Oasis

Stand up a watering hole website to steal credentials. Use any capture credentials from a Windows operating system to perform a password reuse on check against SMB and RDP services.

2022-04-26

Professional

Authors:bartimus, vvx7

TTP Tuesday: APT40 - Government Organizations

Gaining a foothold via the Oasis Chain

Theme Overview

Our last release looked at the APT40 targeting the maritime industry and associated persistence techniques.

For this week’s TTP Tuesday we are releasing a new APT40-themed chain based on how APT40 gains a foothold into organizations. This chain utilizes techniques found in watering-hole and password reuse attacks. The chain contains 5 TTPs with the end goal of identifying valid credentials for SMB or RDP connections.

The Watering Hole

A watering hole attack has quite a few definitions, but essentially you are setting up a resource that will eventually be visited by the target you are interested in. Typically, you would inject your code into a website that is accessed by numerous parties, with the goal of successfully exploiting the target you have your sights on.

In the chain, we set up a single-page website that requests a user to log in. Upon entering your information, the website will send the credentials that were entered into the form, as well as the operating system listed in the user-agent header back to Operator.

Checking for Password Reuse

Utilizing the credentials gained from a detected Windows OS, the next TTPs will check those credentials against SMB and RDP for the remote host. Your initial agent running these TTPs will be notified if the credentials were valid.

Watch a demonstration: APT40 Government Organizations

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.1)

Learn about Operator

TTPs

Start Watering Hole server

Install Python network protocol library

Install PySMB

Check RDP credentials

Check SMB credentials

User-Set Custom Variables

waterhole.port: 8080
operator.api: https://127.0.0.1:8888

Other chains in this theme

APT40 Find and Exfiltrate

2022-05-10

Find and exfiltrate files that potentially contain cleartext usernames or passwords based on filename.

APT40 educational institutions

2022-05-03

Perform process injection and native API execution techniques.

APT40 maritime industry

2022-04-19

Emulating APT40's malware persistence techniques.

APT40 defense industry

2022-04-12

Emulating APT40's multi-stage macro-enabled documents.

About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.

Follow @preludeorg on Twitter for new chains and more.

Join the Prelude Discord to discuss chains and more.

Keep up to date with code changes and community activity on Github

preludesecurity.com Careers Tactics & Techniques Attack themes

Privacy Policy support@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.