
Operation DeepRoot: UNC1549’s Covert Espionage Against Aerospace and Defense Networks
According to Google Cloud Mandiant, the Iran-nexus group UNC1549 is running a long-running espionage campaign that specifically targets the aerospace, aviation, and defense industries. The attackers gain entry by combining supply chain compromises with precise spear-phishing. To maintain stealthy, long-term access, they use DLL search order hijacking to execute custom backdoors known as TWOSTROKE and DEEPROOT.
Indicators of Compromise
Domains (11)
Hashes (2)
IPv4 (3)
APT Groups
UNC1549
IR
Notes
CONCLUSION

This campaign illustrates how a well-structured threat group can maintain a presence in high-value environments for extended periods by using custom malware, abusing trusted tools, and employing careful evasion techniques. UNC1549 focuses on sensitive sectors, employs several access methods, and conceals its activity within normal traffic patterns. These strategies make the operation difficult to detect and give the attackers numerous opportunities to exfiltrate data, gather intelligence, and undermine critical systems. The tactics demonstrated in this campaign reaffirm that aerospace, defense, and telecommunications networks continue to be prime targets for state-sponsored actors.

Organizations operating in these sectors should implement enhanced identity security measures, improve monitoring of lateral movement, and enforce stringent controls over remote access pathways. Suspicious login attempts, unusual outbound connections, and atypical DLL loading behavior can all serve as early indicators of compromise. Furthermore, this campaign is a reminder that supply chain relationships and third-party accounts can become unnoticed entry points for attackers if they are not adequately secured.

SOCRadar can assist defenders by providing early visibility and real-time intelligence:

Cyber Threat Intelligence tracks actor behaviors, malware families, command and control indicators, and recent changes in tactics, techniques, and procedures (TTPs).
Attack Surface Management identifies exposed assets, risky services, and vulnerabilities that threat actors may seek to exploit.
Digital Risk Protection uncovers leaked credentials, impersonation attempts, and harmful references found in underground sources.
Security Operations Center Tools (Threat Hunting + Alerts) enable teams to monitor for signals related to the campaign and respond more swiftly.

By integrating these modules, organizations can enhance detection capabilities, minimize blind spots, and respond faster, before attackers can re-establish long-term persistence.
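The conclusion names atypical DLL loading as an early indicator; the following is an added example (not code from the advisory or from Mandiant) of a defender-side heuristic for DLL search order hijacking (T1574.001) run over constructed Sysmon Event ID 7 style records. It assumes a `Key=Value;...` line layout and the Sysmon field names Image, ImageLoaded, Signed and Signature; the baseline of legitimate system DLL names is derived here from the sample itself, whereas in production it would come from known-clean hosts.

```python
"""Heuristic detection of DLL search order hijacking (ATT&CK T1574.001)
over Sysmon Event ID 7 (Image Loaded) style records.

Added illustration, not code from the advisory or from Mandiant. The
records below are constructed; the field names follow Sysmon's
Image/ImageLoaded/Signed/Signature, but the 'Key=Value;...' line layout
is an assumption of this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows system DLLs are legitimately resolved.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass(frozen=True)
class ImageLoad:
    host_image: str    # Sysmon "Image": the process that loaded the DLL
    image_loaded: str  # Sysmon "ImageLoaded": full path of the DLL
    signed: bool       # Sysmon "Signed"
    signature: str     # Sysmon "Signature": signer subject, "-" if none


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value;Key=Value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return ImageLoad(
        host_image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signature=fields.get("Signature", "-"),
    )


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_system_dir(directory: str) -> bool:
    d = directory.lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def build_baseline(loads) -> set:
    """Names of DLLs that were seen loading from a system directory.
    A hijack has to reuse such a name so that the loader picks the rogue
    copy first; in production this baseline comes from known-clean hosts."""
    return {_name(r.image_loaded) for r in loads if in_system_dir(_dir(r.image_loaded))}


def detect_hijacks(loads, baseline):
    """Return (record, reasons) for loads that look like search order hijacks."""
    findings = []
    for r in loads:
        dll_dir = _dir(r.image_loaded)
        if _name(r.image_loaded) not in baseline or in_system_dir(dll_dir):
            continue  # app-private DLL, or the genuine system copy
        reasons = ["system DLL name resolved outside a system directory"]
        if dll_dir == _dir(r.host_image):
            reasons.append("DLL sits beside the host executable, which the search order checks first")
        if not r.signed:
            reasons.append("DLL is unsigned")
        elif "microsoft" not in r.signature.lower():
            reasons.append("DLL signer is not Microsoft: " + r.signature)
        findings.append((r, reasons))
    return findings


def analyse(log_text: str):
    loads = [parse_line(line) for line in log_text.strip().splitlines()]
    return detect_hijacks(loads, build_baseline(loads))


# Constructed sample: three benign loads and one side-loaded copy of a
# system DLL dropped next to an unsigned binary in a temp directory.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\svchost.exe;ImageLoaded=C:\Windows\System32\version.dll;Signed=true;Signature=Microsoft Windows
Image=C:\Program Files\Vendor\App\app.exe;ImageLoaded=C:\Program Files\Vendor\App\applib.dll;Signed=false;Signature=-
Image=C:\Program Files\Vendor\App\app.exe;ImageLoaded=C:\Windows\SysWOW64\version.dll;Signed=true;Signature=Microsoft Windows
Image=C:\Users\alice\AppData\Local\Temp\update\vendortool.exe;ImageLoaded=C:\Users\alice\AppData\Local\Temp\update\version.dll;Signed=false;Signature=-
"""

if __name__ == "__main__":
    for rec, reasons in analyse(SAMPLE_LOG):
        print(f"{rec.host_image} -> {rec.image_loaded}")
        for why in reasons:
            print("   -", why)
```

The app-private `applib.dll` is deliberately not flagged: only names that also exist in a system directory are candidates for a search order hijack, which keeps the rule quiet on ordinary third-party software.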
Mitigation
MITRE ATT&CK mapping (source: <a href="https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense">Google Cloud Mandiant analysis of UNC1549 TTPs</a>)
<table>
<thead>
<tr><th>Tactic</th><th>ID</th><th>Name</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>Collection</td><td><a href="https://attack.mitre.org/techniques/T1213/002/">T1213.002</a></td><td>Data from Information Repositories: SharePoint</td><td>UNC1549 browsed Microsoft Teams and SharePoint to download files used for extortion.</td></tr>
<tr><td>Collection</td><td><a href="https://attack.mitre.org/techniques/T1113/">T1113</a></td><td>Screen Capture</td><td>UNC1549 was observed taking screenshots of sensitive data.</td></tr>
<tr><td>Reconnaissance</td><td><a href="https://attack.mitre.org/techniques/T1598/003/">T1598.003</a></td><td>Phishing for Information</td><td>UNC1549 used third-party vendor accounts to obtain privileged accounts via a password-reset portal theme.</td></tr>
<tr><td>Credential Access</td><td><a href="https://attack.mitre.org/techniques/T1110/003/">T1110.003</a></td><td>Brute Force: Password Spraying</td><td>UNC1549 was observed performing password spray attacks against the domain.</td></tr>
<tr><td>Credential Access</td><td><a href="https://attack.mitre.org/techniques/T1003/006/">T1003.006</a></td><td>OS Credential Dumping: DCSync</td><td>UNC1549 was observed using DCSYNCER.SLICK to perform DCSync at the domain controller level.</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1574/001/">T1574.001</a></td><td>Hijack Execution Flow: DLL Search Order Hijacking</td><td>UNC1549 was observed using search order hijacking to execute both LIGHTRAIL and DCSYNCER.SLICK.</td></tr>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1078/">T1078</a></td><td>Valid Accounts</td><td>UNC1549 used valid compromised accounts to gain initial access.</td></tr>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1199/">T1199</a></td><td>Trusted Relationship</td><td>UNC1549 used trusted third-party vendor accounts for both initial access and lateral movement.</td></tr>
</tbody>
</table>