
APT29 Evaluation: Operational Flow


The Operational Flow separated technique execution into sequences we referred to as "Steps". Organizing our execution into Steps ensured that each detection displayed in the results was correctly associated with the technique being tested at that point. Each Step corresponded to an adversary's intended goal during an operation. We performed 20 Steps in total across two scenarios: 10 Steps corresponded to our first scenario (which used Pupy, Meterpreter, and custom tooling), and 10 Steps corresponded to our second scenario (which used PoshC2 and custom tooling). We further divided each Step into Sub-Steps, denoted by a letter appended to the Step number (e.g., 1A, 1B). Those Steps and the corresponding techniques are outlined below.

This information is also available in a single, downloadable PDF document.

First Scenario

The content to execute this scenario was tested and developed using Pupy, Meterpreter, and other custom or modified scripts and payloads. Pupy and Meterpreter were chosen based on their available functionality and their similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step-by-step instructions on how to execute the Day 1 scenario, is available at ATT&CK Arsenal.

Step 1 - Initial Compromise: Malware is executed on the victim and establishes a C2 connection

Step 2 - Collection and Exfiltration: Adversary performs smash-and-grab data theft

Step 3 - Deploy Stealth Toolkit: Adversary drops secondary malware, elevates privileges, and establishes new C2 connection

Step 4 - Clean Up and Reconnaissance: Adversary drops new tools, cleans up artifacts of breach, and surveys the victim environment

Step 5 - Establish Persistence: Adversary establishes two separate means of persistent access to the victim

Step 6 - Credential Access: Adversary gathers various forms of credential materials

Step 7 - Collection and Exfiltration: Adversary collects data from the victim user and exfiltrates it to attacker-controlled infrastructure

Step 8 - Expand Access: Adversary enumerates the network, then executes a payload on a remote workstation

Step 9 - Clean Up, Collection, and Exfiltration: Adversary drops new tools, performs smash-and-grab data theft, then cleans up artifacts of the breach on the remote workstation

Step 10 - Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted


Second Scenario

The content to execute this scenario was tested and developed using PoshC2 and other custom or modified scripts and payloads. PoshC2 was chosen based on its available functionality and its similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step-by-step instructions on how to execute the Day 2 scenario, is available at ATT&CK Arsenal.

Step 11 - Initial Compromise: Malware is executed on the victim; it surveys the victim, then establishes persistent access and a C2 connection

Step 12 - Fortify Access: Adversary attempts to hide artifacts of the breach and enumerates victim software

Step 13 - Reconnaissance: Adversary surveys the victim environment

Step 14 - Elevation & Credential Access: Adversary elevates privileges and dumps credential materials

Step 15 - Establish Persistence: Adversary establishes a secondary means of persistent access to the victim

Step 16 - Expand Access: Adversary enumerates the domain, then dumps credential materials from the domain controller

Step 17 - Collection: Adversary collects, stages, and obfuscates data from the victim user

Step 18 - Exfiltration: Adversary exfiltrates data to attacker-controlled web infrastructure

Step 19 - Clean Up: Adversary cleans up artifacts of the breach

Step 20 - Persistence Execution: Adversary persistence mechanisms are executed when the initial victim machine is rebooted; the regained access is used to create credential material and to access a new victim workstation