SCYTHE Library: #ThreatThursday

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41. We hope you enjoy.

Cyber Threat Intelligence

APT41 is a Chinese actor first seen active in 2012 and has been observed in a broad ranging campaign through 2020. Its intent has been both for state-sponsored espionage as well as for financial reasons. After exploitation, APT leverages sophisticated TTPs and even deploys additional payloads with multiple different methods such as bitsadmin and certutil. It also looks to evade defenses and establish persistence, making it an incredibly dangerous piece of malware.

Cyber Threat Intelligence Sources:

Many of these TTPs have been discussed in previous #ThreatThursdays so we want to focus on some new ones. In the adversary emulation part section we will discuss:

Execution Guardrails - restricting the payload to only execute within a particular domain environment
Bitsadmin - to download a payload
Certutil - to download a payload
PowerView.ps1 - PowerShell script to gain situational awareness on a domain

Adversary Emulation Plan

After reviewing the Cyber Threat Intelligence reports and MITRE ATT&CK mapping, we organized the TTPs by Tactic and created a threat profile for APT41:

Tactic	Description
Initial Access	T1190 - Exploit Public-Facing Application T1566 - Phishing T1566.001 - Spearphishing Attachment T1195 - Supply Chain Compromise T1195.002 - Compromise Software Supply Chain
Command and Control	T1071 - Application Layer Protocol T1071.004 - DNS T1071.002 - File Transfer Protocols T1071.001 - Web Protocols T1568 - Dynamic Resolution T1568.002 - Domain Generation Algorithms T1008 - Fallback Channels T1105 - Ingress Tool Transfer T1104 - Multi-Stage Channels T1090 - Proxy T1102 - Web Service T1102.001 - Dead Drop Resolver
Collection	T1560 - Archive Collected Data T1560.001 - Archive via Utility T1056 - Input Capture T1056.001 - Keylogging
Execution	T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.004 - Unix Shell T1203 - Exploitation for Client Execution T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1569 - System Services T1569.002 - Service Execution T1047 - Windows Management Instrumentation
Defense Evasion	T1197 - BITS Jobs T1480 - Execution Guardrails T1480.001 - Environmental Keying T1070 - Indicator Removal on Host T1070.001 - Clear Windows Event Logs T1070.003 - Clear Command History T1070.004 - File Deletion T1036 - Masquerading T1036.005 - Match Legitimate Name or Location T1112 - Modify Registry T1027 - Obfuscated Files or Information T1542 - Pre-OS Boot T1055 - Process Injection T1014 - Rootkit T1218 - Signed Binary Proxy Execution T1218.001 - Compiled HTML File T1553 - Subvert Trust Controls T1553.002 - Code Signing T1078 - Valid Accounts
Credential Access	T1110 - Brute Force T1110.002 - Password Cracking T1003 - OS Credential Dumping T1003.001 - LSASS Memory
Persistence	T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1136 - Create Account T1136.001 - Local Account T1543 - Create or Modify System Process T1543.003 - Windows Service T1133 - External Remote Services T1574 - Hijack Execution Flow T1574.002 - DLL Side-Loading T1542.003 - Bootkit
Discovery	T1083 - File and Directory Discovery T1046 - Network Service Scanning T1135 - Network Share Discovery T1016 - System Network Configuration Discovery T1049 - System Network Connections Discovery T1033 - System Owner/User Discovery
Privilege Escalation	T1546 - Event Triggered Execution T1546.008 - Accessibility Features
Lateral Movement	T1021 - Remote Services T1021.001 - Remote Desktop Protocol
Impact	T1486 - Data Encrypted for Impact T1496 - Resource Hijacking

As usual, we created and shared the APT41 adversary emulation plan on our Github in both ATT&CK Navigator JSON and SCYTHE Threat JSON. In this emulation plan, we broke down the threat into different steps: discovery, execution, defense evasion, persistence, credential access, and clean up. We also added threat automation language to check if the payload is running with high integrity (administrative privilege). If it is running with privilege, it takes additional steps than if it is not running with privilege.

PowerView.ps1

APT41 leverages the well-known powershell script for host, network, and domain situational awareness (also known as reconnaissance or discovery) called PowerView.ps1 There are multiple ways to download and execute this script in memory but in this case, we are going to download the script to the disk and then call the script to run various commandlets it provides:

Defense Evasion with bitsadmin and certutil

APT41 uses two well known living off the land binaries and scripts. These are binaries signed by Microsoft that come with the operating system and have some added functionality. In the adversary emulation plan, we use bitsadmin and certutil to download two well-known powershell scripts for Kerberoasting and Domain Enumeration.

To maintain our non-destructive philosophy of emulation, we showed the ability to download example payloads and execute PowerShell commands without necessarily running anything malicious. To show a proof of concept for persistence, we chose to add example registry keys, services, and tasks so that they would be easily distinguishable and removable.

All of the above steps for persistence may be done by a user with limited privileges. We have added a check to the adversary emulation plan to determine the integrity of the process, if it is a high integrity process, then it performs other persistence and credential access TTPs that require administrative privileges:

After all the automation for APT41 is run, there are cleanup steps to remove the proof of concept persistence methods created by earlier actions.

Defend against APT41

While APT41 has quite the span of discovery, persistence, and evasion techniques, it also has a few specific key areas that can inform a security team on how to defend against it.

Additional Payload Download

APT41 has a few methods of downloading additional payloads: powershell, certutil, and bitsadmin. These are known as living off the land binaries and scripts. These are binaries signed by Microsoft that come with the operating system. Preventing their execution is very difficult so it is best to enable detection and alerting controls when they are used to access external resources.

Public PowerShell Scripts

APT41 has been observed to use various publicly available PowerShell scripts by downloading them onto the endpoint and then executing them. In this adversary emulation plan we download the following to disk:

PowerView.ps1
WmiExec.ps1
ASREPRoast.ps1
SharpHound.ps1

In this case, we did not modify the scripts, creating detection for the exact script known to be used by malicious actors may be an easy and effective way to detect this activity. There are many ways around it but this detection is a start.

Persistence

An alarming method that APT41 does to establish persistence on a victim is that it will look to create a user. To defend against this would require a group policy to disallow users from creating another user. Another method of persistence that is even more specific to APT41 is that it looks to create a service called “StorSyncSvc”. Detecting this service creation immediately (if the malware had somehow elevated privileges) would help defend against it.

Conclusion

While APT41 is quite the sophisticated actor, we can still ingest the Cyber Threat Intelligence, map it to MITRE ATT&CK, and create an adversary emulation plan that covers much of the behavior of the threat. More importantly, this emulation can aid in developing methods of preventing and detecting this threat through its specific and unique behaviors. We hope you enjoyed this edition of #ThreatThursday.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

Tags:

#threatthursday, Blue Team, CTI

Post by Sean
October 15, 2020

#ThreatThursday - APT41