
SecureSet Cybersecurity Analyst

AN IMMERSIVE CYBERSECURITY
ANALYTICS PROGRAM
HUNT 100
APT1 Case Study
LEARNING OBJECTIVES

By the end of this class, you should be able to:


LO1: Describe APT1 Key Findings
LO2: Explain Tactics, Techniques and Procedures Deployed by APT1
LO3: Describe Mitigation Steps to Defend Against APT1 and Future APTs

SECURESET.COM
©2018 SecureSet Academy, Inc | All Rights Reserved
APT1 CASE STUDY

• Who?
• What?
• Where?
• Why?
• When?
• How?

APT 1 – WHO

https://attack.mitre.org/wiki/Group/G0006

KEY FINDINGS

APT1 is believed to be the 2nd Bureau of the People's Liberation Army (PLA) General
Staff Department's (GSD) 3rd Department (总参三部二局), which is most commonly
known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
APT 1 – WHAT

For APT, an incident is an indication of some kind of adversarial relationship you are
either in or relevant for.

Over 3000 IoCs: MD5 hashes, domain names, 13 (X.509) certs, 40 malware families

Mandiant released a digital appendix with more than 3,000 indicators to bolster
defenses against APT1 operations.

This appendix includes:

• Digital delivery of over 3,000 APT1 indicators, such as domain names, and MD5 hashes of malware.
• Thirteen (13) X.509 encryption certificates used by APT1.
• A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons.

The activity we have directly observed likely represents only a small fraction of the
cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities
is incomplete, we have analyzed the group’s intrusions against nearly 150 victims
over seven years. From our unique vantage point responding to victims, we tracked
APT1 back to four large networks in Shanghai, two of which are allocated directly to
the Pudong New Area. We uncovered a substantial amount of APT1’s attack
infrastructure, command and control, and modus operandi (tools, tactics, and
procedures). In an effort to underscore there are actual individuals behind the
keyboard, Mandiant is revealing three personas we have attributed to APT1. These
operators, like soldiers, may merely be following orders given to them by others.
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of
the most persistent of China’s cyber threat actors.
APT 1 – WHAT


Once APT1 has established access, they periodically revisit the victim’s network
over several months or years and steal broad categories of intellectual property,
including technology blueprints, proprietary manufacturing processes, test results,
business plans, pricing documents, partnership agreements, and emails and
contact lists from victim organizations’ leadership.

APT1 uses some tools and techniques that we have not yet observed being used by
other groups including two utilities designed to steal email — GETMAIL and
MAPIGET.

APT1 maintained access to victim networks for an average of 356 days.

The longest time period APT1 maintained access to a victim’s network was 1,764
days, or four years and ten months.

Among other large-scale thefts of intellectual property, we have observed APT1
stealing 6.5 terabytes of compressed data from a single organization over a ten-
month time period.
APT 1 – WHERE


Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇),
which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central
building in this compound is a 130,663 square foot facility that is 12 stories high
and was built in early 2007.

We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of
people based on the size of Unit 61398's physical infrastructure.

China Telecom provided special fiber optic communications infrastructure for the
unit in the name of national defense.

Unit 61398 requires its personnel to be trained in computer security and computer
network operations and also requires its personnel to be proficient in the English
language.
APT 1 – WHERE


In the first month of 2011, APT1 successfully compromised at least 17 new victims
operating in 10 different industries.
APT1 focuses on compromising organizations across a broad range of industries in
English-speaking countries.

Of the 141 APT1 victims, 87% of them are headquartered in countries where English
is the native language.

The industries APT1 targets match industries that China has identified as strategic
to their growth, including four of the seven strategic emerging industries that China
identified in its 12th Five Year Plan.

APT1 maintains an extensive infrastructure of computer systems around the world.

APT1 controls thousands of systems in support of their computer intrusion activities.

APT1 had a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP
addresses in 13 countries. The majority of these 849 unique IP addresses were
registered to organizations in China (709), followed by the U.S. (109).
APT1 used fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.

Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1
actors logging into their attack infrastructure from 832 different IP addresses with Remote
Desktop, a tool that provides a remote user with an interactive graphical interface to a
system.

The size of APT1’s infrastructure implies a large organization with at least dozens, but
potentially hundreds of human operators.
We conservatively estimate that APT1’s current attack infrastructure includes over 1,000
servers.
APT1 - WHY

The nature of "Unit 61398's" work is considered by China to be a state
secret; however, we believe it engages in harmful "Computer Network
Operations."

APT1 - WHEN

APT 1 – WHEN AND WHAT

[Slide graphic listing industries: Shipping, Aeronautics, Arms, Energy, Manufacturing, Software Development, Engineering, Electronics, Financial]


APT1 has systematically stolen hundreds of terabytes of data from at least 141
organizations and has demonstrated the capability and intent to steal from dozens
of organizations simultaneously.

Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20
major industries.

APT1 has a well-defined attack methodology, honed over years and designed to
steal large volumes of valuable intellectual property.
APT 1 – HOW

APT1 TTPs
• Credential Dumping
• Masquerading
• Pass the Hash
• Remote Desktop Protocol
• Email Collection
• Scripting
• Command-Line Interface
• Data from Local System
• Compressed Data


Credential Dumping - APT1 has been known to use credential dumping.

Masquerading - The file name AcroRD32.exe, a legitimate process name for Adobe's
Acrobat Reader, was used by APT1 as a name for malware.

Pass the Hash - The APT1 group is known to have used pass the hash.

Remote Desktop Protocol - The APT1 group is known to have used RDP during
operations.

Email Collection - APT1 uses two utilities, GETMAIL and MAPIGET, to steal email.
GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email
still on Exchange servers that has not yet been archived.

Scripting - APT1 has used batch scripting to automate execution of commands.

Command-Line Interface - APT1 has used the Windows command shell to execute
commands.

Data from Local System - APT1 has collected files from a local victim.
Data Compressed - APT1 has used RAR to compress files before moving them outside of the
victim network.
APT1 – HOW (CREDENTIAL DUMPING)

[Diagram: credential dumping techniques and the tools the slide associates with them. Branch labels: SAM (Security Accounts Manager), Registry, Cached Credentials, DCSync (abuse of the DC API interface), NTDS, Group Policy Preference Files, Service Principal Names, Plaintext Creds, LSASS. Tool and command labels: pwdumpx.exe, gsecdump, Mimikatz, HKLM\sam and HKLM\system, Metasploit "post exploitation module", Pass the ticket, Shadow Copy, secretsdump.py, ntdsutil.exe, Invoke-NinjaCopy, Dir /s *.xml, Get-GPPPassword, Gpprefdecrypt.py, Kerberoasting, Kali, Windows Credential Editor, sekurlsa, process memory dumps.]


Credential Dumping - APT1 has been known to use credential dumping.

Credential dumping is the process of obtaining account login and password
information, normally in the form of a hash or a clear text password, from the
operating system and software. Credentials can then be used to perform Lateral
Movement and access restricted information.

SAM (Security Accounts Manager)

The SAM is a database file that contains local accounts for the host, typically those
found with the 'net user' command. To enumerate the SAM database, system level
access is required.

A number of tools can be used to retrieve the SAM file through in-memory
techniques:
• pwdumpx.exe
• gsecdump
• Mimikatz
• secretsdump.py

Plaintext Credentials
Once compromised, after a user logs on to a system, a variety of credentials are generated
and stored in the Local Security Authority Subsystem Service (LSASS) process in memory.

These credentials can be harvested by an administrative user or SYSTEM.
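The two collection paths described above (reading LSASS memory, exporting the SAM hive) both leave host telemetry. The following is an added Python example, not part of the SecureSet slides or of any MITRE or Mandiant material, showing a detection pass over constructed Sysmon-style records: Event ID 10 (ProcessAccess) for LSASS opened with PROCESS_VM_READ by a process outside an allowlist, and Event ID 1 (ProcessCreate) for `reg save` of a credential-bearing hive. The sample events, the allowlist and the file paths are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style records (not real telemetry): Event ID 10 = ProcessAccess,
# Event ID 1 = ProcessCreate. Field names follow Sysmon's schema.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\AcroRD32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam C:\Users\jdoe\AppData\Local\Temp\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},
]

# Windows process access right that allows reading another process's memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS with read access on a typical host.
# Assumption: this allowlist has to be tuned per environment.
LSASS_READERS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Registry hives holding local credential material; saving them to disk is the
# SAM-dump path the slide describes.
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")

HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_read_access(event: Dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if event.get("EventID") != 10 or basename(event["TargetImage"]) != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False
    return basename(event["SourceImage"]) not in LSASS_READERS_ALLOWLIST


def sam_hive_export(event: Dict) -> bool:
    """True when reg.exe saves one of the credential-bearing hives to a file."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "").lower()
    return bool(HIVE_SAVE.search(cmd)) and any(h in cmd for h in SENSITIVE_HIVES)


def find_credential_dumping(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious event, in log order."""
    findings: List[str] = []
    for e in events:
        if lsass_read_access(e):
            findings.append(f"LSASS memory read by {e['SourceImage']} "
                            f"(access {e['GrantedAccess']})")
        elif sam_hive_export(e):
            findings.append(f"Credential hive exported: {e['CommandLine']}")
    return findings


if __name__ == "__main__":
    for finding in find_credential_dumping(SAMPLE_EVENTS):
        print(finding)
```

The access-mask test is deliberately narrow: the svchost.exe record with 0x1000 (query limited information) is not flagged, while csrss.exe with full access is tolerated only because it is allowlisted. A renamed "AcroRD32.exe" running from a user's Temp directory and reading LSASS is reported, which is the combination of masquerading and credential dumping the deck attributes to APT1.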


APT1 – HOW (MASQUERADING)


Masquerading occurs when the name or location of an executable, legitimate or
malicious, is manipulated or abused for the sake of evading defenses and
observation. Several different variations of this technique have been observed.

One variant is for an executable to be placed in a commonly trusted directory or
given the name of a legitimate, trusted program.

Alternatively, the filename given may be a close approximation of legitimate
programs.

This is done to bypass tools that trust executables by relying on file name or path,
as well as to deceive defenders and system administrators into thinking a file is
benign by associating the name with something that is thought to be legitimate.

Windows
In another variation of this technique, an adversary may use a renamed copy of a
legitimate utility, such as rundll32.exe. An alternative case occurs when a legitimate
utility is moved to a different directory and renamed to avoid detections based on
system utilities executing from non-standard paths.

An example of abuse of trusted locations in Windows would be
the C:\Windows\System32 directory. Examples of trusted binary names that can be given to
malicious binaries include "explorer.exe" and "svchost.exe".

Linux
Another variation of this technique includes malicious binaries changing the name of their
running process to that of a trusted or benign process, after they have been launched as
opposed to before.
An example of abuse of trusted locations in Linux would be the /bin directory.

Examples of trusted binary names that can be given to malicious binaries include "rsyncd"
and "dbus-inotifier".

Mitigation

When creating security rules, avoid exclusions based on file name or file path. Require
signed binaries. Use file system access controls to protect folders such as
C:\Windows\System32. Use tools that restrict program execution via whitelisting by
attributes other than file name.
Identify potentially malicious software that may look like a legitimate program based on
name and location, and audit and/or block it by using whitelisting tools like AppLocker or
Software Restriction Policies where appropriate.

Detection

Collect file hashes; file names that do not match their expected hash are suspect. Perform
file monitoring; files with known names but in unusual locations are suspect. Likewise, files
that are modified outside of an update or patch are suspect.

If file names are mismatched between the binary name on disk and the binary's resource
section, this is a likely indicator that a binary was renamed after it was compiled. Collecting
and comparing disk and resource filenames for binaries could provide useful leads, but
may not always be indicative of malicious activity.

Examples

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was
used by APT1 as a name for malware.
APT32 has used hidden or non-printing characters to help masquerade file names on a
system, such as appending a Unicode no-break space character to a legitimate service
name.

BRONZE BUTLER has given malware the same name as an existing file on the file share
server to cause users to unwittingly launch and install the malware on additional systems.

Carbanak malware names itself "svchost.exe," which is the name of the Windows shared
service host program.
Accounts created by Dragonfly masqueraded as legitimate service accounts.

FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.

MuddyWater has used filenames and Registry key names associated with Windows
Defender.

Patchwork installed its payload in the startup programs folder as "Baidu Software Update."
The group also adds its second stage payload to the startup programs as “Net Monitor."

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.

admin@338 actors used the following command to rename one of their tools to a benign
file name: ren "%temp%\upload" audiodg.exe
BADNEWS attempts to hide its payloads using legitimate filenames.

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton
Antivirus but has several letters reversed (e.g. notron.exe).

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe
executable that was moved to the malware's install directory and renamed according to a
predefined configuration file.

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe
saved in %APPDATA%\Microsoft\Network.
Felismus has masqueraded as legitimate Adobe Content Management System files.

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the
RAT. navlu.dll is also the name of a legitimate Symantec DLL.

Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate
Microsoft Distributed Transaction Coordinator service.
Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate
Microsoft Distributed Transaction Coordinator service.

Nidiran can create a new service named msamger (Microsoft Security Accounts Manager),
which mimics the legitimate Microsoft database by the same name.

OLDBAIT installs itself in %ALLUSERPROFILE%\\Application
Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and
the file name is missing the letter "o."

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides
in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file
by the same name is saved in %ProgramFiles%\Microsoft\Exchange
Server\ClientAccess\Owa\bin\.

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR%
and/or %TEMP%.

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing
Tools Utility."

New services created by RawPOS are made to appear like legitimate Windows services, with
names such as "Windows Management Help Service", "Microsoft Support", and "Windows
Advanced Task Manager".

The Remsec loader implements itself with the name Security Support Provider, a legitimate
Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft,
Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious
modules using similar filenames as custom network encryption software on victims.

S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate
Microsoft Distributed Transaction Coordinator service.

Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the
service's display name is “Microsoft Network Realtime Inspection Service” and its
description is “Helps guard against time change attempts targeting known and newly
discovered vulnerabilities in network time protocols.”

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link
to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or
“MSN Talk” shortcut.

Starloader has masqueraded as legitimate software update packages such as Adobe
Acrobat Reader and Intel.
To establish persistence, Truvasys adds a Registry Run key with a value "TaskMgr" in an
attempt to masquerade as the legitimate Windows Task Manager.

USBStealer mimics a legitimate Russian program called USB Disk Security.

A Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET
ISAPI filter DLL with the same name.
ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia,
or Synaptics modules.
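The Detection section above lists three checks (expected hash per name, known names in unusual locations, on-disk name versus the name in the binary's resource section), and the examples list shows the fourth pattern, near-miss names such as "updatewindws.exe" or "notron.exe". The block below is an added Python example, not code from the SecureSet slides or from MITRE, that runs all four checks over a constructed file inventory against a constructed baseline. The paths, the placeholder hash strings and the baseline directories are assumptions; in practice the hash would be computed from the file and the original filename read from the PE VERSIONINFO resource.

```python
from typing import Dict, List

# Constructed file inventory, not real data. In practice "sha256" comes from hashing the
# file and "original_filename" from the PE VERSIONINFO resource (readable with the pefile
# library); here both are supplied inline so the example runs offline.
INVENTORY: List[Dict[str, str]] = [
    {"path": r"C:\Windows\System32\svchost.exe", "sha256": "hash-svchost-known",
     "original_filename": "svchost.exe"},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "sha256": "hash-unknown-1",
     "original_filename": "dropper.exe"},
    {"path": r"C:\Users\Public\rundll32.exe", "sha256": "hash-rundll32-known",
     "original_filename": "RUNDLL32.EXE"},
    {"path": r"C:\Windows\Temp\svch0st.exe", "sha256": "hash-unknown-2",
     "original_filename": "svch0st.exe"},
    {"path": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "sha256": "hash-acrord32-known", "original_filename": "AcroRd32.exe"},
    {"path": r"C:\Users\jdoe\AppData\Roaming\AcroRD32.exe", "sha256": "hash-unknown-3",
     "original_filename": "AcroRD32.exe"},
]

# Baseline of trusted binaries: known-good hashes and the directories they belong in.
# Assumption: built from a gold image; the hash strings are placeholders.
BASELINE: Dict[str, Dict[str, set]] = {
    "svchost.exe":  {"sha256": {"hash-svchost-known"},
                     "dirs": {r"c:\windows\system32", r"c:\windows\syswow64"}},
    "rundll32.exe": {"sha256": {"hash-rundll32-known"},
                     "dirs": {r"c:\windows\system32", r"c:\windows\syswow64"}},
    "explorer.exe": {"sha256": {"hash-explorer-known"}, "dirs": {r"c:\windows"}},
    "acrord32.exe": {"sha256": {"hash-acrord32-known"},
                     "dirs": {r"c:\program files (x86)\adobe\acrobat reader dc\reader"}},
}


def split_path(path: str):
    """Return (directory, basename), both lower-cased, for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names (a dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(record: Dict[str, str]) -> List[str]:
    """Return the masquerading indicators that apply to one inventory record."""
    directory, name = split_path(record["path"])
    reasons: List[str] = []
    known = BASELINE.get(name)
    if known:
        if directory not in known["dirs"]:
            reasons.append("location")      # trusted name outside its expected directory
        if record["sha256"] not in known["sha256"]:
            reasons.append("hash")          # trusted name, unknown content
    else:
        # Not a baseline name: is it one edit away from one (e.g. svch0st.exe)?
        for trusted in BASELINE:
            if levenshtein(name, trusted) == 1:
                reasons.append(f"lookalike:{trusted}")
                break
    # Renamed-after-compile check: on-disk name versus the name stored in the binary.
    if record["original_filename"].lower() != name:
        reasons.append("resource-name")     # a lead, not proof, as the slide notes
    return reasons


def audit(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    return {r["path"]: assess(r) for r in inventory if assess(r)}


if __name__ == "__main__":
    for path, why in audit(INVENTORY).items():
        print(f"{path}: {', '.join(why)}")
```

Note the different verdicts: the rundll32.exe copy in C:\Users\Public has the right hash and the right resource name and is reported on location alone, which is the "legitimate utility moved to a different directory" variation from the text, whereas the Temp svchost.exe trips all three checks. The resource-name check is kept separate from the others because, as the slide says, a mismatch there is a lead rather than a verdict.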
APT1 – HOW (PASS THE HASH)


Pass the hash (PtH) is a method of authenticating as a user without having access
to the user's cleartext password.

This method bypasses standard authentication steps that require a cleartext
password, moving directly into the portion of the authentication that uses the
password hash.

In this technique, valid password hashes for the account being used are captured
using a Credential Access technique.

Captured hashes are used with PtH to authenticate as that user. Once
authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID
500 administrator hashes.

Mitigation

Monitor systems and domain logs for unusual credential logon activity. Prevent
access to Valid Accounts. Apply patch KB2871997 to Windows 7 and higher systems
to limit the default access of accounts in the local administrator group.
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network
logon. The associated Registry key is located at
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass
the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.

Limit credential overlap across systems to prevent the damage of credential compromise
and reduce the adversary's ability to perform Lateral Movement between systems. Ensure
that built-in and created local administrator accounts have complex, unique passwords. Do
not allow a domain user to be in the local administrator group on multiple systems.

Detection

Audit all logon and credential use events and review for discrepancies. Unusual remote
logins that correlate with other suspicious activity (such as writing and executing binaries)
may indicate malicious activity. NTLM LogonType 3 authentications that are not associated
to a domain login and are not anonymous logins are suspicious.
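The detection rule stated above (NTLM, LogonType 3, not a domain login, not anonymous) and the credential-overlap mitigation (no shared local administrator passwords across systems) can be checked together in one pass over Security log 4624 events. This is an added Python example, not code from the SecureSet slides or from MITRE; the 4624 records, the host names and the set of known domain names are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed Security log 4624 (successful logon) records, not real telemetry.
# "Computer" is the host that recorded the event; other names follow the 4624 schema.
SAMPLE_4624: List[Dict] = [
    {"Computer": "FILESRV01", "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.12"},
    {"Computer": "FILESRV01", "TargetUserName": "Administrator", "TargetDomainName": "FILESRV01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.45"},
    {"Computer": "FILESRV02", "TargetUserName": "Administrator", "TargetDomainName": "FILESRV02",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.45"},
    {"Computer": "FILESRV01", "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"},
    {"Computer": "DC01", "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.90"},
    {"Computer": "WS01", "TargetUserName": "Administrator", "TargetDomainName": "WS01",
     "LogonType": 2, "AuthenticationPackageName": "NTLM", "IpAddress": "127.0.0.1"},
]

# Assumption: the NetBIOS names of the organisation's own AD domains.
KNOWN_DOMAINS: Set[str] = {"CORP"}


def is_suspicious_ntlm_network_logon(event: Dict) -> bool:
    """The slide's rule: NTLM, LogonType 3 (network), not a domain account,
    not an anonymous logon. A local account authenticating over NTLM from the
    network is the shape a pass-the-hash logon takes."""
    if event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if event.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return False
    return event.get("TargetDomainName", "").upper() not in KNOWN_DOMAINS


def flag_pth_candidates(events: List[Dict]) -> List[Dict]:
    return [e for e in events if is_suspicious_ntlm_network_logon(e)]


def local_admin_spread(flagged: List[Dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Group flagged logons by (source IP, account). One source reaching the same
    local account on several hosts is the credential-overlap pattern the slide
    tells you to eliminate (one local admin hash reused across machines)."""
    spread: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in flagged:
        spread[(e["IpAddress"], e["TargetUserName"].lower())].add(e["Computer"])
    return {key: hosts for key, hosts in spread.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = flag_pth_candidates(SAMPLE_4624)
    for e in hits:
        print(f"{e['Computer']}: {e['TargetDomainName']}\\{e['TargetUserName']} "
              f"from {e['IpAddress']}")
    for (ip, user), hosts in local_admin_spread(hits).items():
        print(f"{user} from {ip} reached {sorted(hosts)}")
```

In the sample the Kerberos logon, the anonymous NTLM logon, the domain service account and the local console logon (LogonType 2) all pass; only the two local Administrator network logons are reported, and because both come from the same source they are also grouped as one account reaching two hosts. The rule is the slide's, so a domain account used over NTLM is not flagged by it; that case needs the broader "unusual remote logins correlated with other activity" review the slide also asks for.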
APT1 – HOW (EXPLOITING REMOTE DESKTOP PROTOCOL)


A remote access Trojan (RAT) is a malware program that includes a back door for
administrative control over the target computer. RATs are usually downloaded
invisibly with a user-requested program -- such as a game -- or sent as an email
attachment. Once the host system is compromised, the intruder may use it to
distribute RATs to other vulnerable computers and establish a botnet.

Because a RAT enables administrative control, it makes it possible for the intruder
to do just about anything on the targeted computer, including:
Monitoring user behavior through keyloggers or other spyware.
Accessing confidential information, such as credit card and social security
numbers.
Activating a system's webcam and recording video.
Taking screenshots.
Distributing viruses and other malware.
Formatting drives.
Deleting, downloading or altering files and file systems.

The Back Orifice rootkit is one of the best known examples of a RAT. A hacker group
known as the Cult of the Dead Cow created Back Orifice to expose the security
deficiencies of Microsoft's Windows operating systems.
RATs can be difficult to detect because they usually don't show up in lists of running
programs or tasks. The actions they perform can be similar to those of legitimate
programs. Furthermore, an intruder will often manage the level of resource use so that a
drop in performance doesn't alert the user that something's amiss.

To protect your system from RATs, follow the same procedures you use to prevent other
malware infections: Keep antivirus software up to date and refrain from downloading
programs or opening attachments that aren't from a trusted source. At the administrative
level, it's always a good idea to block unused ports, turn off unused services and monitor
outgoing traffic.
APT1 – HOW (REMOTE DESKTOP PROTOCOL)


Remote desktop is a common feature in operating systems. It allows a user to log
into an interactive session with a system desktop graphical user interface on a
remote system. Microsoft refers to its implementation of the Remote Desktop
Protocol (RDP) as Remote Desktop Services (RDS).

There are other implementations and third-party tools that provide graphical
access Remote Services similar to RDS.

Adversaries may connect to a remote system over RDP/RDS to expand access if the
service is enabled and allows access to accounts with known credentials.
Adversaries will likely use Credential Access techniques to acquire credentials to
use with RDP. Adversaries may also use RDP in conjunction with the Accessibility
Features technique for Persistence.

Adversaries may also perform RDP session hijacking which involves stealing a
legitimate user's remote session. Typically, a user is notified when someone else is
trying to steal their session and prompted with a question. With System
permissions and using Terminal Services Console, c:\windows\system32\tscon.exe
[session number to be stolen], an adversary can hijack a session without the need
for credentials or prompts to the user.
This can be done remotely or locally and with active or disconnected sessions.

It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain
Admin or higher privileged account session.

All of this can be done by using native Windows commands, but it has also been added as a
feature in RedSnarf.

Mitigation
Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from
Remote Desktop Users groups, and enable firewall rules to block RDP traffic between
network security zones. Audit the Remote Desktop Users group membership regularly.
Remove the local Administrators group from the list of groups allowed to log in through
RDP. Limit remote user permissions if remote access is necessary. Use remote desktop
gateways and multifactor authentication for remote logins. Do not leave RDP accessible
from the internet. Change GPOs to define shorter session timeouts and the maximum amount
of time any single session can be active. Change GPOs to specify the maximum amount of
time that a disconnected session stays active on the RD session host server.

Detection
Use of RDP may be legitimate, depending on the network environment and how it is used.

Other factors, such as access patterns and activity that occurs after a remote login, may
indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into
systems they would not normally access or access patterns to multiple systems over a
relatively short period of time.

Also, set up process monitoring for tscon.exe usage and monitor service creation that
uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking.
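The Detection paragraphs above name three signals: accounts reaching several systems in a short period, tscon.exe execution, and service creation whose image path is cmd.exe /k or cmd.exe /c. The block below is an added Python example, not code from the SecureSet slides or from MITRE, that evaluates all three over constructed Windows event records (4688 process creation, 7045 service install, 4624 LogonType 10 RDP logons). Host names, timestamps, the service name and the ten-minute window and three-host threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Windows event records, not real telemetry. 4688 = process creation,
# 7045 = service installed, 4624 with LogonType 10 = RemoteInteractive (RDP) logon.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4688, "Computer": "TS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon.exe 2"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 7045, "Computer": "TS01", "ServiceName": "sesshelper",
     "ImagePath": "cmd.exe /k tscon.exe 2"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"EventID": 4624, "LogonType": 10, "Computer": "WS01",
     "TargetUserName": "jdoe", "Time": "2018-05-01T09:00:00"},
    {"EventID": 4624, "LogonType": 10, "Computer": "FILESRV01",
     "TargetUserName": "jdoe", "Time": "2018-05-01T09:03:00"},
    {"EventID": 4624, "LogonType": 10, "Computer": "DC01",
     "TargetUserName": "jdoe", "Time": "2018-05-01T09:07:00"},
    {"EventID": 4624, "LogonType": 10, "Computer": "WS02",
     "TargetUserName": "asmith", "Time": "2018-05-01T09:00:00"},
    {"EventID": 4624, "LogonType": 10, "Computer": "WS02",
     "TargetUserName": "asmith", "Time": "2018-05-01T09:30:00"},
]

# A service whose binary is the command shell with /k or /c, as the slide describes.
SERVICE_SHELL = re.compile(r"\bcmd(?:\.exe)?\s+/[kc]\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tscon_executions(events: List[Dict]) -> List[Dict]:
    """Every tscon.exe launch; the slide says to monitor for the binary outright."""
    return [e for e in events
            if e.get("EventID") == 4688 and basename(e["NewProcessName"]) == "tscon.exe"]


def shell_backed_services(events: List[Dict]) -> List[Dict]:
    """Service installs whose image path starts a shell with /k or /c."""
    return [e for e in events
            if e.get("EventID") == 7045 and SERVICE_SHELL.search(e.get("ImagePath", ""))]


def rdp_login_bursts(events: List[Dict], window: timedelta = timedelta(minutes=10),
                     threshold: int = 3) -> Dict[str, List[str]]:
    """Accounts that RDP into at least `threshold` distinct hosts inside one window."""
    by_user: Dict[str, List] = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 10:
            by_user[e["TargetUserName"].lower()].append(
                (datetime.fromisoformat(e["Time"]), e["Computer"]))
    bursts: Dict[str, List[str]] = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {host for t, host in logins[i:] if t - start <= window}
            if len(hosts) >= threshold:
                bursts[user] = sorted(hosts)
                break
    return bursts


if __name__ == "__main__":
    for e in tscon_executions(SAMPLE_EVENTS):
        print(f"tscon on {e['Computer']} as {e['SubjectUserName']}: {e['CommandLine']}")
    for e in shell_backed_services(SAMPLE_EVENTS):
        print(f"shell-backed service {e['ServiceName']} on {e['Computer']}: {e['ImagePath']}")
    for user, hosts in rdp_login_bursts(SAMPLE_EVENTS).items():
        print(f"{user} RDP'd to {hosts} within 10 minutes")
```

The burst check is a sliding window per account, so two logons to the same host half an hour apart (asmith) do not count, while three different hosts inside ten minutes (jdoe) do. The tscon.exe and service checks fire on a single event each, since the slide treats both as worth investigating on their own.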
APT1 – HOW (EMAIL COLLECTION)


Adversaries may target user email to collect sensitive information from a target.

Files containing email data can be acquired from a user's system, such as Outlook
storage or cache files .pst and .ost.
Adversaries may leverage a user's credentials and interact directly with the
Exchange server to acquire information from within a network.
Some adversaries may acquire user credentials and access externally facing
webmail applications, such as Outlook Web Access.

Examples
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts
emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange
servers that has not yet been archived.
Dragonfly leveraged Outlook Web Access.
Backdoor.Oldrea collects address book information from Outlook.
CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost
for collection and exfiltration.
Crimson contains a command to collect and exfiltrate emails from Outlook.
Pupy can interact with a victim’s Outlook session and look through folders and
emails.
Some SeaDuke samples have a module to extract email from Microsoft Exchange
servers using compromised credentials.

Mitigation
Use of encryption provides an added layer of security to sensitive information sent over
email. Encryption using public key cryptography requires the adversary to obtain the
private certificate along with an encryption key to decrypt messages.

Use of two-factor authentication for public-facing webmail servers is also a recommended
best practice to minimize the usefulness of user names and passwords to adversaries.

Identify unnecessary system utilities or potentially malicious software that may be used to
collect email data files or access the corporate email server, and audit and/or block them
by using whitelisting tools, like AppLocker, or Software Restriction Policies where
appropriate.

Detection
There are likely a variety of ways an adversary could collect email from a target, each with
a different mechanism for detection.

File access of local system email files for Exfiltration, unusual processes connecting to an
email server within a network, or unusual access patterns or authentication attempts on a
public-facing webmail server may all be indicators of malicious activity.

Monitor processes and command-line arguments for actions that could be taken to gather
local email files. Remote access tools with built-in features may interact directly with the
Windows API to gather information.

Information may also be acquired through Windows system management tools such
as Windows Management Instrumentation and PowerShell.
APT1 – HOW (SCRIPTING)


Adversaries may use scripts to aid in operations and perform multiple actions that
would otherwise be manual. Scripting is useful for speeding up operational tasks
and reducing the time required to gain access to critical resources.

Some scripting languages may be used to bypass process monitoring mechanisms
by directly interacting with the operating system at an API level instead of calling
other programs.

Common scripting languages for Windows include VBScript and PowerShell but
could also be in the form of command-line batch scripts.

Scripts can be embedded inside Office documents as macros that can be set to
execute when files used in Spearphishing Attachment and other types of
spearphishing are opened. Malicious embedded macros are an alternative means
of execution to software exploitation through Exploitation for Client Execution,
where adversaries rely on macros being allowed or on the user accepting to
activate them.
Many popular offensive frameworks exist which use forms of scripting for security
testers and adversaries alike. Metasploit, Veil, and PowerSploit are three
examples that are popular among penetration testers for exploit and post-
compromise operations and include many features for evading defenses. Some
adversaries are known to use PowerShell.

Mitigation
Turn off unused features or restrict access to scripting engines such as VBScript or
scriptable administration frameworks such as PowerShell.

Configure Office security settings to enable Protected View, to execute within a sandbox
environment, and to block macros through Group Policy. Other types of virtualization and
application micro-segmentation may also mitigate the impact of compromise.

The risks of additional exploits and weaknesses in implementation may still exist.

Detection
Scripting may be common on admin, developer, or power user systems, depending on job
function. If scripting is restricted for normal users, then any attempts to enable scripts
running on a system would be considered suspicious.

If scripts are not commonly used on a system, but enabled, scripts running out of cycle
from patching or other administrator functions are suspicious. Scripts should be captured
from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate
events, depending on the types of monitoring used. Monitor processes and command-line
arguments for script execution and subsequent behavior.

Actions may be related to network and system information Discovery, Collection, or other
scriptable post-compromise behaviors and could be used as indicators of detection
leading back to the source script.

Analyze Office file attachments for potentially malicious macros. Execution of macros may
create suspicious process trees depending on what the macro is designed to do. Office
processes, such as word.exe, spawning instances of cmd.exe, script application like
wscript.exe or powershell.exe, or other suspicious processes may indicate malicious
activity.
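The last paragraph above describes the process-tree signal: an Office process spawning cmd.exe, wscript.exe or powershell.exe. A macro frequently reaches the script host through an intermediate shell, so the check has to look more than one hop up. The block below is an added Python example, not code from the SecureSet slides or from MITRE, that rebuilds the tree from constructed Sysmon Event ID 1 records using ProcessGuid and ParentProcessGuid and reports script hosts with an Office ancestor within a few hops. The Word binary is winword.exe (the slide writes "word.exe"); the GUID values, paths and command lines are constructed.

```python
from typing import Dict, List

# Constructed Sysmon Event ID 1 (ProcessCreate) records, not real telemetry.
# ProcessGuid / ParentProcessGuid let the tree be rebuilt across several hops.
SAMPLE_PROCESSES: List[Dict[str, str]] = [
    {"ProcessGuid": "A", "ParentProcessGuid": "ROOT",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"'},
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c update.bat"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File update.ps1"},
    {"ProcessGuid": "E", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Office binaries (Word is winword.exe) and the script hosts the slide names, plus cscript/mshta.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(guid: str, by_guid: Dict[str, Dict]) -> List[Dict]:
    """The process record followed by its parent, grandparent, ... (bounded against loops)."""
    chain: List[Dict] = []
    while guid in by_guid and len(chain) < 64:
        chain.append(by_guid[guid])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def office_spawned_script_hosts(events: List[Dict], max_depth: int = 3) -> List[Dict]:
    """Script hosts whose ancestry within max_depth hops contains an Office application."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        if basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e["ProcessGuid"], by_guid)
        for depth, ancestor in enumerate(chain[1:1 + max_depth], start=1):
            if basename(ancestor["Image"]) in OFFICE_APPS:
                findings.append({
                    "guid": e["ProcessGuid"],
                    "process": basename(e["Image"]),
                    "office_parent": basename(ancestor["Image"]),
                    "depth": depth,
                    "chain": " -> ".join(basename(p["Image"]) for p in reversed(chain)),
                })
                break
    return findings


if __name__ == "__main__":
    for f in office_spawned_script_hosts(SAMPLE_PROCESSES):
        print(f"{f['process']} ({f['guid']}) {f['depth']} hop(s) below "
              f"{f['office_parent']}: {f['chain']}")
```

Both the cmd.exe child of Word and the powershell.exe grandchild are reported, each with the full chain back to explorer.exe, while the administrator's inventory script started from explorer.exe is not. The depth bound keeps a long-lived Office process from tainting everything launched far below it; tune max_depth to how deep your macro-to-script chains normally run.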
APT1 – HOW (COMMAND LINE INTERFACE)


Command-line interfaces provide a way of interacting with computer systems and
are a common feature across many types of operating system platforms.

One example command-line interface on Windows systems is cmd, which can be
used to perform a number of tasks including execution of other software.
Command-line interfaces can be interacted with locally or remotely via a remote
desktop application, reverse shell session, etc.

Commands that are executed run with the current permission level of the
command-line interface process unless the command includes process invocation
that changes permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute
other software during the course of an operation.

Mitigation
Audit and/or block command-line interpreters by using whitelisting tools, like
AppLocker, or Software Restriction Policies where appropriate.

Detection
Command-line interface activities can be captured through proper logging of
process execution with command-line arguments. This information can be useful in gaining
additional insight to adversaries' actions through how they use native processes or custom
tools.
APT1 – HOW (DATA FROM LOCAL SYSTEM)


Sensitive data can be collected from local system sources, such as the file system
or databases of information residing on the system prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised
to find files of interest. They may do this using a Command-Line Interface, such
as cmd, which has functionality to interact with the file system to gather
information. Some adversaries may also use Automated Collection on the local
system.

Mitigation
Identify unnecessary system utilities or potentially malicious software that may be
used to collect data from the local system, and audit and/or block them by using
whitelisting tools, like AppLocker, or Software Restriction Policies where
appropriate.

Detection
Monitor processes and command-line arguments for actions that could be taken to
collect files from a system, such as recursive directory listings, content searches,
or copying files into a staging directory. Remote access tools with built-in features
may interact directly with the Windows API to gather data; that activity leaves no
command line to log, so file-system access auditing (Windows object access events,
ID 4663) is the complementary source.

Data may also be acquired through Windows system management tools such
as Windows Management Instrumentation and PowerShell.
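The detection logic the two Detection slides describe (parent/child process anomalies from the Command-Line Interface slide, and collection/staging command lines from the Data from Local System slide), as an added example that is not from the SecureSet deck or from MITRE ATT&CK. It runs over a constructed, simplified process-creation log carrying the fields Sysmon Event ID 1 or Windows event 4688 with command-line auditing provide (parent image, image, command line); the regex heuristics, the sample events and the paths in them are the example's own assumptions, not an ATT&CK-provided list.

```python
"""Flag suspicious process creations from command-line logging.

Two checks, both from the slides' Detection guidance:
  1. an Office application spawning a shell or script host;
  2. command lines that enumerate or search the file system, stage data into
     an archive, or run encoded PowerShell, regardless of parent.
Sample events below are constructed for the example, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Heuristic command-line patterns (the example's own, not an official list).
COLLECTION_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("recursive dir listing",      re.compile(r"\bdir\b.*\s/s\b", re.I)),
    ("content search",             re.compile(r"\bfindstr\b.*\s/s", re.I)),
    ("archive staging",            re.compile(r"\b(rar|7z|7za)(\.exe)?\s+a\b", re.I)),
    ("password-protected archive", re.compile(r"\b(rar|7z|7za)(\.exe)?\s+a\b.*\s-(hp|p)\S*", re.I)),
    ("powershell file crawl",      re.compile(r"Get-ChildItem\b.*-Recurse", re.I)),
    ("encoded powershell",         re.compile(r"powershell.*\s-e(nc|ncodedcommand)?\b", re.I)),
]

# Constructed sample events: a macro-spawned shell, a recursive listing,
# a password-protected RAR staging job, and one benign event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users /s /b > C:\Windows\Temp\list.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rar.exe",
     "cmdline": r"rar.exe a -hpSecret C:\Windows\Temp\out.rar C:\Users\jdoe\Documents"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def image_name(path: str) -> str:
    """Last path component, lower-cased, so WINWORD.EXE and winword.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of findings for one process-creation event (empty if benign)."""
    findings: List[str] = []
    parent, child = image_name(event["parent"]), image_name(event["image"])
    # Check 1: process-tree anomaly (Office -> shell/script host).
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append(f"office-spawned-shell: {parent} -> {child}")
    # Check 2: discovery / collection / staging in the command line itself.
    for label, pattern in COLLECTION_PATTERNS:
        if pattern.search(event["cmdline"]):
            findings.append(label)
    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only events with findings, as (image name, findings) pairs."""
    out: List[Tuple[str, List[str]]] = []
    for event in events:
        findings = classify(event)
        if findings:
            out.append((image_name(event["image"]), findings))
    return out


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The benign notepad.exe event produces no findings; the WINWORD.EXE parent is flagged on the process tree alone, before its command line is even read, which is why parent-process logging matters as much as the command-line text.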
APT1 – HOW (COMPRESSED DATA)


An adversary may compress data (e.g., sensitive documents) that is collected prior
to exfiltration in order to make it portable and minimize the amount of data sent
over the network. They may also encrypt the archive (for example a password-protected
RAR) or hide it with steganography in the hope of evading DLP inspection; steganography
is concealment rather than encryption, and the two are often combined.

The compression is done separately from the exfiltration channel and is performed
using a custom program or algorithm, or a more common compression library or
utility such as 7zip, RAR, ZIP, or zlib.

Mitigation
Identify unnecessary system utilities, third-party tools, or potentially malicious
software that may be used to compress files, and audit and/or block them by using
whitelisting tools, like AppLocker, or Software Restriction Policies where
appropriate.

Detection
If the communications channel is unencrypted, compressed files can be detected in
transit during exfiltration with a network intrusion detection system (IDS / IPS) or
data loss prevention (DLP) system that analyzes file headers (the fixed "magic" bytes
at the start of ZIP, RAR, 7z, or gzip data). Two caveats: a password-protected archive
still carries its recognizable header even though its contents cannot be inspected,
and exfiltration over TLS or inside a custom encrypted channel hides the header
entirely, leaving endpoint process logging as the remaining detection point.
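Header-based detection of staged archives in a captured stream, as an added example that is not from the deck: it checks a byte buffer against the published magic bytes of ZIP, RAR 4/5, 7z and gzip and, for ZIP, reads the local file header's encryption flag, which is how a DLP sensor can tell a password-protected archive from a plain one even though the contents are opaque. The sample payloads are constructed inline (the ZIP header is hand-built with the store method and a dummy CRC), and `inspect` is the example's own wrapper.

```python
"""Detect archive headers in a captured byte stream (added example).

Mirrors what an IDS / DLP rule does when it inspects file headers on an
unencrypted channel.  Sample payloads are constructed here, not captured.
"""
import gzip
import struct
from typing import Dict, List, Optional, Tuple

# Published file signatures ("magic bytes") for common archive formats.
ARCHIVE_MAGICS: List[Tuple[str, bytes]] = [
    ("zip",  b"PK\x03\x04"),
    ("rar4", b"Rar!\x1a\x07\x00"),
    ("rar5", b"Rar!\x1a\x07\x01\x00"),
    ("7z",   b"7z\xbc\xaf\x27\x1c"),
    ("gzip", b"\x1f\x8b\x08"),
]


def identify_archive(data: bytes) -> Optional[str]:
    """Return the archive type whose magic the buffer starts with, else None."""
    for label, magic in ARCHIVE_MAGICS:
        if data.startswith(magic):
            return label
    return None


def zip_entry_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 of the local file header)
    marks an encrypted entry; the 30-byte fixed header must be present."""
    if len(data) < 30 or not data.startswith(b"PK\x03\x04"):
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def build_zip_local_header(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Construct a minimal ZIP local file header (store method, dummy CRC)
    followed by the entry data.  Demo helper only; not a valid full archive."""
    flags = 0x0001 if encrypted else 0
    header = struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50,            # signature, little-endian -> b"PK\x03\x04"
        20, flags, 0,          # version needed, flags, method 0 = store
        0, 0,                  # mod time, mod date
        0,                     # crc32 (not needed for the header check)
        len(payload), len(payload),
        len(name), 0,          # name length, extra-field length
    )
    return header + name + payload


# Constructed samples: plain ZIP, encrypted ZIP, gzip, 7z, and non-archive HTML.
SAMPLES: Dict[str, bytes] = {
    "plain_zip": build_zip_local_header(b"q.txt", b"quarterly numbers", False),
    "enc_zip":   build_zip_local_header(b"q.txt", b"\x00" * 17, True),
    "gz":        gzip.compress(b"board minutes"),
    "seven_zip": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,
    "html":      b"<html><body>hello</body></html>",
}


def inspect(data: bytes) -> Tuple[str, bool]:
    """(archive type or 'none', encrypted-ZIP flag) for one captured buffer."""
    kind = identify_archive(data)
    if kind is None:
        return ("none", False)
    return (kind, kind == "zip" and zip_entry_encrypted(data))


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect(blob))
```

On a real sensor the same check runs on the first bytes of each reassembled HTTP body or FTP data stream; it says nothing once the transport itself is encrypted, which is the caveat the slide makes.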
APT 1 – WHO: CONCLUSION


The sheer scale and duration of sustained attacks against such a wide set of
industries from a singularly identified group based in China leaves little doubt
about the organization behind APT1. We believe the totality of the evidence we
provide in this document bolsters the claim that APT1 is Unit 61398.

However, we admit there is one other unlikely possibility:

A secret, resourced organization full of mainland Chinese speakers with direct
access to Shanghai-based telecommunications infrastructure is engaged in a multi-
year, enterprise scale computer espionage campaign right outside of Unit 61398's
gates, performing tasks similar to Unit 61398's known mission.

So what makes an APT?

An advanced persistent threat (APT) is a prolonged, targeted intrusion in which an
unauthorized party gains access to a network and remains there undetected for an
extended period of time. The intention of an APT is typically to steal data rather
than to cause damage to the network or organization, which is why stealth and
persistence matter more to the attacker than speed.
OTHER ADVANCED PERSISTENT THREATS

• APT 1 – Unit 61398, Comment Crew – CHINA
• APT 3 – UPS Team – CHINA
• APT 5 – Undisclosed – ?
• APT 10 – Menupass Team – CHINA – Suspected
• APT 12 – Calc Team – CHINA – Suspected
• APT 16 – ? – CHINA – Suspected
• APT 17 – Tailgator Team, Deputy Dog – CHINA – Suspected
• APT 18 – Wekby – CHINA – Suspected
• APT 19 – Codoso Team – CHINA – Suspected
• APT 28 – Tsar Team – RUSSIA – Suspected
• APT 29 – Cozy Bear – RUSSIA – Suspected
• APT 30 – ? – CHINA – Suspected
• APT 32 – OceanLotus Group – VIETNAM – Suspected
• APT 33 – ? – IRAN – Suspected
• APT 34 – ? – IRAN – Suspected
• APT 37 – ? – NORTH KOREA – Suspected


APT1 isn't the only one. These are some of the more notorious groups, but others are
operating without us knowing that they exist or who they are.
REFERENCES

• FBI. (2014, May 19). Five Chinese Military Hackers Charged with Cyber Espionage Against U.S. Retrieved December 30, 2019, from https://www.fbi.gov/news/stories/five-chinese-military-hackers-charged-with-cyber-espionage-against-us
• Eclipse Digital Imaging, Inc. (2019). PowerPoint Templates. Retrieved December 30, 2019, from https://www.presentermedia.com/
• BBC News. (2014, May 20). China denounces US cyber-theft charges. Retrieved December 30, 2019, from https://www.bbc.com/news/world-us-canada-27477601
• Mandiant. (2013, February). Mandiant APT1. Retrieved December 30, 2019, from https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

LAB TIME
