State-sponsored actors, better known as the friends you don’t want

MITRE Techniques

• [T1595 ] Active Scanning – Used during reconnaissance when attackers probe for exposed services and map targets, though state-sponsored actors often do this more deeply and quietly. (‘They scan for exposed Remote Desktop Protocol (RDP) and move on’ / ‘mapping an organization’s personnel, technology stack, vendor relationships, and communication patterns’)
• [T1598 ] Phishing for Information – Used in extended reconnaissance and initial access preparation through social engineering and spear phishing. (‘open-source intelligence (OSINT) and social engineering of adjacent organizations’ / ‘they use legitimate credentials obtained through spear phishing’)
• [T1190 ] Exploit Public-Facing Application – Mentioned as a possible zero-day or supply-chain-assisted initial access route that may evade signature-based detection. (‘including zero-days or supply chain vectors that signature-based detection will not identify’)
• [T1078 ] Valid Accounts – Core state-sponsored method for covert access, using legitimate credentials to appear authorized. (‘using trusted tools, holding valid credentials, and performing actions that appear entirely authorized’)
• [T1021 ] Remote Services – Lateral movement and access via trusted administrative tools and remote management systems. (‘use tools already present on the target’s systems, such as PowerShell, WMI, and PsExec’)
• [T1047 ] Windows Management Instrumentation – Used for lateral movement with built-in admin functionality. (‘such as PowerShell, WMI, and PsExec’)
• [T1059.001 ] PowerShell – Used both for administrative-looking activity and for querying Active Directory while blending in. (‘When Active Directory is queried through PowerShell, the security stack registers a routine administrative task’)
• [T1569.002 ] Service Execution – Referenced through PsExec for remote execution and movement. (‘such as PowerShell, WMI, and PsExec’)
• [T1543 ] Create or Modify System Process – Persistence through modified service configurations. (‘scheduled tasks, modified service configurations, dormant accounts, and firmware-level implants’)
• [T1053 ] Scheduled Task/Job – Persistence by creating scheduled tasks that can remain dormant until needed. (‘Think about scheduled tasks, modified service configurations, dormant accounts, and firmware-level implants’)
• [T1098 ] Account Manipulation – Persistence and access maintenance through dormant or abused accounts. (‘dormant accounts’)
• [T1027 ] Obfuscated Files or Information – Anti-forensics and stealth by operating in memory and using encrypted channels to reduce artifacts. (‘operate in memory where possible, and use encrypted channels that leave minimal artifacts’)
• [T1070.001 ] Clear Windows Event Logs – Anti-forensics by clearing event logs to destroy evidence. (‘Advanced actors clear event logs’)
• [T1070.006 ] Timestomp – Anti-forensics by manipulating file timestamps. (‘manipulate file timestamps’)
• [T1055 ] Process Injection – Referenced indirectly through memory-resident activity to avoid disk artifacts. (‘operate in memory where possible’)
• [T1041 ] Exfiltration Over C2 Channel – Data collection and exfiltration blended into normal traffic patterns. (‘exfiltration is structured to blend into normal traffic patterns’)
• [T1071.001 ] Web Protocols – C2 and exfiltration that blend into routine network traffic, including encrypted channels. (‘use encrypted channels that leave minimal artifacts’ / ‘blend into normal traffic patterns’)
• [T1071.004 ] DNS – C2 frameworks relying on DNS for command delivery and exfiltration. (‘Many C2 frameworks rely on DNS for command delivery and exfiltration’)
• [T1003 ] OS Credential Dumping – Pass-the-hash and pass-the-ticket depend on stolen credentials and authentication material. (‘Pass-the-hash and pass-the-ticket attacks use legitimate authentication protocols’)
• [T1550.002 ] Pass the Hash – Explicitly mentioned credential abuse technique that bypasses antivirus. (‘Pass-the-hash…use legitimate authentication protocols and will not trigger antivirus’)
• [T1550.003 ] Pass the Ticket – Explicitly mentioned Kerberos ticket abuse. (‘Pass-the-hash and pass-the-ticket attacks use legitimate authentication protocols’)
• [T1558.003 ] Kerberoasting – Service tickets are requested for offline cracking and may be visible in Kerberos logs. (‘Kerberoasting, where an attacker requests service tickets for offline cracking’)
• [T1210 ] Exploitation of Remote Services – Lateral movement between systems with no operational reason to communicate. (‘lateral movement between systems that have no operational reason to communicate’)
• [T1090 ] Proxy – Legitimate binaries used as proxies for malicious activity. (‘flagging legitimate binaries used as proxies for malicious activity’)
• [T1562.001 ] Disable or Modify Tools – Clearing logs and reducing visibility through anti-forensic activity. (‘sophisticated actors routinely clear local event logs’)
• [T1537 ] Transfer Data to Cloud Account – Mentioned conceptually via exfiltration blended into normal cloud traffic patterns. (‘exfiltration is structured to blend into normal traffic patterns’)
• [T1213 ] Data from Information Repositories – Long-term collection of data from internal systems and infrastructure. (‘If the objective is long-term data collection’)
• [T1587.001 ] Develop Capabilities: Malware – Mentioned in context of custom malware as something state-sponsored actors may avoid in favor of trusted tools. (‘Rather than deploying custom malware’)