APT29

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. [1] [2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [3]

ID: G0016
Version: 1.1

Associated Group Descriptions

| Name | Description |
|---|---|
| YTTRIUM | [8] |
| The Dukes | [1] |
| Cozy Bear | [3] |
| CozyDuke | [3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1015 | Accessibility Features | APT29 used sticky-keys to obtain unauthenticated, privileged console access. [4][5] |
| Enterprise | T1088 | Bypass User Account Control | APT29 has bypassed UAC. [4] |
| Enterprise | T1043 | Commonly Used Port | APT29 has used port 443 for C2. [6] |
| Enterprise | T1172 | Domain Fronting | APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic. [4] |
| Enterprise | T1203 | Exploitation for Client Execution | APT29 has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of. [1] |
| Enterprise | T1070 | Indicator Removal on Host | APT29 used SDelete to remove artifacts from victims. [4] |
| Enterprise | T1188 | Multi-hop Proxy | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network. [4] |
| Enterprise | T1027 | Obfuscated Files or Information | APT29 uses PowerShell with Base64 encoding for obfuscation. [6] |
| Enterprise | T1097 | Pass the Ticket | APT29 used Kerberos ticket attacks for lateral movement. [4] |
| Enterprise | T1086 | PowerShell | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses. [7][4][6] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | APT29 added Registry Run keys to establish persistence. [4] |
| Enterprise | T1085 | Rundll32 | APT29 has used rundll32.exe for execution. [6] |
| Enterprise | T1053 | Scheduled Task | APT29 used named and hijacked scheduled tasks to establish persistence. [4] |
| Enterprise | T1064 | Scripting | APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses. [7][4] |
| Enterprise | T1023 | Shortcut Modification | APT29 drops a Windows shortcut file for execution. [6] |
| Enterprise | T1045 | Software Packing | APT29 used UPX to pack files. [4] |
| Enterprise | T1193 | Spearphishing Attachment | APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims. [1][6] |
| Enterprise | T1192 | Spearphishing Link | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files. [4] |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | APT29 uses TCP for C2 communications. [6] |
| Enterprise | T1204 | User Execution | APT29 has used various forms of spearphishing attempting to get a user to open links or attachments. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | APT29 used WMI to steal credentials and execute backdoors at a future time. [4] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | APT29 has used WMI event filters to establish persistence. [4] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0054 | CloudDuke | [1] | Remote File Copy, Standard Application Layer Protocol, Web Service |
| S0154 | Cobalt Strike | [6] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management |
| S0050 | CosmicDuke | [1] | Automated Exfiltration, Clipboard Data, Credential Dumping, Custom Cryptographic Protocol, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Exfiltration Over Alternative Protocol, Exploitation for Privilege Escalation, File and Directory Discovery, Input Capture, New Service, Scheduled Task, Screen Capture, Standard Application Layer Protocol |
| S0046 | CozyCar | [1] | Command-Line Interface, Credential Dumping, Masquerading, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Virtualization/Sandbox Evasion, Web Service |
| S0049 | GeminiDuke | [1] | Account Discovery, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Network Configuration Discovery, System Service Discovery |
| S0037 | HAMMERTOSS | [1] | Custom Cryptographic Protocol, Data Obfuscation, Exfiltration Over Alternative Protocol, PowerShell, Standard Application Layer Protocol, Web Service |
| S0175 | meek | [4] | Domain Fronting |
| S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0051 | MiniDuke | [1] | Fallback Channels, Remote File Copy, Standard Application Layer Protocol, Web Service |
| S0052 | OnionDuke | [1] | Credential Dumping, Standard Application Layer Protocol, Web Service |
| S0048 | PinchDuke | [1] | Credential Dumping, Data from Local System, File and Directory Discovery, Standard Application Layer Protocol, System Information Discovery |
| S0150 | POSHSPY | [9] | Data Transfer Size Limits, Domain Generation Algorithms, Obfuscated Files or Information, PowerShell, Remote File Copy, Standard Cryptographic Protocol, Timestomp, Windows Management Instrumentation Event Subscription |
| S0139 | PowerDuke | [10] | Application Window Discovery, Command-Line Interface, Commonly Used Port, Data Destruction, File and Directory Discovery, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery |
| S0029 | PsExec | [1] | Service Execution, Windows Admin Shares |
| S0195 | SDelete | [4] | Code Signing, Data Destruction, File Deletion |
| S0053 | SeaDuke | [1] | Command-Line Interface, Data Compressed, Data Encoding, Email Collection, File Deletion, Pass the Ticket, PowerShell, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Shortcut Modification, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, Valid Accounts, Windows Management Instrumentation Event Subscription |
| S0183 | Tor | [4] | Multi-hop Proxy, Multilayer Encryption |

References