# T1566.001 Spearphishing Attachment

-----------------------------------------------------------------------

## Technique Description

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. 

## Technique Detection

Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.

Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)

-----------------------------------------------------------------------

### Tactics:

  *   Initial-Access

### Platforms:

  * macOS

  * Windows

  * Linux

### Data Sources:

  * **File:** File Creation

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

  * **Application Log:** Application Log Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has crafted and sent victims malicious attachments to gain initial access.(Citation: Uptycs Confucius APT Jan 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used spam emails weaponized with archive or document files as its initial infection vector.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has conducted spearphishing campaigns that included malicious Word or Excel attachments.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)| 
| Ferocious Kitten | [Ferocious Kitten](https://attack.mitre.org/groups/G0137) has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.(Citation: Kaspersky Ferocious Kitten Jun 2021)| 
| IndigoZebra | [IndigoZebra](https://attack.mitre.org/groups/G0136) sent spearphishing emails containing malicious password-protected RAR attachments.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)| 
| Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has sent spearphishing e-mails with attachments to deliver malicious payloads.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016) | 
| Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has targeted victims with spearphishing emails containing malicious attachments.(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)| 
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has delivered payloads via spearphishing attachments.(Citation: TrendMicro Tonto Team October 2020)| 
| Ajax Security Team | [Ajax Security Team](https://attack.mitre.org/groups/G0130) has used personalized spearphishing attachments.(Citation: Check Point Rocket Kitten)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has sent spearphishing attachments with password protected ZIP files.(Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) has sent spearphishing emails containing malicious attachments.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) | 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious attachments often crafted for specific targets.(Citation: ATT Sidewinder January 2021)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has sent spearphishing emails with attachment to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)| 
| Sharpshooter | [Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious attachments via emails to targets.(Citation: McAfee Sharpshooter December 2018)| 
| Mofang | [Mofang](https://attack.mitre.org/groups/G0103) delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.(Citation: FOX-IT May 2016 Mofang)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, [TrickBot](https://attack.mitre.org/software/S0266), or [Bazar](https://attack.mitre.org/software/S0534).(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has used spearphishing emails to send trojanized Microsoft Word documents.(Citation: Talos Frankenstein June 2019)  | 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)| 
| APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019) | 
| BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)| 
| Machete |  [Machete](https://attack.mitre.org/groups/G0095) has delivered spearphishing emails that contain a zipped file with malicious contents.(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)| 
| WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has sent emails to intended victims with malicious MS Word and Excel attachments.(Citation: Kaspersky WIRTE November 2021)| 
| The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has sent phishing emails with malicious Microsoft Word attachments to victims.(Citation: Cylance Shaheen Nov 2018)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) leveraged spearphishing emails with malicious attachments to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)| 
| Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) sent emails with malicious Microsoft Office documents attached.(Citation: Symantec Gallmaker Oct 2018)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has conducted spearphishing campaigns using malicious email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has attached a malicious document to an email to gain initial access.(Citation: Rancor Unit42 June 2018)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)| 
| DarkHydrus | [DarkHydrus](https://attack.mitre.org/groups/G0079) has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit 42 Phishery Aug 2018)(Citation: Unit 42 Playbook Dec 2017)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.(Citation: FireEye APT19)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) sent emails to victims with malicious Microsoft Office documents attached.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)| 
| PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has sent spearphishing emails with attachments to victims as its primary initial access vector.(Citation: Microsoft PLATINUM April 2016)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) | 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has sent spearphishing e-mails with archive attachments.(Citation: Microsoft Holmium June 2020)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has distributed targeted emails containing Word documents with embedded malicious macros.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| TA459 | [TA459](https://attack.mitre.org/groups/G0062) has targeted victims using spearphishing emails with malicious Microsoft Word attachments.(Citation: Proofpoint TA459 April 2017)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)| 
| RTM | [RTM](https://attack.mitre.org/groups/G0048) has used spearphishing attachments to distribute its malware.(Citation: Group IB RTM August 2019)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: FireEye APT10 Sept 2018)(Citation: District Court of NY APT10 Indictment December 2018)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with an attachment to deliver files with exploits to initial victims.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has sent emails with malicious attachments to gain initial access.(Citation: Gigamon Berserk Bear October 2021)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has delivered malicious Microsoft Office attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: McAfee Lazarus Jul 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used e-mail to deliver malicious attachments to victims.(Citation: Trend Micro DRBControl February 2020)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) has sent emails with malicious Microsoft Office documents attached.(Citation: FireEye admin@338)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: MSTIC NOBELIUM May 2021)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)| 
| APT30 | [APT30](https://attack.mitre.org/groups/G0013) has used spearphishing emails with malicious DOC attachments.(Citation: FireEye APT30)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) has sent spearphishing emails containing malicious attachments.(Citation: Mandiant APT1)| 
| APT12 | [APT12](https://attack.mitre.org/groups/G0005) has sent emails with malicious Microsoft Office documents and PDFs attached.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1566/001)

  * [Capec](https://capec.mitre.org/data/definitions/163.html)

  * [Microsoft Anti Spoofing](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide), Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

  * [Acsc Email Spoofing](https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf), Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.

  * [Elastic - Koadiac Detection With Eql](https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql), Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 28 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Spearphishing involves social engineering (e.g. via social media) and technical deception. A lack of web-based content restrictions and of user training can result in a compromised network due to a spearphishing attachment. Furthermore, computer systems and servers must maintain an updated antivirus/anti-malware solution to quarantine malicious files. Once detection methodologies (e.g. network intrusion detection systems and email gateways) have been established, the compromised organization should identify every employee who received the phishing attachment, determine which of them opened it, isolate the subset that provided credentials, and look for any misuse of those credentials.

- Also see T1566.001 - Spearphishing Attachments for more generic queries on email traffic

* **Turla**
    * Used spear-phishing emails to deliver an Android malware family known as BrainTest as a malicious attachment. Identifying e-mails with attachments will assist in scoping potential phishing emails. Turla has been known to use .scr and .rar file extensions for their phishing attempts.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1, 2 |
| Turla |  | 1, 2 |
| APT28 |  | 1, 2 |

## Detection Blindspots

- Network Analytic I detects files associated with emails. If TLS is in use, or Moloch's ability to view emails is disabled, operators may have to adjust their queries to the network traffic they are actually seeing.
- Network Analytic II only triggers alerts on anomalous IMAP protocol usage or on usage of default PowerShell ports. Any attempt to sidestep this (malicious C2 through another process that does not use IMAP, or that changes the default ports) would not be detected.
- Depending on when in the attack kill chain we are invited onto the MP network, we may not see this TTP.
- SSL/TLS will be a hurdle where data is encrypted, so the attachment itself and the host's behavior regarding network connections will need to be analyzed closely to bridge the gap.
- The majority of events will take place on the host, so detection will be geared more towards C2, lateral movement, and data exfiltration.

## Analytical References

  * [F-Secure Dukes](https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf)
  * [Not So Cozy an Uncomfortable Examination of a Suspected APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html)
  * [Fireeye - How to Stop Spearphishing](https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/wp-fireeye-how-stop-spearphishing.pdf)
  * [Using Jack Crook's Log Analysis Concepts with Sagan](https://quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/)
  * [Braintest - A New Level of Sophistication in Mobile Malware](https://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/)
  * [Carbon Paper: Peering into Turla's Second Stage Backdoor 2017 (welivesecurity)](https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [Palo Alto Networks - Sofacy Multiple Government Entities](https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/)
  * [Palo Alto Networks - Sofacy Parallel Attacks](https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/)
  * [We Live Security - Zebrocy](https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/)
  * [GitHub - Curi0usJack luckystrike](https://github.com/curi0usJack/luckystrike)
  * [Palo Alto Networks - Target European Government](https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/)
  * [ShellNtel - Luckystrike](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** Identifies suspicious child processes of Microsoft Outlook.

  * **Source:** Windows Audit, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:**

    ```
    event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or
    arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe
    or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or
    installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or
    nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or
    reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)
    ```

  * **Query:** ```event.category:process and event.type:start and process.parent.name:"outlook.exe"```
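As an added example (not code from the playbook or from the Elastic post it cites), the following Python runs the same parent/child check over constructed Sysmon-style process-creation events and goes one step further than the queries above: it walks the process tree, so descendants such as Outlook -> WINWORD -> cmd -> powershell are caught, not only direct children of outlook.exe. The nested ECS field layout (process.entity_id, process.parent.entity_id) and the extended parent set (Word, Excel, PowerPoint, Acrobat Reader) are assumptions.

```python
"""Suspicious descendants of Outlook and other productivity software.

Added example, not from the original playbook. Events are constructed in the
nested ECS layout Winlogbeat emits for Sysmon Event ID 1; process.entity_id is
Sysmon's ProcessGuid, which (unlike a PID) is not reused after a process exits.
"""
import json

# The page's query only watches outlook.exe; the other parents are an assumption
# extending it to Office applications and Acrobat Reader.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe",
                  "powerpnt.exe", "acrord32.exe"}

# Child-process list taken from the Kibana query on this page (lower-cased).
SUSPICIOUS_CHILDREN = {
    "microsoft.workflow.compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe",
    "bitsadmin.exe", "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe",
    "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe",
    "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe",
    "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe",
    "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe",
    "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe",
    "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe",
    "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe",
    "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe",
    "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe",
}
PROCESS_CREATE = "Process Create (rule: ProcessCreate)"

def event(entity_id, name, parent_id, parent_name, cmdline):
    """One constructed process-creation event, serialised as a JSON line."""
    return json.dumps({
        "event": {"action": PROCESS_CREATE, "category": "process", "type": "start"},
        "process": {"entity_id": entity_id, "name": name, "command_line": cmdline,
                    "parent": {"entity_id": parent_id, "name": parent_name}},
    })

# Constructed sample: the chain Outlook -> WINWORD -> cmd -> powershell, plus two
# processes (notepad under Outlook, powershell under explorer) that must not alert.
SAMPLE_EVENTS = "\n".join([
    event("{A}", "OUTLOOK.EXE", "{X}", "explorer.exe", "OUTLOOK.EXE"),
    event("{B}", "WINWORD.EXE", "{A}", "OUTLOOK.EXE", "WINWORD.EXE /n attachment.docx"),
    event("{C}", "cmd.exe", "{B}", "WINWORD.EXE", "cmd.exe /c whoami"),
    event("{D}", "powershell.exe", "{C}", "cmd.exe", "powershell.exe -NoProfile"),
    event("{E}", "notepad.exe", "{A}", "OUTLOOK.EXE", "notepad.exe notes.txt"),
    event("{F}", "powershell.exe", "{X}", "explorer.exe", "powershell.exe"),
])

def parse_events(lines):
    """Index process-creation events by entity id; other event types are skipped."""
    by_id = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event", {}).get("action") == PROCESS_CREATE:
            by_id[ev["process"]["entity_id"]] = ev
    return by_id

def office_ancestor(ev, by_id, max_depth=4):
    """Nearest productivity-app ancestor within max_depth hops, or None.
    The walk stops at a parent whose own creation event was not collected."""
    cur = ev
    for _ in range(max_depth):
        parent = cur["process"]["parent"]
        if parent["name"].lower() in OFFICE_PARENTS:
            return parent["name"].lower()
        cur = by_id.get(parent["entity_id"])
        if cur is None:
            return None
    return None

def find_suspicious(lines):
    """(ancestor, child, command_line) for each suspicious descendant process."""
    by_id = parse_events(lines)
    hits = []
    for ev in by_id.values():
        name = ev["process"]["name"].lower()
        if name in SUSPICIOUS_CHILDREN:
            ancestor = office_ancestor(ev, by_id)
            if ancestor is not None:
                hits.append((ancestor, name, ev["process"]["command_line"]))
    return hits

if __name__ == "__main__":
    for ancestor, child, cmdline in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print(f"{ancestor} -> ... -> {child}: {cmdline}")
```

On real data, PID reuse makes a PID-based join unreliable; keying on process.entity_id (Sysmon's ProcessGuid) is what makes the ancestor walk safe.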

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- After identifying potential IOCs, identify all employees that received/downloaded the phishing attachment and search for credential misuse/potential pivoting or further compromise on their workstations.
- MD5 hashes should be used to identify files associated with potential spearphishing emails. This allows for quick analysis of the related network traffic.
- Additional analytics from APT29 activity reports: unusually long PowerShell commands in traffic, and email addresses of 60+ characters.
- The MP may access email via the web (e.g. OWA), which means email traffic may be encrypted over HTTPS.
- The SPIView tab in Arkime allows us to filter by protocol. Since we are hunting for spearphishing email attachments, we can use this to narrow the search by going to the SPIView tab, then clicking "Load All" in the email row.
- Turla has been seen using .scr, .pdf, and .rar attachments.

#### Analytic 1

  * **Information:** Identify possible email attachments with a focus on attached files, and files names.

  * **Source:** PCAP, `sessions*`

  * **Tool:** Arkime, Kibana

  * **Notes:**
    * Filenames - gives an immediate overview of the email attachments captured in the PCAP, allowing us to quickly filter anything suspicious.
    * Body Magic - uses libmagic (`file` signatures) to determine file types. Not as comprehensive as the filenames, but can be used to investigate further.
    * Attach MD5s - lists MD5 hashes of detected attachments. These can be compared against known-bad MD5 hashes, but are unlikely to yield actionable results.

  * **Query Arkime:** `protocols == [smtp, imap, pop3] && email.md5 == [md5 hash] && email.fn == [filename of interest] && email.bodymagic == EXISTS!`
  * **Query Kibana:** `protocol : (smtp or imap or pop3) AND email.md5 : * AND email.filename : * AND email.bodymagic : *`
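As an added example, not the playbook's own tooling: the Python below performs the same three-way triage (filename, body magic, MD5) on a constructed raw email and adds the two checks the technique description motivates, an extension/content mismatch (an executable named .pdf) and the encryption flag in a ZIP local file header (a password-protected archive), plus the SPF/DKIM verdicts from an Authentication-Results header. The magic table is a small constructed subset of libmagic's; the message, its addresses and the `build_sample` helper are constructed.

```python
"""Attachment triage for a raw email: filename, magic type, MD5, extension vs
content mismatch, ZIP encryption flag and SPF/DKIM verdicts.

Added example, not from the original playbook. The magic-number table is a
small constructed subset of libmagic's; the sample message is constructed.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Leading bytes -> broad content type (subset; libmagic knows far more).
MAGIC = [
    (b"MZ", "exe"),                # PE executables (.exe/.scr/.dll)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),        # also OOXML containers (.docx/.xlsx)
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy .doc/.xls (OLE2)
    (b"{\\rtf", "rtf"),
]
# Content types that are plausible for a claimed extension.
EXPECTED = {
    "exe": {"exe"}, "scr": {"exe"}, "pdf": {"pdf"}, "zip": {"zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "doc": {"ole", "rtf"}, "xls": {"ole"},
    "rtf": {"rtf"}, "rar": {"rar"},
}

def magic_type(data):
    """Classify content by its leading bytes, ignoring the claimed filename."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"

def zip_is_encrypted(data):
    """Bit 0 of the general-purpose flag (offset 6 of the first local file
    header) marks an encrypted entry, i.e. a password-protected archive."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    return bool(int.from_bytes(data[6:8], "little") & 0x1)

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts from Authentication-Results headers (RFC 8601)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            verdicts[m.group(1)] = m.group(2).lower()
    return verdicts

def triage_message(raw_bytes):
    """Return {'auth': {...}, 'attachments': [{filename, md5, magic, flags}]}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = magic_type(data)
        flags = []
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            flags.append(f"extension .{ext} but content looks like {kind}")
        if kind == "exe":
            flags.append("executable attachment")
        if zip_is_encrypted(data):
            flags.append("password-protected zip")
        attachments.append({"filename": name, "magic": kind, "flags": flags,
                            "md5": hashlib.md5(data).hexdigest()})
    return {"auth": auth_results(msg), "attachments": attachments}

def build_sample():
    """Constructed message: a PE named .pdf, an encrypted ZIP and a clean PDF."""
    m = EmailMessage()
    m["From"] = "invoices@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = "Invoice attached"
    m["Authentication-Results"] = ("mx.example.net; spf=fail "
                                   "smtp.mailfrom=example.com; dkim=none")
    m.set_content("Please see attached. Archive password: 1234")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="Invoice.pdf")
    # ZIP local file header: signature, version 20, general-purpose flags 0x0001
    m.add_attachment(b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22,
                     maintype="application", subtype="zip", filename="docs.zip")
    m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    result = triage_message(build_sample())
    print("auth:", result["auth"])
    for a in result["attachments"]:
        print(a["filename"], a["md5"], a["magic"], a["flags"])
```

The MD5 values are the same ones Arkime records in `email.md5`, so the output can be pivoted straight into the Arkime query above.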

#### Analytic 2

  * **Information:** The expected result of a user opening a spearphishing email with a malicious attachment is communication with a possible C2 domain. Analyze network traffic from email and any associated web traffic on or around the time an email may have been accessed. If an attachment made a request to a possible C2 server, we would expect to see a GET request to that domain.

  * **Source:** PCAP, `sessions*`

  * **Tool:** Arkime, Kibana

  * **Notes:** 

  * **Query Arkime:** `(http.method == "GET" && http.uri == [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf]) || protocols == [smtp, imap, pop3]`
  * **Query Kibana:** `(http.method : GET AND http.uri : (*.zip or *.rar or *.exe or *.lnk or *.docx or *.pdf)) OR protocol : (smtp or imap or pop3)`
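As an added example, not a query from the playbook: this Python applies the reasoning of Analytic 2 to constructed Arkime-style session records, pairing each mail session (smtp/imap/pop3) with later HTTP GETs from the same client for payload-like URIs inside a time window. The field names (firstPacket in epoch milliseconds, srcIp, protocol, http.method, http.uri), the client-IP join, the `http_get` helper and the 10-minute window are assumptions.

```python
"""Pair mail sessions with follow-on HTTP GETs for payload-like files.

Added example, not from the original playbook. Session records are constructed
and loosely follow Arkime's session index (firstPacket is epoch milliseconds);
joining on client IP and the 10-minute window are assumptions.
"""
# Extensions from Analytic 2's query; any query string is stripped before matching.
PAYLOAD_EXTS = (".zip", ".rar", ".exe", ".lnk", ".docx", ".pdf")
MAIL_PROTOCOLS = {"smtp", "imap", "pop3"}

T0 = 1_655_980_000_000  # constructed base timestamp (epoch ms)

def http_get(sid, offset_ms, src, uri):
    """Constructed HTTP GET session record."""
    return {"id": sid, "firstPacket": T0 + offset_ms, "srcIp": src,
            "protocol": ["tcp", "http"], "http": {"method": "GET", "uri": uri}}

SAMPLE_SESSIONS = [
    {"id": "s1", "firstPacket": T0, "srcIp": "10.0.0.5", "protocol": ["tcp", "imap"]},
    http_get("s2", 120_000, "10.0.0.5", "cdn.example.test/files/invoice.zip?dl=1"),
    http_get("s3", 130_000, "10.0.0.5", "www.example.test/index.html"),   # not a payload
    http_get("s4", 60_000, "10.0.0.7", "cdn.example.test/setup.exe"),     # host had no mail session
    http_get("s5", 7_200_000, "10.0.0.5", "cdn.example.test/report.pdf"), # two hours later
    http_get("s6", -30_000, "10.0.0.5", "cdn.example.test/old.rar"),      # before the mail session
]

def is_payload_uri(uri):
    """True when the URI path ends with one of the watched extensions."""
    return uri.split("?", 1)[0].lower().endswith(PAYLOAD_EXTS)

def correlate(sessions, window_seconds=600):
    """One hit per payload GET that follows a mail session from the same client
    within the window; a GET is reported once even if several mails precede it."""
    mail = [s for s in sessions if MAIL_PROTOCOLS & set(s.get("protocol", []))]
    gets = [s for s in sessions
            if s.get("http", {}).get("method") == "GET" and is_payload_uri(s["http"]["uri"])]
    hits, seen = [], set()
    for m in mail:
        for g in gets:
            if g["srcIp"] != m["srcIp"] or g["id"] in seen:
                continue
            delta_ms = g["firstPacket"] - m["firstPacket"]
            if 0 <= delta_ms <= window_seconds * 1000:
                seen.add(g["id"])
                hits.append({"client": g["srcIp"], "mail_session": m["id"],
                             "get_session": g["id"], "uri": g["http"]["uri"],
                             "seconds_after_mail": delta_ms // 1000})
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_SESSIONS):
        print(hit)
```

Where the MP reads mail over OWA (HTTPS), the mail side of this join is invisible in cleartext PCAP and the GET side has to be anchored on host evidence instead.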

**Tools**

Arkime:
The SPIView tab in Arkime allows us to filter by protocol. Since we are hunting for spearphishing email attachments, we can use this to narrow the search by going to the SPIView tab, then clicking "Load All" in the email row.

<p align="center">
<img src="../../Images/T1566.001_Spearphishing_attachment.png">
</p>

Things we are looking for to begin to identify potential malicious attachments, in order:
* <font color="green"> Filenames </font> - gives an immediate overview of the email attachments captured in the PCAP, allowing us to quickly filter anything suspicious.
  APT29 has been known to use the following attachments in past spearphishing campaigns: ZIP archives, shortcuts (.LNK), PDFs, Microsoft Word (.DOCX), and fake Adobe installers (.EXE).
* <font color="yellow"> Body Magic </font> - uses libmagic (`file` signatures) to determine file types. Not as comprehensive as the filenames, but can be used to investigate further.
* <font color="red"> Attach MD5s </font> - lists MD5 hashes of detected attachments. These can be compared against known-bad MD5 hashes, but are unlikely to yield actionable results.

