{
	"id": "6ffd82ce-2f88-4201-bbd2-d0e979f342c1",
	"created_at": "2026-04-06T00:22:01.964281Z",
	"updated_at": "2026-04-10T13:12:32.668464Z",
	"deleted_at": null,
	"sha1_hash": "14ad1d4e9a4065506ccc03af146fa331786c3735",
	"title": "Identifying UNC2452-Related Techniques for ATT\u0026CK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466187,
	"plain_text": "Identifying UNC2452-Related Techniques for ATT\u0026CK\r\nBy Matt Malone\r\nPublished: 2022-04-27 · Archived: 2026-04-05 13:12:07 UTC\r\nBy\r\n(MITRE), (MITRE), (MITRE), and (MITRE)\r\nLast updated 27 April 2022 12:00pm EDT\r\nReporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used.\r\nMITRE’s ATT\u0026CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively and more recently attributed to the existing APT29/Cozy Bear/The Dukes threat group by Mandiant, and members of the US Intelligence Community, as well as SUNBURST, SUNSPOT, Raindrop, and TEARDROP malware. We have now published a point release to ATT\u0026CK, v8.2, with the information we’ve mapped and new techniques we’ve spotted so far.\r\nIt’s also been difficult keeping up with all the reporting and updates while trying to track down descriptions of adversary behavior, particularly as we’re looking for direct analysis of intrusion data rather than derivative reporting. We were originally listing reports we were tracking in this blog post itself, but have moved our tracking to a GitHub repository and are continuing to update that in partnership with MITRE Engenuity’s Center for Threat-Informed Defense.\r\nA key challenge in mapping current reporting is that the actor used a number of behaviors not currently described by ATT\u0026CK Enterprise or Cloud techniques. We have added new techniques, sub-techniques, and expansions of scope on existing content to improve this coverage and wanted to describe what’s new in ATT\u0026CK v8.2.\r\nUNC2452 Technique Analysis\r\nhttps://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714\r\nPage 1 of 4\r\nFirst and foremost, we would like to thank the individuals and teams responsible for analyzing, publishing, and/or contributing invaluable information to help the community react and respond to this incident. This wealth of publicly available intelligence has described many behaviors performed by the threat actor identified as UNC2452/Dark Halo/SolarStorm. Mapping these behaviors to ATT\u0026CK, we see a combination of very commonly used techniques (such as T1059 Command and Scripting Interpreter, T1105 Ingress Tool Transfer, and T1218 Signed Binary Proxy Execution) as well as others that are less often disclosed in public reporting (e.g., T1195 Supply Chain Compromise). You can see the techniques we currently have mapped in the ATT\u0026CK Navigator here, or grab the Navigator layer file from our repository here.\r\nTechniques used by UNC2452 across multiple reports.\r\nSeveral behaviors were identified that weren’t previously explicitly captured within existing techniques. We have now released updates that include:\r\nNew procedural example variations of techniques, such as T1070 Indicator Removal on Host including UNC2452 reverting changes to legitimate utilities and tasks after abuse, and T1098.002 Account Manipulation: Exchange Email Delegate Permissions including them granting additional permissions to the target Application or Service Principal to read mail content from Exchange Online via Microsoft Graph or Outlook REST\r\nExpansion of current technique scoping, such as the T1098.001 Account Manipulation: Additional Cloud Credentials description being amended to include adding credentials to legitimate OAuth Applications as well as Service Principals in Azure AD\r\nNew (sub-)techniques not previously published within ATT\u0026CK, such as those necessary to describe UNC2452 forging web cookies (T1606.001 Forge Web Credentials: Web Cookies) and SAML tokens (T1606.002 Forge Web Credentials: SAML Tokens) via stolen secret keys and compromised signing certificates (T1552.004 Unsecured Credentials: Private Keys), and making malicious modifications to domain federation trust settings to include adversary-owned objects (T1484.002 Domain Policy Modification: Domain Trust Modification)\r\nNew Group/Software Entries\r\nAlong with new/updated techniques, we have added several new group and software entries to ATT\u0026CK, including:\r\nA new group representing the threat group responsible for the intrusions, added as UNC2452 with associated group names of Solorigate, StellarParticle and Dark Halo.\r\nNew malware first spotted in this intrusion, including Sunburst, Teardrop, Sunspot, and Raindrop.\r\nAn existing tool used in this intrusion, AdFind.\r\nMore to Come?\r\nWe don’t expect to add more content to ATT\u0026CK itself before our next major release (announced as planned for April 2021 in our recent State of the ATT\u0026CK), but anticipate that more reporting on this intrusion will continue to be released. We will continue to watch and add reporting to our public report tracking, and to add any new techniques or software that appear to the next release of ATT\u0026CK.\r\nIf you see a technique we’re missing from existing reporting, a report with unique information that we’re missing out on, or want to share a mapping of a new report you’ve done, please reach out to us at attack@mitre.org.\r\n©2020-2021 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 20–00841–22.\r\nSource: https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714"
	],
	"report_names": [
		"identifying-unc2452-related-techniques-9f7b6c7f3714"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14ad1d4e9a4065506ccc03af146fa331786c3735.pdf",
		"text": "https://archive.orkl.eu/14ad1d4e9a4065506ccc03af146fa331786c3735.txt",
		"img": "https://archive.orkl.eu/14ad1d4e9a4065506ccc03af146fa331786c3735.jpg"
	}
}