SolarWinds And Active Directory/M365 Compromise: Detecting . - CISA


SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures
March 17, 2021
Cybersecurity and Infrastructure Security Agency

TLP:WHITE

Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to …ed-networks and …

INTRODUCTION

The advanced persistent threat (APT) actor associated with the SolarWinds Orion supply chain compromise moved laterally to multiple systems—including Microsoft cloud environments—and established difficult-to-detect persistence mechanisms. The Cybersecurity and Infrastructure Security Agency (CISA) is providing this resource to assist network defenders in scoping the intrusion by detecting artifacts from known tactics, techniques, and procedures (TTPs) associated with this activity. Although this resource is tailored to organizations that were compromised via the SolarWinds Orion supply chain compromise, CISA is aware of other initial access vectors, and organizations should not assume they are not compromised by this APT actor solely because they have never used affected versions of SolarWinds Orion. Additionally, this resource addresses follow-on activity observed in the Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments. Organizations should confirm they have not observed related TTPs described in this resource, and, if they detect related activity, refer to CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and contact CISA for further assistance.

For additional technical information on the SolarWinds Orion supply chain and Active Directory/M365 compromise, refer to …ks.
For information on CISA's response to this activity, refer to cisa.gov/supply-chain-compromise.

Threat Actor Tactics and Techniques

Figure 1 and table 1 identify threat actor tactics and techniques observed by incident responders using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, Version 8. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques. Note: Neither figure 1 nor table 1 should be considered exhaustive—not all techniques have been used in every incident, and some techniques may not have been identified.

Figure 1: MITRE ATT&CK Techniques Observed

Table 1 identifies tactics and techniques observed by incident responders and provides associated detection recommendations.

Table 1: Threat Actor Techniques and Associated Detection Artifacts (columns: Tactic, Technique, Threat Actor Activity, Detection Recommendations)

Tactic: Credential Access [TA0006]
Technique: Forge Web Credentials: SAML Tokens [T1606.002]
Threat Actor Activity: The threat actor created tokens using compromised Security Assertion Markup Language (SAML) signing certificates. 1
Detection Recommendations: Monitor for anomalous logins from on-premises and cloud environments that trust the token signing certificate. Search for logins to service providers using SAML Single Sign On (SSO) that do not have corresponding events 4769, 1200, and 1202. 2

Tactic: Defense Evasion [TA0005]
Technique: Use Alternate Authentication Material [T1550]
Threat Actor Activity: The actor used forged SAML tokens to impersonate existing users in the environment with full authentication. 3,4
Detection Recommendations: The users being leveraged are valid users, so the artifacts are behavioral. Look for user accounts, especially privileged and service accounts, behaving abnormally. Cyber attackers prefer to use compromised credentials, so identifying accounts that use multiple login pathways, geolocations, or virtual private network (VPN) services might lead to discovery of compromised credentials, malicious autonomous system numbers (ASNs), and suspicious … Internal IP management or scanning capability may show IP addresses switching between default (WIN-*) hostnames and the victim's hostnames. 5

Technique: Scheduled Task/Job: Scheduled Task [T1053.005]
Threat Actor Activity: The threat actor used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement. The threat actor also manipulated Scheduled Tasks by updating an existing legitimate task to execute their tools and then returned the Scheduled Task to its original configuration. 6,7
Detection Recommendations: Audit existing scheduled tasks in the environment and review against known and expected scheduled tasks; MITRE ATT&CK recommends looking "for changes to tasks and services that do not correlate with known software, patch cycles etc." 8 Verify the tasks do what they are intended to do, as this actor is known to alter existing legitimate tasks. MITRE ATT&CK also recommends monitoring "processes and command-line arguments for actions that could be taken to create tasks or services." 9 In Windows 10, monitor process execution from svchost.exe. In older versions of Windows, monitor the Windows Task Scheduler taskeng.exe. If you do not observe Scheduled Tasks used for persistence, then the adversary may have removed the task after it was no longer needed. 10

Tactic: Persistence [TA0003]
Technique: Scheduled Task/Job: Scheduled Task [T1053.005]
Threat Actor Activity: The threat actor created a Scheduled Task to maintain SUNSPOT persistence when the host booted. 12
Detection Recommendations: Monitor Windows Scheduled Tasks stored in %systemroot%\System32\Tasks. Look for changes related to Scheduled Tasks that do not correlate with known software updates etc.

Technique: Masquerading: Masquerade Task or Service [T1036.004]
Threat Actor Activity: The threat actor named … \EventCacheManager in order to appear legitimate.

Technique: Windows Management Instrumentation [T1047]
Threat Actor Activity: The threat actor used Windows Management Instrumentation (WMI) for the remote execution of files for lateral movement.
Detection Recommendations: Monitor network traffic for WMI connections. WMI connections in environments that do not usually use WMI may be an indicator of compromise. Capture command-line arguments of wmic via process monitoring and look for commands that are used for remote behavior. 17 According to Microsoft, the following was used for lateral movement via WMI: wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]". 18 Note: detecting WMI connections for execution requires detecting it at the time it happens.

Technique: Event Triggered Execution: Windows Management Instrumentation Event Subscription [T1546.003]
Threat Actor Activity: The threat actor used WMI event subscriptions for persistence.
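The first row of table 1 asks defenders to search for SAML SSO logins at service providers that have no corresponding 4769, 1200 and 1202 events. The correlation below is an added example written for this page, not code from the CISA document; the event records and field names are constructed assumptions to be mapped onto your own sign-in, AD FS and domain controller logs.

```python
"""Correlate SAML SSO logins at a service provider with the on-premises
events the document expects to precede them (AD FS 1200/1202 and a
Kerberos TGS request, event 4769). Added example, not CISA's code; the
events below are constructed and the field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample data (UTC timestamps). Field names are assumed, not a
# real log schema: adapt "user", "time" and "event_id" to your own sources.
SP_LOGINS = [  # SAML SSO sign-ins recorded by the cloud service provider
    {"user": "alice", "time": "2021-03-01T09:00:30", "app": "Exchange Online"},
    {"user": "svc-backup", "time": "2021-03-01T02:14:05", "app": "SharePoint Online"},
    {"user": "bob", "time": "2021-03-01T10:30:00", "app": "Exchange Online"},
]
ONPREM_EVENTS = [  # AD FS token events (1200/1202) and DC ticket requests (4769)
    {"event_id": 4769, "user": "alice", "time": "2021-03-01T08:59:50"},
    {"event_id": 1200, "user": "alice", "time": "2021-03-01T09:00:10"},
    {"event_id": 1202, "user": "alice", "time": "2021-03-01T09:00:12"},
    {"event_id": 4769, "user": "bob", "time": "2021-03-01T10:29:00"},
    # bob obtained a Kerberos ticket but AD FS never issued him a token;
    # svc-backup has no on-premises trail at all.
]

WINDOW = timedelta(minutes=10)   # how far back to look for the on-prem trail
ADFS_EVENT_IDS = {1200, 1202}    # token issued / token validated


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_saml_logins(sp_logins, onprem_events, window=WINDOW):
    """Return SP logins with no AD FS event or no 4769 for that user in the window."""
    findings = []
    for login in sp_logins:
        t_login = _parse(login["time"])
        seen = set()
        for ev in onprem_events:
            if ev["user"] != login["user"]:
                continue
            t_ev = _parse(ev["time"])
            if t_login - window <= t_ev <= t_login:
                seen.add(ev["event_id"])
        missing = []
        if not seen & ADFS_EVENT_IDS:
            missing.append("AD FS 1200/1202")
        if 4769 not in seen:
            missing.append("4769")
        if missing:  # a token the identity provider never issued: review the login
            findings.append({**login, "missing": missing})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_saml_logins(SP_LOGINS, ONPREM_EVENTS):
        print(f"{f['time']} {f['user']:<12} {f['app']:<18} missing: {', '.join(f['missing'])}")
```

A login with no AD FS issuance event is the strongest signal; a missing 4769 alone can also be a cached-logon or clock-skew artifact, so tune the window to your environment.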

Tactic: Exfiltration [TA0010]
Technique: Exfiltration over C2 Channel [T1041]
Threat Actor Activity: The threat actor used HTTP for command and control (C2) and data exfiltration. 21 The threat actor's malware used HTTP PUT or HTTP POST requests when collected data was being exfiltrated to their C2 server. 22
Detection Recommendations: Look for unusual outbound HTTP PUT or HTTP POST requests. If the payload is bigger than 10000 bytes, the POST method is used. If the payload is smaller than 10000 bytes, the PUT method is used. All HTTP POST and HTTP PUT requests will have a JavaScript Object Notation (JSON) body containing the keys userId, sessionId, and steps. The steps field contains a list of objects with the following keys: Timestamp, Index, EventType, EventName, DurationMs, Succeeded, and Message. The JSON key EventType is hardcoded to the value Orion, and the EventName is hardcoded to EventManager.

Technique: Masquerading: Match Legitimate Name or Location [T1036.005]
Threat Actor Activity: The threat actor renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the Structured Query Language (SQL) Server Telemetry Client or Client Service Runtime Process, respectively. 24,25
Detection Recommendations: Investigate executables with parameters that do not match their known behavior. Profile expected behavior of binaries, especially code that runs with admin permissions, to identify unusual behavior. Compare the hashes of running versions of executables with the hashes of known legitimate executables.

Technique: Signed Binary Proxy Execution: Rundll32 [T1218.011]
Threat Actor Activity: The threat actor used Rundll32 to execute payloads. 26,27
Detection Recommendations: The following resources provide examples of uses of Rundll32 seen:
- Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations
- Microsoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Tactic: Discovery [TA0007]
Technique: Remote System Discovery [T1018]
Threat Actor Activity: The threat actor used AdFind to enumerate remote systems. 28
Detection Recommendations: Look for executables with the following parameters (they may be the AdFind utility renamed): [renamed-adfind].exe -h [internal domain] -sc u:[user] > .\\[machine]\[file].[log|txt]. 29 Refer to Microsoft: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop for other uses of this executable. Note: this executable may be renamed to evade detection; refer to MITRE T1036.005 for guidance on detecting renamed files.
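The exfiltration row above gives enough structure to write a body-shape check: method, the top-level and per-step JSON keys, the hardcoded EventType/EventName values, and the 10000-byte PUT/POST rule. The scanner below is an added example for this page, not CISA's code; the request bodies are constructed, and the three-of-four trait threshold is an assumption.

```python
"""Flag HTTP request bodies shaped like the exfiltration traffic described
above: PUT/POST, JSON with userId/sessionId/steps, step objects with the
documented keys, EventType "Orion", EventName "EventManager", and the
10000-byte PUT/POST rule. Added example, not CISA's code; the requests
below are constructed, and a body is reported when at least three of the
four documented traits line up."""
import json

STEP_KEYS = {"Timestamp", "Index", "EventType", "EventName",
             "DurationMs", "Succeeded", "Message"}
SIZE_THRESHOLD = 10000  # bytes; larger payloads go by POST, smaller by PUT
MIN_TRAITS = 3          # assumption: how many traits before we report a body


def expected_method(body_len):
    """Method the document says the malware picks for a body of this size."""
    return "POST" if body_len > SIZE_THRESHOLD else "PUT"


def exfil_traits(method, body):
    """Return the documented traits this request exhibits (empty = no match)."""
    if method not in ("PUT", "POST"):
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict) or not {"userId", "sessionId", "steps"} <= doc.keys():
        return []
    steps = doc["steps"]
    if not isinstance(steps, list) or not steps:
        return []
    traits = ["top-level keys userId, sessionId, steps"]
    if all(isinstance(s, dict) and STEP_KEYS <= s.keys() for s in steps):
        traits.append("step objects carry the documented keys")
    if all(isinstance(s, dict) and s.get("EventType") == "Orion"
           and s.get("EventName") == "EventManager" for s in steps):
        traits.append("EventType=Orion and EventName=EventManager")
    if expected_method(len(body)) == method:
        traits.append(f"{method} consistent with {len(body)}-byte body")
    return traits


def scan_requests(requests):
    """Return (index, traits) for each (method, body) pair reaching MIN_TRAITS."""
    hits = []
    for i, (method, body) in enumerate(requests):
        traits = exfil_traits(method, body)
        if len(traits) >= MIN_TRAITS:
            hits.append((i, traits))
    return hits


def _constructed_body(message):
    """Build a body with the documented shape (sample values are invented)."""
    return json.dumps({
        "userId": "00112233445566778899aabbccddeeff",
        "sessionId": "11111111-2222-3333-4444-555555555555",
        "steps": [{"Timestamp": "2021-03-01T03:10:01Z", "Index": 0,
                   "EventType": "Orion", "EventName": "EventManager",
                   "DurationMs": 12, "Succeeded": True, "Message": message}],
    })


SAMPLE_REQUESTS = [  # constructed (method, body) pairs
    ("POST", json.dumps({"query": "status", "page": 1})),      # ordinary API call
    ("PUT", _constructed_body("short report")),                # small payload -> PUT
    ("POST", _constructed_body("A" * 10100)),                  # large payload -> POST
    ("GET", _constructed_body("ignored")),                     # wrong method
    ("PUT", json.dumps({"userId": "u", "sessionId": "s", "steps": [{"Index": 0}]})),
]

if __name__ == "__main__":
    for i, traits in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: {'; '.join(traits)}")
```

Run this over decrypted proxy or web-gateway request bodies; a body that matches only the top-level keys is not enough on its own, which is why the threshold exists.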

Technique: System Information Discovery [T1082]
Threat Actor Activity: The threat actor used fsutil to determine if there was sufficient available free space before executing actions that might generate large files on disk. 30
Detection Recommendations: Look for the following fsutil command: fsutil volume diskfree c:. 31

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host: Timestomp [T1070.006]
Threat Actor Activity: The threat actor modified timestamps of backdoors to match legitimate Windows files. 32
Detection Recommendations: Use forensic techniques to detect files that have had their timestamps modified. Detecting timestomping may be possible by using file modification monitoring that collects information on file handle opens and can compare timestamp values. 33

Tactic: Credential Access [TA0006]
Technique: OS Credential Dumping: DCSync [T1003.006]
Threat Actor Activity: The actor leveraged privileged accounts to replicate directory service data with domain controllers. 34,35,36
Detection Recommendations: MITRE ATT&CK recommends the following: "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. Also monitor for network protocols and other replication requests from IPs not associated with known domain controllers." 37

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host: File Deletion [T1070.004]
Threat Actor Activity: Once remote access was achieved, the threat actor frequently removed their tools, including custom backdoors. 38
Detection Recommendations: Monitor command-line deletion functions and compare them with binaries or other files that the threat actor may have dropped and removed. Monitor for known deletion and secure deletion tools that the actor may have introduced to the network. 39

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host [T1070]
Threat Actor Activity: The threat actor removed evidence of email export requests using Remove-MailboxExportRequest. The threat actor temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file. 40,41
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-MailboxExportRequest -Mailbox user@organization.here | Remove-MailboxExportRequest -Confirm:$False". 42

Technique: Permission Groups Discovery [T1069]
Threat Actor Activity: The threat actor used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell. 43
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-ManagementRoleAssignment GetEffectiveUsers ,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace '`n',' '} | Out-File C:\temp\1.xml". 44

Tactic: Discovery [TA0007]
Technique: File and Directory Discovery [T1083]
Threat Actor Activity: The threat actor obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory. 45
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-WebServicesVirtualDirectory | Format-List". 46

Tactic: Execution [TA0002]
Technique: Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Threat Actor Activity: The threat actor used cmd.exe to execute commands on remote machines. 47
Detection Recommendations: Microsoft Windows cmd.exe was used to run powershell.exe, AdFind (often renamed to a number of other names), and other commands. 48 Use process tracking, event logging, and PowerShell monitoring functions to identify use of these command-line tools.

Tactic: Execution [TA0002]
Technique: Command and Scripting Interpreter: PowerShell [T1059.001]
Threat Actor Activity: The threat actor used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. 49
Detection Recommendations: Review PowerShell cmdlets that involve adding or changing permissions or roles to existing accounts, applications, and service principals or that use Out-File filenames and unusual locations (such as C:\TEMP). 50 Organizations should review these sources and determine if the changes they make are expected and authorized.
Look for PowerShell being used to create Scheduled Tasks on remote machines with command parameters that look like this: $scheduler = New-Object -ComObject("Schedule.Service"); $scheduler.Connect($env:COMPUTERNAME); $folder …ProtectionPlatform"); $task = $folder.GetTask("EventCacheManager"); $definition = $task.Definition; $definition.Settings.ExecutionTimeLimit = "PT0S"; $folder.RegisterTaskDefinition($task.Name, $definition, 6, "System", $null, 5); echo "Done". 51
Look for events related to Beacon commands jump psexec and jump psexec_psh—these commands will generate an EventID 7045 (Service Installation) from System.evtx. The additional commands will generate an EventID 400 event log (PowerShell Engine Startup) from Windows PowerShell.evtx.
Since this attacker is adept at PowerShell, CISA recommends enabling PowerShell logging and monitoring use of the tool. Look for cmdlets in PowerShell logs, including the following: 52
- Get-ManagementRoleAssignment
- Get-AcceptedDomain
- Get-CASMailbox
- Get-Mailbox
- Get-OrganizationConfig
- Get-OwaVirtualDirectory
- Get-Process
- Get-WebServicesVirtualDirectory
- New-MailboxExportRequest
- Remove-MailboxExportRequest
- Set-CASMailbox
- Export-PfxCertificate
- Export-Certificate
- Add-AdfsCertificate
- Get-AdfsCertificate
- Get-AdfsSslCertificate
- New-AdfsAzureMfaTenantCertificate
- Set-AdfsCertificate
- Set-AdfsSslCertificate
- Update-AdfsCertificate
- Set-MpPreference
- Compress-Archive
- Invoke-Command
- Invoke-WMIMethod
For more information on PowerShell logging, refer to FireEye: Greater Visibility Through PowerShell Logging.
Modification of mail delegation rules and changes to the behavior or frequency of mail traffic being sent may be a sign that a compromised account is being leveraged by threat actors. 53

Technique: Account Discovery [T1087]
Threat Actor Activity: The threat actor obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment. 54,55

Tactic: Discovery [TA0007]
Technique: Domain Trust Discovery [T1482]
Threat Actor Activity: The threat actor used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains. 56

Technique: Account Manipulation: Exchange Email Delegate Permissions [T1098.002]
Threat Actor Activity: The threat actor added their own devices as allowed identifications (IDs) for ActiveSync using Set-CASMailbox, allowing their devices to obtain copies of victim mailboxes. The actor also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised application or service principals. 57

Tactic: Defense Evasion [TA0005]
Technique: Obfuscated Files or Information [T1027]
Threat Actor Activity: The threat actor used encoded PowerShell commands. 58
Detection Recommendations: The attacker is known to use PowerShell's built-in ability to take Base64-encoded parameters (the -EncodedCommand parameter). 59 There are many ways this can be called, so defenders should familiarize themselves with what this can look like in PowerShell logs using the following resources:
- Palo Alto Networks Unit 42: Pulling Back the Curtains on EncodedCommand PowerShell Attacks
- Microsoft: Customer Guidance on Recent Nation State Cyber Attacks

Tactic: Persistence [TA0003]
Technique: Account Manipulation: Additional Cloud Credentials [T1098.001]
Threat Actor Activity: The threat actor added credentials to Azure service principals/applications after gaining access to the Microsoft 365 (M365) environment. 60,61
Detection Recommendations: Look for behavioral artifacts, such as accounts behaving abnormally, and verify information such as IP and/or user agent strings are normal. Identify if credentials have been added to service principals/applications (such as SharePoint and Microsoft Teams) that previously did not have them. Check with administrators to ensure applications are supposed to have credentials (and the type of credential) associated with them. Monitor for use of Application Programming Interfaces (APIs) that create or import Secure Shell (SSH) keys, especially by unexpected users or accounts such as root accounts. 62

Technique: Email Collection: Remote Email Collection [T1114.002]
Threat Actor Activity: The threat actor collected emails from accounts of specific individuals, such as executives and IT staff, using New-MailboxExportRequest followed by Get-MailboxExportRequest. The actor used Azure service principals/applications with added credentials to exfiltrate emails from specific users. 63

Tactic: Initial Access [TA0001]
Technique: Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Threat Actor Activity: The threat actor gained initial network access via a Trojanized update of SolarWinds Orion software. 64,65
Detection Recommendations: Refer to the SolarWinds Security Advisory for details on versions affected. Refer to CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations for immediate mitigation recommendations.

Tactic: Execution [TA0002]
Technique: Command and Scripting Interpreter: Windows Command Shell [T1059.003]; Process Discovery [T1057]
Threat Actor Activity: The threat actor "lived off the land" by using native commands in Windows. The actor used multiple command-line utilities to enumerate running processes. 66,67
Detection Recommendations: Review the following Windows commands and investigate if each use was legitimate. (Note: this list of commands is not exhaustive.) 68,69,70
- cmd.exe
- 7z.exe
- Powershell.exe
- schtasks
- certutil
- whoami
- rundll32.exe
- wmic
- auditpol
- sc
- net
- netsc
- fsutil
- reg
- nslookup

Tactic: Privilege Escalation [TA0004]
Technique: Domain Policy Modification: Domain Trust Modification [T1484.002]
Threat Actor Activity: The threat actor changed domain federation trust settings using Azure Active Directory (AD) administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate. 71
Detection Recommendations: Monitor for Event ID 307, which can be correlated to relevant Event ID 510 with the same Instance ID for change details. 72 Monitor for PowerShell commands such as: 73
- Update-MSOLFederatedDomain –DomainName: "Federated Domain Name"
- Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain
Look for behavioral artifacts in UnifiedAuditLogs (PowerShell - Exchange Online) to help detect potential SAML abuse.

Tactic: Defense Evasion [TA0005]
Technique: Use Alternate Authentication Material [T1550]
Threat Actor Activity: The threat actor used SAML tokens to impersonate existing cloud users in the cloud environment with full authentication and was able to bypass multi-factor authentication (MFA). 74,75

Tactic: Credential Access [TA0006]
Technique: Forge Web Credentials: SAML Tokens [T1606.002]
Threat Actor Activity: The threat actor created tokens using compromised SAML signing certificates. 76

Tactic: Lateral Movement [TA0008]
Technique: Use Alternate Authentication Material [T1550]
Threat Actor Activity: The threat actor used forged SAML tokens that allowed them to impersonate users and bypass MFA, enabling them to access enterprise cloud applications and services. 77
Detection Recommendations (SAML-related techniques above): Note: prior to October 31, 2020, the UnifiedAuditLogs (PowerShell Exchange Online) showed a UserAuthenticationMethod of 16457 to help detect potential SAML abuse (in conjunction with other indicators such as user behavior and whether the user is part of the domain; guest accounts produce 16457 somewhat frequently depending on how the environment is set up). However, since 16457 was removed, the artifacts will be behavioral.

Tactic: Defense Evasion [TA0005]
Technique: Deobfuscate/Decode Files or Information [T1140]
Threat Actor Activity: The threat actor used 7-Zip to decode their RAINDROP malware. 78
Detection Recommendations: Look for the use of compression utilities such as 7-Zip run from or in unusual locations such as C:\Windows\system32 and others (these utilities may have previously existed on the system or have been installed by the threat actor). 7z.exe creates compressed files (ending in .7z) that may then be securely deleted by the threat actor.

Tactic: Collection [TA0009]
Technique: Archive Collected Data: Archive via Utility [T1560.001]
Threat Actor Activity: The threat actor used 7-Zip to archive collected data of interest for removal from the environment.

Technique: Impair Defenses: Disable Windows Event Logging [T1562.002]
Threat Actor Activity: The threat actor used AUDITPOL to prevent the collection of audit logs. 80
Detection Recommendations: Look for the built-in command auditpol used in the following ways: 81
- auditpol /GET /category:"Detailed Tracking"
- auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable
- [execution of several commands and actions]
- auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable

Technique: Impair Defenses: Disable or Modify System Firewall [T1562.004]
Threat Actor Activity: The threat actor used netsh to configure firewall rules that limited certain User Datagram Protocol (UDP) outbound packets. 82,83
Detection Recommendations: Refer to the following resources for guidance on detecting this:
- CISA Activity Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- Microsoft: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

Technique: Impair Defenses: Disable or Modify Tools [T1562.001]
Threat Actor Activity: The threat actor disabled services associated with security monitoring products by using the service control manager on a remote system. 84
Detection Recommendations: Look for the built-in command sc used in the following ways:
- On the source machine: sc \\[dest machine] stop [service name]
- [perform lateral move Source - Dest]
- On the destination machine: sc \\[source machine] start [service name]

Tactic: Defense Evasion [TA0005]
Technique: Masquerading [T1036]
Threat Actor Activity: The threat actor matched hostnames of its command and control (C2) infrastructure with legitimate hostnames in the victim environment. The actor primarily used IP addresses originating from the same country as the victim for their VPN infrastructure. 85
Detection Recommendations: Geolocate IP addresses and look for "impossible travel." 86 Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.

Tactic: Defense Evasion [TA0005]
Technique: Subvert Trust Controls: Code Signing [T1553.002]
Threat Actor Activity: The threat actor ensured Orion code containing SUNBURST was signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle. 87
Detection Recommendations: N/A

Tactic: Defense Evasion [TA0005]
Technique: Use Alternate Authentication Material: Web Session Cookie [T1550.004]
Threat Actor Activity: The threat actor used a forged duo-sid cookie to bypass MFA set on an email account. 88
Detection Recommendations: MITRE ATT&CK recommends the following: "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations." 89

Tactic: Credential Access [TA0006]; Defense Evasion [TA0005]
Technique: Forge Web Credentials: Web Cookies [T1606.001]
Threat Actor Activity: The threat actor bypassed the MFA set on Outlook on the Web (OWA) accounts by generating a cookie value from a previously stolen secret key. 90
Detection Recommendations: MITRE ATT&CK recommends the following: "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations." 91
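Several rows of table 1 (fsutil, auditpol, sc against a remote host, wmic process creation, Remove-MailboxExportRequest, renamed AdFind, -EncodedCommand, Update-MSOLFederatedDomain and 7z.exe in system32) come down to one thing: command-line parameter monitoring with a rule per documented command. The triage script below is an added example for this page, not CISA's code; the rules are written from the document's text only and are a starting point, and the process-creation records, hostnames and service names are constructed.

```python
"""Triage process-creation command lines for the commands the document
asks defenders to look for (fsutil, auditpol, sc, wmic, Remove-
MailboxExportRequest, renamed AdFind, -EncodedCommand, Update-
MSOLFederatedDomain, 7z.exe in system32). Added example, not CISA's code;
the rules are a starting point written from the document's text only, and
the events, hostnames and service names below are constructed."""
import re

# (rule name, ATT&CK technique cited in the document, pattern over the command line)
RULES = [
    ("fsutil free-space check", "T1082",
     re.compile(r"\bfsutil(\.exe)?\s+volume\s+diskfree\b", re.I)),
    ("auditpol disabling an audit category", "T1562.002",
     re.compile(r"\bauditpol(\.exe)?\s+/set\b.*?/(success|failure):disable", re.I)),
    ("sc stop/start against a remote host", "T1562.001",
     re.compile(r"\bsc(\.exe)?\s+\\\\\S+\s+(stop|start)\s+\S+", re.I)),
    ("wmic remote process creation running rundll32", "T1047",
     re.compile(r"\bwmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create\b.*rundll32", re.I)),
    ("mailbox export request removed", "T1070",
     re.compile(r"Remove-MailboxExportRequest", re.I)),
    ("AdFind-style enumeration (possibly renamed binary)", "T1018",
     re.compile(r"\S+\.exe\s+-h\s+\S+\s+-sc\s+u:\S+", re.I)),
    ("PowerShell encoded command", "T1027",   # -e/-ec/-en/-enc prefixes only; not exhaustive
     re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("federation trust modification cmdlet", "T1484.002",
     re.compile(r"Update-MSOLFederatedDomain", re.I)),
    ("7-Zip run from the system directory", "T1560.001",
     re.compile(r"c:\\windows\\system32\\7z\.exe", re.I)),
]

# Constructed process-creation records (e.g. from Windows event 4688 or Sysmon event 1).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmd": r"fsutil volume diskfree c:"},
    {"host": "DC01", "user": "admin", "cmd": r'auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"host": "SRV02", "user": "admin", "cmd": r"sc \\S\RV03 stop SensorSvc".replace(r"\R", "R")},
    {"host": "SRV02", "user": "admin", "cmd": r'wmic /node:SRV04 process call create "rundll32 c:\windows\temp\cache.dll Start"'},
    {"host": "EXCH01", "user": "admin", "cmd": r'C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-MailboxExportRequest -Mailbox user@organization.here | Remove-MailboxExportRequest -Confirm:$False"'},
    {"host": "WS01", "user": "jdoe", "cmd": r"C:\Windows\Temp\sqlceip.exe -h corp.example -sc u:* > .\\WS01\out.txt"},
    {"host": "WS05", "user": "jdoe", "cmd": r"powershell.exe -nop -enc RwBlAHQALQBEAGEAdABlAA=="},  # encodes Get-Date
    {"host": "WS01", "user": "jdoe", "cmd": r'auditpol /get /category:"Detailed Tracking"'},  # read-only: no hit
    {"host": "WS02", "user": "jdoe", "cmd": r"fsutil fsinfo drives"},                        # no hit
    {"host": "SRV02", "user": "admin", "cmd": r"sc query SensorSvc"},                          # local query: no hit
]


def triage(events):
    """Return one hit per (event, matching rule), in event order."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique, "cmd": ev["cmd"]})
    return hits


def hosts_with_multiple_techniques(hits):
    """Hosts on which two or more distinct techniques fired: review these first."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(t) for host, t in by_host.items() if len(t) >= 2}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:<7} {h['technique']:<10} {h['rule']}: {h['cmd']}")
    print("prioritise:", hosts_with_multiple_techniques(found))
```

The read-only auditpol /GET, the local sc query and the harmless fsutil call are included so the rules demonstrably stay quiet on routine administration.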

Tactic: Credential Access [TA0006]
Technique: Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]
Threat Actor Activity: The threat actor obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names for offline cracking. 92
Detection Recommendations: Log Kerberos TGS service ticket requests by enabling Audit Kerberos Service Ticket Operations. Investigate irregular activity (e.g., accounts making numerous requests, accounts making requests within a short period, accounts triggering Event ID 4769). 93 For more information on detecting kerberoasting, refer to TrustedSec: The Art of Detecting Kerberoast Attacks.

Tactic: Credential Access [TA0006]
Technique: Credentials from Password Stores [T1555]
Threat Actor Activity: The threat actor used compromised account credentials to attempt access to Group Managed Service Account (gMSA) passwords. 94
Detection Recommendations: Monitor processes, system calls, and file read events and look for activity related to password searches (e.g., keyword searches for password, pwd, login, secure, credentials) in the process memory for credentials. Monitor file read events around known password storage applications.

Technique: Unsecured Credentials: Private Keys [T1552.004]
Threat Actor Activity: The threat actor obtained the private encryption key from an Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. 96
Detection Recommendations: MITRE ATT&CK recommends the following: "Monitor access to files and directories related to cryptographic keys and certificates patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication."

Technique: Remote Services: Windows Remote Management [T1021.006]
Threat Actor Activity: The threat actor used WinRM via PowerShell to execute commands and payloads on remote hosts. 98
Detection Recommendations: Monitor WinRM use by tracking service execution. If abnormal WinRM activity (e.g., if WinRM is normally not used or is normally disabled) is observed, this may indicate suspicious behavior. Monitor WinRM processes, actions, and invoked scripts to correlate the activity with other related events. 99

Tactic: Collection [TA0009]
Technique: Data Staged: Remote Data Staging [T1074.002]
Threat Actor Activity: The threat actor staged data and files in password-protected archives on a victim's OWA server. 100
Detection Recommendations: Monitor publicly writeable directories and central locations as well as recycle bins, temp folders, etc., that are commonly used for staging. Look for encrypted or compressed data, which may be a sign of staging. Indicators of data being staged include processes that appear to be reading files from disparate locations and writing them to the same directory or file, especially if they are suspected of performing encryption or compression (such as 7zip, RAR, ZIP, or zlib) on the files. 101 Monitor processes and command-line arguments and look for actions to collect and combine files. Data may be acquired and staged through remote access tools with built-in features that interact directly with the Windows API or through Windows system management tools such as WMI and PowerShell. 102

Tactic: Command and Control [TA0011]
Technique: Ingress Tool Transfer [T1105]
Threat Actor Activity: The threat actor downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to the compromised host following the initial compromise. 103,104
Detection Recommendations: Refer to the following Malware Analysis Reports for IOCs associated with the APT actor's malware. If any IOCs are detected, remove the implant.
- MAR-10318845-1.v1 - SUNBURST
- MAR-10320115-1.v1 - TEARDROP

Tactic: Command and Control [TA0011]
Technique: Dynamic Resolution: Domain Generation Algorithms [T1568.002]
Threat Actor Activity: The threat actor used dynamic Domain Name System (DNS) resolution to construct and resolve to randomly generated subdomains for C2. 105
Detection Recommendations: This is challenging to detect. Look for domain generation algorithms (DGAs) by looking for domains in DNS logging that exhibit a high degree of entropy. For more information, refer to:
- Red Canary: Using Entropy in Threat Hunting: a Mathematical Search for the Unknown
- Active Countermeasures: Real Intelligence Threat Analytics

Tactic: Command and Control [TA0011]
Technique: Proxy: Internal Proxy [T1090.001]
Threat Actor Activity: The threat actor configured at least one instance of Cobalt Strike to use a network pipe over Server Message Block (SMB). 106
Detection Recommendations: Refer to the following Malware Analysis Reports for IOCs associated with the APT actor's malware. If any IOCs are detected, remove the implant.
- MAR-10318845-1.v1 - SUNBURST
- MAR-10320115-1.v1 - TEARDROP
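The DGA row above recommends looking for high-entropy domains in DNS logging. The hunt below is an added example for this page, not CISA's code: it scores the leftmost label of each query by Shannon entropy and then groups hits by client and parent domain, since one host resolving many random-looking labels under one parent is the pattern worth investigating. The log lines are constructed, and the thresholds (label of 12 or more characters, entropy above 3.8 bits per character) are assumptions to tune.

```python
"""Hunt for domain generation algorithm (DGA) traffic in DNS logs by the
entropy of the leftmost label, as the document suggests. Added example,
not CISA's code; the log lines are constructed, the thresholds (12+
character label, entropy above 3.8 bits/char) are assumptions to tune,
and a client repeatedly resolving such labels under one parent domain is
reported as a DGA candidate."""
import math
from collections import Counter

DNS_LOG = """\
2021-03-01T03:10:01 10.0.0.12 www.example.com
2021-03-01T03:10:04 10.0.0.12 autodiscover.example.com
2021-03-01T03:11:09 10.0.0.45 k7q2x9w4m1z8p3v6n0jb.api.constructed-example.net
2021-03-01T03:12:13 10.0.0.45 h5t1y8c3r6e2a9u4o7l0.api.constructed-example.net
2021-03-01T03:13:20 10.0.0.45 x3c7v1b9n5m2q8w4e6r0.api.constructed-example.net
2021-03-01T03:14:02 10.0.0.12 web-proxy-01.example.com
2021-03-01T03:15:30 10.0.0.33 q9w8e7r6t5y4u3i2o1p0.cdn.example.org
"""

MIN_LABEL_LEN = 12
ENTROPY_THRESHOLD = 3.8  # bits per character


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Parse constructed '<timestamp> <client> <qname>' lines into records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append({"time": ts, "client": client, "qname": qname.lower().rstrip(".")})
    return records


def flag_high_entropy(records, min_len=MIN_LABEL_LEN, threshold=ENTROPY_THRESHOLD):
    """Return records whose leftmost label is long and high-entropy."""
    flagged = []
    for r in records:
        label, _, parent = r["qname"].partition(".")
        if len(label) < min_len:
            continue
        h = shannon_entropy(label)
        if h > threshold:
            flagged.append({**r, "label": label, "parent": parent, "entropy": round(h, 3)})
    return flagged


def dga_candidates(flagged, min_labels=2):
    """Group flagged lookups by (client, parent domain); many distinct labels
    under one parent from one client is the DGA pattern worth investigating."""
    groups = {}
    for f in flagged:
        groups.setdefault((f["client"], f["parent"]), set()).add(f["label"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_labels}


if __name__ == "__main__":
    flagged = flag_high_entropy(parse_dns_log(DNS_LOG))
    for f in flagged:
        print(f"{f['time']} {f['client']:<10} {f['qname']} entropy={f['entropy']}")
    for (client, parent), labels in dga_candidates(flagged).items():
        print(f"DGA candidate: {client} -> *.{parent} ({len(labels)} distinct labels)")
```

Content delivery and telemetry services also use random-looking labels, so the single hit under cdn.example.org is reported by entropy but not promoted to a candidate; an allow list of known parents cuts that noise further.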

Data Sources

The below recommendations serve as a starting point for network defende
