Threat Thursday

SCYTHE Library: #ThreatThursday - APT33

Written by Jorge Orchilles | Jun 18, 2020 4:00:00 AM

This week on #ThreatThursday we look at an Iranian Threat Actor, APT33 or Elfin. We introduce the MITRE ATT&CK Beta with sub-techniques, create and share an adversary emulation plan for APT33 on Github, show how to execute PowerShell (both powershell.exe and unmanaged PowerShell) through SCYTHE and show how to perform lateral movement within the SCYTHE user interface as well as on the command line. As usual, we cover how to detect attacks from APT33. We hope you enjoy it!

Cyber Threat Intelligence

If you read #ThreatThursday on APT19 you saw how to leverage MITRE ATT&CK for Cyber Threat Intelligence and map it with ATT&CK Navigator. APT33 is documented on the MITRE ATT&CK site so we do not need to extract TTPs from Cyber Threat Intelligence like we did with Buhtrap. Although, we do recommend reading through the CTI as you may get details about the procedures used by the threat actor. Here are a few reports on APT33:

Keeping with the theme of covering new topics, let’s explore the beta of ATT&CK Navigator that has sub-techniques. It is available on: https://mitre-attack.github.io/attack-navigator/beta/enterprise/

We select APT33 as we showed in the APT19 #ThreatThursday and see something similar to Figure 1:

 

Figure 1

APT33 Threat Profile

Reading through the CTI sources above (feel free to read other sources) and Navigator, we can extract the TTPs and create a Threat Profile for APT33:

 

Tactic

Description

Description

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations in the United States, Saudi Arabia, and South Korea, in multiple industries including governments, research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.

Objective

Establishing persistent access to partners and suppliers of targets.

Mounting supply chain attacks

Command and Control

T1043 - Commonly Used Port: Port 80 and 443 

T1071 - Standard Application Layer Protocol: HTTP and HTTPS

T1032 - Standard Cryptographic Protocol

T1065 - Uncommonly Used Port: Ports 808 and 880

Initial Access

T1192 – Spear phishing Link

T1110 - Brute Force

T1078 - Valid Accounts

Execution

T1204 - User Execution

T1203 - Exploitation for Client Execution

Defense Evasion

T1132 - Data Encoding

T1480 - Execution Guardrails: Kill dates in payload 

T1027 - Obfuscated Files or Information

T1086 – PowerShell

Discovery

T1040 - Network Sniffing

Privilege Escalation

T1068 - Exploitation for Privilege Escalation

Persistence

T1060 - Registry Run Keys / Startup Folder

T1053 - Scheduled Task

Credential Access

T1003 - Credential Dumping: Publicly available tools like Mimikatz

Exfiltration 

T1002 - Data Compressed

T1048 - Exfiltration Over Alternative Protocol

Adversary Emulation Plan

We have covered how to automate most of these TTPs in previous #ThreatThursday so download the adversary emulation plan from our Community Threat Github and import it to SCYTHE to begin testing. A best practice we encource while using SCYTHE is to avoid automating the escalation of privilege or persistence as every new instance will trigger the automated actions resulting in your escalated shell trying to escalate again or your persistent shell trying to persist again.

This week, we will cover how to emulate PowerShell and how to move laterally through the SCYTHE user interface. Below is an explanation of what is done followed by a video.

PowerShell for Discovery

PowerShell is a very common technique (T1086) used by adversaries and it will be a sub-technique in the new version of MITRE ATT&CK (T1059.001 in beta). PowerShell may be executed through powershell.exe or through unmanaged PowerShell. It may be worth testing both of these methods against your target organization. In SCYTHE, we prefer to use unmanaged PowerShell which can be loaded with: “loader --load upsh”. Then to execute any PowerShell command you use “upsh --cmd <PowerShell Command>”. In this case we want to determine the anti-virus that is running and the Domain Controller/DNS Server:

To run the same from powershell.exe (not unmanaged) use the following run commands (as shown in Figure 2):

upsh --cmd Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

upsh --cmd Get-DnsClientServerAddress

 

To run the same from powershell.exe (not unmanaged) use the following run commands (as shown in Figure 2):

run powershell.exe Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

run powershell.exe Get-DnsClientServerAddress

 

Figure 2

Lateral Movement 

Now we will show how easy it is to move laterally within the user interface of SCYTHE. From the Campaign window, select “More actions…” - “Observe Campaign”. In the new window, click the system you want to use to move laterally from. Selecting it will show two new blue buttons as shown in Figure 3.

 

Figure 3

 

Click “Discover Nearby Devices” and give it a bit to discover and return the results. On the bottom of this screen, you can see the status. Once complete, SCYTHE will show you an image of the nearby devices as seen in Figure 4.

 

Figure 4

 

In this case, ENDPOINT02 has an SMB connection open to TARGETSERVER01. We know this because we ran the “run net use” command in the APT33 emulation. Click on TARGETSERVER01 and select the new blue button “Inject into Neighbor”. You will be prompted for credentials but since the SMB session has already been established, you can click “No credentials”. Give it a moment and if successful, you will see the icon turn blue. Go back to the Device List by selecting it under “More actions…”

To understand what just happened, you can click the device that you pivoted from, in our example it is ENDPOINT02. Click on the persist module and take a look at the request: 

persist --hostname TARGETSERVER01 --name SCYTHEC --display SCYTHEC --description SCYTHE Client --path \\TARGETSERVER01\c$\windows\temp\scythe.exe

SCYTHE used the SMB connection that was already established and created a new service called SCYTHEC to execute a new file it copied over at C:\windows\temp\scythe.exe. Clicking on the new device will result in the APT33 automation to run on the new device. Take a look at the whoami module that executed on the new device and note the payload is running with NT AUTHORITY\SYSTEM privileges; this is because Windows services run with SYSTEM privilege.

Defend against APT33

Detecting PowerShell when executed from powershell.exe should be a simple test case for defenders. Using sysmon may be the simplest method of detecting when a new process is created. Our friends at Blackhills Information Security have a great post on getting started with sysmon.

We will go into detected unmanaged powershell in another #ThreatThursday but in the meantime, our friends at Optiv have a two part post related to unmanaged powershell: Part 1 and Part 2.

Lets focus on detecting the lateral movement performed through the user interface of SCYTHE. It is important to understand what occurs in the background to defend against it. SCYTHE created a service called SCYTHEC with a command to execute C:\Windows\temp\scythe.exe To defend against this ensure you are monitoring when new services are created on systems, especially where there is no change record or ticket to install or modify a system.

Clean up

Make sure to clean up when complete. To delete the service: open a privileged cmd.exe, type “sc delete SCYTHEC” and press “Enter“. You should also delete C:\Windows\temp\scythe.exe

Conclusion

In this #ThreatThursday we learned about an Iranian threat known as APT33 or Elfin. We used the beta of ATT&CK Navigator with sub-techniques to gather Cyber Threat Intelligence and create a Threat Profile. We imported the adversary emulation plan from the community threats Github. We learned the difference between powershell.exe and unmanaged PowerShell. We moved laterally using the SCYTHE user interface and looked under the hood to understand how it executed the lateral movement. Lastly, we covered methods for detecting some of the new techniques introduced by APT33/Elfin on this #ThreatThursday. We hope you enjoyed it!

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io