TTP Tuesday: APT40 - Government Organizations
Gaining a foothold via the Oasis Chain
Theme Overview
Our last release looked at the APT40 targeting the maritime industry and associated persistence techniques.
For this week’s TTP Tuesday we are releasing a new APT40-themed chain based on how APT40 gains a foothold into organizations. This chain utilizes techniques found in watering-hole and password reuse attacks. The chain contains 5 TTPs with the end goal of identifying valid credentials for SMB or RDP connections.
The Watering Hole
A watering hole attack has quite a few definitions, but essentially you are setting up a resource that will eventually be visited by the target you are interested in. Typically, you would inject your code into a website that is accessed by numerous parties, with the goal of successfully exploiting the target you have your sights on.
In the chain, we set up a single-page website that requests a user to log in. Upon entering your information, the website will send the credentials that were entered into the form, as well as the operating system listed in the user-agent header back to Operator.
Checking for Password Reuse
Utilizing the credentials gained from a detected Windows OS, the next TTPs will check those credentials against SMB and RDP for the remote host. Your initial agent running these TTPs will be notified if the credentials were valid.
Check it out on the Prelude chains website.
Watch a demonstration:
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Join our community
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
Follow our team
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VV_X_7
Sam: https://twitter.com/wasupwithuman