APT29

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008.[1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[3]

ID: G0016
Aliases: APT29, The Dukes, Cozy Bear, CozyDuke
Version: 1.0

Alias Descriptions

Name | Description
APT29 | [1]
The Dukes | [1]
Cozy Bear | [3]
CozyDuke | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1015 | Accessibility Features | APT29 used sticky-keys to obtain unauthenticated, privileged console access.[4][5]
Enterprise | T1088 | Bypass User Account Control | APT29 has bypassed UAC.[4]
Enterprise | T1172 | Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.[4]
Enterprise | T1203 | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution.[1]
Enterprise | T1070 | Indicator Removal on Host | APT29 used SDelete to remove artifacts from victims.[4]
Enterprise | T1188 | Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network.[4]
Enterprise | T1075 | Pass the Hash | APT29 used Kerberos ticket attacks for lateral movement.[4]
Enterprise | T1086 | PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.[6][4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT29 added Registry Run keys to establish persistence.[4]
Enterprise | T1053 | Scheduled Task | APT29 used named and hijacked scheduled tasks to establish persistence.[4]
Enterprise | T1064 | Scripting | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.[6][4]
Enterprise | T1045 | Software Packing | APT29 used UPX to pack files.[4]
Enterprise | T1193 | Spearphishing Attachment | APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims.[1]
Enterprise | T1192 | Spearphishing Link | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[4]
Enterprise | T1204 | User Execution | APT29 has used various forms of spearphishing attempting to get a user to open links or attachments.[1]
Enterprise | T1047 | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time.[4]
Enterprise | T1084 | Windows Management Instrumentation Event Subscription | APT29 has used WMI event filters to establish persistence.[4]
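Several of the host-side techniques in the table above leave artifacts that endpoint telemetry records, and a detection engineer reading this page will want rules for them. The following is an added example, not part of the ATT&CK page or of any cited report: it runs a handful of my own detection rules over constructed Sysmon-style events (the event dicts, paths, SIDs and the process names are made up for illustration). It flags the accessibility-feature hijack of T1015 both as an Image File Execution Options debugger on sethc.exe and as cmd.exe spawned from winlogon.exe, a Run key write for T1060, the filter/consumer/binding trio that a WMI event subscription (T1084) needs, and the Tor client forwarding a hidden-service circuit to local RDP/NetBIOS/SMB ports as in the T1188 entry. The field names follow Sysmon event IDs 1, 3, 13, 19, 20 and 21; the rule logic is an assumption of this example, not a description of how APT29's tooling was actually detected.

```python
"""Detection rules for a few APT29 techniques, run over constructed Sysmon-style
events.  Example code added to this page; the events are fabricated samples."""
import re

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
TOR_FORWARD_PORTS = {3389, 139, 445}          # ports named in the T1188 entry
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")

# Constructed sample events (assumed field names mirror Sysmon's).
SAMPLE_EVENTS = [
    # Sysmon 13: IFEO debugger planted on sethc.exe -> T1015
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    # Sysmon 1: cmd.exe started from the logon screen by winlogon.exe -> T1015
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Sysmon 13: Run key persistence -> T1060
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    # Sysmon 19/20/21: WMI filter, consumer and binding -> T1084
    {"EventID": 19, "Operation": "Created", "Name": "ProcessStart",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "RunCmd", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"EventID": 21, "Operation": "Created", "Consumer": 'CommandLineEventConsumer.Name="RunCmd"',
     "Filter": '__EventFilter.Name="ProcessStart"'},
    # Sysmon 3: the Tor client forwarding a hidden-service circuit to local RDP -> T1188
    {"EventID": 3, "Image": r"C:\ProgramData\tor\tor.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
    # Benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (technique_id, reason) findings for the given events."""
    findings = []
    wmi_parts = {"filter": False, "consumer": False, "binding": False}
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:                                   # registry value set
            target = ev.get("TargetObject", "")
            tl = target.lower()
            if "image file execution options" in tl and tl.endswith("\\debugger"):
                hijacked = tl.split("\\")[-2]
                if hijacked in ACCESSIBILITY_BINARIES:
                    findings.append(("T1015", f"IFEO Debugger on {hijacked} -> {ev.get('Details')}"))
            if RUN_KEY_RE.search(tl):
                findings.append(("T1060", f"Run key write {target} = {ev.get('Details')}"))
        elif eid == 1:                                  # process creation
            image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
            if image in {"cmd.exe", "powershell.exe"} and \
                    (parent == "winlogon.exe" or parent in ACCESSIBILITY_BINARIES):
                findings.append(("T1015", f"{image} spawned by {parent}"))
        elif eid in (19, 20, 21) and ev.get("Operation") == "Created":
            wmi_parts[{19: "filter", 20: "consumer", 21: "binding"}[eid]] = True
        elif eid == 3:                                  # network connection
            if basename(ev.get("Image", "")) == "tor.exe" and \
                    ev.get("DestinationIp") == "127.0.0.1" and \
                    ev.get("DestinationPort") in TOR_FORWARD_PORTS:
                findings.append(("T1188", f"tor.exe forwarding to loopback port {ev['DestinationPort']}"))
    # A subscription only executes once all three WMI objects exist.
    if all(wmi_parts.values()):
        findings.append(("T1084", "WMI __EventFilter, consumer and __FilterToConsumerBinding created"))
    return findings


if __name__ == "__main__":
    for technique, reason in detect(SAMPLE_EVENTS):
        print(f"{technique}: {reason}")
```

Two caveats for anyone adapting this: a sticky-keys hijack done by overwriting sethc.exe itself leaves no IFEO write, so the process-ancestry rule (cmd.exe under winlogon.exe) is the one that still fires; and Sysmon event IDs 19 to 21 require a configuration that enables WMI event logging, otherwise the T1084 rule never sees its inputs.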

Software

ID | Name | Techniques
S0054 | CloudDuke | Remote File Copy, Standard Application Layer Protocol, Web Service
S0050 | CosmicDuke | Automated Exfiltration, Clipboard Data, Credential Dumping, Custom Cryptographic Protocol, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Exfiltration Over Alternative Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture, New Service, Scheduled Task, Screen Capture, Standard Application Layer Protocol
S0046 | CozyCar | Command-Line Interface, Credential Dumping, Masquerading, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Web Service
S0049 | GeminiDuke | Account Discovery, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Network Configuration Discovery, System Service Discovery
S0037 | HAMMERTOSS | Custom Cryptographic Protocol, Data Obfuscation, Exfiltration Over Alternative Protocol, PowerShell, Standard Application Layer Protocol, Web Service
S0175 | meek | Domain Fronting
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0051 | MiniDuke | Fallback Channels, Remote File Copy, Standard Application Layer Protocol, Web Service
S0052 | OnionDuke | Credential Dumping, Standard Application Layer Protocol, Web Service
S0048 | PinchDuke | Credential Dumping, Data from Local System, File and Directory Discovery, Standard Application Layer Protocol, System Information Discovery
S0150 | POSHSPY | Data Transfer Size Limits, Obfuscated Files or Information, PowerShell, Remote File Copy, Standard Cryptographic Protocol, Timestomp, Windows Management Instrumentation Event Subscription
S0139 | PowerDuke | Application Window Discovery, Command-Line Interface, Commonly Used Port, File and Directory Discovery, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029 | PsExec | Service Execution, Windows Admin Shares
S0195 | SDelete | Code Signing, File Deletion
S0053 | SeaDuke | Command-Line Interface, Data Compressed, Data Encoding, Email Collection, File Deletion, Pass the Ticket, PowerShell, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Shortcut Modification, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, Valid Accounts, Windows Management Instrumentation Event Subscription
S0183 | Tor | Multi-hop Proxy, Multilayer Encryption

References