Adversary | UNC2452

Updated: Apr 3, 2021

Also Known As

Solorigate | StellarParticle | Dark Halo

Target Countries

Argentina | Australia | Austria | Belgium | Bolivia | Bulgaria | Canada | Colombia | Côte d'Ivoire | Denmark | Dominican Republic | France | Germany | Hong Kong | India | Indonesia | Iran | Israel | Italy | Japan | Kenya | Kuwait | Luxembourg | Mexico | Namibia | Netherlands | New Zealand | Pakistan | Peru | Philippines | Qatar | Saudi Arabia | Singapore | South Africa | Spain | Sweden | Switzerland | Thailand | Turkey | Ukraine | United Arab Emirates | United Kingdom | United States | Vietnam

Targeted Verticals

Critical Infrastructure

Financial Services

Government | Military

Account Discovery

Account Manipulation: Exchange Email Delegate Permissions

Account Manipulation: Additional Cloud Credentials

Application Layer Protocol: Web Protocols

Archive Collected Data: Archive via Utility

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Windows Command Shell

Credentials from Password Stores

Data from Local System

Data Staged: Remote Data Staging

Deobfuscate/Decode Files or Information

Develop Capabilities: Malware

Domain Policy Modification: Domain Trust Modification

Domain Trust Discovery

Dynamic Resolution

Email Collection: Remote Email Collection

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exploit Public-Facing Application

File and Directory Discovery

Forge Web Credentials: Web Cookies

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify Tools

Indicator Removal on Host: File Deletion

Ingress Tool Transfer

Masquerade Task or Service

Match Legitimate Name or Location

Obfuscated Files or Information

OS Credential Dumping: DCSync

Permission Groups Discovery

Process Discovery

Proxy: Internal Proxy

Remote Services: Windows Remote Management

Remote System Discovery

Scheduled Task/Job: Scheduled Task

Signed Binary Proxy Execution: Rundll32

Steal or Forge Kerberos Tickets: Kerberoasting

Subvert Trust Controls: Code Signing

Supply Chain Compromise: Compromise Software Supply Chain

System Information Discovery

Unsecured Credentials: Private Keys

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts

Windows Management Instrumentation
