
Messy Adventures of Cozy Bear
Cozy Bear, also known as APT29, is a sophisticated advanced persistent threat (APT) group believed to be associated with the Russian government. The group has been active since at least 2008. It has been linked to several high-profile cyber espionage operations, including the 2016 hack of the Democratic National Committee (DNC) in the United States. Cozy Bear is known for its sophisticated techniques and ability to remain undetected for long periods of time within compromised networks.
Indicators of Compromise
Domains (312)
pdf-docs.onlinestopke-essen.derecovery-activity-identification.siteyoumiuri.comappsprovider.comdomainingdirectory.comidentifier-service-review.sitelm-classiccars.dedatazr.comlimoservicecompany.comworldhomeoutlet.comrss2.orgdrive-share.livehttp.ddspadus.comcontent.pcmsar.netautohausnords.comlemmenslecouter.net.bmw.be.eh-loc.degalatinonews.comrmssrv3.rueditprod.waterfilter.in.ua+292 moreHashes (2441)
057e79801070572be543fdd7111657517827457fd4a5d44184333442f5015699c2b8af285bb9f53636efafdd30023d44be1be55bf7c7b7d5fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a0360f17c62d170f99e547f704908beec10b9a4514bc74bec9d8511df5655d397af6bdbc833a16f7702dc6be1236619f66bc7dc620221572065a1bc78169c663541522baaa96713b50ea4397451effcb07de9f2478338bbb0e6f947f2fdd3e098a2430d8f7ff16f715ad22325f9fd3f1d8da4ffd6a494228b934549d09e3c59d1f9c0c8358e7a9ebd141a4ec3423bbcb3fdf4ad9818b6af9ca4698bb9a06a284b2ba95320185359025379340c075cad3898c22ddd497a382289af061e5a63e1a88157f49908904141bc996a38be297435f8cc8de878c3b20ca08729a8e9457d19abe9c26fb148c74bf50511ea851d20ee08502f0adb786cd27f92dbf3548e0b26933baeaa7a1c7798933b3c5d3728ef6e08af4ae579c00d110ddd7d646dfb1a2220c5b3827c8190f7ab8d7398bbc2c612a34846a0d38fb32bc633c2d5eb87b3f3aff203f7802153fde338d49c270baf64363879e5eecb8fa6bdde8ad9+2421 moreIPv4 (1514)
120.48.255.247120.46.207.85114.116.99.91124.221.12.111121.36.165.78107.170.109.82101.42.229.45110.42.192.97139.224.227.232101.33.239.122124.222.125.194128.199.70.1101.35.240.155106.12.9.14106.54.182.249117.50.184.149216.244.71.154209.133.211.242121.5.195.8951.89.73.156+1494 moreCVEs (47)
CVE-2019-19781CVE-2020-0688CVE-2021-40449CVE-2021-26855CVE-2021-21551CVE-2021-26857CVE-2021-26858CVE-2019-1653CVE-2021-35561CVE-2019-0859CVE-2020-14882CVE-2020-4006CVE-2019-7609CVE-2019-16098CVE-2019-9670CVE-2019-11510CVE-2022-30190CVE-2019-0797CVE-2021-40444CVE-2021-28310+27 moreAPT Groups
APT 29
Russian Federation
Notes
<div>Cozy Bear, also known as APT29, is a notorious cyber espionage group that has been linked to a number of high-profile cyber attacks around the world. The group is believed to be associated with the Russian government and has been active since at least 2008.</div><div><br></div><div>Cozy Bear is known for its sophisticated hacking techniques and its ability to remain undetected within compromised networks for long periods of time. The group has been linked to a number of cyber espionage campaigns targeting government agencies, defense contractors, and other organizations around the world.</div><div><br></div><div>One of the most high-profile attacks attributed to Cozy Bear was the 2016 hack of the Democratic National Committee (DNC) in the United States. The attack resulted in the release of sensitive emails and documents that were damaging to the DNC and the Democratic Party. The attack was believed to be part of a broader effort by the Russian government to interfere in the 2016 US presidential election.</div><div><br></div><div>Cozy Bear has also been linked to a number of other cyber espionage campaigns around the world. In 2017, the group was accused of launching a series of attacks against the German parliament. The attacks were believed to be an attempt to gather intelligence on German political parties and to disrupt the upcoming national election.</div><div><br></div><div>In addition to its cyber espionage activities, Cozy Bear has also been linked to a number of other cyber attacks. In 2020, the group was accused of launching a series of attacks against COVID-19 vaccine developers and researchers. The attacks were believed to be an attempt to steal valuable research data and to disrupt the development of a vaccine.</div><div><br></div><div>Cozy Bear is known for its sophisticated hacking techniques, including the use of custom malware and zero-day exploits. The group has also been known to use spear-phishing emails to gain access to target networks.</div><div><br></div><div>The group's ability to remain undetected within compromised networks has made it a formidable adversary for cybersecurity professionals. However, there are steps that organizations can take to protect themselves from Cozy Bear and other cyber threats. These include implementing robust cybersecurity measures, such as firewalls and intrusion detection systems, and educating employees on how to recognize and avoid spear-phishing attacks.</div><div><br></div><div>In conclusion, Cozy Bear is a sophisticated cyber espionage group with a long history of attacking government agencies, defense contractors, and other organizations around the world. While the group's techniques are sophisticated, organizations can take steps to protect themselves from Cozy Bear and other cyber threats by implementing robust cybersecurity measures and educating employees on how to recognize and avoid spear-phishing attacks.</div>
Mitigation
<div><h2 class="pt-3 mb-2" id="techniques" style="box-sizing: border-box; margin-top: 0px; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; margin-bottom: 0.5rem !important; padding-top: 1rem !important;">Techniques Used</h2><br><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1847.5px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Domain<br></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Use</th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1548</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has bypassed UAC.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1087</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> obtained a list of users and their roles from an Exchange server using <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-ManagementRoleAssignment</code>.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used PowerShell to discover domain accounts by executing <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-ADUser</code> and <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-ADGroupMember</code>.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Account</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has conducted enumeration of Azure AD accounts.<span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1098</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1098/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Additional Cloud Credentials</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has added credentials to OAuth Applications and Service Principals.<span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1098/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Additional Email Delegate Permissions</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> added their own devices as allowed IDs for active sync using <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Set-CASMailbox</code>, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1098/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Additional Cloud Roles</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has granted <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">company administrator</code> privileges to a newly created service principal.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1098/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Device Registration</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> registered devices in order to enable mailbox syncing via the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Set-CASMailbox</code> command.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1583</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domains</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has acquired C2 domains, sometimes through resellers.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-27-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[27]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Services</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has registered algorithmically generated Twitter handles that are used for C2 by malware, such as <a href="https://attack.mitre.org/software/S0037" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HAMMERTOSS</a>. <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has also used legitimate web services such as Dropbox and Constant Contact in their operations.<span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[28]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1595" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1595</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1595/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1595" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Active Scanning</a>: <a href="https://attack.mitre.org/techniques/T1595/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Vulnerability Scanning</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has conducted widespread scanning of target environments to identify vulnerabilities for exploit.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1071</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used HTTP for C2 and data exfiltration.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1560</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>: <a href="https://attack.mitre.org/techniques/T1560/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Utility</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has also compressed text files into zipped archives.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1547</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> added Registry Run keys to establish persistence.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1110</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1110/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Brute Force</a>: <a href="https://attack.mitre.org/techniques/T1110/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Spraying</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has conducted brute force password spray attacks.<span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1059</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used encoded PowerShell scripts uploaded to <a href="https://attack.mitre.org/software/S0046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">CozyCar</a> installations to download and install <a href="https://attack.mitre.org/software/S0053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SeaDuke</a>. <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span><span id="scite-ref-31-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[31]</a></span></span><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">cmd.exe</code> to execute commands on remote machines.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has written malware variants in Visual Basic.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Python</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has developed malware variants written in Python.<span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1586" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1586</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1586/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1586" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Accounts</a>: <a href="https://attack.mitre.org/techniques/T1586/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has compromised email accounts to further enable phishing campaigns.<span id="scite-ref-34-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[34]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1584</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1584/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domains</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has compromised domains to use for C2.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1136</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1136/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Account</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> can create new users through Azure AD.<span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1555</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has stolen user's saved passwords from Chrome.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1213" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1213</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1213" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Information Repositories</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1213/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1213/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Repositories</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has downloaded source code from code repositories.<span id="scite-ref-35-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[35]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has extracted files from compromised networks.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1001/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used steganography to hide C2 communications in images.<span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1074</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1074/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Data Staging</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> staged data and files in password-protected archives on a victim's OWA server.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1140</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used 7-Zip to decode its <a href="https://attack.mitre.org/software/S0565" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Raindrop</a> malware.<span id="scite-ref-36-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[36]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1587" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1587</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Develop Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1587/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malware</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has leveraged numerous pieces of malware that appear to be unique to <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> and were likely developed for or by the group.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Develop Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1587/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Digital Certificates</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has created self-signed digital certificates to enable mutual TLS authentication for malware.<span id="scite-ref-37-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[37]</a></span></span><span id="scite-ref-38-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[38]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1484" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1484</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1484/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1484" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Policy Modification</a>: <a href="https://attack.mitre.org/techniques/T1484/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Modification</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.<span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1482</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-AcceptedDomain</code> PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span> They also used <a href="https://attack.mitre.org/software/S0552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AdFind</a> to enumerate domains and to discover trust between federated domains.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1568</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Resolution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1114</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1114/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>: <a href="https://attack.mitre.org/techniques/T1114/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Email Collection</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> collected emails from specific individuals, such as executives and IT staff, using <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">New-MailboxExportRequest</code> followed by <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-MailboxExportRequest</code>.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1573</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used multiple layers of encryption within malware to protect C2 communication.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1546</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation Event Subscription</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used WMI event subscriptions for persistence.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1546/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.008</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Accessibility Features</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used sticky-keys to obtain unauthenticated, privileged console access.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-40-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[40]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1048</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1048/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Alternative Protocol</a>: <a href="https://attack.mitre.org/techniques/T1048/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1190" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1190</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1190" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploit Public-Facing Application</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.<span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1203</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Client Execution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1068</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Privilege Escalation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has exploited CVE-2021-36934 to escalate privileges on a compromised host.<span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1133" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1133</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1133" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">External Remote Services</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used compromised identities to access networks via SSH, VPNs, and other remote access tools.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1083</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> obtained information about the configured Exchange virtual directory using <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-WebServicesVirtualDirectory</code>.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1606" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1606</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1606/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1606" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Forge Web Credentials</a>: <a href="https://attack.mitre.org/techniques/T1606/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Cookies</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1606/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1606" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Forge Web Credentials</a>: <a href="https://attack.mitre.org/techniques/T1606/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SAML Tokens</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> created tokens using compromised SAML signing certificates.<span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1589</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1589/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Identity Information</a>: <a href="https://attack.mitre.org/techniques/T1589/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has conducted credential theft operations to obtain credentials to be used for access to victim environments.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1562</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used the service control manager on a remote system to disable services associated with security monitoring products.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable Windows Event Logging</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">AUDITPOL</code> to prevent the collection of audit logs.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">netsh</code> to configure firewall rules that limited certain UDP outbound packets.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1070</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> routinely removed their tools, including custom backdoors, once remote access was achieved. <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has also used <a href="https://attack.mitre.org/software/S0195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SDelete</a> to remove artifacts from victims.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> modified timestamps of backdoors to match legitimate Windows files.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.008</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clear Mailbox Data</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> removed evidence of email export requests using <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Remove-MailboxExportRequest</code>.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1105</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has downloaded additional tools, such as <a href="https://attack.mitre.org/software/S0560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">TEARDROP</a> malware and <a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cobalt Strike</a>, to a compromised host following initial access.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1036</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> named tasks <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager</code> in order to appear legitimate.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> renamed software and DLL's with legitimate names to appear benign.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1556" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1556</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1556/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.007</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1556" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Authentication Process</a>: <a href="https://attack.mitre.org/techniques/T1556/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hybrid Identity</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">APT29 has edited the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Microsoft.IdentityServer.Servicehost.exe.config</code> file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.<span id="scite-ref-41-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[41]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1621" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1621</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1621" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-Factor Authentication Request Generation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used repeated MFA requests to gain access to victim accounts.<span id="scite-ref-42-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mandiant.com/resources/russian-targeting-gov-business" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[42]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1095</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used TCP for C2 communications.<span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1027</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used encoded PowerShell commands.<span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Binary Padding</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used large file sizes to avoid detection.<span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used UPX to pack files.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HTML Smuggling</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.<span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1588</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tool</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has obtained and used a variety of tools including <a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mimikatz</a>, <a href="https://attack.mitre.org/software/S0195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SDelete</a>, <a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tor</a>, <a href="https://attack.mitre.org/software/S0175" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">meek</a>, and <a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cobalt Strike</a>.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DCSync</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> leveraged privileged accounts to replicate directory service data with domain controllers.<span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1069</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Get-ManagementRoleAssignment</code> PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used <a href="https://attack.mitre.org/software/S0552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AdFind</a> to enumerate domain groups.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1566</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used spearphishing emails with an attachment to deliver files with exploits to initial victims.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-43-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[43]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing via Service</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used the legitimate mailing service Constant Contact to send phishing e-mails.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1057</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used multiple command-line utilities to enumerate running processes.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1090</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of <a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cobalt Strike</a> to use a network pipe over SMB during the 2020 SolarWinds intrusion.<span id="scite-ref-36-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[36]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-hop Proxy</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">A backdoor used by <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> created a <a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tor</a> hidden service to forward traffic from the <a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tor</a> client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Fronting</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used the meek domain fronting plugin for <a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tor</a> to hide the destination of C2 traffic.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1021</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Desktop Protocol</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used RDP sessions from public-facing systems to internal servers.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used administrative accounts to connect over SMB to targeted users.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Remote Management</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used WinRM via PowerShell to execute command and payloads on remote hosts.<span id="scite-ref-36-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[36]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1018</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used <a href="https://attack.mitre.org/software/S0552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AdFind</a> to enumerate remote systems.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1053</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">scheduler</code> and <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">schtasks</code> to create new tasks on remote hosts as part of lateral movement.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span> They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span> <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> also created a scheduled task to maintain <a href="https://attack.mitre.org/software/S0562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SUNSPOT</a> persistence when the host booted during the 2020 SolarWinds intrusion.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span> They previously used named and hijacked scheduled tasks to also establish persistence.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1505" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1505</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1505/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1505" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Server Software Component</a>: <a href="https://attack.mitre.org/techniques/T1505/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Shell</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has installed web shells on exploited Microsoft Exchange servers.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1649</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Authentication Certificates</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.<span id="scite-ref-44-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[44]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1558</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1558/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Kerberoasting</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1539" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1539</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1539" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal Web Session Cookie</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1553</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> was able to get <a href="https://attack.mitre.org/software/S0559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SUNBURST</a> signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mark-of-the-Web Bypass</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.<span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1195</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1195/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Supply Chain Compromise</a>: <a href="https://attack.mitre.org/techniques/T1195/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Software Supply Chain</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> gained initial network access to some victims via a trojanized update of SolarWinds Orion software.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1218</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has use <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">mshta</code> to execute malicious scripts on a compromised host.<span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.011</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">Rundll32.exe</code> to execute payloads.<span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1082</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">fsutil</code> to check available free space before executing actions that might create large files on disk.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1016</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>: <a href="https://attack.mitre.org/techniques/T1016/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internet Connection Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used <a href="https://attack.mitre.org/software/S0597" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">GoldFinder</a> to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1199" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1199</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1199" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Trusted Relationship</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1552</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.<span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1550</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling <a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> to access enterprise cloud applications and services.<span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Access Token</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used compromised service principals to make changes to the Office 365 environment.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Ticket</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used Kerberos ticket attacks for lateral movement.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1550/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Session Cookie</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used stolen cookies to access cloud resources, and a forged <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">duo-sid</code> cookie to bypass MFA set on an email account.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1204</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used various forms of spearphishing attempting to get a user to click on a malicous link.<span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-43-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[43]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. <span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span> <span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1078</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used different compromised credentials for remote access and to move laterally.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.<span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used compromised local accounts to access victims' networks.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used a compromised O365 administrator account to create a new Service Principal.<span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1102</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> has used social media platforms to hide communications to C2 servers.<span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1047</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">APT29</a> used WMI to steal credentials and execute backdoors at a future time.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span> They have also used WMI for the remote execution of files for lateral movement.<span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></p></td></tr></tbody></table><h2 class="pt-3" id="software" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;">Software</h2><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1847.5px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">References</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Techniques</th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0677" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0677</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0677" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AADInternals</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Account</a>, <a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1098/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Device Registration</a>, <a href="https://attack.mitre.org/techniques/T1526" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Account</a>, <a href="https://attack.mitre.org/techniques/T1484" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Policy Modification</a>: <a href="https://attack.mitre.org/techniques/T1484/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Modification</a>, <a href="https://attack.mitre.org/techniques/T1606" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Forge Web Credentials</a>: <a href="https://attack.mitre.org/techniques/T1606/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SAML Tokens</a>, <a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Identity Information</a>: <a href="https://attack.mitre.org/techniques/T1589/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Addresses</a>, <a href="https://attack.mitre.org/techniques/T1590" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Network Information</a>: <a href="https://attack.mitre.org/techniques/T1590/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Properties</a>, <a href="https://attack.mitre.org/techniques/T1556" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Authentication Process</a>: <a href="https://attack.mitre.org/techniques/T1556/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-Factor Authentication</a>, <a href="https://attack.mitre.org/techniques/T1556" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Authentication Process</a>: <a href="https://attack.mitre.org/techniques/T1556/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hybrid Identity</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Groups</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a>, <a href="https://attack.mitre.org/techniques/T1598" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing for Information</a>: <a href="https://attack.mitre.org/techniques/T1598/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a>, <a href="https://attack.mitre.org/techniques/T1528" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal Application Access Token</a>, <a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Authentication Certificates</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Silver Ticket</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0552</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AdFind</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Discovery</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0521" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0521</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0521" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BloodHound</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Discovery</a>, <a href="https://attack.mitre.org/techniques/T1615" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Group Policy Discovery</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1201" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Policy Discovery</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Groups</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0635" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0635</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0635" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BoomBox</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Web Service</a>: <a href="https://attack.mitre.org/techniques/T1567/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration to Cloud Storage</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0054" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0054</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0054" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">CloudDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0154</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cobalt Strike</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-43-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[43]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Sudo and Sudo Caching</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Token Impersonation/Theft</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Parent PID Spoofing</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Make and Impersonate Token</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1197" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BITS Jobs</a>, <a href="https://attack.mitre.org/techniques/T1185" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Browser Session Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">JavaScript</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Python</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1030" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Transfer Size Limits</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Client Execution</a>, <a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Privilege Escalation</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Argument Spoofing</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1026" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multiband Communication</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal from Tools</a>, <a href="https://attack.mitre.org/techniques/T1137" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Office Application Startup</a>: <a href="https://attack.mitre.org/techniques/T1137/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Office Template Macros</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Groups</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1572" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Tunneling</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Fronting</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SSH</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Distributed Component Object Model</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Desktop Protocol</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Remote Management</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1029" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Transfer</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a>: <a href="https://attack.mitre.org/techniques/T1078/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Accounts</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a>: <a href="https://attack.mitre.org/techniques/T1078/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Accounts</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0050" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0050</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0050" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">CosmicDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1020" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Exfiltration</a>, <a href="https://attack.mitre.org/techniques/T1115" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clipboard Data</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1039" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Network Shared Drive</a>, <a href="https://attack.mitre.org/techniques/T1025" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Removable Media</a>, <a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>: <a href="https://attack.mitre.org/techniques/T1114/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Email Collection</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Alternative Protocol</a>: <a href="https://attack.mitre.org/techniques/T1048/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Privilege Escalation</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0046</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">CozyCar</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rename System Utilities</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0634" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0634</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0634" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">EnvyScout</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">JavaScript</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1187" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Forced Authentication</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HTML Smuggling</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0512" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0512</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0512" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">FatDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fallback Channels</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Binary Padding</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0661" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0661</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0661" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">FoggyWeb</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-45-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[45]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>: <a href="https://attack.mitre.org/techniques/T1560/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Custom Method</a>, <a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>: <a href="https://attack.mitre.org/techniques/T1560/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Library</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1040" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Sniffing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compile After Delivery</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a>, <a href="https://attack.mitre.org/techniques/T1129" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shared Modules</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0049</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">GeminiDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0597" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0597</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0597" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">GoldFinder</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>: <a href="https://attack.mitre.org/techniques/T1016/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internet Connection Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0588</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">GoldMax</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Junk Data</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cron</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0037" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0037</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0037" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HAMMERTOSS</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Web Service</a>: <a href="https://attack.mitre.org/techniques/T1567/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration to Cloud Storage</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Window</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">One-Way Communication</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0100" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0100</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0100" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ipconfig</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0513" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0513</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0513" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LiteDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0175" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0175</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0175" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">meek</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Fronting</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0002</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mimikatz</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SID-History Injection</a>, <a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Support Provider</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DCSync</a>, <a href="https://attack.mitre.org/techniques/T1207" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rogue Domain Controller</a>, <a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Authentication Certificates</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Silver Ticket</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Golden Ticket</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Ticket</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0051" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0051</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0051" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MiniDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Resolution</a>: <a href="https://attack.mitre.org/techniques/T1568/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Generation Algorithms</a>, <a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fallback Channels</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dead Drop Resolver</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0637" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0637</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0637" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">NativeZone</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0039" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0039</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0039" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Net</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Connection Removal</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1201" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Policy Discovery</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Groups</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0052" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0052</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0052" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OnionDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1499" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Endpoint Denial of Service</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">One-Way Communication</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0048</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PinchDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0518</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PolyglotDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dead Drop Resolver</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0150" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0150</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0150" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">POSHSPY</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-47-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[47]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1030" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Transfer Size Limits</a>, <a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Resolution</a>: <a href="https://attack.mitre.org/techniques/T1568/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Generation Algorithms</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation Event Subscription</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0139" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0139</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0139" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-48-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[48]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Window Discovery</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">NTFS File Attributes</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0029" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0029</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0029" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PsExec</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1570" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lateral Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0565" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0565</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0565" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Raindrop</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-36-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[36]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0511" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0511</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0511" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RegDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation Event Subscription</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0684" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0684</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0684" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ROADTools</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Account</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1526" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Groups</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a>: <a href="https://attack.mitre.org/techniques/T1078/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cloud Accounts</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0195</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SDelete</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0053</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SeaDuke</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>: <a href="https://attack.mitre.org/techniques/T1560/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Library</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shortcut Modification</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>: <a href="https://attack.mitre.org/techniques/T1114/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Email Collection</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation Event Subscription</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Ticket</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0589</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Sibot</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0633" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0633</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0633" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Sliver</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.secureworks.com/research/threat-profiles/iron-hemlock" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0516" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0516</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0516" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SoreFang</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1190" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploit Public-Facing Application</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0559</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SUNBURST</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Junk Data</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a>, <a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Resolution</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Image File Execution Options Injection</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clear Persistence</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clear Network Connection History and Configurations</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal from Tools</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0562</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SUNSPOT</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1565" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1565/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Stored Data Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1195" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Supply Chain Compromise</a>: <a href="https://attack.mitre.org/techniques/T1195/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Software Supply Chain</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0096" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0096</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0096" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Systeminfo</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0057</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tasklist</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0560</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">TEARDROP</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/threat-profiles/iron-ritual" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0183</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0183" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tor</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-hop Proxy</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0682" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0682</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0682" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">TrailBlazer</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Junk Data</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation Event Subscription</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0636" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0636</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0636" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">VaporRage</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0515" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0515</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0515" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">WellMail</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-49-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[49]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0514" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0514</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0514" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">WellMess</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-37-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[37]</a></span></span><span id="scite-ref-38-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[38]</a></span></span><span id="scite-ref-50-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[50]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Junk Data</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr></tbody></table></div><div><span style="font-size: 14px;"><b><br></b></span></div><div><br></div><div><span style="font-size: 14px;"><b>Defending Against APT29</b></span><br></div><div><ul><li><span style="font-size: 14px;">Increase your efforts to identify digital shadow assets, including the cloud hosts, by using an Attack Surface Management solution </span></li><li><span style="font-size: 14px;">Keep the internet-facing technologies and appliances patched at all times since threat actors continuously scan to detect these blind spots. </span></li><li><span style="font-size: 14px;">Be wary of external remote services like RDP, which is known to be vulnerable. If not necessary, close it down. </span></li><li><span style="font-size: 14px;">Quickly take action when you’re alerted by your Threat Intelligence or Digital Risk Protection platform about compromised employee credentials. </span></li><li><span style="font-size: 14px;">Continuously check for potential weaknesses on your internet infrastructure like expired domains, SSL certificates, or subdomains. </span></li><li><span style="font-size: 14px;">Keep the password hygiene within the organization at peak condition at all times. </span></li><li><span style="font-size: 14px;">Make sure EDR and logging functions are in place to detect suspicious actions within the network. It is only one component of the protection plan. </span></li></ul></div>