“Exploring the SLOW#TEMPEST Campaign: A Deep Dive into Cobalt Strike and Mimikatz Targeting Chinese Users”

Keypoints

  • The campaign targets Chinese-speaking users with malicious ZIP files distributing Cobalt Strike implants.
  • Initial infection proceeds via a shortcut file inside a ZIP archive, sometimes password-protected.
  • DLL sideloading through a renamed copy of the legitimate Windows binary LicensingUI.exe lets the malicious code run under a trusted-looking process.
  • Privilege escalation and persistence are achieved by modifying the Guest account and creating scheduled tasks and services.
  • BloodHound is deployed for Active Directory reconnaissance to map domain relationships.
  • Credential harvesting uses Mimikatz and sharpdecryptpwd.exe, with lateral movement via RDP and pass-the-hash attempts.
  • Exfiltration and C2 communications leverage obfuscated traffic and tunneling through internal and China-hosted infrastructure.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – ZIP files (sometimes password-protected) distributed via unsolicited emails to deliver the LNK payload. “ZIP files (which were sometimes password-protected) were distributed via unsolicited emails.”
  • [T1078.001] Valid Accounts: Default Accounts – Privilege escalation by manipulating the Guest account to gain admin access. “The Guest account … added to the critical administrative group and assigning it a new password.”
  • [T1560] Archive Collected Data – BloodHound data collected and zipped into BloodHound.zip. “The data collected by BloodHound was then compiled into several .json files … These files were subsequently compressed into a BloodHound.zip archive.”
  • [T1132] Data Encoding – Cobalt Strike beacon uses obfuscated network traffic per Malleable_C2_Instructions. “The beacon uses obfuscated network traffic described by the ‘Malleable_C2_Instructions’ …”
  • [T1003] OS Credential Dumping – Mimikatz used for credential dumping during lateral movement. “Windows credential dumping utility Mimikatz being used from the Cobalt Strike process ‘lld.exe’.”
  • [T1555] Credentials from Password Stores – Sharpdecryptpwd.exe dumps cached credentials from browsers and apps. “sharpdecryptpwd.exe: A command-line based utility that collects and dumps cached credentials…”
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – A malicious dui70.dll is sideloaded by a renamed copy of LicensingUI.exe (UI.exe). “The DLL sideloading … technique involving LicensingUI.exe appears to be unreported.”
  • [T1620] Reflective Code Loading – Shellcode loaded/executed by lld.exe. “shellcode to be executed by lld.exe.”
  • [T1033] System Owner/User Discovery – BloodHound mapping of AD users and computers (domain-wide enumeration of this kind also falls under T1087.002 Domain Account Discovery). “BloodHound … collect data on users, computers, groups…”
  • [T1057] Process Discovery – Listed in the source's technique set; the behaviour quoted for it, injection into runonce.exe, is itself Process Injection (T1055) rather than discovery. “The Cobalt Strike implant is programmed to inject itself into the Windows binary ‘runonce.exe’.”
  • [T1069.002] Permission Groups Discovery: Domain Groups – BloodHound output includes domain group membership. “information on users, computers, groups, organizational units”…
  • [T1082] System Information Discovery – Listed in the source's technique set; the summary quotes no specific command for it.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Listed in the source's technique set; no specific PowerShell command is quoted.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Listed in the source's technique set (the sc create command under T1569.002 below is one cmd.exe-style artifact).
  • [T1059.006] Command and Scripting Interpreter: Python – Listed in the source's technique set; no specific script is quoted.
  • [T1569.002] System Services: Service Execution – Creation of a Windows service (windowsinspectionupdate) to run lld.exe. “sc create ‘windowsinspectionupdate’ …”
  • [T1204.002] User Execution: Malicious File – The user opens the .lnk shortcut inside the ZIP, which launches the payload (a shortcut is a file, not a hyperlink, so T1204.001 Malicious Link does not apply). “a shortcut (.lnk) file contained within a compressed archive (.zip) file.”
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement via RDP to other systems. “a successful RDP connection … to another domain-joined server.”
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Hash-based authentication attempts during lateral movement. “pass the hash as one of the captured users and hash combinations.”
  • [T1053] Scheduled Task/Job – Persistence via a scheduled task (windowsinspectionupdate); the source lists the technique without quoting the creation command.
  • [T1041] Exfiltration Over C2 Channel – Collected data (including the BloodHound.zip archive) leaves over the beacon's C2 channel; listed in the source's technique set.

Indicators of Compromise

  • [IP Address] C2 infrastructure – 123.207.74.22, 49.235.152.72 (further C2 IPs are listed in Appendix A of the source)
  • [Domain] Contacted domains – myip.ipip.net, 360-1305242994.cos.ap-nanjing.myqcloud.com
  • [File Hash] SHA-256 – 8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa86, 3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408
  • [File Name] Delivery and sideloading – Archive.zip (renamed), dui70.dll
  • [File Name] Dropped tooling and artifacts – gogo_windows_amd64.exe, iox.exe, LLD.exe, netspy.exe, PVEFindADUser.exe, fpr.exe, sharpdecryptpwd.exe, tmp.log, sa64.gif
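The behaviours in the MITRE list and the indicators above, turned into a small hunting pass. This is an added example written for this page, not code from Securonix or from the report: the event dictionaries, their field names (loosely modelled on Sysmon and Windows Security/System events) and every sample record are constructed, and the technique labels on each rule follow the mappings in the list above.

```python
# Added hunting example, not code from the Securonix write-up. It applies the
# behaviours and IOCs summarised above to constructed telemetry: event dicts
# loosely mimic Sysmon (EID 1/3/7/11), Security (EID 4732) and System (EID 7045)
# fields, and every sample event below is made up for the example.

C2_IPS = {"123.207.74.22", "49.235.152.72"}
C2_DOMAINS = {"myip.ipip.net", "360-1305242994.cos.ap-nanjing.myqcloud.com"}
SHA256_IOCS = {
    "8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa86",
    "3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408",
}
TOOL_NAMES = {"gogo_windows_amd64.exe", "iox.exe", "lld.exe", "netspy.exe",
              "pvefindaduser.exe", "fpr.exe", "sharpdecryptpwd.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_sideload(ev):
    """Sysmon EID 1: PE OriginalFileName is LicensingUI.exe but the file on disk
    has another name (UI.exe). Sysmon EID 7: dui70.dll resolved outside
    System32/SysWOW64, i.e. a planted copy won the DLL search order."""
    if ev.get("kind") == "process_create":
        if (ev.get("original_file_name", "").lower() == "licensingui.exe"
                and basename(ev["image"]) != "licensingui.exe"):
            return "T1574.001 renamed LicensingUI.exe running as " + ev["image"]
    elif ev.get("kind") == "image_load":
        loaded = ev["loaded"]
        if basename(loaded) == "dui70.dll" and not loaded.lower().startswith(SYSTEM_DIRS):
            return "T1574.001 dui70.dll sideloaded from " + loaded + " by " + ev["image"]
    return None

def rule_service_or_task(ev):
    """System EID 7045 / task creation: the windowsinspectionupdate name, or a
    binary matching one of the listed tool names."""
    if ev.get("kind") not in ("service_install", "task_create"):
        return None
    exe = basename(ev["image_path"].split()[0].strip('"'))
    if ev["name"].lower() == "windowsinspectionupdate" or exe in TOOL_NAMES:
        tech = "T1569.002" if ev["kind"] == "service_install" else "T1053"
        return tech + " suspicious " + ev["kind"] + " " + ev["name"] + " -> " + ev["image_path"]
    return None

def rule_guest_admin(ev):
    """Security EID 4732: Guest added to the local Administrators group."""
    if ev.get("kind") != "group_member_added":
        return None
    if ev["member"].lower().endswith("\\guest") and ev["group"].lower() == "administrators":
        return "T1078.001 Guest added to Administrators on " + ev["host"]
    return None

def rule_c2_contact(ev):
    """Sysmon EID 3 / proxy log: connection to a listed C2 IP or domain."""
    if ev.get("kind") != "network":
        return None
    dst_ip, dst_host = ev.get("dst_ip", ""), ev.get("dst_host", "").lower()
    if dst_ip in C2_IPS or dst_host in C2_DOMAINS:
        return "C2 IOC contact " + (dst_host or dst_ip) + " by " + ev["image"]
    return None

def rule_dropped_tool(ev):
    """File write (Sysmon EID 11 path; hash where the sensor records one)."""
    if ev.get("kind") != "file_create":
        return None
    if ev.get("sha256", "").lower() in SHA256_IOCS or basename(ev["path"]) in TOOL_NAMES:
        return "IOC file written: " + ev["path"]
    return None

RULES = (rule_sideload, rule_service_or_task, rule_guest_admin, rule_c2_contact,
         rule_dropped_tool)

def hunt(events):
    """Run every rule over every event; return the hit messages in order."""
    return [msg for ev in events for rule in RULES if (msg := rule(ev))]

# Constructed sample telemetry: campaign-like records mixed with benign ones
TMP = "C:\\Users\\v\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": TMP + "UI.exe", "original_file_name": "LicensingUI.exe"},
    {"kind": "image_load", "image": TMP + "UI.exe", "loaded": TMP + "dui70.dll"},
    {"kind": "image_load", "image": "C:\\Windows\\System32\\LicensingUI.exe",
     "loaded": "C:\\Windows\\System32\\dui70.dll"},  # benign: real DLL location
    {"kind": "service_install", "name": "windowsinspectionupdate", "image_path": "C:\\ProgramData\\lld.exe"},
    {"kind": "group_member_added", "host": "WS01", "member": "WS01\\Guest", "group": "Administrators"},
    {"kind": "group_member_added", "host": "WS01", "member": "WS01\\alice",
     "group": "Remote Desktop Users"},  # benign
    {"kind": "network", "image": "C:\\Windows\\System32\\runonce.exe", "dst_ip": "123.207.74.22", "dst_host": ""},
    {"kind": "network", "image": "C:\\Program Files\\browser.exe", "dst_ip": "203.0.113.10",
     "dst_host": "www.example.com"},  # benign
    {"kind": "file_create", "path": "C:\\ProgramData\\sharpdecryptpwd.exe", "sha256": ""},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints six hits and stays silent on the three benign records. Against real telemetry the event source would be a Sysmon or EDR export mapped onto the same keys; note that the renamed-LicensingUI.exe check only works if the sensor records the PE OriginalFileName, and that the dui70.dll rule deliberately keys on load location rather than file name alone, since the genuine DLL lives in System32.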

Read more: https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/