{"description": "Enterprise techniques used by APT29, ATT&CK group G0016 v1.0", "name": "APT29 (G0016)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1547.009", "techniqueName": "Shortcut Modification", "comment": "[APT29](https://attack.mitre.org/groups/G0016) drops a Windows shortcut file for execution.(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT29](https://attack.mitre.org/groups/G0016) uses Base64 encoding within PowerShell for obfuscation.(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1218.011", "techniqueName": "Rundll32", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used rundll32.exe for execution.(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used port 443 for C2.(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1095", "techniqueName": "Non-Application Layer Protocol", "comment": "[APT29](https://attack.mitre.org/groups/G0016) uses TCP for C2 communications.(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution.(Citation: F-Secure The Dukes)"}, {"score": 1, "techniqueID": "T1204.002", "techniqueName": "Malicious File", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. 
(Citation: F-Secure The Dukes) (Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1566.001", "techniqueName": "Spearphishing Attachment", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1566.002", "techniqueName": "Spearphishing Link", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1090.003", "techniqueName": "Multi-hop Proxy", "comment": "A backdoor used by [APT29](https://attack.mitre.org/groups/G0016) created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1090.004", "techniqueName": "Domain Fronting", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1546.008", "techniqueName": "Accessibility Features", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)"}, {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT29](https://attack.mitre.org/groups/G0016) added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1546.003", "techniqueName": "Windows Management Instrumentation Event Subscription", "comment": 
"[APT29](https://attack.mitre.org/groups/G0016) has used WMI event filters to establish persistence.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1548.002", "techniqueName": "Bypass User Access Control", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has bypassed UAC.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1047", "techniqueName": "Windows Management Instrumentation", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1027.002", "techniqueName": "Software Packing", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used UPX to pack files.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1550.003", "techniqueName": "Pass the Ticket", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1053.005", "techniqueName": "Scheduled Task", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)"}, {"score": 1, "techniqueID": "T1059.001", "techniqueName": "PowerShell", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used encoded PowerShell scripts uploaded to [CozyCar](https://attack.mitre.org/software/S0046) installations to download and install [SeaDuke](https://attack.mitre.org/software/S0053). 
[APT29](https://attack.mitre.org/groups/G0016) also used PowerShell scripts to evade defenses.(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Nov 2018)"}, {"score": 1, "techniqueID": "T1070.004", "techniqueName": "File Deletion", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used [SDelete](https://attack.mitre.org/software/S0195) to remove artifacts from victims.(Citation: Mandiant No Easy Breach)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT29", "color": "#ff6666"}]}