APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.   This group reportedly compromised the Democratic National Committee starting in the summer of 2015. 
Aliases: APT29, The Dukes, Cozy Bear, CozyDuke
|Enterprise||T1015||Accessibility Features||APT29 used sticky-keys to obtain unauthenticated, privileged console access.|
|Enterprise||T1088||Bypass User Account Control||APT29 has bypassed UAC.|
|Enterprise||T1172||Domain Fronting||APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.|
|Enterprise||T1203||Exploitation for Client Execution||APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.|
|Enterprise||T1070||Indicator Removal on Host||APT29 used SDelete to remove artifacts from victims.|
|Enterprise||T1188||Multi-hop Proxy||A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.|
|Enterprise||T1075||Pass the Hash||APT29 used Kerberos ticket attacks for lateral movement.|
|Enterprise||T1086||PowerShell||APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.|
|Enterprise||T1060||Registry Run Keys / Startup Folder||APT29 added Registry Run keys to establish persistence.|
|Enterprise||T1053||Scheduled Task||APT29 used named and hijacked scheduled tasks to establish persistence.|
|Enterprise||T1064||Scripting||APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.|
|Enterprise||T1045||Software Packing||APT29 used UPX to pack files.|
|Enterprise||T1193||Spearphishing Attachment||APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims.|
|Enterprise||T1192||Spearphishing Link||APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.|
|Enterprise||T1204||User Execution||APT29 has used various forms of spearphishing attempting to get a user to open links or attachments.|
|Enterprise||T1047||Windows Management Instrumentation||APT29 used WMI to steal credentials and execute backdoors at a future time.|
|Enterprise||T1084||Windows Management Instrumentation Event Subscription||APT29 has used WMI event filters to establish persistence.|
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.