Simulating Advanced Persistent Threat Group Activity

Advanced Persistent Threat (APT) groups are well-resourced adversaries that combine multiple attack vectors with stealth to avoid detection. APT groups typically compromise target systems and maintain control over them for long periods of time. Organizations that may be targeted by APT groups should regularly audit and harden their systems to mitigate the risk of these attacks. This blog post outlines some of the techniques that can be used to simulate APT group activity.

APT Operations Lifecycle – Common Activity

Advanced Persistent Threat (APT) attacks happen when an organization decides that you specifically have something it wants and is willing to invest the resources and time to get it. The organized nature of APT groups is what makes them advanced: their operations start with a plan, objectives are defined, and a series of well-rehearsed, coordinated procedures is put into motion.

These targeted operations can be dissected into a series of phases. Some phases, such as preparation and gaining the initial entry point, are prerequisites for everything that follows. Other parts of the operation may be parallelized and divided among the available cells for efficiency.

[Figure: APT Life Cycle]

Tools to Simulate APT Attacks

Simulating APT attacks is a useful way to assess how effective the security controls currently in place are. Generating digital artifacts similar to those of an APT attack on your network helps determine whether your network security monitoring can actually detect them. Although APT activity can be generated manually, there are a few automated tools that can be used to simulate these attacks:

  • APTSimulator – A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised
  • CALDERA – The automated adversary emulation system
  • Infection Monkey – An automated penetration testing tool
  • Flightsim – A utility to generate malicious network traffic and evaluate controls

The remainder of this blog post details common APT activity that can be recreated to simulate an attack; the items below largely mirror the test cases that APTSimulator runs.

Gaining Elevated Credential Access

When adversaries gain access to a target machine, one of the first things they do is harvest credentials so they can elevate their access. A few techniques are commonly used, and therefore commonly simulated, to obtain elevated credentials:

  • Dump LSASS process memory to a suspicious folder
  • Run Invoke-Mimikatz in memory
  • Dump mimikatz output to the working directory
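The detection side of the three simulations above, as an added example that is not code from the original post or from any of the tools it names: the checks run over constructed Sysmon-style ProcessAccess records (Event ID 10, with Sysmon's SourceImage/TargetImage/GrantedAccess field names) and a PowerShell script-block record (Event ID 4104), reduced to dicts so they run offline. The allowlisted paths and the sample events are assumptions for illustration and should be tuned to your own estate.

```python
"""Credential-access checks over constructed Windows telemetry (added example)."""
import ntpath

# Access masks typical of LSASS memory reads: 0x1010 is PROCESS_VM_READ |
# PROCESS_QUERY_LIMITED_INFORMATION (mimikatz sekurlsa), 0x1FFFFF is
# PROCESS_ALL_ACCESS (procdump, comsvcs.dll MiniDump).
PROCESS_VM_READ = 0x10
KNOWN_DUMP_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately open LSASS on a typical host (assumed allowlist;
# an attacker masquerading under one of these paths needs a separate check).
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Strings an in-memory Invoke-Mimikatz run leaves in script-block logs.
MIMIKATZ_MARKERS = ("invoke-mimikatz", "sekurlsa::", "lsadump::",
                    "privilege::debug", "-dumpcreds")


def lsass_access_alerts(events):
    """Event ID 10: a non-allowlisted process opens lsass.exe with a mask that
    permits reading its memory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if ntpath.basename(ev["TargetImage"].lower()) != "lsass.exe":
            continue
        source = ev["SourceImage"].lower()
        if source in LSASS_ACCESS_ALLOWLIST:
            continue
        mask = int(ev["GrantedAccess"], 16)  # Sysmon logs it as a hex string
        if mask in KNOWN_DUMP_MASKS or mask & PROCESS_VM_READ:
            alerts.append(f"LSASS opened by {ev['SourceImage']} with {ev['GrantedAccess']}")
    return alerts


def script_block_alerts(events):
    """Event ID 4104: Invoke-Mimikatz run in memory never touches disk, so the
    decoded script block is often the only host artifact."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev["ScriptBlockText"].lower()
        hits = [m for m in MIMIKATZ_MARKERS if m in text]
        if hits:
            alerts.append(f"PowerShell script block contains {hits}")
    return alerts


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -DumpCreds"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
]

if __name__ == "__main__":
    for line in lsass_access_alerts(SAMPLE_EVENTS) + script_block_alerts(SAMPLE_EVENTS):
        print(line)
```

The taskmgr.exe record is there on purpose: it opens LSASS with 0x1000 (query only), which carries no memory-read right, so the mask check rather than the allowlist keeps it quiet. The simulation's third item, the dumped mimikatz output file, is deliberately not matched on file name, since the attacker picks the name; catch it at the LSASS access or the script block instead.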

Remaining Hidden – Evading Security Defenses

Threat groups constantly adapt their techniques to avoid security defenses. Some tactics that have been highly successful in the past include:

  • Activate the Guest account and add it to the local Administrators group
  • Drop a suspicious executable with a system file name (such as svchost.exe) in the %PUBLIC% folder
  • Add malware network entries to the local hosts file
  • Run obfuscated JavaScript code with wscript.exe and start a decoded bind shell
  • Download a cloaked RAR file with malicious content
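What each of these evasion artifacts looks like to a monitoring stack, as an added example (not code from the original post or the tools it lists). The process records use Sysmon Event ID 1 field names, the account records use Security log 4722/4732 field names, and the hosts file text and RAR bytes are hand-built; the sinkholed domain and the SIDs are assumptions.

```python
"""Defense-evasion checks over constructed Windows telemetry (added example)."""
import ntpath

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
GUEST_RID = "-501"  # the built-in Guest account always has RID 501


def masquerading_alerts(events):
    """Event ID 1: a process carrying a core system binary's name but running
    from outside System32/SysWOW64 (for example %PUBLIC%\\svchost.exe)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev["Image"].lower()
        if ntpath.basename(image) in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
            alerts.append(f"masquerade: {ev['Image']}")
    return alerts


def guest_account_alerts(events):
    """Security log: 4722 enables the Guest account, 4732 adds it to a local
    group; matching on the RID survives a renamed account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4722 and ev["TargetSid"].endswith(GUEST_RID):
            alerts.append("Guest account enabled")
        elif (ev.get("EventID") == 4732 and ev["MemberSid"].endswith(GUEST_RID)
              and ev["TargetUserName"].lower() == "administrators"):
            alerts.append("Guest added to local Administrators")
    return alerts


def script_host_shell_alerts(events):
    """Event ID 1: wscript/cscript spawning a shell, the footprint left when
    obfuscated JavaScript decodes and launches a bind shell."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "").lower())
        child = ntpath.basename(ev["Image"].lower())
        if parent in SCRIPT_HOSTS and child in SHELLS:
            alerts.append(f"{parent} -> {child}: {ev['CommandLine']}")
    return alerts


def hosts_file_entries(text):
    """Every active mapping in a hosts file. The Windows default contains only
    comments, so any live line (a sinkholed update domain, a pinned C2 name)
    deserves review."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def is_cloaked_rar(filename, data):
    """True when the content carries a RAR signature but the name does not say so."""
    return data.startswith(RAR_SIGNATURES) and not filename.lower().endswith(".rar")


# Constructed sample telemetry and files, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Users\Public\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden"},
    {"EventID": 4722, "TargetUserName": "Guest", "TargetSid": "S-1-5-21-1111-2222-3333-501"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-501"},
]
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# 127.0.0.1 localhost\n"
    "127.0.0.1 update.security-vendor.invalid\n"
)
SAMPLE_RAR = RAR_SIGNATURES[1] + b"\x00" * 16
```

The masquerade check compares the full directory, not just the file name, because the legitimate svchost.exe in the sample passes through untouched while the %PUBLIC% copy does not; the same idea catches the RAR: the magic bytes, not the extension, decide what the file is.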

Establishing Persistent Network Access

After the initial intrusion has taken place and the attackers have elevated their privileges, they will attempt to establish persistence that lets them keep coming back to the infected machines. There are many different ways to achieve persistence; some of them are:

  • Create a scheduled task that runs mimikatz and dumps the output to a file
  • Create a scheduled task via XML file using Invoke-SchtasksBackdoor.ps1
  • Enable the sticky keys backdoor by replacing sethc.exe with cmd.exe
  • Create a standard web root directory with a GIF obfuscated web shell
  • Use WMIBackdoor to kill local process explorer instances when they start
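Checks that catch each of the five persistence mechanisms above, as an added example that is not code from the original post, APTSimulator, or the TrustedSec and WMIBackdoor tooling it mentions. Records use Sysmon field names (Event ID 1 process creation, 11 file create, 13 registry value set, 20/21 WMI consumer and binding); the IIS web root, the task names and the sample command lines are assumptions.

```python
"""Persistence checks over constructed Windows telemetry (added example)."""
import ntpath
import re

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe"}
SERVICING_WRITERS = {"trustedinstaller.exe", "tiworker.exe"}  # legitimate updaters of System32
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TASK_BAD_TOKENS = ("mimikatz", "sekurlsa", "-enc ", "-encodedcommand", "downloadstring", "invoke-")
WEB_ROOT = "c:\\inetpub\\wwwroot\\"  # assumed IIS default; adjust for other servers
SUSPICIOUS_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def _tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def scheduled_task_alerts(events):
    """Event ID 1: schtasks /create whose /tr action or /xml definition references
    credential tooling, encoded PowerShell, or a user-writable path."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1 or ntpath.basename(ev["Image"].lower()) != "schtasks.exe":
            continue
        low = [t.lower() for t in _tokens(ev["CommandLine"])]
        if "/create" not in low:
            continue
        for flag in ("/tr", "/xml"):
            if flag in low and low.index(flag) + 1 < len(low):
                value = low[low.index(flag) + 1]
                if value.startswith(USER_WRITABLE) or any(t in value for t in TASK_BAD_TOKENS):
                    alerts.append(f"schtasks {flag} {value}")
    return alerts


def accessibility_backdoor_alerts(events):
    """Event ID 11: an accessibility binary in System32 rewritten by anything
    other than Windows servicing; Event ID 13: an IFEO Debugger set for one.
    Either gives a SYSTEM shell from the logon screen."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev["TargetFilename"].lower()
            writer = ntpath.basename(ev["Image"].lower())
            if (ntpath.basename(target) in ACCESSIBILITY_BINARIES
                    and "\\system32\\" in target and writer not in SERVICING_WRITERS):
                alerts.append(f"{ev['Image']} wrote {ev['TargetFilename']}")
        elif ev.get("EventID") == 13:
            key = ev["TargetObject"].lower()
            if ("image file execution options" in key and key.endswith("\\debugger")
                    and any(b in key for b in ACCESSIBILITY_BINARIES)):
                alerts.append(f"IFEO debugger: {ev['TargetObject']} = {ev['Details']}")
    return alerts


def is_gif_webshell(path, data):
    """A file under the web root that starts with a GIF header yet carries
    server-side script, so it passes an image check and still executes."""
    under_root = path.lower().replace("/", "\\").startswith(WEB_ROOT)
    looks_gif = data[:6] in (b"GIF87a", b"GIF89a")
    has_code = any(m in data for m in (b"<?php", b"<%", b"<script runat"))
    return under_root and looks_gif and has_code


def wmi_subscription_alerts(events):
    """Sysmon 20/21: a command-line or script consumer and the binding that
    wires it to an event filter (field names as Sysmon logs them)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 20 and ev["Type"] in SUSPICIOUS_CONSUMERS:
            alerts.append(f"WMI consumer {ev['Name']} ({ev['Type']}): {ev['Destination']}")
        elif ev.get("EventID") == 21:
            alerts.append(f"WMI binding {ev['Consumer']} <- {ev['Filter']}")
    return alerts


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\Public\mimikatz.exe sekurlsa::logonpasswords exit" /sc minute /mo 30'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Sync /xml C:\Users\Public\task.xml"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe", "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 13, "Details": "cmd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"EventID": 20, "Name": "Updater", "Type": "CommandLineEventConsumer", "Destination": "powershell -nop -w hidden"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="ProcStart"'},
]
SAMPLE_SHELL = b"GIF89a" + b"\x00" * 10 + b'<?php system($_GET["c"]); ?>'
```

The /xml variant matters because the task definition lives in the file, not on the command line, so the only thing the process record gives you is where that file came from; flagging a user-writable source path is the cheap check, and reading the XML's Exec/Command element is the thorough one. The sethc.exe check also covers the IFEO Debugger route, which achieves the same backdoor without touching the binary at all.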

Command and Control Communication

Advanced persistent threat groups use some type of infrastructure for communicating with and accessing the targeted network. Some techniques to recreate this activity are:

  • Drop a PowerShell Ncat shell to the working directory and connect it to a well-known attacker domain
  • Look up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache
  • Use WMIBackdoor to contact a C2 server at regular intervals
  • Use curl to access well-known C2 servers
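Three network-side checks for the C2 simulations above, as an added example that is not code from the original post or from the tools it names: a DNS watchlist match (Sysmon Event ID 22, the trace left by the lookups even when nothing connects), egress by tooling such as curl and Ncat (Event ID 3), and a periodicity check that spots the interval-based WMIBackdoor check-ins. The watchlist names, the 203.0.113.0/24 documentation addresses and the timestamps are constructed; load real indicators from your own feed.

```python
"""Command-and-control checks over constructed Windows telemetry (added example)."""
import ipaddress
import ntpath
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator names for the example; a real deployment loads a feed here.
C2_WATCHLIST = {"c2.example.invalid", "beacon.example.invalid"}
# Binaries that have no business talking to the internet from a workstation.
EGRESS_TOOLING = {"curl.exe", "ncat.exe", "nc.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}
# Explicit internal ranges: ipaddress.is_private also covers documentation space
# such as 203.0.113.0/24, which the sample uses to stand in for the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def dns_watchlist_alerts(events):
    """Event ID 22: a query for a watchlisted name."""
    return [f"{ev['Image']} resolved {ev['QueryName']}" for ev in events
            if ev.get("EventID") == 22 and ev["QueryName"].lower() in C2_WATCHLIST]


def tooling_egress_alerts(events):
    """Event ID 3: curl, ncat or PowerShell connecting outside the internal ranges."""
    return [f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}" for ev in events
            if ev.get("EventID") == 3
            and ntpath.basename(ev["Image"].lower()) in EGRESS_TOOLING
            and is_external(ev["DestinationIp"])]


def beacon_alerts(events, min_hits=4, max_jitter=0.1):
    """Event ID 3: the same process reaching the same address at near-constant
    intervals, the signature of a backdoor that checks in on a timer. Jitter is
    the standard deviation of the gaps relative to their mean."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            buckets[(ev["Image"], ev["DestinationIp"])].append(
                datetime.strptime(ev["UtcTime"], TIME_FMT))
    alerts = []
    for (image, dest), times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            alerts.append(f"{image} -> {dest} every ~{period:.0f}s ({len(times)} hits)")
    return alerts


def _conn(image, dest, port, when):
    return {"EventID": 3, "Image": image, "DestinationIp": dest,
            "DestinationPort": port, "UtcTime": when}


# Constructed sample telemetry, not captured from a real host.
SCRCONS = r"C:\Windows\System32\wbem\scrcons.exe"  # hosts WMI ActiveScript consumers
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\nslookup.exe", "QueryName": "c2.example.invalid"},
    {"EventID": 22, "Image": SVCHOST, "QueryName": "www.example.com"},
    _conn(r"C:\Windows\System32\curl.exe", "203.0.113.10", 443, "2024-03-01 10:00:05.000"),
    _conn(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "10.0.0.5", 445,
          "2024-03-01 10:00:09.000"),
    # Ordinary update traffic: four hits at irregular spacing, rejected by the jitter test.
    _conn(SVCHOST, "203.0.113.20", 443, "2024-03-01 10:00:00.000"),
    _conn(SVCHOST, "203.0.113.20", 443, "2024-03-01 10:00:03.000"),
    _conn(SVCHOST, "203.0.113.20", 443, "2024-03-01 10:07:41.000"),
    _conn(SVCHOST, "203.0.113.20", 443, "2024-03-01 10:12:02.000"),
] + [_conn(SCRCONS, "203.0.113.10", 443, f"2024-03-01 10:{m:02d}:00.000") for m in (1, 2, 3, 4, 5)]
```

The beacon check is the one worth keeping after the exercise: a real implant adds random jitter to its sleep, so raise max_jitter (0.2 to 0.3 is common) and lengthen the observation window before trusting it on production traffic, and expect the svchost-style irregular pattern to be the bulk of what it discards.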

Discovering New Targets on the Local Network

Finally, once APT groups have compromised a machine, elevated their privileges and established persistent access, they will start looking for the next machine to compromise on the target network. Activity that can be recreated for this phase includes:

  • Scan private class C (/24) subnets using nbtscan and dump the output to the working directory
  • Execute the commands attackers typically use to gather information about a target system (for example whoami, ipconfig /all, net user and systeminfo)
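The two discovery items above turned into checks, as an added example that is not code from the original post: a subnet-sweep detector that triggers on nbtscan or on any command line handed a /24 or larger range, and a burst detector that counts distinct reconnaissance commands per host inside a sliding window, since any single whoami is routine and the cluster is the tell. Records use Sysmon Event ID 1 field names; the host names, timestamps and thresholds are assumptions.

```python
"""Discovery checks over constructed Windows telemetry (added example)."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout
RECON_BINARIES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "nltest.exe", "tasklist.exe",
                  "qwinsta.exe", "arp.exe", "route.exe", "netstat.exe", "hostname.exe", "nbtstat.exe"}
NET_SUBCOMMANDS = ("user", "group", "localgroup", "view", "share", "session")
CIDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def subnet_scan_alerts(events, max_prefix=24):
    """Event ID 1: nbtscan, or anything else handed a whole /24 or larger range."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        name = ntpath.basename(ev["Image"].lower())
        m = CIDR.search(ev["CommandLine"])
        if name == "nbtscan.exe" or (m and int(m.group(2)) <= max_prefix):
            alerts.append(f"{ev['Computer']}: {ev['CommandLine']}")
    return alerts


def _recon_kind(ev):
    """Classify a process-creation event as one kind of reconnaissance, or None."""
    name = ntpath.basename(ev["Image"].lower())
    if name in RECON_BINARIES:
        return name
    if name in ("net.exe", "net1.exe"):
        parts = ev["CommandLine"].lower().split()
        if len(parts) > 1 and parts[1] in NET_SUBCOMMANDS:
            return f"net {parts[1]}"
    return None


def recon_burst_alerts(events, window_s=300, threshold=4):
    """Event ID 1: several distinct recon commands on one host inside a short window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        kind = _recon_kind(ev)
        if kind:
            by_host[ev["Computer"]].append((datetime.strptime(ev["UtcTime"], TIME_FMT), kind))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window over each start point
            kinds = {k for t, k in items[i:] if (t - start).total_seconds() <= window_s}
            if len(kinds) >= threshold:
                alerts.append(f"{host}: {len(kinds)} distinct recon commands within {window_s}s")
                break
    return alerts


def _proc(computer, image, cmdline, when):
    return {"EventID": 1, "Computer": computer, "Image": image, "CommandLine": cmdline, "UtcTime": when}


S32 = r"C:\Windows\System32"
# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    _proc("WS01", S32 + r"\whoami.exe", "whoami /all", "2024-03-01 09:00:00.000"),
    _proc("WS01", S32 + r"\net.exe", "net user", "2024-03-01 09:00:20.000"),
    _proc("WS01", S32 + r"\ipconfig.exe", "ipconfig /all", "2024-03-01 09:00:45.000"),
    _proc("WS01", S32 + r"\systeminfo.exe", "systeminfo", "2024-03-01 09:01:10.000"),
    _proc("WS01", S32 + r"\net.exe", 'net group "domain admins" /domain', "2024-03-01 09:01:30.000"),
    _proc("WS01", r"C:\Users\Public\nbtscan.exe", "nbtscan -r 10.0.0.0/24", "2024-03-01 09:03:00.000"),
    _proc("WS02", S32 + r"\ipconfig.exe", "ipconfig /all", "2024-03-01 09:00:00.000"),
    _proc("WS02", S32 + r"\ipconfig.exe", "ipconfig /all", "2024-03-01 11:30:00.000"),
]
```

Counting distinct command kinds rather than raw events keeps a helpdesk script that runs ipconfig twice (WS02) below the threshold while the WS01 sequence, five different commands in ninety seconds, trips it. Expect to raise the threshold or add a parent-process exclusion for inventory agents that legitimately fire the same set on a schedule.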

Potential APT Activity on Your Network?

If your organization suspects it might be the victim of a targeted APT attack, it is important to get the assistance you need. Red Flare Security is ready to provide digital forensics and incident response services in response to even the most advanced threats. Contact us today for more information and assistance.
