resource-development

Obtain Capabilities

Obtain Capabilities: Tool

Stage Capabilities

Stage Capabilities: Upload Malware


Stage Capabilities: Upload Tool

initial-access

Exploit Public-Facing Application

Supply Chain Compromise

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Phishing

Phishing: Spearphishing Attachment

defense-evasion

Query Registry

Obfuscated Files or Information

Obfuscated Files or Information: Steganography

Obfuscated Files or Information: Compile After Delivery

Process Injection

Process Injection: Portable Executable Injection

Indicator Removal on Host

Modify Registry

Deobfuscate/Decode Files or Information

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Mshta

File and Directory Permissions Modification

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control 


Subvert Trust Controls

Subvert Trust Controls: Mark-of-the-Web Bypass

Impair Defenses

Impair Defenses: Disable or Modify Tools

Disable Windows Event Logging

Hijack Execution Flow

Hijack Execution Flow: DLL Side-Loading

command-and-control

Application Layer Protocol

Application Layer Protocol: Web Protocols

Web Service

Web Service: Bidirectional Communication

Multi-Stage Channels

Ingress Tool Transfer

Traffic Signaling

Traffic Signaling: Port Knocking

Remote Access Software

discovery

System Service Discovery

System Network Configuration Discovery

Remote System Discovery

System Owner/User Discovery

Network Service Scanning

Windows Management Instrumentation

System Network Connections Discovery

Process Discovery

Permission Groups Discovery

Data Staged

Data Staged: Local Data Staging

System Information Discovery

File and Directory Discovery

Account Discovery

Account Discovery: Domain Account

Network Share Discovery

Domain Trust Discovery

Software Discovery

Cloud Infrastructure Discovery

Container and Resource Discovery

System Location Discovery

collection

Data from Local System

Input Capture

Input Capture: Keylogging

Screen Capture

Email Collection

Email Collection: Local Email Collection

Video Capture

Archive via Custom Method

persistence

Scheduled Task/Job

Scheduled Task/Job: Cron

Create Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Event Triggered Execution

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Netsh Helper DLL

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider 


Boot or Logon Autostart Execution: Shortcut Modification

Compromise Client Software Binary

credential-access

CISA-AA22-216A

OS Credential Dumping: DCSync

Unsecured Credentials

Unsecured Credentials: Private Keys


Unsecured Credentials: Group Policy Preferences

Credentials from Password Stores

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: AS-REP Roasting

privilege-escalation

Exploitation for Privilege Escalation

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Escape to Host

lateral-movement

Remote Services

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH


Exploitation of Remote Services

Use Alternate Authentication Material

Lateral Tool Transfer

execution

Scheduled Task/Job: Cron 


Command and Scripting Interpreter

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: JavaScript

Native API

User Execution

User Execution: Malicious File

Execution Guardrails

Hijack Execution Flow: Dylib Hijacking

exfiltration

Transfer Data to Cloud Account

Archive Collected Data

Exfiltration Over Web Service

Exfiltration Over Web Service: Exfiltration to Cloud Storage

impact

Audio Capture

Data Destruction

Data Encrypted for Impact

Service Stop

Inhibit System Recovery

Defacement

Defacement: Internal Defacement

Resource Hijacking

System Shutdown/Reboot

Disk Wipe

Disk Wipe: Disk Structure Wipe

A chain that uses a multi-stage malicious Word document to evade defenses and exfiltrate data. The macro enabled document will first load a previously staged C2 config file and execute mshta.exe to run a second stage HTA payload which downloads a secondary Pneuma Agent as the third stage. This chain will also execute and collect keystrokes and exfiltrate data using OneDrive. Similar behaviours were observed in APT37 when targetting South Korean users, North Korean defectors, policy makers, journalists and human rights activists.


Is my host protected against APT37?

Atlassian Bitbucket Server and Data Center versions after 6.10.17 including 7.0.0 and newer are affected. The severity level of this vulnerability is rated critical by Atlassian and has a CVSS3 score of 9.8. This vulnerability is easily exploitable, reliable, and has a low risk of service disruption. 
This Chain executes a Pneuma agent upon code execution on the Atlassian Bitbucket Server.


Is CVE-2022-36804 patched on Atlassian Bitbucket Server?

A chain that bypasses Mark of the Web (MOTW) by using PackMyPayload to create an ISO.  The ISO contains a decoy PDF and a malicious executable (a Sliver agent) that when extracted will not contain MOTW.  When executed, the Sliver agent will receive a queued instruction from Operator.  Similar trust control bypass behaviour was observed in APT38 when targeting the pharmaceutical industry; ISOs were shared with decoy PDFs and backdoored PDF readers to stage malware.


APT38 Pharmaceutical Attacks

A chain that replicates the TraderTraitor malware distributed by APT38. Host the cryptoSpy payload for a user to download.
Once downloaded wait for the user to click the malicious update button, which will download a pneuma agent from the Operator
API. The pneuma agent named "cryptoSpy" will callback into Operator and run a queued TTP that retrieves the user's information.


APT38 CryptoSpy

Installs a pneuma agent on the remote server by exploiting the remote code execution vulnerability (CVE-2022-22965) in Spring Framework.
You can use the following command to start up a vulnerable docker instance: "docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29"


Spring4Shell

Execute a multi-stage macro-enabled Office document to download a malicious HTA file that will launch stage-2 malware.


APT40 defense industry

Insert code into a Python library to emulate a supply chain attack. Whenever someone calls the targeted library a Schism 
agent will be downloaded from Github and loaded directly into memory. When finished, simply add the fact "clean.now" with 
any value to remove the inserted code from the targeted library.


PolarCalm

Stage a phishing email in user's Documents directory then open it. Next, stage and launch a malicious PDF in user's Downloads directory. 
The malicious PDF creates a C:\Conti directory to stage and launch a Jambi agent.


Conti Recon And Initial Access

Takes the Python SciPy package and conceals the Schism agent within its files. When SciPy is installed it will launch 
the Schism agent in the background without the user knowing, providing initial access to the target.


B1-66ER (Initial Access)

Initial Access Chains

Browse By:

Platforms

All

Windows

Darwin

Linux

Global

Android

Themes

Tags

Licenses