Analytics Story: Nexus APT Threat Activity

Date: 2025-01-27 ID: 43f8062d-4da0-4f48-8cad-6a20e108961b Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, an advanced persistent threat (APT) group known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.

Why it matters

Chinese state-nexus threat actors are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Detect Renamed WinRAR Archive via Utility, Archive Collected Data Hunting
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Linux Auditd File Permission Modification Via Chmod Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Anomaly
Linux Auditd Nopasswd Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Auditd Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Common Process For Elevation Control Setuid and Setgid, Abuse Elevation Control Mechanism Hunting
Linux File Creation In Init Boot Directory RC Scripts, Boot or Logon Initialization Scripts Anomaly
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Sudoers Tmp File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Archive Collected Data via Rar Archive via Utility, Archive Collected Data Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Replication Through Removable Media Replication Through Removable Media TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Anomaly
Windows Unsigned DLL Side-Loading DLL Side-Loading Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path DLL Side-Loading, Hijack Execution Flow TTP
Windows Unsigned MS DLL Side-Loading DLL Side-Loading, Boot or Logon Autostart Execution Anomaly
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
Detect Large Outbound ICMP Packets Non-Application Layer Protocol TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Linux Auditd Execve Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Path Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Proctitle Linux icon Linux linux:audit /var/log/audit/audit.log
Palo Alto Network Traffic Network icon Network pan:traffic screenconnect_palo_traffic
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1