UNC2452

UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.[1] Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.[1] The group also compromised at least one think tank by late 2019.[2]

ID: G0118
Associated Groups: Solorigate, StellarParticle, Dark Halo
Contributors: Katie Nickels, Red Canary; Matt Brenton, Zurich Insurance Group
Version: 1.0
Created: 05 January 2021
Last Modified: 25 January 2021

Associated Group Descriptions

Name Description
Solorigate

[3]

StellarParticle

[4]

Dark Halo

[2]

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

UNC2452 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[2]

Enterprise T1098 .002 Account Manipulation: Exchange Email Delegate Permissions

UNC2452 added their own devices as allowed IDs for active sync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.[2][5]

.001 Account Manipulation: Additional Cloud Credentials

UNC2452 added credentials to OAuth Applications and Service Principals.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

UNC2452 used HTTP for C2 and data exfiltration.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.[2][6]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.[2][3]

.003 Command and Scripting Interpreter: Windows Command Shell

UNC2452 used cmd.exe to execute commands on remote machines.[2][3]

Enterprise T1555 Credentials from Password Stores

UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.[6]

Enterprise T1005 Data from Local System

UNC2452 extracted files from compromised networks.[2]

Enterprise T1074 .002 Data Staged: Remote Data Staging

UNC2452 staged data and files in password-protected archives on a victim's OWA server.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

UNC2452 used 7-Zip to decode its Raindrop malware.[7]

Enterprise T1587 .001 Develop Capabilities: Malware

UNC2452 developed Sunspot, Sunburst, Teardrop, and Raindrop; Sunspot and Sunburst were tailored to be incorporated into SolarWind's Orion software library.[1][4][6]

Enterprise T1484 .002 Domain Policy Modification: Domain Trust Modification

UNC2452 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[8]

Enterprise T1482 Domain Trust Discovery

UNC2452 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[2] They also used AdFind to enumerate domains and to discover trust between federated domains.[6]

Enterprise T1568 Dynamic Resolution

UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.[2]

Enterprise T1114 .002 Email Collection: Remote Email Collection

UNC2452 collected emails from specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest.[2]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

UNC2452 used WMI event subscriptions for persistence.[8][6]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.[2]

Enterprise T1190 Exploit Public-Facing Application

UNC2452 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[2]

Enterprise T1083 File and Directory Discovery

UNC2452 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[2]

Enterprise T1606 .001 Forge Web Credentials: Web Cookies

UNC2452 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[2]

.002 Forge Web Credentials: SAML Tokens

UNC2452 created tokens using compromised SAML signing certificates.[5]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

UNC2452 used netsh to configure firewall rules that limited certain UDP outbound packets.[6]

.002 Impair Defenses: Disable Windows Event Logging

UNC2452 used AUDITPOL to prevent the collection of audit logs.[6]

.001 Impair Defenses: Disable or Modify Tools

UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products.[6]

Enterprise T1070 Indicator Removal on Host

UNC2452 removed evidence of email export requests using Remove-MailboxExportRequest.[2] They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[1]

.004 File Deletion

UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved.[1]

.006 Timestomp

UNC2452 modified timestamps of backdoors to match legitimate Windows files.[6]

Enterprise T1105 Ingress Tool Transfer

UNC2452 downloaded additional tools, such as Teardrop malware and Cobalt Strike, to the compromised host following initial compromise.[1]

Enterprise T1036 Masquerading

UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.[1]

.004 Masquerade Task or Service

UNC2452 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[2]

.005 Match Legitimate Name or Location

UNC2452 renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the SQL Server Telemetry Client or Client Service Runtime Process, respectively.[2][3]

Enterprise T1027 Obfuscated Files or Information

UNC2452 used encoded PowerShell commands.[5]

Enterprise T1003 .006 OS Credential Dumping: DCSync

UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers.[8][6]

Enterprise T1069 Permission Groups Discovery

UNC2452 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[2]

Enterprise T1057 Process Discovery

UNC2452 used multiple command-line utilities to enumerate running processes.[2][6]

Enterprise T1090 .001 Proxy: Internal Proxy

UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.[7]

Enterprise T1021 .006 Remote Services: Windows Remote Management

UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts.[7]

Enterprise T1018 Remote System Discovery

UNC2452 used AdFind to enumerate remote systems.[6]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

UNC2452 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.[2] They also manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.[1] UNC2452 also created a scheduled task to maintain Sunspot persistence when the host booted.[4]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

UNC2452 used Rundll32 to execute payloads.[5][6]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.[6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

UNC2452 was able to get Sunburst signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[1]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

UNC2452 gained initial network access via a trojanized update of SolarWinds Orion software.[1]

Enterprise T1082 System Information Discovery

UNC2452 used fsutil to check available free space before executing actions that might create large files on disk.[6]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.[8]

Enterprise T1550 Use Alternate Authentication Material

UNC2452 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling UNC2452 to access enterprise cloud applications and services.[8]

.004 Web Session Cookie

UNC2452 used a forged duo-sid cookie to bypass MFA set on an email account.[2]

Enterprise T1078 Valid Accounts

UNC2452 used different compromised credentials for remote access and to move laterally.[1]

Enterprise T1047 Windows Management Instrumentation

UNC2452 used WMI for the remote execution of files for lateral movement.[8][6]

Software

ID Name References Techniques
S0552 AdFind [3] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0154 Cobalt Strike [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Network Configuration Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0002 Mimikatz [8] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0565 Raindrop [7] Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location, Masquerading, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Virtualization/Sandbox Evasion: Time Based Evasion
S0559 Sunburst [1] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Obfuscation: Steganography, Data Obfuscation: Junk Data, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Image File Execution Options Injection, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Query Registry, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Windows Management Instrumentation
S0562 Sunspot [4] Access Token Manipulation, Data Manipulation: Stored Data Manipulation, Deobfuscate/Decode Files or Information, Execution Guardrails, File and Directory Discovery, Indicator Removal on Host: File Deletion, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Process Discovery, Supply Chain Compromise: Compromise Software Supply Chain
S0560 Teardrop [1] Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information, Query Registry

References