
APT5 Smashes Citrix's Networks
APT5 is a sophisticated cyber espionage group that is believed to be based in China and has been active since at least 2007. The group primarily targets high-tech and telecommunications firms across the US, Europe, and Asia, using advanced malware and zero-day exploits to gain unauthorized access to networks and steal sensitive information.
Indicators of Compromise
Domains (7)
office-updates.infolocal0.infocss-ethz.chbnt2.liveprofilepic.sitegettogether.questnco2.liveHashes (3)
a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78b7bc6a853f160df2cc64371467ed866de3712e3d818e63060e30aec2a6db3598cbf0db92IPv4 (1)
66.29.153.90CVEs (1)
CVE-2022-27518APT Groups
Pitty Panda
China
Notes
<br>
Mitigation
<div><h2 class="pt-3 mb-2" id="techniques" style="box-sizing: border-box; margin-top: 0px; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; margin-bottom: 0.5rem !important; padding-top: 1rem !important;">Techniques Used</h2><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Domain</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Use</th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1588</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tool</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PittyTiger</a> has obtained and used tools such as <a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mimikatz</a> and <a href="https://attack.mitre.org/software/S0008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">gsecdump</a>.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1078</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PittyTiger</a> attempts to obtain legitimate credentials during operations.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr></tbody></table><h2 class="pt-3" id="software" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;">Software</h2><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">References</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Techniques</th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0032</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">gh0st RAT</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1568" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Resolution</a>: <a href="https://attack.mitre.org/techniques/T1568/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fast Flux DNS</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clear Windows Event Logs</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1129" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shared Modules</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0008</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">gsecdump</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0010</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lurid</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0002</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mimikatz</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://airbus-cyber-security.com/the-eye-of-the-tiger/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SID-History Injection</a>, <a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Support Provider</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DCSync</a>, <a href="https://attack.mitre.org/techniques/T1207" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rogue Domain Controller</a>, <a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Authentication Certificates</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Silver Ticket</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Golden Ticket</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Ticket</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0012</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PoisonIvy</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Window Discovery</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/014" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Active Setup</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1014" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rootkit</a></td></tr></tbody></table><b>Mitigations</b></div><div><b><br></b></div><div>In the event that you have results from the above detection methodology, NSA</div><div>recommends the following steps to mitigate the activity, to the extent applicable in your</div><div>environment:</div><div><ul><li>Move all Citrix ADC instances behind a VPN or other capability that requires valid<br>user authentication (ideally multi-factor) prior to being able to access the ADC.</li><li><span style="color: var(--q-dark);">Isolate the Citrix ADC appliances from the environment to ensure any malicious<br></span>activity is contained.</li><li>Restore the Citrix ADC to a known good state.</li></ul></div><div>Even if you do not have any indications of malicious activity, ensure that your Citrix ADC</div><div>appliances are running a current version with the latest updates.</div>