JUST RELEASED: ATT&CK for Industrial Control Systems
ENTERPRISE MOBILE PRE-ATT&CK
TECHNIQUES
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
  1. Home
  2. Techniques
  3. Enterprise
  4. Redundant Access

Redundant Access

Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated.

If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.[1] Adversaries may also retain access through cloud-based infrastructure and applications.

Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server.

ID: T1108
Tactic: Defense Evasion, Persistence
Platform: Linux, macOS, Windows, AWS, GCP, Azure, Office 365, SaaS, Azure AD
Permissions Required: User, Administrator, SYSTEM
Data Sources: Office 365 account logs, Azure activity logs, AWS CloudTrail logs, Stackdriver logs, Process monitoring, Process use of network, Packet capture, Network protocol analysis, File monitoring, Authentication logs, Binary file metadata
Defense Bypassed: Network intrusion detection system, Anti-virus
Contributors: Praetorian
Version: 2.0
Created: 31 May 2017
Last Modified: 09 October 2019

Procedure Examples

Name Description
3PARA RAT

3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.[3]
APT3

APT3 has been known to use multiple backdoors per campaign.[7]
Cobalt Group

Cobalt Group has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost.[4]
FIN5

FIN5 maintains access to victim environments by using Valid Accounts to access External Remote Services as well as establishing a backup RDP tunnel by using FLIPSIDE.[5]
Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[9]
OilRig

OilRig has used RGDoor via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access.[6]
Stolen Pencil

Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.[10]
Threat Group-3390

Threat Group-3390 has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[8]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[2]

Detection

Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.

Detection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.

If an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.

For alternative access using externally accessible VPNs or remote services, follow detection recommendations under Valid Accounts and External Remote Services to collect account use information.

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  3. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  4. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  5. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  1. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  2. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  3. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  4. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  5. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.