| APT33 Group Technique | Detection Technique |
|---|---|
| Python-based backdoor | Look for Python interpreter processes (e.g. python.exe) making external network connections. |
| At.exe used to perform task scheduling | Monitor process execution spawned by svchost.exe on Windows 10 and by the Task Scheduler engine taskeng.exe on older versions of Windows. If scheduled tasks are not used for persistence, the adversary is likely to remove the task once the action completes. Monitor the Task Scheduler store in %systemroot%\System32\Tasks for new or changed entries that do not correlate with known software, patch cycles, etc. |
| Specific files created by APT33 backdoor | Look for the presence of SmartMega.exe, DysonPart.exe or MsdUpdate.exe in the Application Data folders (%LOCALAPPDATA% or %APPDATA%). |
| Dumps stored credentials from lsass.exe | Use Sysmon Event ID 10 (ProcessAccess) where TargetImage is lsass.exe and GrantedAccess is 0x1010. Sample Splunk query: `EventCode=10 \| where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")` |
| Uses run keys for persistence | Analyze the following registry keys: |
| Mimikatz used to dump credentials from lsass.exe | First look for Sysmon Event ID 1 (ProcessCreate) where ParentImage is cmd.exe and IntegrityLevel is High, followed by Event ID 10 where GrantedAccess is 0x1010, TargetImage is lsass.exe and SourceImage is not svchost.exe. |
| Malware uses IP addresses directly with no domains in URLs | Analyze network traffic for URLs whose host is a bare IP address rather than a domain name (e.g. hxxp://1.2.3.4/api/info). |
| Malware runs PowerShell with suspect arguments | Search for PowerShell command-line executions containing suspect arguments (-nop, -enc, -bypass, etc.). |
| Malware executes PowerShell from non-standard locations | Search for PowerShell running from unusual locations (e.g. directories under %LOCALAPPDATA%). |
| Suspect PowerShell cmdlets | Look for suspect cmdlets that are used almost exclusively for malicious purposes. |
| Malware uses Outlook to download additional files | Search for outlook.exe directly requesting externally hosted files. |
| Remcos installs to a specific location during install and deletes itself | Look for the following file being created or deleted: %AppData%\remcos\remcos.exe |
| Windows Task Scheduler used to schedule malicious code to run | Monitor process execution spawned by svchost.exe on Windows 10 and by the Task Scheduler engine taskeng.exe on older versions of Windows. If scheduled tasks are not used for persistence, the adversary is likely to remove the task once the action completes. Monitor the Task Scheduler store in %systemroot%\System32\Tasks for new or changed entries that do not correlate with known software, patch cycles, etc. |
| Delivers obfuscated JavaScript from compromised websites | Analyze all JavaScript being executed for obfuscation techniques and for code pointing to a different domain. |
| Office macros launch command-line/scripting processes | Look for unusual child processes of Microsoft Office processes (winword.exe, excel.exe, powerpnt.exe, msaccess.exe, outlook.exe, visio.exe, winproj.exe, etc.) such as, but not limited to: |
| Mimikatz unique strings | Look in PowerShell logs for the following strings, which are unique to Mimikatz: |
| Adversary uses domain masquerading to blend in | Analyze network traffic for domains that resemble internal or trusted-partner domains (e.g. example.com versus example.com.sg). |
| Process hollowing used to evade detection | Investigate use of the API calls ZwUnmapViewOfSection / NtUnmapViewOfSection, which unmap a section from process memory, and WriteProcessMemory, which can modify memory in another process. |
| Remcos creates a mutex to mark that it is installed on a system | Look for the mutex remcos_etrcewrortwiujm present on a system. |
| WMI is used for persistence | Verify all WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity (Sysmon Event IDs 19, 20 and 21). |
| Dumps stored credentials from lsass.exe | Use Windows Security event logs to find a handle to lsass.exe being requested, via Event ID 4656 or 4663, where Object_Name contains lsass.exe and Access_Mask is 0x143A. Sample Splunk queries: |
| Specific URL path used by APT33 backdoor | Look in network logs for activity matching the pattern `/update.php?c=[0-9a-fA-F]{32}` |
| Actors include malicious links in spear-phishing emails | Examine incoming emails for links to .hta files. |
| Malware runs PowerShell with suspect parents | Search for PowerShell with questionable parent processes such as: |
| Password spray is used, trying a small set of passwords against a large number of users | Analyze failed login attempts for sources that fail against a large number of distinct users. |
| Look for common name of Mimikatz cmdlet | Look in PowerShell logs for "Invoke-Mimikatz", the common name of the Mimikatz cmdlet. |
| Outlook client home pages are created for execution and persistence | Analyze the registry key `HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox` |
| PowerShell used to dump credentials from lsass.exe | Use Windows Security event logs to find a handle to lsass.exe being requested via Event ID 4656, where Object_Name contains lsass.exe and Access_Mask is 0x143A or 0x1410. An Access_Mask of 0x1410 must additionally be combined with a Process_Name ending in shell.exe (i.e. powershell.exe) to reduce false positives. Sample Splunk query: |
| Uses HTA scripts to execute malware | Analyze all executions of mshta.exe. |
| DynamicDNS used for C2 | Analyze traffic going to dynamic DNS providers. |
| Adversary accesses Exchange remotely for collection | Search for logins to Exchange accounts from unexpected source IPs. |
| Quasar creates a mutex to mark that it is installed on a system | Look for a mutex named QSR_MUTEX_ followed by 18 mixed-case alphanumeric characters. |