UAT-8837 Critical Infrastructure Campaign in North America

Tags: China-nexus, APT, UAT-8837, GoTokenThef, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, Certipy
UAT-8837 is a China-linked intrusion campaign targeting North American critical infrastructure. It breaks in through exposed systems or stolen accounts, then uses common tools to survey Active Directory, steal credentials, and keep multiple backdoors. Links to recent zero-day activity increase the risk for internet-facing platforms.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

UAT-8837 (CN)

A China-nexus advanced persistent threat (APT) actor primarily focused on gaining initial access to high-value targets within critical infrastructure sectors. The group is characterized by its sophisticated use of zero-day vulnerabilities and its objective of harvesting sensitive organizational data, including source code and security configurations, potentially to facilitate future supply chain compromises.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

Each technique below lists its detection strategy (ID, Name) followed by that strategy's analytics (Analytic ID, Analytic Description).


T1033 - System Owner/User Discovery

DET0093: Behavioral Detection of User Discovery via Local and Remote Enumeration
AN0254: Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).
AN0255: Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details.
AN0256: Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents.
AN0257: Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches.


T1003 - OS Credential Dumping

DET0234: Credential Dumping via Sensitive Memory and Registry Access Correlation
AN0648: Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction.
AN0649: Processes opening /proc/<pid>/mem or /proc/<pid>/maps targeting credential-storing services like sshd or login. Behavior often includes high privilege escalation and memory inspection tools such as gcore or gdb.
AN0650: Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions.


T1543 - Create or Modify System Process

DET0571: Detection of System Process Creation or Modification Across Platforms
AN1575: Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees.
AN1576: Detects creation or modification of systemd service units, addition of cron jobs that invoke binaries on boot, or suspicious writes to /etc/init.d/. Monitors chmod +x and systemctl execution paths, especially from non-root parent processes.
AN1577: Detects creation or modification of LaunchDaemon or LaunchAgent plist files under /Library/LaunchDaemons/, ~/Library/LaunchAgents/, or similar. Monitors execution of launchctl, property list edits, and file permission changes.
AN1578: Detects creation of new container system processes via docker run --restart, kubectl exec to init containers, or modification of container init specs. Flags container images that override entrypoints to embed persistence behaviors.


T1133 - External Remote Services

DET0354: Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers
AN1004: Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.
AN1005: Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp).
AN1006: Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.
AN1007: Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes.


T1069 - Permission Groups Discovery

DET0179: Behavioral Detection of Permission Groups Discovery
AN0507: Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation.
AN0508: Detection of group enumeration using commands like 'id', 'groups', or 'getent group', often followed by privilege escalation or SSH lateral movement.
AN0509: Group membership checks via 'dscl', 'dscacheutil', or 'id', typically executed via terminal or automation scripts.


T1082 - System Information Discovery

DET0525: System Discovery via Native and Remote Utilities
AN1452: Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration.
AN1453: Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts.
AN1454: Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.
AN1455: Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell.
AN1456: Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.
AN1457: Execution of show version, show hardware, or show system commands through CLI via SSH or console.


T1190 - Exploit Public-Facing Application

DET0080: Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)
AN0219: Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.
AN0220: Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.
AN0221: Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.
AN0222: Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).
AN0223: Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.
AN0224: Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.
AN0225: Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.


T1558 - Steal or Forge Kerberos Tickets

DET0522: Detect Kerberos Ticket Theft or Forgery (T1558)
AN1443: Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction.
AN1444: Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.
AN1445: Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.


T1550 - Use Alternate Authentication Material

DET0338: Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)
AN0954: Use of stolen Kerberos tickets or token impersonation resulting in logon sessions from accounts without expected interactive logon events.
AN0955: Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution.
AN0956: Token replay or impersonation in federated logins without interactive browser session or MFA prompts.
AN0957: Unusual reuse of OAuth access tokens from different geographic regions, without full login events.
AN0958: Container process uses mounted cloud credentials or token cache to authenticate without known orchestration.
AN0959: Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.
AN0960: Use of instance metadata tokens across instances or misuse of short-lived tokens issued for different roles.


T1021 - Remote Services

DET0269: Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity
AN0750: Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.
AN0751: SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.
AN0752: Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.
AN0753: Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments.
AN0754: vSphere API logins (vimService) or SSH to ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host.


T1016 - System Network Configuration Discovery

DET0195: Behavioral Detection of System Network Configuration Discovery
AN0559: Execution of built-in tools (e.g., ipconfig, route, netsh) or PowerShell/WMI queries to enumerate IP, MAC, interface status, or routing configuration.
AN0560: Execution of ifconfig, ip a, or access to /proc/net/ indicating collection of local interface and route configuration.
AN0561: Execution of ifconfig, networksetup, or system_profiler to query IP/MAC/interface configuration and status.
AN0562: Use of esxcli network commands (e.g., esxcli network nic list, esxcli network ip interface ipv4 get) via SSH or hostd to enumerate adapter and IP information.
AN0563: CLI-based execution of interface and routing discovery commands (e.g., show ip interface, show arp, show route) over Telnet, SSH, or console.


T1087 - Account Discovery

DET0587: Enumeration of User or Account Information Across Platforms
AN1612: Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts.
AN1613: Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow.
AN1614: Detection of user account enumeration through tools like dscl, dscacheutil, or loginshell enumeration via command-line.
AN1615: Detection of API calls listing users, IAM roles, or groups in cloud environments.
AN1616: Enumeration of user or role objects via IdP API endpoints or LDAP queries.
AN1617: Account enumeration via esxcli, vim-cmd, or API calls to vSphere.
AN1618: Account enumeration via bulk access to user directory features or hidden APIs.
AN1619: Account discovery via VBA macros, COM objects, or embedded scripting.


T1083 - File and Directory Discovery

DET0370: Recursive Enumeration of Files and Directories Across Privilege Contexts
AN1040: Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.
AN1041: Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.
AN1042: Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.
AN1043: Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users.
AN1044: Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs.


T1049 - System Network Connections Discovery

DET0320: Detection of System Network Connections Discovery Across Platforms
AN0903: Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections.
AN0904: Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging.
AN0905: Detects shell-based enumeration of active connections using netstat, lsof -i, or AppleScript-based system discovery.
AN0906: Detects shell or API usage of esxcli network ip connection list or netstat to enumerate ESXi host connections.
AN0907: Detects interactive or automated use of CLI commands like show ip sockets, show tcp brief, or SNMP queries for active sessions on routers/switches.
AN0908: Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI).


T1057 - Process Discovery

DET0034: Detection of Adversarial Process Discovery Behavior
AN0095: Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin.
AN0096: Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role.
AN0097: Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or system_profiler SPApplicationsDataType misuse.
AN0098: Detects process enumeration using esxcli system process list or ps on ESXi shell or via unauthorized SSH sessions. Correlates with interactive sessions and abnormal user roles.
AN0099: Monitors CLI-based execution of show process or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes.


T1098 - Account Manipulation

DET0096: Account Manipulation Behavior Chain Detection
AN0265: Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts.
AN0266: Use of native tools or scripting (e.g., usermod, passwd, groupmod) to escalate permissions or persist access on existing users, correlated with login or process events.
AN0267: Modifications to user accounts via dscl, pwpolicy, or System Preferences CLI (sysadminctl) that alter user groups, enable root, or bypass MDM restrictions.
AN0268: Modifications to SSO/SAML user attributes (e.g., isAdmin, role, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps.
AN0269: Addition of new users or changes to role permissions (e.g., ReadOnly -> Admin) via API or vSphere Client, particularly from non-jumpbox IPs.
AN0270: Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access.


T1078 - Valid Accounts

DET0560: Detection of Valid Account Abuse Across Platforms
AN1543: Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.
AN1544: Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.
AN1545: Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
AN1546: Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.
AN1547: Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.


T1505 - Server Software Component

DET0547: Detection Strategy for T1505 - Server Software Component
AN1507: Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections.
AN1508: Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells.
AN1509: Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets.
AN1510: Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services.


T1018 - Remote System Discovery

DET0574: Detection Strategy for Remote System Enumeration Behavior
AN1583: Execution of network enumeration utilities (e.g., net.exe, ping.exe, tracert.exe) in short succession, often chained with lateral movement tools or system enumeration commands.
AN1584: Use of bash scripts or interactive shells to issue sequential ping, arp, or traceroute commands to map remote hosts.
AN1585: Execution of built-in or AppleScript-based system enumeration via arp, netstat, ping, and discovery of /etc/hosts contents.
AN1586: ESXi shell or SSH access issuing esxcli network diag ping or viewing routing tables to identify connected hosts.
AN1587: Execution of discovery commands like show cdp neighbors, show arp, and other interface-level introspection on Cisco or Juniper devices.


T1105 - Ingress Tool Transfer

DET0060: Detect Ingress Tool Transfers via Behavioral Chain
AN0165: Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).
AN0166: Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.
AN0167: Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.
AN0168: Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.
AN0169: Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.


Observed Countries (2)

CA (468)
US (421)