Emulating the Notorious Chinese State-Sponsored Winnti Group

AttackIQ emulates the Winnti group’s latest activities to help security teams validate defenses against a long-standing, state-sponsored adversary. Winnti has conducted espionage and financially motivated operations across technology, healthcare, and pharmaceuticals, with notable campaigns during COVID-19 and high-profile supply chain intrusions.

Keypoints

  • Winnti is a notorious, likely state-supported threat actor operating since at least 2010 with global targets across tech, healthcare, and pharma.
  • During COVID-19, Winnti intensified efforts against healthcare/pharma to steal medical research and vaccine data; the group is linked to multiple supply chain compromises.
  • The group uses multiple backdoors and tools (its own backdoor, ShadowPad, PlugX) and operates in several clusters, complicating attribution and defense.
  • AttackIQ released three new attack graphs—CuckooBees, Harvest, and Sri Lanka campaigns—to help validate security controls against Winnti TTPs.
  • CuckooBees (2022-05) details execution/discovery phases, including VBScript, credential dumping (Mimikatz), and DLL side-loading techniques.
  • Harvest (2021-09) centers on a long-term intrusion using PlugX, PsExec, ProcDump, Mimikatz, BadPotato/RottenPotato, and lateral movement via RDP, with data exfiltration over HTTP.
  • Sri Lanka government campaign (2022-08) involved a DBoxAgent ISO delivered via Google Drive, followed by SerialVlogger, Keyplug, and DLL side-loading with data staged and exfiltrated over HTTPS/HTTP channels.
  • AttackIQ highlights detection and mitigation opportunities, prioritizing techniques such as Scheduled Task, DLL side-loading, Windows Service, and native execution via RunDLL32/Regsvr32, with corresponding mitigations.

MITRE Techniques

  • [T1059.005] Command and Scripting Interpreter – Visual Basic Script: ‘This scenario attempts to execute a Visual Basic Script (VBS) via cs.’
  • [T1016] System Network Configuration Discovery: ‘This scenario executes route, ipconfig, nltest, net or arp commands to obtain the different information available about the network configuration.’
  • [T1082] System Information Discovery: ‘This scenario executes the systeminfo command to collect information about the compromised system.’
  • [T1087.001] Account Discovery: Local Account: ‘This scenario executes the native net user Windows command to get a list of local accounts.’
  • [T1007] System Service Discovery: ‘This scenario executes sc, Get-Service, net start or tasklist /svc to query all running Windows services.’
  • [T1083] File and Directory Discovery: ‘This scenario executes the dir command to discover files and directories.’
  • [T1003.002] OS Credential Dumping: Security Account Manager: ‘Mimikatz is employed to dump credentials from the system.’
  • [T1003] OS Credential Dumping: ‘This scenario utilizes an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.’
  • [T1105] Ingress Tool Transfer: ‘These scenarios download to memory and save to disk in two separate scenarios…’
  • [T1012] Query Registry: ‘This scenario executes reg query to obtain information from the registry.’
  • [T1055.001] Process Injection: Dynamic-link Library Injection: ‘This scenario performs the injection of a Dynamic-link Library (DLL) into a process using CreateRemoteThread and LoadLibrary.’
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading: ‘This scenario leverages a legitimate and trusted executable to load a malicious DLL.’
  • [T1620] Reflective Code Loading: ‘This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process…’
  • [T1218.011] System Binary Proxy Execution: Rundll32: ‘This scenario executes an exported function from a specific DLL using the rundll32.exe Windows utility.’
  • [T1218.010] System Binary Proxy Execution: Regsvr32: the page names RegSvr32 only alongside Rundll32 as a native execution method; no separate scenario description is given.
  • [T1543.003] Windows Service: ‘This scenario creates a new service to achieve persistence within the system.’
  • [T1049] System Network Connections Discovery: ‘net session’ to list the active network sessions.
  • [T1071.004] Application Layer Protocol: DNS: ‘nslookup’ Windows command to resolve a domain via DNS.
  • [T1016.001] Internet Connection Discovery: ‘tracert’ to gather information about network topology.
  • [T1120] Peripheral Device Discovery: ‘fsutil fsinfo drives’ to gather information about attached devices.
  • [T1201] Password Policy Discovery: ‘net accounts’ to obtain password policy details.
  • [T1087.002] Account Discovery: Domain Account: ‘net group’ to list domain administrator accounts.
  • [T1135] Network Share Discovery: ‘net share’ to list network shares.
  • [T1057] Process Discovery: ‘tasklist’ to enumerate running processes.
  • [T1033] System Owner/User Discovery: ‘query user’ and ‘whoami’ to retrieve logged-on user information.
  • [T1124] System Time Discovery: ‘net time’ to identify system time/time zone.
  • [T1021.001] Remote Services: Remote Desktop Protocol: ‘RDP’ for lateral movement.
  • [T1078] Valid Accounts (referenced contextually with credential dumping and lateral movement)
  • [T1074.001] Data Staged: Local Data Staging: ‘automated collection of files and stores them in a specific directory prior to exfiltration.’
  • [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol: ‘exfiltrates a pre-generated text file containing the output from a series of discovery commands… HTTP POST’
  • [T1048] Exfiltration Over Alternative Protocol (parent technique, general note): ‘exfiltration over HTTP to an AttackIQ controlled test server.’
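Taken one at a time, the native discovery commands listed above (ipconfig, net user, net group, tasklist /svc, net share, whoami, and the rest) are routine administrator activity; the detection opportunity is the burst of many distinct techniques from one session in a short window, followed by native proxy execution of a DLL from a user-writable path. The following Python is an added example, not AttackIQ's code or part of the original post: it scores Sysmon Event ID 1 / Security 4688-style process-creation events (the sample events and the field names `ts`, `host`, `user`, `image`, `cmdline` are constructed assumptions) and flags a session that runs five or more distinct discovery techniques within ten minutes, plus any rundll32/regsvr32 invocation whose DLL sits outside System32/SysWOW64 (T1218.011 / T1218.010).

```python
"""Added example (not AttackIQ's code): flag a Winnti-style discovery burst and
suspicious rundll32/regsvr32 proxy execution from process-creation events.
Sample events are constructed; the JSON field names are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to the ATT&CK technique IDs listed on this page.
DISCOVERY_PATTERNS = [
    (r"\b(ipconfig|route|arp|nltest)\b", "T1016"),
    (r"\bsysteminfo\b", "T1082"),
    (r"\bnet\s+user\b", "T1087.001"),
    (r"\bnet\s+group\b", "T1087.002"),
    (r"\b(sc\s+query|net\s+start|tasklist\s+/svc|Get-Service)\b", "T1007"),
    (r"\breg\s+query\b", "T1012"),
    (r"\bnet\s+session\b", "T1049"),
    (r"\bnslookup\b", "T1071.004"),
    (r"\btracert\b", "T1016.001"),
    (r"\bfsutil\s+fsinfo\s+drives\b", "T1120"),
    (r"\bnet\s+accounts\b", "T1201"),
    (r"\bnet\s+share\b", "T1135"),
    (r"\btasklist\b", "T1057"),
    (r"\b(query\s+user|whoami)\b", "T1033"),
    (r"\bnet\s+time\b", "T1124"),
]
SYSTEM_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")
PROXY_BINARIES = {"rundll32.exe": "T1218.011", "regsvr32.exe": "T1218.010"}

# Constructed process-creation events (Sysmon EID 1 / 4688 style), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2024-06-20T09:00:01", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "systeminfo"}
{"ts": "2024-06-20T09:00:20", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ipconfig /all"}
{"ts": "2024-06-20T09:00:45", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "net user"}
{"ts": "2024-06-20T09:01:10", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "net group \"domain admins\" /domain"}
{"ts": "2024-06-20T09:01:30", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "tasklist /svc"}
{"ts": "2024-06-20T09:02:00", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "net share"}
{"ts": "2024-06-20T09:02:15", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "whoami /all"}
{"ts": "2024-06-20T09:05:00", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\update.dll,Start"}
{"ts": "2024-06-20T08:00:00", "host": "WS02", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ipconfig /all"}
{"ts": "2024-06-20T09:30:00", "host": "WS02", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "whoami"}
{"ts": "2024-06-20T10:00:00", "host": "WS02", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\scrrun.dll"}
"""


def classify(cmdline):
    """Return the set of discovery technique IDs matched by one command line."""
    return {tid for pat, tid in DISCOVERY_PATTERNS if re.search(pat, cmdline, re.IGNORECASE)}


def suspicious_proxy_exec(image, cmdline):
    """Return (technique, dll_path) when rundll32/regsvr32 loads a DLL from
    outside System32/SysWOW64, the pattern used for side-loaded or dropped DLLs."""
    name = image.lower().rsplit("\\", 1)[-1]
    if name not in PROXY_BINARIES:
        return None
    m = re.search(r'"?([a-z]:\\[^"\s,]+\.dll)', cmdline, re.IGNORECASE)
    if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
        return PROXY_BINARIES[name], m.group(1)
    return None


def detect(events, window=timedelta(minutes=10), min_distinct=5):
    """Evaluate events in time order. A (host, user) session is a discovery burst
    when >= min_distinct distinct techniques occur within the sliding window."""
    recent = defaultdict(list)  # (host, user) -> [(timestamp, technique set)]
    bursts, proxy_execs = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        ts = datetime.fromisoformat(ev["ts"])
        hit = suspicious_proxy_exec(ev["image"], ev["cmdline"])
        if hit:
            proxy_execs.append(key + hit)
        techs = classify(ev["cmdline"])
        if not techs:
            continue
        recent[key] = [(t, s) for t, s in recent[key] if ts - t <= window]
        recent[key].append((ts, techs))
        seen = set().union(*(s for _, s in recent[key]))
        if len(seen) >= min_distinct:
            bursts.setdefault(key, set()).update(seen)
    return {"discovery_bursts": {k: sorted(v) for k, v in bursts.items()},
            "proxy_execs": proxy_execs}


def run_detection(raw=SAMPLE_EVENTS):
    """Parse JSON-lines events and run the detector over them."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    return detect(events)


if __name__ == "__main__":
    for name, result in run_detection().items():
        print(name, result)
```

The two thresholds are the tuning knobs: lower `min_distinct` or widen `window` and helpdesk staff start to trip it, so baseline per user before alerting. `tasklist /svc` deliberately matches both T1007 and T1057, as it serves both purposes. The proxy-execution check only catches DLLs passed by absolute path; a bare DLL name resolved via the search path (the classic side-loading case from T1574.002) needs the image-load telemetry (Sysmon EID 7) rather than process creation.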

Indicators of Compromise

  • [Domain] drive.google.com – ISO file hosted on Google Drive for the Sri Lanka campaign (context: stage delivery via Google Drive; a legitimate service, so treat it as hunting context rather than a blocklist entry)
  • [URL] https://web.archive.org/web/20230111181611/https:/www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf – Malwarebytes report referenced for Sri Lanka campaign
  • [File] DBoxAgent ISO file – Drop payload component delivered in Sri Lanka campaign
  • [File] Windows Shortcut LNK file – One of the three components dropped by the DBoxAgent ISO

Read more: https://www.attackiq.com/2024/06/20/emulating-winnti/