ioc[.]one - OSINT Cyber Threat Intelligence Database

Joint Cybersecurity Advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

Show in Graph

Common Information

Type	Value
UUID	91e777c8-3837-4f3a-beb8-c86d32e5ce74
Fingerprint	1ba216c39a5dd90c9f7549235eca363a31ccb6532ff4bef1cae7b1d4b023f7d3
Analysis status	DONE
Considered CTI value	2
Text language
Published	June 1, 2023, 11:56 a.m.
Added to db	March 10, 2024, 1:57 a.m.
Last updated	Aug. 31, 2024, 3:36 a.m.
Headline	Joint Cybersecurity Advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
Title	Joint Cybersecurity Advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
Detected Hints/Tags/Attributes	174/3/114

Source URLs

	Redirection	Url
Details	Source	https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

URL Provider

Details	Provider	Source level domain
Details	defense.gov	media.defense.gov

Attributes

Details	Type	#Events	Value
Details	CVE	67	cve-2021-40539
Details	CVE	5	cve-2021-27860
Details	Domain	152	cisa.gov
Details	Domain	88	secretsdump.py
Details	Domain	49	wmiexec.py
Details	Domain	3	www.ip-api.com
Details	Domain	469	www.cisa.gov
Details	Domain	167	www.ic3.gov
Details	Domain	2	210829-020000.zip
Details	Domain	4127	github.com
Details	Domain	207	learn.microsoft.com
Details	Domain	397	www.microsoft.com
Details	Domain	36	media.defense.gov
Details	Domain	182	www.mandiant.com
Details	Domain	55	cisa.dhs.gov
Details	Domain	128	www.fbi.gov
Details	Domain	29	nsa.gov
Details	Domain	8	cyber.nsa.gov
Details	Domain	16	cyber.gov.au
Details	Domain	20	cyber.gc.ca
Details	Domain	5	ncsc.govt.nz
Details	Domain	53	ncsc.gov.uk
Details	Email	6	report@cisa.dhs.gov
Details	Email	7	cybersecurityreports@nsa.gov
Details	Email	8	dib_defense@cyber.nsa.gov
Details	Email	14	mediarelations@nsa.gov
Details	Email	8	contact@cyber.gc.ca
Details	Email	4	incidents@ncsc.govt.nz
Details	File	1	stix_.xml
Details	File	3	cisco_up.exe
Details	File	4	cl64.exe
Details	File	7	vm3dservice.exe
Details	File	4	watchdogd.exe
Details	File	25	win.exe
Details	File	4	wmipresv.exe
Details	File	142	wmiprvse.exe
Details	File	2126	cmd.exe
Details	File	59	ntdsutil.exe
Details	File	85	secretsdump.py
Details	File	45	wmiexec.py
Details	File	2	ldifde.exe
Details	File	76	mimikatz.exe
Details	File	4	ss.dat
Details	File	3	sy.dat
Details	File	40	7z.exe
Details	File	2	c:\windows\system32\pcwrun.exe
Details	File	2	c:\users\administrator\desktop\win.exe
Details	File	2	c:\windows\system32\cmdbak.exe
Details	File	2	c:\windows\temp\putty.log
Details	File	2	c:\windows\temp\tmp.log
Details	File	96	rar.exe
Details	File	3	211117-2.pdf
Details	File	2	c:\pstools\psexec.exe
Details	File	2	c:\windows\temp\cisco_up.txt
Details	File	2	210829-020000.zip
Details	File	2	c:\windows\temp\dmbc2c61.tmp
Details	File	9	backup.bat
Details	File	24	update.bat
Details	File	3	billagent.exe
Details	File	33	nc.exe
Details	File	175	update.exe
Details	File	3	billaudit.exe
Details	File	4	smsvcservice.exe
Details	File	1	embrace_20220622.pdf
Details	Github username	7	fatedier
Details	sha256	6	f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
Details	sha256	4	ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
Details	sha256	4	d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
Details	sha256	7	472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
Details	sha256	4	66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
Details	sha256	9	3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
Details	sha256	4	41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
Details	sha256	4	c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
Details	sha256	4	3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
Details	sha256	4	fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
Details	sha256	4	ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484
Details	IPv4	1441	127.0.0.1
Details	IPv4	619	0.0.0.0
Details	MITRE ATT&CK Techniques	152	T1090
Details	MITRE ATT&CK Techniques	1006	T1082
Details	MITRE ATT&CK Techniques	333	T1059.003
Details	MITRE ATT&CK Techniques	67	T1003.003
Details	MITRE ATT&CK Techniques	310	T1047
Details	MITRE ATT&CK Techniques	460	T1059.001
Details	MITRE ATT&CK Techniques	230	T1033
Details	MITRE ATT&CK Techniques	49	T1110.003
Details	MITRE ATT&CK Techniques	125	T1110
Details	MITRE ATT&CK Techniques	245	T1016
Details	MITRE ATT&CK Techniques	74	T1069.002
Details	MITRE ATT&CK Techniques	32	T1069.001
Details	MITRE ATT&CK Techniques	172	T1555
Details	MITRE ATT&CK Techniques	289	T1003
Details	MITRE ATT&CK Techniques	92	T1070.001
Details	MITRE ATT&CK Techniques	542	T1190
Details	MITRE ATT&CK Techniques	104	T1505.003
Details	MITRE ATT&CK Techniques	36	T1090.002
Details	MITRE ATT&CK Techniques	247	T1070
Details	Url	2	https://www.cisa.gov/uscert/ncas/alerts/aa21-259a.
Details	Url	3	https://www.ic3.gov/media/news/2021/211117-2.pdf
Details	Url	1	https://learn.microsoft.com/en-us/windows-server/identity/ad-
Details	Url	4	https://www.microsoft.com/en-
Details	Url	1	https://learn.microsoft.com/en-us/previous-versions/windows/it-
Details	Url	1	https://media.defense.gov/2022/jun/22/2003021689/-1/-
Details	Url	2	https://www.mandiant.com/resources/blog/greater-visibility
Details	Url	1	https://learn.microsoft.com/en-us/windows/security/threat-
Details	Url	1	https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-
Details	Url	1	https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-
Details	Url	1	https://learn.microsoft.com/en-
Details	Url	1	https://www.fbi.gov/contact-us/field-
Details	Windows Registry Key	2	HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
Details	Yara rule	2	rule ShellJSP { strings: $s1 = "decrypt(fpath)" $s2 = "decrypt(fcontext)" $s3 = "decrypt(commandEnc)" $s4 = "upload failed!" $s5 = "aes.encrypt(allStr)" $s6 = "newid" condition: filesize < 50KB and 4 of them }
Details	Yara rule	3	rule EncryptJSP { strings: $s1 = "AEScrypt" $s2 = "AES/CBC/PKCS5Padding" $s3 = "SecretKeySpec" $s4 = "FileOutputStream" $s5 = "getParameter" $s6 = "new ProcessBuilder" $s7 = "new BufferedReader" $s8 = "readLine()" condition: filesize < 50KB and 6 of them }
Details	Yara rule	1	rule CustomFRPClient { meta: description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool" strings: $s1 = "%!PS-Adobe-" ascii wide nocase $s2 = "github.com/fatedier/frp/cmd/frpc" ascii wide nocase $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" ascii wide nocase $s4 = "MAGA2024!!!" ascii wide nocase $s5 = "HTTP_PROXYHost: %s" ascii wide nocase condition: all of them }
Details	Yara rule	1	rule HACKTOOL_FRPClient { meta: description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)" strings: $s1 = "%!PS-Adobe-" ascii wide nocase $s2 = "github.com/fatedier/frp/cmd/frpc" ascii wide nocase $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" ascii wide nocase $s4 = "HTTP_PROXYHost: %s" ascii wide nocase condition: 3 of them }