{"description": "Enterprise techniques used by APT29, ATT&CK group G0016 (v6.2)", "name": "APT29 (G0016)", "domain": "enterprise-attack", "versions": {"layer": "4.4", "attack": "17", "navigator": "4.8.1"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has bypassed UAC.(Citation: Mandiant No Easy Breach)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained a list of users and their roles from an Exchange server using `Get-ManagementRoleAssignment`.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used PowerShell to discover domain accounts by exectuing `Get-ADUser` and `Get-ADGroupMember`.(Citation: CrowdStrike StellarParticle January 2022)(Citation: Secureworks IRON RITUAL Profile)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) added credentials to OAuth Applications and Service Principals.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used a compromised global administrator account in Azure AD to backdoor a service principal with `ApplicationImpersonation` rights to start collecting emails from targeted mailboxes; [APT29](https://attack.mitre.org/groups/G0016) has also used compromised accounts holding `ApplicationImpersonation` rights in Exchange to collect emails.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) added their own devices as allowed IDs for active sync using `Set-CASMailbox`, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.(Citation: Volexity SolarWinds)(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: MSTIC Nobelium Oct 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1098.003", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) granted `company administrator` privileges to a newly created service principle.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098.005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: NCSC et al APT29 2024)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) registered devices in order to enable mailbox syncing via the `Set-CASMailbox` command.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) acquired C2 domains, sometimes through resellers.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)For [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) registered domains for use in C2 including some crafted to appear as existing legitimate domains.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has registered algorithmically generated Twitter handles that are used for C2 by malware, such as [HAMMERTOSS](https://attack.mitre.org/software/S0037). [APT29](https://attack.mitre.org/groups/G0016) has also used legitimate web services such as Dropbox and Constant Contact in their operations.(Citation: FireEye APT29)(Citation: MSTIC NOBELIUM May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1595", "showSubtechniques": true}, {"techniqueID": "T1595.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has conducted widespread scanning of target environments to identify vulnerabilities for exploit.(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to compress stolen emails into password-protected archives prior to exfltration; [APT29](https://attack.mitre.org/groups/G0016) also compressed text files into zipped archives.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has installed a run command on a compromised system to enable malware execution on system startup.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has successfully conducted password guessing attacks against a list of mailboxes.(Citation: Mandiant APT29 Microsoft 365 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC Nobelium Oct 2021)(Citation: NCSC et al APT29 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1651", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.(Citation: MSTIC Nobelium Oct 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used encoded PowerShell scripts uploaded to [CozyCar](https://attack.mitre.org/software/S0046) installations to download and install [SeaDuke](https://attack.mitre.org/software/S0053).(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `cmd.exe` to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) wrote malware such as [Sibot](https://attack.mitre.org/software/S0589) in Visual Basic.(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has developed malware variants written in Python.(Citation: Symantec Seaduke 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.009", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API (Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.(Citation: ANSSI Nobelium Phishing December 2021)(Citation: Mandiant APT29 Microsoft 365 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1586.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.(Citation: Mandiant APT29 Microsoft 365 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.001", "comment": "For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) compromised domains to use for C2.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) can create new users through Azure AD.(Citation: MSTIC Nobelium Oct 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.(Citation: Microsoft Deep Dive Solorigate January 2021) ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) stole users' saved passwords from Chrome.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) downloaded source code from code repositories.(Citation: Microsoft Internal Solorigate Investigation Blog)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has stolen data from compromised hosts.(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) extracted files from compromised networks.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.002", "comment": "During [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used steganography to hide the communications between the implants and their C&C servers.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) staged data and files in password-protected archives on a victim's OWA server.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to decode their [Raindrop](https://attack.mitre.org/software/S0565) malware.(Citation: Symantec RAINDROP January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used unique malware in many of their operations.(Citation: F-Secure The Dukes)(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used numerous pieces of malware that were likely developed for or by the group, including [SUNBURST](https://attack.mitre.org/software/S0559), [SUNSPOT](https://attack.mitre.org/software/S0562), [Raindrop](https://attack.mitre.org/software/S0565), and [TEARDROP](https://attack.mitre.org/software/S0560).(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) \nFor [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used new strains of malware including [FatDuke](https://attack.mitre.org/software/S0512), [MiniDuke](https://attack.mitre.org/software/S0051), [RegDuke](https://attack.mitre.org/software/S0511), and [PolyglotDuke](https://attack.mitre.org/software/S0518).(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1587.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.(Citation: Secureworks IRON RITUAL Profile)(Citation: Microsoft 365 Defender Solorigate)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used the `Get-AcceptedDomain` PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.(Citation: Volexity SolarWinds) They also used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domains and to discover trust between federated domains.(Citation: CrowdStrike StellarParticle January 2022)(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used Dynamic DNS providers for their malware C2 infrastructure.(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.(Citation: Volexity SolarWinds) ", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has collected emails from targeted mailboxes within a compromised Azure AD tenant and compromised Exchange servers, including via Exchange Web Services (EWS) API requests.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) collected emails from specific individuals, such as executives and IT staff, using `New-MailboxExportRequest` followed by `Get-MailboxExportRequest`.(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1573", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used multiple layers of encryption within malware to protect C2 communication.(Citation: Secureworks IRON HEMLOCK Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.001", "comment": "For [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) registered Twitter accounts to host C2 nodes.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used a WMI event filter to invoke a command-line event consumer at system boot time to launch a backdoor with `rundll32.exe`.(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: Microsoft 365 Defender Solorigate)\nDuring [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used WMI event subscriptions to establish persistence for malware.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1546.008", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: NCSC APT29 July 2020)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.(Citation: F-Secure The Dukes)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: MSTIC NOBELIUM May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has exploited CVE-2021-36934 to escalate privileges on a compromised host.(Citation: ESET T3 Threat Report 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used compromised identities to access networks via VPNs and Citrix.(Citation: NCSC APT29 July 2020)(Citation: Mandiant APT29 Microsoft 365 2022)For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used compromised identities to access networks via SSH, VPNs, and other remote access tools.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained information about the configured Exchange virtual directory using `Get-WebServicesVirtualDirectory`.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1606", "showSubtechniques": true}, {"techniqueID": "T1606.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1606.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) created tokens using compromised SAML signing certificates.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Secureworks IRON RITUAL Profile)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1589", "showSubtechniques": true}, {"techniqueID": "T1589.001", "comment": "For the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) conducted credential theft operations to obtain credentials to be used for access to victim environments.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1665", "comment": "[APT29](https://attack.mitre.org/groups/G0016) uses compromised residential endpoints, typically within the same ISP IP address range, as proxies to hide the true source of C2 traffic.(Citation: NCSC et al APT29 2024)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1562.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016), used `AUDITPOL` to prevent the collection of audit logs.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `netsh` to configure firewall rules that limited certain UDP outbound packets.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1562.008", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has disabled Purview Audit on targeted accounts prior to stealing emails from  Microsoft 365 tenants.(Citation: Mandiant APT29 Microsoft 365 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used [SDelete](https://attack.mitre.org/software/S0195) to remove artifacts from victim networks.(Citation: Mandiant No Easy Breach)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) routinely removed their tools, including custom backdoors, once remote access was achieved.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1070.008", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) removed evidence of email export requests using `Remove-MailboxExportRequest`.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has downloaded additional tools and malware onto compromised networks.(Citation: Mandiant No Easy Breach)(Citation: PWC WellMess July 2020)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) downloaded additional malware, such as [TEARDROP](https://attack.mitre.org/software/S0560) and [Cobalt Strike](https://attack.mitre.org/software/S0154), onto a compromised host following initial access.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) named tasks `\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager` in order to appear legitimate.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.(Citation: SentinelOne NobleBaron June 2021)(Citation: Mandiant APT29 Microsoft 365 2022)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) renamed software and DLLs with legitimate names to appear benign.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.007", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.(Citation: MagicWeb)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1621", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used repeated MFA requests to gain access to victim accounts.(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)(Citation: NCSC et al APT29 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used large size files to avoid detection by security solutions with hardcoded size limits.(Citation: SentinelOne NobleBaron June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used UPX to pack files.(Citation: Mandiant No Easy Breach)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "During [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used steganography to hide payloads inside valid images.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1027.006", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.(Citation: ESET T3 Threat Report 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has obtained and used a variety of tools including [Mimikatz](https://attack.mitre.org/software/S0002), [SDelete](https://attack.mitre.org/software/S0195), [Tor](https://attack.mitre.org/software/S0183), [meek](https://attack.mitre.org/software/S0175), and [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: Mandiant No Easy Breach)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the `reg save` command to save registry hives.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the `reg save` command to extract LSA secrets offline.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used privileged accounts to replicate directory service data with domain controllers.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1069", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used the `Get-ManagementRoleAssignment` PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.(Citation: Volexity SolarWinds)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: MSTIC NOBELIUM May 2021)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the legitimate mailing service Constant Contact to send phishing e-mails.(Citation: MSTIC NOBELIUM May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used multiple command-line utilities to enumerate running processes.(Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB.(Citation: CrowdStrike StellarParticle January 2022)(Citation: Symantec RAINDROP January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) uses compromised residential endpoints as proxies for defense evasion and network access.(Citation: NCSC et al APT29 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "A backdoor used by [APT29](https://attack.mitre.org/groups/G0016) created a [Tor](https://attack.mitre.org/software/S0183) hidden service to forward traffic from the [Tor](https://attack.mitre.org/software/S0183) client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used the meek domain fronting plugin for [Tor](https://attack.mitre.org/software/S0183) to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used RDP sessions from public-facing systems to internal servers.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used administrative accounts to connect over SMB to targeted users.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021.006", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used WinRM via PowerShell to execute commands and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021.007", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.(Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used [AdFind](https://attack.mitre.org/software/S0552) to enumerate remote systems.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `scheduler` and `schtasks` to create new tasks on remote host as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. [APT29](https://attack.mitre.org/groups/G0016) also created a scheduled task to maintain [SUNSPOT](https://attack.mitre.org/software/S0562) persistence when the host booted.(Citation: Volexity SolarWinds)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has installed web shells on exploited Microsoft Exchange servers.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "[APT29](https://attack.mitre.org/groups/G0016) uses stolen tokens to access victim accounts, without needing a password.(Citation: NCSC et al APT29 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1649", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.(Citation: Mandiant APT29 Trello)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "showSubtechniques": true}, {"techniqueID": "T1558.003", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) stole Chrome browser cookies by copying the Chrome profile directories of targeted users.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) was able to get [SUNBURST](https://attack.mitre.org/software/S0559) signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1553.005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1195", "showSubtechniques": true}, {"techniqueID": "T1195.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) gained initial network access to some victims via a trojanized update of SolarWinds Orion software.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has use `mshta` to execute malicious scripts on a compromised host.(Citation: ESET T3 Threat Report 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `Rundll32.exe` to execute payloads.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `fsutil` to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1016", "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has ensured web servers in a victim environment are Internet accessible before copying tools or malware to it.(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used [GoldFinder](https://attack.mitre.org/software/S0597) to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1199", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations.(Citation: MSTIC Nobelium Oct 2021)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained PKI keys, certificate files, and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.(Citation: Microsoft 365 Defender Solorigate)(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1550", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling [APT29](https://attack.mitre.org/groups/G0016) to access enterprise cloud applications and services.(Citation: Microsoft 365 Defender Solorigate)(Citation: Secureworks IRON RITUAL Profile)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used compromised service principals to make changes to the Office 365 environment.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1550.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550.004", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used stolen cookies to access cloud resources and a forged `duo-sid` cookie to bypass MFA set on an email account.(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. (Citation: F-Secure The Dukes)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has used a compromised account to access an organization's VPN infrastructure.(Citation: Mandiant APT29 Microsoft 365 2022)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used different compromised credentials for remote access and to move laterally.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: Cybersecurity Advisory SVR TTP May 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used domain administrators' accounts to help facilitate lateral movement on compromised networks.(Citation: CrowdStrike StellarParticle January 2022)For [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used stolen administrator credentials for lateral movement on compromised networks.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "[APT29](https://attack.mitre.org/groups/G0016) targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organization but whose accounts remain on the system, for access and persistence.(Citation: NCSC et al APT29 2024)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[APT29](https://attack.mitre.org/groups/G0016) has gained access to a global administrator account in Azure AD and has used `Service Principal` credentials in Exchange.(Citation: Mandiant APT29 Microsoft 365 2022)(Citation: Mandiant APT29 Eye Spy Email Nov 22)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used a compromised O365 administrator account to create a new Service Principal.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "For [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[APT29](https://attack.mitre.org/groups/G0016) used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach)During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT29", "color": "#66b1ff"}, {"label": "used by a campaign attributed to APT29", "color": "#ff6666"}, {"label": "used by APT29 and used by a campaign attributed to APT29", "color": "#ff66f4"}]}