Cryptography; Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol; Exploitation for Privilege Escalation; File and Directory Discovery; Input Capture: Keylogging; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSA Secrets; Scheduled Task/Job: Scheduled Task; Screen Capture
S0046 | CozyCar | [3][15] | Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Masquerading: Rename System Utilities; Obfuscated Files or Information; OS Credential Dumping: LSASS Memory; OS Credential Dumping: Security Account Manager; Scheduled Task/Job: Scheduled Task; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Rundll32; System Information Discovery; Virtualization/Sandbox Evasion; Web Service: Bidirectional Communication
S0634 | EnvyScout | [19] | Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Deobfuscate/Decode Files or Information; Execution Guardrails; Forced Authentication; Hide Artifacts: Hidden Files and Directories; Masquerading; Obfuscated Files or Information: HTML Smuggling; Obfuscated Files or Information; Phishing: Spearphishing Attachment; System Binary Proxy Execution: Rundll32; System Information Discovery; User Execution: Malicious File
S0512 | FatDuke | [22][15] | Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: PowerShell; Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Fallback Channels; File and Directory Discovery; Indicator Removal: File Deletion; Masquerading; Native API; Obfuscated Files or Information; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Software Packing; Process Discovery; Proxy: Internal Proxy; Query Registry; System Binary Proxy Execution: Rundll32; System Information Discovery; System Network Configuration Discovery; Virtualization/Sandbox Evasion: Time Based Evasion
S0661 | FoggyWeb | [45] | Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Custom Method; Archive Collected Data: Archive via Library; Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hijack Execution Flow: DLL Search Order Hijacking; Ingress Tool Transfer; Masquerading; Masquerading: Match Legitimate Name or Location; Native API; Network Sniffing; Obfuscated Files or Information; Obfuscated Files or Information: Compile After Delivery; Process Discovery; Reflective Code Loading; Shared Modules; Unsecured Credentials: Private Keys; Use Alternate Authentication Material
S0049 | GeminiDuke | [3] | Account Discovery: Local Account; Application Layer Protocol: Web Protocols; File and Directory Discovery; Process Discovery; System Network Configuration Discovery; System Service Discovery
S0597 | GoldFinder | [10][13][19][14] | Application Layer Protocol: Web Protocols; Automated Collection; System Network Configuration Discovery: Internet Connection Discovery
S0588 | GoldMax | [10][13][18][19][14] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Data Obfuscation: Junk Data; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Exfiltration Over C2 Channel; Ingress Tool Transfer; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information; Scheduled Task/Job: Cron; Scheduled Task/Job: Scheduled Task; System Network Configuration Discovery; System Time Discovery; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: Time Based Evasion
S0037 | HAMMERTOSS | [3][15] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: PowerShell; Data Obfuscation: Steganography; Encrypted Channel: Symmetric Cryptography; Exfiltration Over Web Service: Exfiltration to Cloud Storage; Hide Artifacts: Hidden Window; Web Service: One-Way Communication
S0100 | ipconfig | [46] | System Network Configuration Discovery
S0513 | LiteDuke | [22][15] | Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Deobfuscate/Decode Files or Information; Indicator Removal: File Deletion; Ingress Tool Transfer; Obfuscated Files or Information: Steganography; Obfuscated Files or Information: Software Packing; Query Registry; Software Discovery: Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Virtualization/Sandbox Evasion: Time Based Evasion
S0175 | meek | [24] | Proxy: Domain Fronting
S0002 | Mimikatz | [3][39][17] | Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Windows Credential Manager; Credentials from Password Stores: Credentials from Web Browsers; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; OS Credential Dumping: DCSync; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Silver Ticket; Steal or Forge Kerberos Tickets: Golden Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Ticket; Use Alternate Authentication Material: Pass the Hash
S0051MiniDuke[3][22][15]Application Layer ProtocolWeb ProtocolsDynamic ResolutionDomain Generation AlgorithmsFallback ChannelsFile and Directory DiscoveryIngress Tool TransferObfuscated Files or InformationProxyInternal ProxySystem Information DiscoveryWeb ServiceDead Drop Resolver
S0637NativeZone[16]Deobfuscate/Decode Files or InformationExecution GuardrailsMasqueradingSystem Binary Proxy ExecutionRundll32User ExecutionMalicious FileVirtualization/Sandbox EvasionSystem Checks
S0039Net[46]Account DiscoveryLocal AccountAccount DiscoveryDomain AccountCreate AccountLocal AccountCreate AccountDomain AccountIndicator RemovalNetwork Share Connection RemovalNetwork Share DiscoveryPassword Policy DiscoveryPermission Groups DiscoveryLocal GroupsPermission Groups DiscoveryDomain GroupsRemote ServicesSMB/Windows Admin SharesRemote System DiscoverySystem Network Connections DiscoverySystem Service DiscoverySystem ServicesService ExecutionSystem Time Discovery
S0052OnionDuke[3][22][15]Application Layer ProtocolWeb ProtocolsDeobfuscate/Decode Files or InformationEndpoint Denial of ServiceOS Credential DumpingWeb ServiceOne-Way Communication
S0048PinchDuke[3]Application Layer ProtocolWeb ProtocolsCredentials from Password StoresCredentials from Web BrowsersCredentials from Password StoresData from Local SystemFile and Directory DiscoveryOS Credential DumpingSystem Information Discovery
S0518PolyglotDuke[22][15]Application Layer ProtocolWeb ProtocolsDeobfuscate/Decode Files or InformationIngress Tool TransferModify RegistryNative APIObfuscated Files or InformationObfuscated Files or InformationSteganographySystem Binary Proxy ExecutionRundll32Web ServiceDead Drop Resolver
S0150POSHSPY[47]Command and Scripting InterpreterPowerShellData Transfer Size LimitsDynamic ResolutionDomain Generation AlgorithmsEncrypted ChannelAsymmetric CryptographyEvent Triggered ExecutionWindows Management Instrumentation Event SubscriptionIndicator RemovalTimestompIngress Tool TransferObfuscated Files or Information
S0139PowerDuke[48]Application Window DiscoveryBoot or Logon Autostart ExecutionRegistry Run Keys / Startup FolderCommand and Scripting InterpreterWindows Command ShellData DestructionFile and Directory DiscoveryHide ArtifactsNTFS File AttributesIndicator RemovalFile DeletionIngress Tool TransferObfuscated Files or InformationSteganographyProcess DiscoverySystem Binary Proxy ExecutionRundll32System Information DiscoverySystem Network Configuration DiscoverySystem Owner/User DiscoverySystem Time Discovery
S0029PsExec[3][22]Create AccountDomain AccountCreate or Modify System ProcessWindows ServiceLateral Tool TransferRemote ServicesSMB/Windows Admin SharesSystem ServicesService Execution
S0565Raindrop[36][19][14]Deobfuscate/Decode Files or InformationMasqueradingMatch Legitimate Name or LocationMasqueradingObfuscated Files or InformationObfuscated Files or InformationSoftware PackingObfuscated Files or InformationSteganographyVirtualization/Sandbox EvasionTime Based Evasion
S0511RegDuke[22][15]Command and Scripting InterpreterPowerShellDeobfuscate/Decode Files or InformationEvent Triggered ExecutionWindows Management Instrumentation Event SubscriptionIngress Tool TransferModify RegistryObfuscated Files or InformationObfuscated Files or InformationSteganographyWeb ServiceBidirectional Communication
S0684ROADTools[25]Account DiscoveryCloud AccountAutomated CollectionCloud Service DiscoveryPermission Groups DiscoveryCloud GroupsRemote System DiscoveryValid AccountsCloud Accounts
S0195SDelete[24]Data DestructionIndicator RemovalFile Deletion
S0053SeaDuke[3][15]Application Layer ProtocolWeb ProtocolsArchive Collected DataArchive via LibraryBoot or Logon Autostart ExecutionShortcut ModificationBoot or Logon Autostart ExecutionRegistry Run Keys / Startup FolderCommand and Scripting InterpreterWindows Command ShellCommand and Scripting InterpreterPowerShellData EncodingStandard EncodingEmail CollectionRemote Email CollectionEncrypted ChannelSymmetric CryptographyEvent Triggered ExecutionWindows Management Instrumentation Event SubscriptionIndicator RemovalFile DeletionIngress Tool TransferObfuscated Files or InformationSoftware PackingUse Alternate Authentication MaterialPass the TicketValid Accounts
S0589Sibot[10][13][19][14]Application Layer ProtocolWeb ProtocolsCommand and Scripting InterpreterVisual BasicDeobfuscate/Decode Files or InformationIndicator RemovalFile DeletionIndicator RemovalIngress Tool TransferMasqueradingMatch Legitimate Name or LocationModify RegistryObfuscated Files or InformationQuery RegistryScheduled Task/JobScheduled TaskSystem Binary Proxy ExecutionMshtaSystem Binary Proxy ExecutionRundll32System Network Configuration DiscoverySystem Network Connections DiscoveryWeb ServiceWindows Management Instrumentation
S0633Sliver[13][15]Access Token ManipulationApplication Layer ProtocolWeb ProtocolsApplication Layer ProtocolDNSData EncodingStandard EncodingData ObfuscationSteganographyEncrypted ChannelSymmetric CryptographyEncrypted ChannelAsymmetric CryptographyExfiltration Over C2 ChannelFile and Directory DiscoveryIngress Tool TransferObfuscated Files or InformationProcess InjectionScreen CaptureSystem Network Configuration DiscoverySystem Network Connections Discovery
S0516SoreFang[23][46]Account DiscoveryLocal AccountAccount DiscoveryDomain AccountApplication Layer ProtocolWeb ProtocolsDeobfuscate/Decode Files or InformationExploit Public-Facing ApplicationFile and Directory DiscoveryIngress Tool TransferObfuscated Files or InformationPermission Groups DiscoveryDomain GroupsProcess DiscoveryScheduled Task/JobScheduled TaskSystem Information DiscoverySystem Network Configuration Discovery
S0559SUNBURST[9][18][14]Application Layer ProtocolDNSApplication Layer ProtocolWeb ProtocolsCommand and Scripting InterpreterVisual BasicData EncodingStandard EncodingData from Local SystemData ObfuscationJunk DataData ObfuscationProtocol ImpersonationData ObfuscationSteganographyDynamic ResolutionEncrypted ChannelSymmetric CryptographyEvent Triggered ExecutionImage File Execution Options InjectionFile and Directory DiscoveryImpair DefensesDisable or Modify ToolsIndicator RemovalFile DeletionIndicator RemovalClear PersistenceIndicator RemovalIndicator RemovalClear Network Connection History and ConfigurationsIngress Tool TransferMasqueradingMatch Legitimate Name or LocationModify RegistryObfuscated Files or InformationIndicator Removal from ToolsObfuscated Files or InformationProcess DiscoveryQuery RegistrySoftware DiscoverySecurity Software DiscoverySubvert Trust ControlsCode SigningSystem Binary Proxy ExecutionRundll32System Information DiscoverySystem Network Configuration DiscoverySystem Owner/User DiscoverySystem Service DiscoveryVirtualization/Sandbox EvasionTime Based EvasionVirtualization/Sandbox EvasionSystem ChecksWindows Management Instrumentation
S0562SUNSPOT[11][19]Access Token ManipulationData ManipulationStored Data ManipulationDeobfuscate/Decode Files or InformationExecution GuardrailsFile and Directory DiscoveryIndicator RemovalFile DeletionMasqueradingMatch Legitimate Name or LocationNative APIObfuscated Files or InformationProcess DiscoverySupply Chain CompromiseCompromise Software Supply Chain
S0096Systeminfo[46]System Information Discovery
S0057Tasklist[46]Process DiscoverySoftware DiscoverySecurity Software DiscoverySystem Service Discovery
S0560TEARDROP[9][18][19][14]Create or Modify System ProcessWindows ServiceDeobfuscate/Decode Files or InformationMasqueradingMatch Legitimate Name or LocationModify RegistryObfuscated Files or InformationQuery Registry
S0183Tor[24]Encrypted ChannelAsymmetric CryptographyProxyMulti-hop Proxy
S0682TrailBlazer[17]Application Layer ProtocolWeb ProtocolsData ObfuscationData ObfuscationJunk DataEvent Triggered ExecutionWindows Management Instrumentation Event SubscriptionMasquerading
S0636VaporRage[19]Application Layer ProtocolWeb ProtocolsDeobfuscate/Decode Files or InformationExecution GuardrailsIngress Tool Transfer
S0515WellMail[49][23][13]Archive Collected DataData from Local SystemDeobfuscate/Decode Files or InformationEncrypted ChannelAsymmetric CryptographyIngress Tool TransferNon-Application Layer ProtocolNon-Standard PortSystem Network Configuration DiscoverySystem Owner/User Discovery
S0514WellMess[37][38][50][23][13]Application Layer ProtocolWeb ProtocolsApplication Layer ProtocolDNSCommand and Scripting InterpreterWindows Command ShellCommand and Scripting InterpreterPowerShellData EncodingStandard EncodingData from Local SystemData ObfuscationJunk DataDeobfuscate/Decode Files or InformationEncrypted ChannelSymmetric CryptographyEncrypted ChannelAsymmetric CryptographyIngress Tool TransferPermission Groups DiscoveryDomain GroupsSystem Information DiscoverySystem Network Configuration DiscoverySystem Owner/User Discovery
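Four of the implants in the table above (POSHSPY, RegDuke, SeaDuke and TrailBlazer) are mapped to Event Triggered Execution: Windows Management Instrumentation Event Subscription, a persistence mechanism that leaves no file on disk beyond a filter, a consumer and a binding in the WMI repository. The script below is an added example, not code from this page or from any of the reports it cites: it reconstructs filter-to-consumer bindings from constructed Sysmon-style WMI events (event IDs 19, 20 and 21) and flags the bindings an analyst would want to look at first. The event field names, the filter and consumer names, the WQL query and the encoded PowerShell command are all made up for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style WMI events (event ID 19 = WmiEventFilter, 20 = WmiEventConsumer,
# 21 = WmiEventConsumerToFilter). Names, query and command line are made up for illustration.
SAMPLE_EVENTS = [
    {"id": 19, "name": "UpdaterFilter",
     "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"id": 20, "name": "UpdaterConsumer", "type": "CommandLineEventConsumer",
     "destination": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 21, "filter": "UpdaterFilter", "consumer": "UpdaterConsumer"},
    # This filter/consumer pair ships with Windows and is present on every host.
    {"id": 19, "name": "SCM Event Log Filter", "query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "name": "SCM Event Log Consumer", "type": "NTEventLogEventConsumer", "destination": ""},
    {"id": 21, "filter": "SCM Event Log Filter", "consumer": "SCM Event Log Consumer"},
    # A binding whose filter and consumer were never logged (created before collection started).
    {"id": 21, "filter": "OrphanFilter", "consumer": "OrphanConsumer"},
]

# Consumer classes that execute attacker-supplied code when their filter fires.
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Known-good default binding; extend this from a baseline taken on clean hosts.
BASELINE_BINDINGS = {("SCM Event Log Filter", "SCM Event Log Consumer")}
# -EncodedCommand (and its short forms) followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}")
# Polling filters on frequently-changing classes act as a timer, a common persistence trigger.
POLLING_FILTER = re.compile(r"(?i)__Instance(?:Modification|Creation)Event\s+WITHIN\s+\d+")


@dataclass
class Finding:
    filter_name: str
    consumer_name: str
    reasons: list = field(default_factory=list)


def correlate(events):
    """Join filter, consumer and binding events; return one Finding per suspicious binding."""
    filters = {e["name"]: e for e in events if e["id"] == 19}
    consumers = {e["name"]: e for e in events if e["id"] == 20}
    findings = []
    for binding in (e for e in events if e["id"] == 21):
        key = (binding["filter"], binding["consumer"])
        if key in BASELINE_BINDINGS:
            continue
        reasons = []
        flt = filters.get(binding["filter"])
        con = consumers.get(binding["consumer"])
        if flt is None or con is None:
            reasons.append("binding references a filter or consumer not seen in the collected events")
        if flt is not None and POLLING_FILTER.search(flt["query"]):
            reasons.append("filter polls for instance changes (timer-like trigger)")
        if con is not None:
            if con["type"] in CODE_CONSUMERS:
                reasons.append(f"{con['type']} executes code when the filter fires")
            if ENCODED_PS.search(con["destination"]):
                reasons.append("consumer launches PowerShell with an encoded command")
        if reasons:
            findings.append(Finding(binding["filter"], binding["consumer"], reasons))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(f"{finding.filter_name} -> {finding.consumer_name}")
        for reason in finding.reasons:
            print(f"    {reason}")
```

Bindings are evaluated rather than filters or consumers alone because a consumer with no binding never runs; an orphan binding is still reported, since the filter and consumer it points at may simply predate log collection and should be pulled live from root\subscription on the host.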

Observed Countries (18)

AU (756)
BR (513)
CN (394)
DE (294)
ES (313)
FR (658)
HU (519)
JP (363)
KR (57)
MX (331)
NL (679)
NO (715)
NZ (939)
PT (845)
TR (922)
UA (986)
US (560)
UZ (263)