People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA
Common Information
Type Value
UUID ddf645a0-9c87-4a3b-a1b8-6b3f1f5cb92b
Fingerprint b49da3772461d4a1
Analysis status DONE
Considered CTI value 2
Text language
Published May 24, 2023, noon
Added to db Aug. 13, 2023, 2:51 a.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
Title People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA
Detected Hints/Tags/Attributes 177/3/112
Attributes
Details Type #Events CTI Value
Details CVE 67
cve-2021-40539
Details CVE 5
cve-2021-27860
Details Github username 7
fatedier
Details IPv4 1441
127.0.0.1
Details IPv4 619
0.0.0.0
Details MITRE ATT&CK Techniques 152
T1090
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 333
T1059.003
Details MITRE ATT&CK Techniques 67
T1003.003
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 460
T1059.001
Details MITRE ATT&CK Techniques 230
T1033
Details MITRE ATT&CK Techniques 49
T1110.003
Details MITRE ATT&CK Techniques 125
T1110
Details MITRE ATT&CK Techniques 245
T1016
Details MITRE ATT&CK Techniques 74
T1069.002
Details MITRE ATT&CK Techniques 32
T1069.001
Details MITRE ATT&CK Techniques 172
T1555
Details MITRE ATT&CK Techniques 289
T1003
Details MITRE ATT&CK Techniques 92
T1070.001
Details MITRE ATT&CK Techniques 542
T1190
Details MITRE ATT&CK Techniques 104
T1505.003
Details MITRE ATT&CK Techniques 36
T1090.002
Details MITRE ATT&CK Techniques 247
T1070
Details Url 2
https://www.cisa.gov/uscert/ncas/alerts/aa21-259a
Details Url 3
https://www.ic3.gov/media/news/2021/211117-2.pdf
Details Url 1
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
Details Url 3
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques
Details Url 1
https://media.defense.gov/2022/jun/22/2003021689/-1/-1/0/csi_keeping_powershell_security_measures_to_use_and_embrace_20220622.pdf
Details Url 2
https://www.mandiant.com/resources/blog/greater-visibility
Details Url 1
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring
Details Url 1
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity#obtaining
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
Details Url 1
https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
Details Url 3
https://www.fbi.gov/contact-us/field-offices
Details Windows Registry Key 2
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
Details Yara rule 2
rule ShellJSP {
	strings:
		$s1 = "decrypt(fpath)"
		$s2 = "decrypt(fcontext)"
		$s3 = "decrypt(commandEnc)"
		$s4 = "upload failed!"
		$s5 = "aes.encrypt(allStr)"
		$s6 = "newid"
	condition:
		filesize < 50KB and 4 of them
}
Details Yara rule 3
rule EncryptJSP {
	strings:
		$s1 = "AEScrypt"
		$s2 = "AES/CBC/PKCS5Padding"
		$s3 = "SecretKeySpec"
		$s4 = "FileOutputStream"
		$s5 = "getParameter"
		$s6 = "new ProcessBuilder"
		$s7 = "new BufferedReader"
		$s8 = "readLine()"
	condition:
		filesize < 50KB and 6 of them
}
Details Yara rule 1
rule CustomFRPClient {
	meta:
		description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
	strings:
		$s1 = "%!PS-Adobe-" ascii wide nocase
		$s2 = "github.com/fatedier/frp/cmd/frpc" ascii wide nocase
		$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" ascii wide nocase
		$s4 = "MAGA2024!!!" ascii wide nocase
		$s5 = "HTTP_PROXYHost: %s" ascii wide nocase
	condition:
		all of them
}
Details Yara rule 1
rule HACKTOOL_FRPClient {
	meta:
		description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
	strings:
		$s1 = "%!PS-Adobe-" ascii wide nocase
		$s2 = "github.com/fatedier/frp/cmd/frpc" ascii wide nocase
		$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" ascii wide nocase
		$s4 = "HTTP_PROXYHost: %s" ascii wide nocase
	condition:
		3 of them
}