#ThreatThursday - APT41

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41. We hope you enjoy.

Cyber Threat Intelligence

APT41 is a Chinese actor first seen active in 2012 and has been observed in a broad ranging campaign through 2020. Its intent has been both for state-sponsored espionage as well as for financial reasons. After exploitation, APT leverages sophisticated TTPs and even deploys additional payloads with multiple different methods such as bitsadmin and certutil. It also looks to evade defenses and establish persistence, making it an incredibly dangerous piece of malware. 

Cyber Threat Intelligence Sources: 

Many of these TTPs have been discussed in previous #ThreatThursdays so we want to focus on some new ones. In the adversary emulation part section we will discuss:

  • Execution Guardrails - restricting the payload to only execute within a particular domain environment
  • Bitsadmin - to download a payload
  • Certutil - to download a payload
  • PowerView.ps1 - PowerShell script to gain situational awareness on a domain

Adversary Emulation Plan

After reviewing the Cyber Threat Intelligence reports and MITRE ATT&CK mapping, we organized the TTPs by Tactic and created a threat profile for APT41:




Initial Access

T1190 - Exploit Public-Facing Application

T1566 - Phishing

T1566.001 - Spearphishing Attachment

T1195 - Supply Chain Compromise

T1195.002 - Compromise Software Supply Chain

Command and Control

T1071 - Application Layer Protocol

T1071.004 - DNS

T1071.002 - File Transfer Protocols

T1071.001 - Web Protocols

T1568 - Dynamic Resolution

T1568.002 - Domain Generation Algorithms

T1008 - Fallback Channels

T1105 - Ingress Tool Transfer

T1104 - Multi-Stage Channels

T1090 - Proxy

T1102 - Web Service

T1102.001 - Dead Drop Resolver


T1560 - Archive Collected Data

T1560.001 - Archive via Utility

T1056 - Input Capture

T1056.001 - Keylogging


T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.003 - Windows Command Shell

T1059.004 - Unix Shell

T1203 - Exploitation for Client Execution

T1053 - Scheduled Task/Job

T1053.005 - Scheduled Task

T1569 - System Services

T1569.002 - Service Execution

T1047 - Windows Management Instrumentation

Defense Evasion

T1197 - BITS Jobs

T1480 - Execution Guardrails

T1480.001 - Environmental Keying

T1070 - Indicator Removal on Host

T1070.001 - Clear Windows Event Logs

T1070.003 - Clear Command History

T1070.004 - File Deletion

T1036 - Masquerading

T1036.005 - Match Legitimate Name or Location

T1112 - Modify Registry

T1027 - Obfuscated Files or Information

T1542 - Pre-OS Boot

T1055 - Process Injection

T1014 - Rootkit

T1218 - Signed Binary Proxy Execution

T1218.001 - Compiled HTML File

T1553 - Subvert Trust Controls

T1553.002 - Code Signing

T1078 - Valid Accounts

Credential Access

T1110 - Brute Force

T1110.002 - Password Cracking

T1003 - OS Credential Dumping

T1003.001 - LSASS Memory


T1547 - Boot or Logon Autostart Execution

T1547.001 - Registry Run Keys / Startup Folder

T1136 - Create Account

T1136.001 - Local Account

T1543 - Create or Modify System Process

T1543.003 - Windows Service

T1133 - External Remote Services

T1574 - Hijack Execution Flow

T1574.002 - DLL Side-Loading

T1542.003 - Bootkit


T1083 - File and Directory Discovery

T1046 - Network Service Scanning

T1135 - Network Share Discovery

T1016 - System Network Configuration Discovery

T1049 - System Network Connections Discovery

T1033 - System Owner/User Discovery

Privilege Escalation

T1546 - Event Triggered Execution

T1546.008 - Accessibility Features

Lateral Movement

T1021 - Remote Services

T1021.001 - Remote Desktop Protocol


T1486 - Data Encrypted for Impact

T1496 - Resource Hijacking

As usual, we created and shared the APT41 adversary emulation plan on our Github in both ATT&CK Navigator JSON and SCYTHE Threat JSON. In this emulation plan, we broke down the threat into different steps: discovery, execution, defense evasion, persistence, credential access, and clean up. We also added threat automation language to check if the payload is running with high integrity (administrative privilege). If it is running with privilege, it takes additional steps than if it is not running with privilege.


APT41 leverages the well-known powershell script for host, network, and domain situational awareness (also known as reconnaissance or discovery) called PowerView.ps1 There are multiple ways to download and execute this script in memory but in this case, we are going to download the script to the disk and then call the script to run various commandlets it provides:

Defense Evasion with bitsadmin and certutil

APT41 uses two well known living off the land binaries and scripts. These are binaries signed by Microsoft that come with the operating system and have some added functionality. In the adversary emulation plan, we use bitsadmin and certutil to download two well-known powershell scripts for Kerberoasting and Domain Enumeration.

To maintain our non-destructive philosophy of emulation, we showed the ability to download example payloads and execute PowerShell commands without necessarily running anything malicious. To show a proof of concept for persistence, we chose to add example registry keys, services, and tasks so that they would be easily distinguishable and removable.

All of the above steps for persistence may be done by a user with limited privileges. We have added a check to the adversary emulation plan to determine the integrity of the process, if it is a high integrity process, then it performs other persistence and credential access TTPs that require administrative privileges:

After all the automation for APT41 is run, there are cleanup steps to remove the proof of concept persistence methods created by earlier actions.

Defend against APT41

While APT41 has quite the span of discovery, persistence, and evasion techniques, it also has a few specific key areas that can inform a security team on how to defend against it. 

Additional Payload Download

APT41 has a few methods of downloading additional payloads: powershell, certutil, and bitsadmin. These are known as living off the land binaries and scripts. These are binaries signed by Microsoft that come with the operating system. Preventing their execution is very difficult so it is best to enable detection and alerting controls when they are used to access external resources.

Public PowerShell Scripts

APT41 has been observed to use various publicly available PowerShell scripts by downloading them onto the endpoint and then executing them. In this adversary emulation plan we download the following to disk:

  • PowerView.ps1
  • WmiExec.ps1
  • ASREPRoast.ps1
  • SharpHound.ps1

In this case, we did not modify the scripts, creating detection for the exact script known to be used by malicious actors may be an easy and effective way to detect this activity. There are many ways around it but this detection is a start.


An alarming method that APT41 does to establish persistence on a victim is that it will look to create a user. To defend against this would require a group policy to disallow users from creating another user. Another method of persistence that is even more specific to APT41 is that it looks to create a service called “StorSyncSvc”. Detecting this service creation immediately (if the malware had somehow elevated privileges) would help defend against it.


While APT41 is quite the sophisticated actor, we can still ingest the Cyber Threat Intelligence, map it to MITRE ATT&CK, and create an adversary emulation plan that covers much of the behavior of the threat. More importantly, this emulation can aid in developing methods of preventing and detecting this threat through its specific and unique behaviors. We hope you enjoyed this edition of #ThreatThursday.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io

Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024
Threat Thursday Buzz
November 16,2023