Description
NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon’s Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic, Web
- Last Updated: 2020-12-14
- Author: Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk
- ID: 758196b5-2e21-424f-a50c-6e421ce926c2
Narrative
This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly |
| Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly |
| Azure AD Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP |
| Azure AD FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP |
| Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP |
| Azure AD Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting |
| Azure AD Multiple Service Principals Created by SP | Cloud Account | Anomaly |
| Azure AD Multiple Service Principals Created by User | Cloud Account | Anomaly |
| Azure AD Privileged Graph API Permission Assigned | Security Account Manager | TTP |
| Azure AD Privileged Role Assigned | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Privileged Role Assigned to Service Principal | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Service Principal Authentication | Cloud Accounts | TTP |
| Azure AD Service Principal Created | Cloud Account | TTP |
| Azure AD Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP |
| Azure AD Service Principal Owner Added | Account Manipulation | TTP |
| Azure AD Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP |
| Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP |
| First Time Seen Running Windows Service | System Services, Service Execution | Anomaly |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| O365 Added Service Principal | Cloud Account, Create Account | TTP |
| O365 Application Registration Owner Added | Account Manipulation | TTP |
| O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP |
| O365 Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting |
| O365 Multiple Mailboxes Accessed via API | Remote Email Collection | TTP |
| O365 Multiple Service Principals Created by SP | Cloud Account | Anomaly |
| O365 Multiple Service Principals Created by User | Cloud Account | Anomaly |
| O365 Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | TTP |
| O365 OAuth App Mailbox Access via EWS | Remote Email Collection | TTP |
| O365 OAuth App Mailbox Access via Graph API | Remote Email Collection | TTP |
| O365 Privileged Graph API Permission Assigned | Security Account Manager | TTP |
| O365 Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP |
| O365 Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP |
| Supernova Webshell | Web Shell, External Remote Services | TTP |
| TOR Traffic | Proxy, Multi-hop Proxy | TTP |
| Windows AdFind Exe | Remote System Discovery | TTP |
| Windows Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP |
Reference
source | version: 3