Execute Operator's "Is my host protected against APT37?" TTP chain on each host in your environment to test whether you are vulnerable.
This chain stages a multi-stage malicious Word document that is built to evade defenses and exfiltrate data. The macro-enabled document first loads a previously staged C2 config file and executes mshta.exe to run a second-stage HTA payload, which in turn downloads a Pneuma agent as the third stage. As part of its post-exploitation activity the chain also collects keystroke and clipboard data and exfiltrates it through OneDrive. If the host is protected, the malicious Word document should be blocked, or its process killed, before the later stages run.
To protect yourself from APT37-style tradecraft, monitor for suspicious child processes of Microsoft Office applications (script hosts and LOLBins such as mshta.exe spawned by WINWORD.EXE), block and kill any suspicious related processes, and monitor for outbound connections attempting to exfiltrate data. Because the exfiltration channel in this chain is OneDrive, a destination that is legitimate in most environments, blocking by destination alone will not catch it; correlate outbound traffic with the process lineage that generated it.
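The detection logic described above, as an added example that is not part of the Prelude post or of Operator itself: it walks Sysmon-style process-creation records to find script hosts and LOLBins whose parent chain leads back to an Office application, then surfaces outbound connections made by those flagged processes. The record layout, field names, host name, PIDs, paths and destinations are all constructed for the example and are assumptions, not captured telemetry.

```python
"""Added example (not Prelude's code): flag LOLBin processes descended from
Microsoft Office, then surface outbound connections those processes make.
Input records are constructed to resemble Sysmon Event ID 1 (process create)
and Event ID 3 (network connect); field names and values are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe"}
# Script hosts and LOLBins commonly launched by malicious macros.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
MAX_DEPTH = 4  # how far up the parent chain to look for an Office ancestor


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    pid: int
    image: str
    dest_host: str
    dest_port: int


def image_name(path: str) -> str:
    """Normalise a full image path to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_descendants(events: Iterable[ProcessEvent]
                            ) -> List[Tuple[ProcessEvent, str, int]]:
    """Return (event, office_ancestor, depth) for every suspicious process
    whose parent chain reaches an Office application within MAX_DEPTH hops.
    Depth 1 is a direct child (WINWORD.EXE -> mshta.exe); deeper matches
    catch later stages launched by the first child (mshta.exe -> powershell)."""
    events = list(events)
    by_pid: Dict[Tuple[str, int], ProcessEvent] = {(e.host, e.pid): e for e in events}
    hits: List[Tuple[ProcessEvent, str, int]] = []
    for ev in events:
        if image_name(ev.image) not in SUSPICIOUS_CHILDREN:
            continue
        cur, depth = ev, 1
        while depth <= MAX_DEPTH:
            ancestor = image_name(cur.parent_image)
            if ancestor in OFFICE_APPS:
                hits.append((ev, ancestor, depth))
                break
            parent = by_pid.get((cur.host, cur.parent_pid))
            if parent is None:  # chain ends at a process we have no record of
                break
            cur, depth = parent, depth + 1
    return hits


def outbound_from_flagged(net_events: Iterable[NetworkEvent],
                          hits: List[Tuple[ProcessEvent, str, int]]) -> List[NetworkEvent]:
    """Correlate network connections with flagged processes on the same host,
    so traffic to an otherwise-legitimate destination still stands out."""
    flagged = {(h.host, h.pid) for h, _, _ in hits}
    return [n for n in net_events if (n.host, n.pid) in flagged]


# Constructed sample telemetry for one workstation (not real logs).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PROCESS_EVENTS = [
    ProcessEvent("ws01", 4120, 800, OFFICE, r"C:\Windows\explorer.exe",
                 '"WINWORD.EXE" invoice.docm'),
    # splwow64.exe is a normal print-spooler child of Word: not flagged.
    ProcessEvent("ws01", 5100, 4120, r"C:\Windows\splwow64.exe", OFFICE, "splwow64.exe 12288"),
    # Stage 2: macro launches mshta.exe with the staged HTA (direct child, depth 1).
    ProcessEvent("ws01", 5012, 4120, r"C:\Windows\System32\mshta.exe", OFFICE,
                 r"mshta.exe C:\Users\victim\AppData\Local\Temp\stage2.hta"),
    # Stage 3: the HTA spawns PowerShell (grandchild of Word, depth 2).
    ProcessEvent("ws01", 5388, 5012, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"powershell.exe -nop -w hidden -File C:\Users\victim\AppData\Local\Temp\stage3.ps1"),
    # cmd.exe started from Explorer has no Office ancestor: not flagged.
    ProcessEvent("ws01", 6000, 800, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent("ws01", 5388, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "graph.microsoft.com", 443),
    NetworkEvent("ws01", 4300, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "outlook.office365.com", 443),
]

if __name__ == "__main__":
    found = find_office_descendants(PROCESS_EVENTS)
    for ev, ancestor, depth in found:
        print(f"[{ev.host}] {image_name(ev.image)} pid={ev.pid} depth={depth} ancestor={ancestor}: {ev.command_line}")
    for n in outbound_from_flagged(NETWORK_EVENTS, found):
        print(f"[{n.host}] outbound from flagged pid={n.pid} -> {n.dest_host}:{n.dest_port}")
```

Both connections in the sample go to Microsoft-owned hosts on 443, which is why the rule keys on process lineage rather than on destination: the Outlook connection is left alone, while the PowerShell connection is reported because its parent chain runs through mshta.exe back to WINWORD.EXE. In production, build the parent map from a sliding window of events rather than a full list, and tune SUSPICIOUS_CHILDREN and OFFICE_APPS to the applications actually deployed.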
Check out the "Is my host protected against APT37?" chain on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec