Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]
| ID | Name | Description |
|---|---|---|
| G0065 | Leviathan | Leviathan Australian Intrusions was conducted by the Leviathan threat actor.[1] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1213 | Data from Information Repositories | Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Leviathan stored captured credential material in local log files on victim systems during Leviathan Australian Intrusions.[1] |
| Enterprise | T1482 | Domain Trust Discovery | Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions.[1] |
| Enterprise | T1212 | Exploitation for Credential Access | Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.[1] |
| Enterprise | T1615 | Group Policy Discovery | Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[1] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Leviathan modified system firewalls to add two open listening ports, 9998 and 9999, during Leviathan Australian Intrusions.[1] |
| Enterprise | T1056 | Input Capture | Leviathan captured submitted multifactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions.[1] |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions.[1] |
| Enterprise | T1135 | Network Share Discovery | Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.[1] |
| Enterprise | T1588.006 | Obtain Capabilities: Vulnerabilities | Leviathan weaponized publicly known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.[1] |
| Enterprise | T1021.004 | Remote Services: SSH | Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions.[1] |
| Enterprise | T1018 | Remote System Discovery | Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions.[1] |
| Enterprise | T1594 | Search Victim-Owned Websites | Leviathan enumerated compromised web application resources to identify additional endpoints and resources linked to the website for follow-on access during Leviathan Australian Intrusions.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Leviathan relied extensively on web shells following initial access for persistence and command execution in victim environments during Leviathan Australian Intrusions.[1] |
| Enterprise | T1528 | Steal Application Access Token | Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions.[1] |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions.[1] |
| Enterprise | T1082 | System Information Discovery | Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.[1] |
| Enterprise | T1552 | Unsecured Credentials | Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.[1] |
| Enterprise | T1078 | Valid Accounts | Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Leviathan compromised domain credentials during Leviathan Australian Intrusions.[1] |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.[1] |