Stand up a watering hole website to steal credentials. Use any capture credentials from a Windows operating system to perform a password reuse on check against SMB and RDP services.

TTP Tuesday: APT40 - Government Organizations

Gaining a foothold via the Oasis Chain

Theme Overview

Our last release looked at the APT40 targeting the maritime industry and associated persistence techniques.

For this week’s TTP Tuesday we are releasing a new APT40-themed chain based on how APT40 gains a foothold into organizations. This chain utilizes techniques found in watering-hole and password reuse attacks. The chain contains 5 TTPs with the end goal of identifying valid credentials for SMB or RDP connections.

The Watering Hole

A watering hole attack has quite a few definitions, but essentially you are setting up a resource that will eventually be visited by the target you are interested in. Typically, you would inject your code into a website that is accessed by numerous parties, with the goal of successfully exploiting the target you have your sights on.

In the chain, we set up a single-page website that requests a user to log in. Upon entering your information, the website will send the credentials that were entered into the form, as well as the operating system listed in the user-agent header back to Operator.

Checking for Password Reuse

Utilizing the credentials gained from a detected Windows OS, the next TTPs will check those credentials against SMB and RDP for the remote host. Your initial agent running these TTPs will be notified if the credentials were valid.

Watch a demonstration: APT40 Government Organizations

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Start Watering Hole server
Install Python network protocol library
Install PySMB
Check RDP credentials
Check SMB credentials


python ad discovery

User-Set Custom Variables

  • waterhole.port: 8080
  • operator.api: