APT40 Advisory

Overview

Background

This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea's National Intelligence Service (NIIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) – hereafter referred to as the “authoring agencies” – outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

The PRC state-sponsored cyber group has previously targeted organisations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.

The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlaps with the groups tracked as Advanced Persistent Threat (APT) 40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting. This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.^[¹^]

The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organisations were given the necessary time to remediate.

Activity summary

APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilise them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.

Figure 1. TTP Flowchart for APT40 activity

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE 2021 44228), Atlassian Confluence (CVE-2021-31207, CVE-2021- 26084) and Microsoft Exchange (CVE-2021-31207; CVE2021-34523; CVE-2021-34473). ASD's ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells (T1505.003) for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions regardless of the extent of compromise or further actions taken.

Notable tradecraft

Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this tradecraft (T1594).

APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors (T1584.008) for its operations in Australia. This has enabled the authoring agencies to better characterise and track this group's movements.

Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders (T1001.003).

This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat. For additional information, see joint advisories People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices and PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.

APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.

Tooling

ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defence and cyber security communities to better understand the threats they need to defend against.

MD5	Filename (VirusTotal link)	Additional information
26a5a7e71a601be991073c78d513dee3	horizon.jsp	1 kB \| Java Source
87c88f06a7464db2534bc78ec2b915de	Index_jsp$ProxyEndpoint$Attach.class	597 B \| Java Bytecode
6a9bc68c9bc5cefaf1880ae6ffb1d0ca	Index_jsp.class	5 kB \| Java Bytecode
64454645a9a21510226ab29e01e76d39	Index_jsp.java	5 kB \| Java Source
e2175f91ce3da2e8d46b0639e941e13f	Index_jsp$ProxyEndpoint.class	4 kB \| Java Bytecode
9f89f069466b8b5c9bf25c9374a4daf8	Index_jsp$ProxyEndpoint$1.class	3 kB \| Java Bytecode
187d6f2ed2c80f805461d9119a5878ac	Index_jsp$ProxyEndpoint$2.class	1 kB \| Java Bytecode
ed7178cec90ed21644e669378b3a97ec	Nova_jsp.class	7 kB \| Java Bytecode
5bf7560d0a638e34035f85cd3788e258	Nova_jsp$TomcatListenerMemShellFromThread.class	8 kB \| Java Bytecode
e02be0dc614523ddd7a28c9e9d500cff	Nova_jsp.java	15 kB \| Java Source

Case Studies

ASD’s ACSC are sharing two anonymised investigative reports to provide awareness of how the actor employs their tools and tradecraft.

Case study 1

This report has been anonymised to enable wider dissemination. The impacted organisation is hereafter referred to as ‘the organisation’. Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

Executive Summary

This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organisation’s network between July and September 2022. This investigative report was provided to the organisation to summarise observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In mid-August, the ASD’s ACSC notified the organisation of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organisation's consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organisation's network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, ASD’s ACSC analysts successfully mapped the group's activity and created a detailed timeline of observed events.

From July to August, key actor activity observed by the ASD’s ACSC included:

host enumeration, which enables an actor to build their own map of the network;
web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
deployment of other tooling leveraged by the actor for malicious purposes.

The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actor moved laterally through the network (T1021.002). Much of the compromise was facilitated by the group's establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be manipulated to perform arbitrary file upload. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow an actor to regain unauthorised access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, an group's access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organisation was likely deliberately targeted by a state-sponsored cyber actor, as opposed to falling victim opportunistically to a publicly known vulnerability.

Investigation findings

In mid-August 2022, the ASD’s ACSC notified the organisation that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organisation's computer networks between at least July and August. The compromised device probably belonged to a small business or home user.

In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organisation’s network which showed evidence of having been impacted by the compromise.

Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organisation's readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.

In September, after consultation with the ASD’s ACSC, the organisation decided to denylist the IP identified in the initial notification. In October, the organisation commenced remediation.

Details

Beginning in July, an actor was able to test and exploit a custom web application (T1190) running on <webapp>2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials (T1078.002) were used to query the Active Directory (T1018) and exfiltrate data by mounting file shares (T1039) from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server (T1158.003). The group were not observed gaining any additional points of presence in either the DMZ or the internal network.

Visual Timeline

The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organisation’s network.

Initial discovery
Actor testing of a custom web application built for the organisation.
Exploitation
T1190 Exploit Public-Facing Application.
Web application exploitation and web shell creation.
Host enumeration
T1082 System Information Discovery.
Host enumeration and establishing persistence.
First observed logon with use of legitimate credentials.
Malicious interaction
First observed interaction of organisation machine with known state-sponsored infrastructure.
Network reconnaissance
T1021.002 Remote Services: SMB/Windows Admin Shares.
T1135 Network Share Directory.
Network-based reconnaissance and actor activity including: mounting of SMB shares, network-based scanning and enumeration of domains.
Re-establishment of connection
T1090 Proxy.
Actor re-established connection of ssf tool (similar to activity on 28 July among other dates).

Detailed timeline

July: The actor establishes an initial connection to the front page of a custom web application (T1190) built for the organisation (hereafter referred to as the ‘web application’ or ‘webapp’) via a transport layer security (TLS) connection (T1102). No other noteworthy activity was observed.

July: The actors begins enumerating the web application’s website looking for endpoints^[²^] to further investigate.

July: The actors concentrates on attempts to exploit a specific endpoint.

July: The actors is able to successfully POST to the web server, probably via a web shell placed or another page. A second IP, likely employed by the same actor, also begins posting to the same URL. The actor created and tested a number of likely web shells.

The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on <webapp>2-ext.

The ASD's ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.

July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actor logs into the web application using compromised credentials for <firstname.surname>@<organisation domain>.

The actors' activity does not appear to have successfully achieved privilege escalation on <webapp>2-ext. Instead, the actors pivoted to network-based activity.

July: The actor tests the compromised credentials for a service account^[³^] which it likely found hardcoded in internally accessible binaries.

July: The actors deploys the open-source tool Secure Socket Funnelling (SSF), which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor's attack machines into the organisation's internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.

August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.

August: The actors performs significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares^[⁴^] on Windows machines within the DMZ, enabling successful data exfiltration.

This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.

August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.

September: The organisation blocks the malicious IP by blacklisting it on their firewalls.

Actor Tactics and Techniques

The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by US not-for-profit The MITRE Corporation and functions as a common global language around threat actor behaviour.

The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:

Reconnaissance

T1594 – Search Victim-Owned Websites

The actor enumerated the custom web application’s website to identify opportunities for accessing the network.

Initial Access

T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)

T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)

Exploiting internet-exposed custom web applications provided an initial point of access for the actor The actor was later able to use credentials they had compromised to further their access to the network.

Execution

T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)

T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)

Persistence

T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)

Credential Access

T1552.001 – Credentials from Password Stores (regarding password files relating to building management system (BMS))

T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)

Lateral Movement

T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)

Collection

T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)

Exfiltration

T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)

Case study 2

Executive Summary

This report details the findings of ASD’s ACSC investigation into the successful compromise of the organisation’s network in April 2022. This investigation report was provided to the organisation to summarise observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In May 2022, the ASD’s ACSC notified an organisation of suspected malicious activity impacting the organisation’s network since April 2022. Subsequently, the organisation informed the ASD's ACSC that they had discovered malicious software on an internet facing server which provided the login portal for the organisation's corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as 'the compromised appliance'. This report details the investigation findings and remediation advice developed for the organisation in response to the investigation conducted by the ASD’s ACSC.

Evidence indicated that part of the organisation’s network had been compromised by malicious cyber actor(s) via the organisation’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicised around the time of the compromise.

Key actor activity observed by the ASD’s ACSC included:

host enumeration, which enables an actor to build their own map of the network;
exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
exploitation of software vulnerabilities to escalate privileges; and
credential collection to enable lateral movement.

The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organisation, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organisation's internal corporate network using a legitimate user account.

Investigation findings

Investigation summary

The ASD’s ACSC determined that actors compromised appliance(s) which provide remote login sessions for organisation staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organisation shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a ‘single appliance’.

The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:

The collection of several hundred genuine username and password pairs; and
The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.

The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organisation services to achieve persistence and other goals. Other organisation appliances within the hosting provider managed environment did not show evidence of compromise.

Access

The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions (T1021.001).

Location	Compromised appliance hostnames (load-balanced)
Datacentre 1	HOST1, HOST2, HOST3

The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.

There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence, but indicates that the group sought to move laterally in the organisation’s network (TA0008).

Internal Hosts

The ASD’s ACSC investigated limited data from the internal organisation’s network segment. Attempted or successful malicious activity known to have impacted the internal organisation’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server (T1505.001), and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances (TA0011).

Using their access to the compromised appliance, the group collected genuine usernames, passwords (T1003), and MFA token values (T1111). The group also collected JSON Web Tokens (JWTs) (T1528), which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions (T1563.002) and access the internal organisation network segment posing as a legitimate user (T1078).

The actor also used access to the compromised appliance to scrape an SQL server (T1505.001), which resided in the organisation’s internal network. It is likely that the actor had access to this data.

Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilised this device, potentially as a way to pivot into the internal network.

Investigation Timeline

The below list provides a timeline of key activities discovered during the investigation.

Time	Event
April 2022	Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
April 2022	All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts. A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor. The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.
April 2022	HOST2 was shut down by the organisation. Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1 experienced SSH brute force attempts from HOST3. A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor. JWTs were captured (T1528) and output to a file on HOST3. HOST3 was shut down by the organisation. All activity after this time occurs on HOST1.
April 2022	Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
April 2022	Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011). A known malicious IP address interacts with access gateway host HOST7.
May 2022	A known malicious IP address interacted with access gateway host HOST7 (TA0011). An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).
May 2022	A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
May 2022	An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organisation network, which are believed to be legitimate (T1078).
May 2022	An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
May 2022	Additional web shells were created on the HOST1 (T1505.003). On this date, the organisation reported the discovery of a web shell with creation date in April 2022 to the ASD's ACSC.
May 2022	A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
May 2022	The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).

Actor Tactics and Techniques

Highlighted below are several tactics and techniques identified during the investigation.

Initial Access

T1190 Exploit public facing application

The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.

This initial access method is considered the most likely due to the following:

The server was vulnerable to these CVEs at the time;
Attempts to exploit these vulnerabilities from known actor; and
The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.

Execution

T1059.004 Command and Scripting Interpreter: Unix Shell

The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance. Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.

Persistence

T1505.003 Server Software Component: Web Shell

Actors deployed a number of web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells. Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.

Privilege Escalation

T1068 Exploitation for Privilege Escalation

Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actor would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance would have allowed an actor to attain root privileges.

Credential Access

T1056.003 Input Capture: Web Portal Capture

Evidence on the compromised appliance showed that the actor had captured several hundred username password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.

T1111 Multi-Factor Authentication Interception

The actors also captured the value of MFA tokens corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the ‘secret server’ which stores the unique values that provide for the security of MFA tokens.

T1040 Network Sniffing

The actors are believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.

T1539 Steal Web Session Cookie.

As described above, the actors captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.

Discovery

T1046 Network Service Discovery

There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.

Collection

Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials (T1003), MFA token values (T1111), and JWTs described above.

Command and control

T1071.001 Application Layer Protocol: Web Protocols

Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance (T1572).

T1001.003 Data Obfuscation: Protocol Impersonation

Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.

Detection and Mitigation Recommendations

The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarised in Table 1 below.

Detection

Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defence evasion, low-privilege execution and staging for exfiltration.

The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.

Title: World Writable Execution - Temp

ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c

Description: Detect process execution from C:\Windows\Temp.

Background:

This rule looks specifically for execution out of C:\Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows.

Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule.

This means that the rule may miss malicious executions at a higher privilege level but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.

Investigation:

Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

https://www.elastic.co/guide/en/security/current/process-execution-from-an-unusual-directory.html

Author: ASD's ACSC

Date: 2024/06/19

Status: experimental

Tags:

- tlp.green
- classification.au.official
- attack.execution

Log Source:

category: process_creation
product: windows

Detection:

temp:
Image|startswith: 'C:\\Windows\\Temp\\'
common_temp_path:
Image|re|ignorecase: 'C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\'
system_user:
User:
- 'SYSTEM'
- 'NETWORK SERVICE'
dismhost:
Image|endswith: 'dismhost.exe'
known_parent:
ParentImage|endswith:
- '\\esif_uf.exe'
- '\\vmtoolsd.exe'
- '\\cwainstaller.exe'
- '\\trolleyexpress.exe'
condition: temp and not (common_temp_path or system_user or dismhost or known_parent)

False Positives:

Allowlist auditing applications have been observed running executables from Temp.
Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behaviour is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.

Level: low

Title: World Writable Execution - Non-Temp System Subdirectory

ID: 5b187157-e892-4fc9-84fc-aa48aff9f997

Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.

Background:

This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator).

AppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many temporary application files are executed.

After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.

Investigation:

Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

Author: ASD's ACSC

Date: 2024/06/19

Status: experimental

Tags:

- tlp.green
- classification.au.official
- attack.execution

Log Source:

category: process_creation
product: windows

Detection:

writable_path:
Image|contains:
- ':\\$Recycle.Bin\\'
- ':\\AMD\\Temp\\'
- ':\\Intel\\'
- ':\\PerfLogs\\'
- ':\\Windows\\addins\\'
- ':\\Windows\\appcompat\\'
- ':\\Windows\\apppatch\\'
- ':\\Windows\\AppReadiness\\'
- ':\\Windows\\bcastdvr\\'
- ':\\Windows\\Boot\\'
- ':\\Windows\\Branding\\'
- ':\\Windows\\CbsTemp\\'
- ':\\Windows\\Containers\\'
- ':\\Windows\\csc\\'
- ':\\Windows\\Cursors\\'
- ':\\Windows\\debug\\'
- ':\\Windows\\diagnostics\\'
- ':\\Windows\\DigitalLocker\\'
- ':\\Windows\\dot3svc\\'
- ':\\Windows\\en-US\\'
- ':\\Windows\\Fonts\\'
- ':\\Windows\\Globalization\\'
- ':\\Windows\\Help\\'
- ':\\Windows\\IdentityCRL\\'
- ':\\Windows\\IME\\'
- ':\\Windows\\ImmersiveControlPanel\\'
- ':\\Windows\\INF\\'
- ':\\Windows\\intel\\'
- ':\\Windows\\L2Schemas\\'
- ':\\Windows\\LiveKernelReports\\'
- ':\\Windows\\Logs\\'
- ':\\Windows\\media\\'
- ':\\Windows\\Migration\\'
- ':\\Windows\\ModemLogs\\'
- ':\\Windows\\ms\\'
- ':\\Windows\\OCR\\'
- ':\\Windows\\panther\\'
- ':\\Windows\\Performance\\'
- ':\\Windows\\PLA\\'
- ':\\Windows\\PolicyDefinitions\\'
- ':\\Windows\\Prefetch\\'
- ':\\Windows\\PrintDialog\\'
- ':\\Windows\\Provisioning\\'
- ':\\Windows\\Registration\\CRMLog\\'
- ':\\Windows\\RemotePackages\\'
- ':\\Windows\\rescache\\'
- ':\\Windows\\Resources\\'
- ':\\Windows\\SchCache\\'
- ':\\Windows\\schemas\\'
- ':\\Windows\\security\\'
- ':\\Windows\\ServiceState\\'
- ':\\Windows\\servicing\\'
- ':\\Windows\\Setup\\'
- ':\\Windows\\ShellComponents\\'
- ':\\Windows\\ShellExperiences\\'
- ':\\Windows\\SKB\\'
- ':\\Windows\\TAPI\\'
- ':\\Windows\\Tasks\\'
- ':\\Windows\\TextInput\\'
- ':\\Windows\\tracing\\'
- ':\\Windows\\Vss\\'
- ':\\Windows\\WaaS\\'
- ':\\Windows\\Web\\'
- ':\\Windows\\wlansvc\\'
- ':\\Windows\\System32\\Com\\dmp\\'
- ':\\Windows\\System32\\FxsTmp\\'
- ':\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\'
- ':\\Windows\\System32\\Speech\\'
- ':\\Windows\\System32\\spool\\drivers\\color\\'
- ':\\Windows\\System32\\spool\\PRINTERS\\'
- ':\\Windows\\System32\\spool\\SERVERS\\'
- ':\\Windows\\System32\\Tasks_Migrated\\Microsoft\\Windows\\PLA\\System\\'
- ':\\Windows\\System32\\Tasks\\'
- ':\\Windows\\SysWOW64\\Com\\dmp\\'
- ':\\Windows\\SysWOW64\\FxsTmp\\'
- ':\\Windows\\SysWOW64\\Tasks\\'
appdata:
Image|contains: '\\AppData\\'
User: 'SYSTEM'
condition: writable_path and not appdata

False Positives:

Allowlist auditing applications have been observed running executables from these directories.

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.

Level: high

Title: World Writable Execution - Users

ID: 6dda3843-182a-4214-9263-925a80b4c634

Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.

Background:

AppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many temporary application files are executed.

Investigation:

Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

https://www.elastic.co/guide/en/security/current/process-execution-from-an-unusual-directory.html

Author: ASD's ACSC

Date: 2024/06/19

Status: experimental

Tags:

- tlp.green
- classification.au.official
- attack.execution

Log Source:

category: process_creation
product: windows

Detection:

users:
Image|contains:
- ':\\Users\\All Users\\'
- ':\\Users\\Contacts\\'
- ':\\Users\\Default\\'
- ':\\Users\\Public\\'
- ':\\Users\\Searches\\'
appdata:
Image|contains: '\\AppData\\'
User: 'SYSTEM'
condition: users and not appdata

False Positives:

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.

Level: medium

Mitigations

Logging

During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.

ASD’s ACSC recommends reviewing and implementing the guidance on Windows Event Logging and Forwarding including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.

Patch management

Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralised patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.

Most exploits utilised by the actor were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.

Network segmentation

Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organisations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or ‘jump servers’. These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.

Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actor was able to access and extract.

Additional mitigations

The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.

Disable unused or unnecessary network services, ports and protocols.
Use well-tuned Web application firewalls (WAFs) to protect web servers and applications.
Enforce least privilege to limit access to servers, file shares, and other resources.
Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
- Web and cloud-based email
- Collaboration platforms
- Virtual private network connections
- Remote desktop services
Replace end-of-life equipment.
Review custom applications for functionality that can be misused and reduce, remove or disable where possible.

Table 1. Mitigation Strategies/Techniques
TTP	Essential Eight Mitigation Strategies	ISM Controls
Initial Access T1190 Exploitation of Public-Facing Application	Patch applications Patch operating systems Multi-factor authentication Application control	ISM-0140 ISM-1698 ISM-1701 ISM-1921 ISM-1876 ISM-1877 ISM-1905
Execution T1059 Command and Scripting Interpreter	Application control Restrict Microsoft Office macros Restrict administrative privileges	ISM-0140 ISM-1490 ISM-1622 ISM-1623 ISM-1657 ISM-1890
Persistence T1505.003 Server Software Component: Web Shell	Application Control Restrict administrative privileges	ISM-0140 ISM-1246 ISM-1746 ISM-1249 ISM-1250 ISM-1490 ISM-1657 ISM-1871
Initial Access / Privilege Escalation / Persistence T1078 Valid Accounts	Patch operating systems Multi-factor authentication Restrict administrative privileges Application control User application hardening	ISM-0140 ISM-0859 ISM-1546 ISM-1504 ISM-1679

For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.

MITRE ATT&CK – Historical APT40 Tradecraft of Interest

MITRE ATT&CK Tactics and Techniques *>>>> Scroll right for full table*
Reconnaissance (TA0043)	Resource Development (TA0042)		Initial Access (TA0001)	Execution (TA0002)		Persistence (TA0003)		Privilege Escalation (TA0004)		Defence Evasion (TA0005)				Credential Access (TA0006)		Discovery (TA0007)			Lateral Movement (TA0008)	Collection (TA0009)		Exfiltration (TA0010)	Command and Control (TA0011)		Impact (TA0040)
Search Victim-Owned Websites (T1594)	Acquire Infrastructure: Domains (T1583.001)	Acquire Infrastructure (T1583)	Valid Accounts (T1078)	Windows Management Instrumentation (T1047)	Command and Scripting Interpreter: Python {T1059.006)	Valid Accounts (T1078)	Server Software Component: Webshell (T1505.003)	Scheduled Task/Job: At (1053.002)	Create or Modify System Process: Windows Service (T1543.003)	Rootkit (T1014)	ProcessInjection: Process Hollowing (T1055.012)	Indirect Command Execution (T1202)	Impair Defences: Disable or Modify System Firewall (T1562.004)	OS Credential Dumping: LSASS Memory (T1003.001)	Unsecured Credentials: Credentials in Files (T1552.001)	System Service Discovery (T1007)	System Network Connections Discovery (T1049)	System Time Discovery (T1124)	Remote Services: Remote Desktop Protocol (T1021.001)	Data from Local System (T1005)	Archive Collected Data: Archive via Library (T1560.002)	Exfiltration Over C2 Channel (T1041)	Data Obfuscation: Protocol Impersonation (T1001.003)	Web Service: Dead Drop Resolver (T1102.001)	Service Stop (T1489)
Active Scanning: Vulnerability Scanning (T1595.002)	Acquire Infrastructure: DNS Server (T1583.002)	Compromise Accounts (T1586)	Valid Accounts: Default Accounts (T1078.001	Scheduled Task/Job: At (1053.002)	Command and Scripting Interpreter: Javascript/Jscript (1059.007)	Office Application Startup: Office Template Macros (T1137.001)	Create or Modify System Process: Windows Service (T1543.003)	Scheduled Task/Job: Scheduled Task (T1053.005)	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)	Obfuscated Files or Information (T1027)	Indicator Removal: File Deletion (T1070.004)	System Binary Proxy Execution: Mshta (T1218.005)	Hide Artifacts: Hidden Files and Directories (T1564.001)	OS Credential Dumping: NTDS (T1003.003)	Brute Force: Password Guessing (T1110.001)	Application Window Discovery (T1010)	Process Discovery (T1057)	System Owner/User Discovery (T1033)	Remote Services: SMB/Windows Admin Shares (T1021.002)	Data from Network Shared Drive (T1039)	Email Collection: Remote Email Collection (T1114.002)	Exfiltration Over Alternative Protocol (T1048)	Commonly Used Port (T1043)	Web Service: One-way Communication (T1102.003)	System Shutdown/Reboot (T1529)
Search Open Websites/Domains: Search Engines (T1592.002)	Develop Capabilities: Code Signing Certificates (T1587.002)	Compromise Infrastructure (T1584)	Valid Accounts: Domain Accounts (T1078.002)	Scheduled Task/Job: Scheduled Task (T1053.005)	Native API (T1106)	Scheduled Task/Job: At (1053.002)	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)	Process Injection: Thread Execution Hijacking (T1055.003)	Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)	Obfuscated Files or Information: Software Packing (T1027.002)	Indicator Removal: Timestomp (T1070.006)	System Binary Proxy Execution: Regsvr32 (T1218.010)	Hide Artifacts: Hidden Window (T1564.003)	Network Sniffing (T1040)	Forced Authentication (T1187)	Query Registry (T1012)	Permission Groups Discovery: Domain Groups (T1069.002)	Domain Trust Discovery (T1482)	Remote Services: Windows Remote Management (T1021.006)	Input Capture: Keylogging (T1056.001)	Clipboard Data (T1115)	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)	Application Layer Protocol: Web Protocols (T1071.001)	Ingress Tool Transfer (T1105)	Disk Wipe (T1561)
Gather Victim Identity Information: Email Addresses (T1589.002)	Develop Capabilities: Digital Certificates (T1587.003)	Develop Capabilities: Malware (T1587.001)	External Remote Services (T1133)	Command and Scripting Interpreter (T1059)	Inter-Process Communication (T1559)	Scheduled Task/Job: Scheduled Task (T1053.005)	Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)	Process Injection: Process Hollowing (T1055.012)	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001	Obfuscated Files or Information: Steganography (T1027.003)	Indicator Removal: Clear Windows Event Logs (T1070.001)	Subvert Trust Controls: Code Signing (T1553.002)	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)	Credentials from Password Stores: Keychain (T1555.001	Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)	File and Directory Discovery (T1083	System Network Configuration Discovery: Internet Connection Discovery (T1016.001)	Account Discovery: Domain Account (T1087.002)	Remote Services (T1021)	Automated Collection (T1119)	Data from Information Repositories(T1213)	Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)	Application Layer Protocol: File Transfer Protocols (T1071.002)	Proxy: Internal Proxy (T1090.001)	Resource Hijacking (T1496)
Gather Victim Identity Information: Credentials (T1589.001)	Obtain Capabilities: Code Signing Certificates (T1588.003)	Establish Accounts: Cloud Accounts (T1585.003)	Drive-by Compromise (T1189)	Command and Scripting Interpreter: Windows Command Shell (T1059.003)	System Services: Service Execution (T1569.002)	External Remote Services (T1133)	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)	Valid Accounts: Domain Accounts (T1078.002)	Exploitation for Privilege Escalation (T1068)	Obfuscated Files or Information: Compile After Delivery (T1027.004)	Modify Registry (T1112)	File and Directory Permissions Modifications: Linux and Mac File and Directory Permissions Modification (T1222.001)	Hijack Execution Flow: DLL Side-Loading (T1574.002)	Input Capture: Keylogging (T1056.001)	Multi-Factor Authentication Interception (T1111)	Network Service Discovery (T1046)	System Information Discovery (T1082)	Virtualisation/Sandbox Evasion: System Checks (T1497.001)	Use Alternate Material: Pass the Ticket (T1550.003)	Input Capture: Web Portal Capture (T1056.003)	Data Staged: Remote Data Staging (T1074.002)		Proxy: External Proxy (T1090.001)	Non-Standard Port (T1571)
Gather Victim Host Information (T1592)	Compromise Infrastructure: Network Devices (T1584.008)	Obtain Capabilities: Digital Certificates (T1588.004)	Phishing (T1566)	Command and Scripting Interpreter: PowerShell (T1059.001)	Exploitation for Client Execution (T1203)	Scheduled Task/Job: Cron Job (T1053.003)	Hijack Execution Flow: DLL Side-Loading (T1574.002)	Access Token Manipulation: Token Impersonation/Theft (T1134.001)	Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)	Masquerading: Match Legitimate Name or Location (T1036.005)	Deobfuscate/Decode Files or Information (T1140)	Virtualisation/Sandbox Evasion: System Checks (T1497.001)	Web Service (T1102)	Steal Web Session Cookie (T1539)	Steal Application Access Token (T1528)	Remote System Discovery (T1018)	Account Discovery: Local Account (T1087.001)	Software Discovery (T1518)	Lateral Tool Transfer (T1570)	Data Staged: Local Data Staging (T1074.001)	Archive Collected Data (T1560)		Proxy: Multi-hop Proxy (T1090.003)	Protocol Tunnelling (T1572)
Gather Victim Network Information: Domain Properties (T1590.001)			Phishing: Spearphishing Attachment (T1566.001)	Command and Scripting Interpreter: Visual Basic (T1059.005)	User Execution: Malicious File (T1204.002)	Account Manipulation (T1098)	Valid Accounts: Cloud Accounts (T1078.004)	ProcessInjection: Dynamic-link Library Injection (T1055.001)	Valid Accounts: Domain Accounts (T1078.002)	Process Injection: Thread Execution Hijacking (T1055.003)	Impair Defenses (T1562)	Masquerading (T1036)	Masquerading: Masquerade Task or Service (T1036.004)	Exploitation for Credential Access (T1212)	Brute Force: Password Cracking (T1110.002)	Account Discovery: Email Account (T1087.003)	System Information Discovery, Technique T1082 - Enterprise \| MITRE ATT&CK®	Network Share Discovery, Technique T1135 - Enterprise \| MITRE ATT&CK®		Email Collection (T1114)			Web Service: Bidirectional Communication (T1102.002)	Encrypted Channel (T1573
			Spearfishing: Link (T1566:002)	Command and Scripting Interpreter: Unix Shell (T1059.004)	Command and Scripting Interpreter: Apple Script (T1059.002)	Valid Accounts: Domain Accounts (T1078.002)		Valid Accounts: Local Accounts (T1078.003)		Reflective Code Loading (T1620				Input Capture: Web Portal Capture (T1056.003)	OS Credential Dumping: DCSync (T1003.006)								Encrypted Channel: Asymmetric Cryptography (T1573.002)	Ingress Tool Transfer (T1105)
			Exploit Public-Facing Application (T1190)	Scheduled Task/Job: Cron (T1053.003)	Software Deployment Tools(T1072)									Credentials from Password Stores (T1555)	Credentials from Password Stores: Credentials from Web Browsers (T1555.003)								Proxy, Technique T1090 - Enterprise \| MITRE ATT&CK®

Footnotes

US Department of Justice 2021 Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research.
In this context, an endpoint is a function of the web application.
Service accounts are not tied to individual users, but rather to services. In a Microsoft corporate domain, there are various kinds of accounts.
Mounting shares is the process of making files on a file system structure accessible to a user or user group.

PRC MSS tradecraft in action

Content written for

Attachments

Overview

Background

Activity summary

Notable tradecraft

Tooling

Case Studies

Case study 1

Executive Summary

Investigation findings

Details

Visual Timeline

Detailed timeline

Actor Tactics and Techniques

Reconnaissance

Initial Access

Execution

Persistence

Credential Access

Lateral Movement

Collection

Exfiltration

Case study 2

Executive Summary

Investigation findings

Investigation summary

Access

Internal Hosts

Investigation Timeline

Actor Tactics and Techniques

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Discovery

Collection

Command and control

Detection and Mitigation Recommendations

Detection

Mitigations

Logging

Patch management

Network segmentation

Additional mitigations

Disclaimer

MITRE ATT&CK – Historical APT40 Tradecraft of Interest

Footnotes

Thanks for your feedback!

Optional