December 21, 2021

APT31 Intrusion Set from ANSSI

Industry: N/A | Level: Tactical | Source: CERT-FR

The French national cyber-security agency ANSSI has published details of an APT31 intrusion set that it has been tracking since January 2021. Observed tactics are mapped to the MITRE ATT&CK framework. Initial access was obtained through brute force, valid accounts, and exploitation of vulnerabilities (ProxyLogon, Fortinet, and SQL injection). The group maintains persistence by scheduling tasks, creating accounts, and deploying web shells. It moves laterally over RDP, FTP, and SMB, which are also used to transfer code and tools. Additional activity, and the corresponding detection areas, includes the use of native discovery commands, the creation of firewall rules, and the disabling of AV/monitoring solutions such as Windows Defender. The group's end goal has been data exfiltration over email, DNS, and/or SMB after collection.

  • Anvilogic Use Cases:
    • Potential Web Shell
    • Cscript or Wscript execution
    • Create/Modify Schtasks
    • Create/Add Local/Domain User
    • Windows Firewall Rule Creation
    • Modify Windows Defender
    • Common Reconnaissance Commands
    • RDP Hijacking
    • Utility Archive Data
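As an added example (not code from the ANSSI report or from Anvilogic), the script below runs simple detection logic for each of the use cases listed above over constructed process-creation events. The JSON field names (`id`, `parent`, `image`, `cmd`), the sample paths and the command lines are assumptions made for illustration; real telemetry (Sysmon Event ID 1, Windows 4688) would be mapped to these fields first.

```python
"""Constructed detection logic for the APT31 behaviours summarised above.

Input is assumed to be one process-creation event per line, flattened to
JSON with the fields "id", "parent", "image" and "cmd". This is a
simplified shape, not the exact Sysmon/4688 schema, and every event in
SAMPLE_EVENTS is a constructed sample rather than data from the report.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample telemetry as JSON lines (backslashes are JSON-escaped).
SAMPLE_EVENTS = r"""
{"id": 1, "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"}
{"id": 2, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /all"}
{"id": 3, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmd": "schtasks /create /sc minute /mo 10 /tn Updater /tr C:\\ProgramData\\u.bat"}
{"id": 4, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net user svc_backup Passw0rd /add"}
{"id": 5, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe", "cmd": "netsh advfirewall firewall add rule name=\"Allow 8080\" dir=in action=allow protocol=TCP localport=8080"}
{"id": 6, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"id": 7, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\Public\\run.vbs"}
{"id": 8, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Tools\\rar.exe", "cmd": "rar.exe a -hp C:\\Users\\Public\\out.rar C:\\Users\\finance\\"}
{"id": 9, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\tscon.exe", "cmd": "tscon 2 /dest:console"}
{"id": 10, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe readme.txt"}
"""

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
RECON = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "nltest.exe",
         "systeminfo.exe", "tasklist.exe", "quser.exe", "qwinsta.exe", "netstat.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "makecab.exe"}


def _base(path: object) -> str:
    """Lower-case file name of an image path, tolerant of either slash style."""
    return str(path).replace("\\", "/").rsplit("/", 1)[-1].lower()


def _cmd(ev: Event) -> str:
    return str(ev.get("cmd", "")).lower()


# One predicate per use case. Each returns True when the event matches.
def web_shell(ev: Event) -> bool:
    # A web server process spawning a shell or script host is the classic web-shell signal.
    return _base(ev["parent"]) in WEB_SERVERS and _base(ev["image"]) in SHELLS


def script_host(ev: Event) -> bool:
    return _base(ev["image"]) in {"cscript.exe", "wscript.exe"}


def schtask_create(ev: Event) -> bool:
    return _base(ev["image"]) == "schtasks.exe" and re.search(r"/(create|change)\b", _cmd(ev)) is not None


def user_add(ev: Event) -> bool:
    return _base(ev["image"]) in {"net.exe", "net1.exe"} and re.search(r"\buser\b.*\s/add\b", _cmd(ev)) is not None


def firewall_rule(ev: Event) -> bool:
    c = _cmd(ev)
    return _base(ev["image"]) == "netsh.exe" and "advfirewall" in c and "add rule" in c


def defender_tamper(ev: Event) -> bool:
    c = _cmd(ev)
    return (("set-mppreference" in c and "-disable" in c)
            or "disableantispyware" in c
            or re.search(r"\bsc(\.exe)?\s+stop\s+windefend\b", c) is not None)


def recon(ev: Event) -> bool:
    # net.exe with /add is account creation, not discovery, so leave it to user_add.
    return _base(ev["image"]) in RECON and "/add" not in _cmd(ev)


def rdp_hijack(ev: Event) -> bool:
    return _base(ev["image"]) == "tscon.exe"


def archive(ev: Event) -> bool:
    return _base(ev["image"]) in ARCHIVERS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Potential Web Shell", web_shell),
    ("Cscript or Wscript execution", script_host),
    ("Create/Modify Schtasks", schtask_create),
    ("Create/Add Local/Domain User", user_add),
    ("Windows Firewall Rule Creation", firewall_rule),
    ("Modify Windows Defender", defender_tamper),
    ("Common Reconnaissance Commands", recon),
    ("RDP Hijacking", rdp_hijack),
    ("Utility Archive Data", archive),
]


def detect(jsonl: str) -> List[Tuple[int, str]]:
    """Return (event id, use case) for every rule that fires on every event."""
    hits: List[Tuple[int, str]] = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((int(ev["id"]), name))
    return hits


if __name__ == "__main__":
    for event_id, use_case in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {use_case}")
```

Each predicate is deliberately narrow and keyed on the process image plus a few command-line tokens, so the benign `notepad.exe` event produces no hit; in production these would be tuned against the environment's baseline (for example, excluding known administrative hosts that legitimately run `schtasks /create`).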