From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter; Masquerading; Scheduled Task/Job
country: China
maec-delivery-vectors: Watering Hole
attack-pattern:
  Data Archive Collected Data - T1560
  Archive Collected Data - T1532
  Command And Scripting Interpreter - T1623
  Credentials - T1589.001
  Credentials From Password Stores - T1555
  Default Accounts - T1078.001
  Disable Or Modify Tools - T1562.001
  Disable Or Modify Tools - T1629.003
  Dll Search Order Hijacking - T1574.001
  Domain Groups - T1069.002
  Exfiltration Over C2 Channel - T1646
  File Deletion - T1070.004
  File Deletion - T1630.002
  Hijack Execution Flow - T1625
  Hijack Execution Flow - T1574
  Impair Defenses - T1562
  Impair Defenses - T1629
  Ip Addresses - T1590.005
  Malicious File - T1204.002
  Malicious Link - T1204.001
  Malware - T1587.001
  Malware - T1588.001
  Masquerading - T1655
  Process Discovery - T1424
  System Information Discovery - T1426
  Pass The Hash - T1550.002
  Phishing - T1660
  Phishing - T1566
  Powershell - T1059.001
  Python - T1059.006
  Reflective Code Loading - T1620
  Remote Desktop Protocol - T1021.001
  Scheduled Task - T1053.005
  Scheduled Task/Job - T1603
  Server - T1583.004
  Server - T1584.004
  Service Execution - T1569.002
  Software - T1592.002
  Spearphishing Attachment - T1566.001
  Spearphishing Attachment - T1598.002
  System Services - T1569
  Windows Command Shell - T1059.003
  Use Alternate Authentication Material - T1550
  Tool - T1588.002
  Vulnerabilities - T1588.006
  Command-Line Interface - T1059
  Connection Proxy - T1090
  Credential Dumping - T1003
  Data Encoding - T1132
  Dll Search Order Hijacking - T1038
  Exfiltration Over Command And Control Channel - T1041
  File Deletion - T1107
  Indicator Removal On Host - T1070
  Masquerading - T1036
  New Service - T1050
  Pass The Hash - T1075
  Permission Groups Discovery - T1069
  Powershell - T1086
  Process Discovery - T1057
  Remote Desktop Protocol - T1076
  Remote Services - T1021
  Scheduled Task - T1053
  Service Execution - T1035
  Spearphishing Attachment - T1193
  System Information Discovery - T1082
  System Owner/User Discovery - T1033
  Valid Accounts - T1078
  User Execution - T1204
  Masquerading
  Spearphishing Attachment
  Valid Accounts
  User Execution
Common Information
Type Value
UUID b82dc92e-1bdc-4b92-b13b-052c7d874886
Fingerprint b5a01d99220792c1
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 30, 2024, 5:09 p.m.
Added to db Oct. 1, 2024, 2:57 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users
Title From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users
Detected Hints/Tags/Attributes 167/4/97
Attributes
Type | #Events | Value
Domain | 911 | any.run
Domain | 37 | psexec.py
Domain | 1 | bloodhound.zip
Domain | 7 | myip.ipip.net
Domain | 3 | 360-1305242994.cos.ap-nanjing.myqcloud.com
Domain | 13 | archive.zip
Domain | 36 | book.hacktricks.xyz
Domain | 124 | www.sentinelone.com
File | 5 | 20240739人员名单信息.zip
File | 9 | 违规远程控制软件人员名单.docx
File | 10 | 1.docx
File | 24 | dui70.dll
File | 14 | ui.exe
File | 10 | licensingui.exe
File | 3 | mall_100_100.html
File | 22 | runonce.exe
File | 4 | fpr.exe
File | 10 | iox.exe
File | 9 | fscan.exe
File | 32 | result.txt
File | 4 | netspy.exe
File | 2 | netspy.log
File | 8 | alive.txt
File | 8 | lld.exe
File | 7 | tmp.log
File | 6 | xxx.txt
File | 9 | sharpdecryptpwd.exe
File | 5 | pvefindaduser.exe
File | 12 | document.txt
File | 4 | gogo_windows_amd64.exe
File | 63 | output.txt
File | 2125 | cmd.exe
File | 2 | mstc.exe
File | 74 | mstsc.exe
File | 29 | ip.txt
File | 34 | psexec.py
File | 1 | bloodhound.zip
File | 4 | sb.exe
File | 3 | sa64.gif
File | 1 | c:\windows\system32\runonce.exe
File | 1 | searchall64.exe
File | 6 | sharpweb.exe
File | 10 | archive.zip
File | 1 | recharge.json
File | 3 | %windir%\syswow64\runonce.exe
File | 3 | %windir%\sysnative\runonce.exe
File | 748 | kernel32.dll
sha256 | 3 | 8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa86
sha256 | 3 | 04bcf25d07e5cf060e742325d6123242f262888705acac649f8d5010a5eb6a87
sha256 | 3 | c35ea8498ed7ae33513e26fac321fecf0fc9306dda8c783904968e3c51648c37
sha256 | 3 | 3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408
sha256 | 3 | 28030e8cf4c9c39665a0552e82da86781b00f099e240db83f1d1a3ae0e990ab6
sha256 | 3 | 1ba77dd1f5bf31d45fdb160c52ebe5829ec373350cde35818fb90d45352b3601
sha256 | 3 | 1189d34e983a6fc9d2dc37ad591287c9e3e4d4ba83f66c7ede692c36274ba648
sha256 | 3 | 706bd7e05f275814c3b86eec1a87148662029d91d0ce9b80386aaffe7aa3753b
sha256 | 1 | c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731
sha256 | 3 | 0bd048e0bce956edfbcee6edf32b8b67e08275bd38125b40a98665fab4926c9d
sha256 | 3 | 97c5cd06b543b0bdb270666092348efba0a9670af05b11f3b56bf4b418dec43a
sha256 | 3 | 7dc0e13a5f1a70c4e41f4b92372259b050a395104650d57385ecaa148481ae5c
sha256 | 3 | 1f510ded0d181b4636e83c69b66c92465dc0e64f6db946fa4c246e7741f66141
sha256 | 3 | 9f650117288b26312e84f32e23783fe3c81fcba771c8ae58119be92344c006cc
sha256 | 3 | efe53f18d282516149bc6feac44c17dde9f0704d95598aecba3e7d734727b07e
sha256 | 3 | 33a910162eafe750316adfad4ab0955be24c1ba048c2ec236c95e4a795c42932
IPv4 | 6 | 123.207.74.22
IPv4 | 3 | 49.235.152.72
IPv4 | 3 | 123.56.168.30
MITRE ATT&CK Techniques | 41 | T1078.001
MITRE ATT&CK Techniques | 310 | T1566.001
MITRE ATT&CK Techniques | 157 | T1560
MITRE ATT&CK Techniques | 96 | T1132
MITRE ATT&CK Techniques | 289 | T1003
MITRE ATT&CK Techniques | 172 | T1555
MITRE ATT&CK Techniques | 297 | T1070.004
MITRE ATT&CK Techniques | 298 | T1562.001
MITRE ATT&CK Techniques | 70 | T1574.001
MITRE ATT&CK Techniques | 91 | T1620
MITRE ATT&CK Techniques | 230 | T1033
MITRE ATT&CK Techniques | 433 | T1057
MITRE ATT&CK Techniques | 65 | T1069
MITRE ATT&CK Techniques | 1006 | T1082
MITRE ATT&CK Techniques | 460 | T1059.001
MITRE ATT&CK Techniques | 333 | T1059.003
MITRE ATT&CK Techniques | 59 | T1059.006
MITRE ATT&CK Techniques | 174 | T1569.002
MITRE ATT&CK Techniques | 106 | T1204.001
MITRE ATT&CK Techniques | 365 | T1204.002
MITRE ATT&CK Techniques | 160 | T1021.001
MITRE ATT&CK Techniques | 38 | T1550.002
MITRE ATT&CK Techniques | 480 | T1053
MITRE ATT&CK Techniques | 422 | T1041
Url | 1 | http://123.207.74.22/mall_100_100.html
Url | 7 | http://myip.ipip.net
Url | 3 | https://360-1305242994.cos.ap-nanjing.myqcloud.com/wel/ns/sa64.gif
Url | 4 | https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature
Url | 3 | https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking
Url | 5 | https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors
Windows Registry Key | 1 | HKLM\System\CurrentControlSet\control\lsa