Emulating the Politically Motivated North Korean Adversary Andariel: Part 2

Cisco Talos highlighted Andariel, a North Korean state-sponsored group linked to Lazarus, leveraging Log4Shell and introducing new DLang-based malware including NineRAT to target vulnerable public infrastructure. AttackIQ released an attack graph to emulate Andariel’s techniques for security validation and improvement of defenses. #Andariel #Lazarus #NineRAT #HazyLoad #Log4Shell #CVE-2021-44228 #Telegram #AttackIQ

Keypoints

  • Andariel is a North Korean state-sponsored group, associated with the Lazarus group.
  • Three new DLang-based malware families were observed in the activity.
  • Operation Blacksmith exploited CVE-2021-44228 (Log4Shell) and deployed NineRAT with Telegram as C2.
  • NineRAT uses Telegram for C2 and is part of a broader set of tools including HazyLoad.
  • Primary targets include manufacturing, agricultural, and physical security companies.
  • Initial recon focuses on system information and user accounts, with credential access via Mimikatz and LSASS dumping, and persistence through new Windows services.

MITRE Techniques

  • [T1082] System Information Discovery – ‘Executes the native systeminfo command to retrieve Windows system information.’
  • [T1033] System Owner/User Discovery – ‘Executes the native whoami command to receive details of the running user account.’
  • [T1087] Account Discovery – ‘Uses the native net user command to enumerate available accounts on the system.’
  • [T1057] Process Discovery – ‘Uses the tasklist command to discover running processes.’
  • [T1083] File and Directory Discovery – ‘Uses the native dir command to find files of interest.’
  • [T1654] Log Enumeration – ‘Searches the Windows Event Log for RDP Session Reconnection Information.’
  • [T1049] System Network Connections Discovery – ‘Uses netstat to collect active connections and listening services.’
  • [T1012] Query Registry – ‘Queries the WDigest registry key to enable authentication.’
  • [T1562] Impair Defenses – ‘Modifies registry keys to enable WDigest authentication.’
  • [T1105] Ingress Tool Transfer – ‘Downloads additional malware stages to test network and endpoint controls.’
  • [T1136.001] Create Account: Local Account – ‘Creates a new account named krtbgt using the net user command.’
  • [T1098] Account Manipulation – ‘Adds a local user to the local Administrators group.’
  • [T1003] OS Credential Dumping – ‘Uses Mimikatz to dump passwords and hashes for Windows accounts.’
  • [T1003.001] OS Credential Dumping: LSASS Memory – ‘Dumps LSASS memory to disk to extract credential information.’
  • [T1543.003] Windows Service – ‘Creates a new service named Aarsvc_XXXXXX for persistence.’
  • [T1518.001] Security Software Discovery – ‘Determines installed security software via WMIC.’
  • [T1016] System Network Configuration Discovery – ‘Collects network configuration using ipconfig /all.’
  • [T1018] Remote System Discovery – ‘Gathers additional hosts available in the domain.’
  • [T1047] Windows Management Instrumentation (WMI) – ‘This scenario uses WMIC os get osarchitecture to discover the current operating system architecture.’
  • [T1082] System Information Discovery – Uses the ver command to discover the Windows version.
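As an added example (not AttackIQ's attack graph or Talos's code), the following Python detector runs rules for the persistence and defense-evasion steps listed above over constructed process-creation command lines; the WDigest registry value, the krtbgt account and the Aarsvc_ service prefix come from the page, while the sample lines and the regex patterns are assumptions.

```python
import re

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the behaviours in the technique list above.
SAMPLE_COMMAND_LINES = [
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    r'net user krtbgt P@ss /add',
    r'net localgroup administrators krtbgt /add',
    r'sc create Aarsvc_4F2A1C binPath= "C:\Windows\Temp\svc.exe" start= auto',
    r'ipconfig /all',
    r'reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest',
]

# (technique id, description, compiled pattern); patterns are assumptions,
# case-insensitive, and match the page's named artefacts.
RULES = [
    ("T1562", "WDigest UseLogonCredential set to 1",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\WDigest\b.*\bUseLogonCredential\b.*\s/d\s+0*1\b", re.I)),
    ("T1136.001", "Local account krtbgt created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+krtbgt\b.*\s/add\b", re.I)),
    ("T1098", "Local user added to Administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("T1543.003", "Service with Aarsvc_ prefix created",
     re.compile(r"\bsc(\.exe)?\s+create\s+Aarsvc_[0-9A-Za-z]{6}\b", re.I)),
    ("T1012", "WDigest registry key queried",
     re.compile(r"reg(\.exe)?\s+query\s+.*\\WDigest\b", re.I)),
]


def classify(command_line):
    """Return the technique ids whose pattern matches this command line."""
    return [tid for tid, _, pat in RULES if pat.search(command_line)]


def scan(command_lines):
    """Map each matching command line to its technique ids; benign lines are omitted."""
    hits = {}
    for line in command_lines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, techniques in scan(SAMPLE_COMMAND_LINES).items():
        print(", ".join(techniques), "->", line)
```

The service rule matches any six-character suffix after Aarsvc_, since the page gives the name only as Aarsvc_XXXXXX.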

Indicators of Compromise

  • [Domain] Telegram – Telegram used as C2 channel for NineRAT deployment and control.
  • [Local Account] krtbgt – Local account created and added to Administrators group.
  • [Windows Service] Aarsvc_XXXXXX – New persistence service created via sc.
  • [Registry Value] HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential – Registry modification to enable WDigest authentication.
  • [Registry Key] HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest – WDigest authentication enabling registry reference.
  • [Malware/Tool] NineRAT – DLang-based RAT deployed post-credential dumping.
  • [Malware/Tool] HazyLoad – Proxy tool used in operation.
  • [Tool] Mimikatz – Dumping credentials and hashes from Windows accounts.

Read more: https://www.attackiq.com/2024/07/31/emulating-andariel/