Adversary | UNC2452

Updated: Apr 3, 2021
Also Known As

Solorigate | StellarParticle | Dark Halo
Origin

Russia
Target Countries

Argentina | Australia | Austria | Belgium | Bolivia | Bulgaria | Canada | Colombia | Côte d'Ivoire | Denmark | Dominican Republic | France | Germany | Hong Kong | India | Indonesia | Iran | Israel | Italy | Japan | Kenya | Kuwait | Luxembourg | Mexico | Namibia | Netherlands | New Zealand | Pakistan | Peru | Philippines | Qatar | Saudi Arabia | Singapore | South Africa | Spain | Sweden | Switzerland | Thailand | Turkey | Ukraine | United Arab Emirates | United Kingdom | United States | Vietnam

Targeted Verticals

Education

Critical Infrastructure

Financial Services

Government | Military

Telecommunications

Healthcare
MITRE TTPs

Account Discovery

Account Manipulation: Exchange Email Delegate Permissions

Account Manipulation: Additional Cloud Credentials

Application Layer Protocol: Web Protocols

Archive Collected Data: Archive via Utility

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Windows Command Shell

Credentials from Password Stores

Data from Local System

Data Staged: Remote Data Staging

Deobfuscate/Decode Files or Information

Develop Capabilities: Malware

Domain Policy Modification: Domain Trust Modification

Domain Trust Discovery

Dynamic Resolution

Email Collection: Remote Email Collection

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exploit Public-Facing Application

File and Directory Discovery

Forge Web Credentials: Web Cookies

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify Tools

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Timestomp

Ingress Tool Transfer

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Obfuscated Files or Information

OS Credential Dumping: DCSync

Permission Groups Discovery

Process Discovery

Proxy: Internal Proxy

Remote Services: Windows Remote Management

Remote System Discovery

Scheduled Task/Job: Scheduled Task

Signed Binary Proxy Execution: Rundll32

Steal or Forge Kerberos Tickets: Kerberoasting

Subvert Trust Controls: Code Signing

Supply Chain Compromise: Compromise Software Supply Chain

System Information Discovery

Unsecured Credentials: Private Keys

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts

Windows Management Instrumentation