{
	"id": "048edcc4-82e2-4f1d-b3ab-45ef71d17995",
	"created_at": "2026-04-06T00:20:12.660942Z",
	"updated_at": "2026-04-10T03:37:33.208731Z",
	"deleted_at": null,
	"sha1_hash": "3e12cb61b1ed7d6978d8423440760770e0b2ef36",
	"title": "GitHub - mandiant/Mandiant-Azure-AD-Investigator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108084,
	"plain_text": "GitHub - mandiant/Mandiant-Azure-AD-Investigator\r\nBy Willi Ballenthin (Google)\r\nArchived: 2026-04-05 14:15:12 UTC\r\nFocusing on UNC2452 TTPs\r\nOverview\r\nThis repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other\r\nthreat actor activity. Some indicators are \"high-fidelity\" indicators of compromise, while other artifacts are so-called\r\n\"dual-use\" artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to\r\nlegitimate functionality. Analysis and verification will be required for these. For a detailed description of the\r\ntechniques used by UNC2452 see our blog.\r\nThis tool is read-only. It does not make any changes to the Microsoft 365 environment.\r\nIn summary this module will:\r\nDo a best-effort job at identifying indicators of compromise that will require further verification and\r\nanalysis\r\nIt will not:\r\nIdentify a compromise 100% of the time, or\r\nTell you if an artifact is legitimate admin activity or threat actor activity.\r\nWith community feedback, the tool may become more thorough in its detection of IOCs. Please open an issue,\r\nsubmit a PR, or contact the authors if you have problems, ideas, or feedback.\r\nFeatures\r\nFederated Domains (Invoke-MandiantAuditAzureADDomains)\r\nThis module uses MS Online PowerShell to look for and audit federated domains in Azure AD. All federated\r\ndomains will be output to the file federated domains.csv .\r\nSigning Certificate Unusual Validity Period - Alerts on a federated domain where the signing certificates\r\nhave a validity period of \u003e 1 year. AD FS managed certificates are valid for only one year. Validity periods\r\nthat are longer than one year could be an indication that a threat actor has tampered with the domain\r\nfederation settings. 
They may also be indicative of the use of a legitimate custom token-signing certificate.\r\nHave your administrators verify if this is the case.\r\nSigning Certificate Mismatch - Alerts on federated domains where the issuer or subject of the signing\r\ncertificates do not match. In most cases the token-signing certificates will be from the same issuer\r\nhttps://github.com/fireeye/Mandiant-Azure-AD-Investigator\r\nPage 1 of 8\n\nand have the same subject. If there is a mismatch, then it could be an indication that a threat actor has\r\ntampered with the domain federation settings. Have your administrators verify if the subject and issuer\r\nnames are expected, and if not consider performing a forensic investigation to determine how the changes\r\nwere made and to identify any other evidence of compromise.\r\nAzure AD Backdoor (any.sts) - Alerts on federated domains configured with any.sts as the Issuer URI.\r\nThis is indicative of usage of the Azure AD Backdoor tool. Consider performing a forensic investigation to\r\ndetermine how the changes were made and to identify any other evidence of compromise.\r\nFederated Domains - Lists all federated domains and the token issuer URI. Verify that the domain should\r\nbe federated and that the issuer URI is expected.\r\nUnverified Domains - Lists all unverified domains in Azure AD. Unverified domains should not be kept in\r\nAzure AD for long in an unverified state. Consider removing them.\r\nExamples\r\n!! Evidence of AAD backdoor found.\r\nConsider performing a detailed forensic investigation\r\nDomain name: foobar.com\r\nDomain federation name:\r\nFederation issuer URI: http://any.sts/16B45E3B\r\n‼️ The script has identified a domain that has been federated with an issuer URI that is an indicator of an Azure\r\nAD Backdoor. The backdoor sets the issuer URI to hxxp://any.sts by default. 
Consider performing a forensic\r\ninvestigation to determine how the changes were made and identify any other evidence of compromise.\r\n!! A token signing certificate has a validity period of more than 365 days.\r\nThis may be evidence of a signing certificate not generated by AD FS.\r\nDomain name: foobar.com\r\nFederation issuer uri: http://sts.foobar.com\r\nSigning cert not valid before: 1/1/2020 00:00:00\r\nSigning cert not valid after: 12/31/2025 23:59:59\r\n⚠️ The script has identified a federated domain with a token-signing certificate that is valid for longer than the\r\nstandard 365 days. Consult with your administrators to see if the token-signing certificate is manually managed\r\nand if it is expected to have the stated validity period. Consider performing a forensic investigation if this is not\r\nexpected.\r\nService Principals (Invoke-MandiantAuditAzureADServicePrincipals)\r\nThis module uses Azure AD PowerShell to look for and audit Service Principals in Azure AD.\r\nFirst-party Service Principals with added credentials - First-party (Microsoft published) Service\r\nPrincipals should not have added credentials except in rare circumstances. Environments that are or were\r\npreviously in a hybrid-mode may have credentials added to Exchange Online, Skype for Business, and\r\nAAD Password Protection Proxy Service Principals. Verify that the Service Principal credential is part of a\r\nlegitimate use case. Consider performing a forensic investigation if the credential is not legitimate.\r\nService Principals with high level privileges and added credentials - Identifies Service Principals that\r\nhave high-risk API permissions assigned and added credentials. While the Service Principal and added\r\npermissions are likely legitimate, the added credentials may not be. Verify that the Service Principal\r\ncredentials are part of a legitimate use case. 
Verify that the Service Principal needs the listed permissions.\r\nExamples\r\n!! Identified first-party (Microsoft published) Service Principals with added credentials.\r\nOnly in rare cases should a first-party Service Principal have an added credential.\r\nVerify that the added credential has a legitimate use case and consider further investigation if not\r\n*******************************************************************\r\nObject ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nApp ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nDisplay Name : Office 365 Exchange Online\r\nKey Credentials :\r\nCustomKeyIdentifier :\r\nEndDate : 12/9/2017 2:10:29 AM\r\nKeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nStartDate : 12/9/2015 1:40:30 AM\r\nType : AsymmetricX509Cert\r\nUsage : Verify\r\nValue :\r\n⚠️ The script has identified a first-party (Microsoft) Service Principal with added credentials. First-party Service\r\nPrincipals should not have added credentials except in rare cases. Environments that are or were previously in a\r\nhybrid-mode may have credentials added to Exchange Online, Skype for Business, and AAD Password Protection\r\nProxy Service Principals. This may also be an artifact of UNC2452 activity in your environment. Consult with\r\nyour administrators and search the audit logs to verify the credential is legitimate. You can also use the \"Service\r\nPrincipal Sign-Ins\" tab in the Azure AD Sign-Ins blade to search for authentications to your tenant using this\r\nService Principal.\r\n!! 
Identified Service Principals with high-risk API permissions and added credentials.\r\nVerify that the added credential has a legitimate use case and consider further investigation if not\r\nObject ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nApp ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nDisplay Name : TestingApp\r\nKey Credentials :\r\n CustomKeyIdentifier :\r\n EndDate : 1/7/2025 12:00:00 AM\r\n KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n StartDate : 1/7/2021 12:00:00 AM\r\n Type : Symmetric\r\n Usage : Verify\r\n Value :\r\nPassword Credentials :\r\nRisky Permissions : Domain.ReadWrite.All\r\n⚠️ The script has identified a Service Principal with high-risk API permissions and added credentials. This may\r\nbe expected, as some third-party or custom-built applications require added credentials in order to function. This\r\nmay also be an artifact of UNC2452 activity in your environment. Consult with your administrators and search the\r\naudit logs to verify the credential is legitimate. You can also use the \"Service Principal Sign-Ins\" tab in the Azure\r\nAD Sign-Ins blade to search for authentications to your tenant using this Service Principal.\r\nApplications (Invoke-MandiantAuditAzureADApplications)\r\nThis module uses Azure AD PowerShell to look for and audit Applications in Azure AD.\r\nApplications with high level privileges and added credentials - Alerts on Applications that have high-risk API permissions and added credentials. While the Applications and added permissions are likely\r\nlegitimate, the added credentials may not be. Verify that the Application credentials are part of a legitimate\r\nuse case. Verify that the Application needs the listed permissions.\r\nExample\r\n!! 
High-privileged Application with credentials found.\r\nValidate that the application needs these permissions.\r\nValidate that the credentials added to the application are associated with a legitimate use case.\r\nObjectID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nAppID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nDisplayName: Acme Test App\r\nKeyCredentials:\r\nPasswordCredentials:\r\nCustomKeyIdentifier :\r\nEndDate : 12/22/2021 4:01:52 PM\r\nKeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nStartDate : 12/22/2020 4:01:52 PM\r\nValue :\r\nCustomKeyIdentifier :\r\nEndDate : 12/21/2021 6:32:54 PM\r\nKeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nStartDate : 12/21/2020 6:33:16 PM\r\nValue :\r\nRisky Permissions:\r\nMail.Read (Read mail in all mailboxes)\r\nDirectory.Read.All (Read all data in the organization directory)\r\n⚠️ The script has identified an Application with high-risk API permissions and added credentials. This may be\r\nexpected, as some third-party or custom-built applications require added credentials in order to function. This may\r\nalso be an artifact of UNC2452 activity in your environment. Consult with your administrators and search the\r\naudit logs to verify the credential is legitimate.\r\nCloud Solution Provider Program (Invoke-MandiantGetCSPInformation)\r\nThis module checks to see if the tenant is managed by a CSP, or partner, and if delegated administration is\r\nenabled. Delegated administration allows the CSP to access a customer tenant with the same privileges as a Global\r\nAdministrator. Although the CSP program enforces strong security controls on the partner's tenant, a threat actor\r\nthat compromises the CSP may be able to access customer environments. Organizations should verify if their\r\npartner needs delegated admin privileges and remove it if not. 
If the partner must maintain delegated admin\r\naccess, consider implementing Conditional Access Policies to restrict their access.\r\nOrganizations can check and manage partner relationships by opening the Admin Center and navigating to\r\nSettings -\u003e Partner Relationships on the left-hand menu bar.\r\nMailbox Folder Permissions (Get-MandiantMailboxFolderPermissions)\r\nThis module audits all the mailboxes in the tenant for the existence of suspicious folder permissions. Specifically,\r\nthis module will examine the \"Top of Information Store\" and \"Inbox\" folders in each mailbox and check the\r\npermissions assigned to the \"Default\" and \"Anonymous\" users. Any value other than \"None\" will result in the\r\nmailbox being flagged for analysis. In general, the Default and Anonymous users should not have permissions on\r\nuser inboxes, as this will allow any user to read their contents. Some organizations may find shared mailboxes with\r\nthis permission, but it is not recommended practice.\r\nApplication Impersonation (Get-MandiantApplicationImpersonationHolders)\r\nThis module outputs the list of users and groups that hold the ApplicationImpersonation role. Any user or member\r\nof a group in the output of this command can use impersonation to \"act as\" and access the mailbox of any other\r\nuser in the tenant. Organizations should audit the output of this command to ensure that only expected users and\r\ngroups are included, and where possible further restrict the scope.\r\nPurview Audit (Formerly Advanced Audit) (Invoke-MandiantCheckAuditing)\r\nThis module will enumerate all licensed users in the tenant that are licensed for Purview Audit Mail Items\r\nAccessed. It will generate a CSV report documenting whether or not the feature has been enabled on an eligible\r\nmailbox. 
Organizations should filter on mailboxes that are eligible for Mail Items Accessed but have the feature\r\ndisabled and verify that this is intentional.\r\nUnified Audit Log (Get-MandiantUnc2452AuditLogs)\r\nThis module is a helper script to search the Unified Audit Log. Searching the Unified Audit Log has many\r\ntechnical caveats that can be easy to overlook. This module can help simplify the search process by implementing\r\nbest practices for navigating these caveats and handling some common errors.\r\nBy default, the module will search for log entries that can record UNC2452 techniques. The log records may also\r\ncapture legitimate administrator activity, and will need to be verified.\r\nUpdate Application - Records actions taken to update App Registrations.\r\nSet Domain Auth - Records when authentication settings for a domain are changed, including the creation\r\nof federation realm objects. These events should occur rarely in an environment and may indicate a threat\r\nactor configuring an AAD backdoor.\r\nSet Federation Settings - Records when the federation realm object for a domain is modified. 
These\r\nevents should occur rarely in an environment and may indicate a threat actor preparing to execute a Golden\r\nSAML attack.\r\nUpdate Application Certificates and Secrets - Records when a secret or certificate is added to an App\r\nRegistration.\r\nPowerShell Mailbox Logins - Records Mailbox Login operations where the client application was\r\nPowerShell.\r\nUpdate Service Principal - Records when updates are made to an existing Service Principal.\r\nAdd Service Principal Credentials - Records when a secret or certificate is added to a Service Principal.\r\nAdd App Role Assignment - Records when an App Role (Application Permission) is added.\r\nApp Role Assignment for User - Records when an App Role is assigned to a user.\r\nPowerShell Authentication - Records when a user authenticates to Azure AD using a PowerShell client.\r\nNew Management Role Assignments - Records when new management role assignments are created.\r\nThis can be useful to identify new ApplicationImpersonation grants.\r\nUsage\r\nRequired Modules\r\nThe PowerShell module requires the installation of three Microsoft 365 PowerShell modules.\r\nAzureAD\r\nMSOnline\r\nExchangeOnlineManagement\r\nMicrosoft.Graph\r\nTo install the modules:\r\n1. Open a PowerShell window as a local administrator (right-click then select Run As Administrator)\r\n2. Run the command Install-Module \u003cMODULE NAME HERE\u003e and follow the prompts\r\nRequired User Permissions\r\nThe PowerShell module must be run with a Microsoft 365 account assigned specific privileges.\r\nGlobal Administrator or Global Reader role in the Azure AD portal\r\nView-Only Audit Logs in the Exchange Control Panel\r\nUser.Read.All and Directory.Read.All scopes. Global Reader role holders should have the ability\r\nto use these scopes automatically.\r\nTo grant an account View-Only Audit Logs in the Exchange Control Panel:\r\n1. 
Navigate to https://outlook.office365.com/ecp and login as a global admin or exchange admin (note: the\r\nexact URL may differ if you are in an alternate cloud)\r\n2. Click admin roles in the dashboard, or expand the roles tab on the left and click admin roles if you\r\nare in the new UI\r\n3. Create a new admin role by clicking the + sign or clicking add new role group\r\n4. Give your role a name and default write-scope\r\n5. Add the View-Only Audit Logs permission to the role\r\n6. Add the user to the role\r\nNote: it can take up to an hour for this role to apply\r\nRunning the tool\r\n1. Download this tool as a ZIP and unzip it, or clone the repository to your system\r\n2. Open a PowerShell window\r\n3. Change directories to the location of this module: cd C:\\path\\to\\the\\module\r\n4. Import this module with Import-Module .\\MandiantAzureADInvestigator.psd1 . You should receive this output:\r\n Mandiant Azure AD Investigator\r\n Focusing on UNC2452 Investigations\r\nPS C:\\Users\\admin\\Desktop\\mandiant\u003e\r\n5. Connect to Azure AD by running Connect-MandiantAzureEnvironment -UserPrincipalName \u003cyour\r\nusername here\u003e . You should receive a login prompt and output to the PowerShell window indicating the\r\nconnections have been established. Note: If you run into issues you may need to change your execution\r\npolicy by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned . 
This may require\r\nadministrator privileges.\r\n----------------------------------------------------------------------------\r\nThe module allows access to all existing remote PowerShell (V1) cmdlets in addition to the 9 new, faster, and mo\r\n|--------------------------------------------------------------------------|\r\n| Old Cmdlets | New/Reliable/Faster Cmdlets |\r\n|--------------------------------------------------------------------------|\r\n| Get-CASMailbox | Get-EXOCASMailbox |\r\n| Get-Mailbox | Get-EXOMailbox |\r\n| Get-MailboxFolderPermission | Get-EXOMailboxFolderPermission |\r\n| Get-MailboxFolderStatistics | Get-EXOMailboxFolderStatistics |\r\n| Get-MailboxPermission | Get-EXOMailboxPermission |\r\n| Get-MailboxStatistics | Get-EXOMailboxStatistics |\r\n| Get-MobileDeviceStatistics | Get-EXOMobileDeviceStatistics |\r\n| Get-Recipient | Get-EXORecipient |\r\n| Get-RecipientPermission | Get-EXORecipientPermission |\r\n|--------------------------------------------------------------------------|\r\nTo get additional information, run: Get-Help Connect-ExchangeOnline or check https://aka.ms/exops-docs\r\nSend your product improvement suggestions and feedback to exocmdletpreview@service.microsoft.com. For issues rel\r\n----------------------------------------------------------------------------\r\nAccount Environment TenantId TenantDoma\r\n------- ----------- -------- ----------\r\ndoug@test.onmicrosoft.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.onm...\r\n6. Run all checks with Invoke-MandiantAllChecks -OutputPath \u003cpath\\to\\output\\files\u003e . You can also run\r\nindividual checks using the specific cmdlet.\r\n7. Review the output on the screen and the written CSV files.\r\nFurther Reading\r\nFor additional information from Mandiant regarding UNC2452, please see:\r\nHighly Evasive Attacker Leverages SolarWinds Supply chain to Compromise Multiple Global Victims\r\nwith SUNBURST Backdoor\r\nRemediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452\r\nThe response to UNC2452 has been a significant effort across the security industry and these blogs heavily cite\r\nadditional contributions that will be of value to users of this tool. We recommend reading the linked material from\r\nthese posts to best understand activity in your environment. As always, the Mandiant team is available to answer\r\nfollow-up questions or further assist on an investigation by contacting us here.\r\nSource: https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/fireeye/Mandiant-Azure-AD-Investigator"
	],
	"report_names": [
		"Mandiant-Azure-AD-Investigator"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e12cb61b1ed7d6978d8423440760770e0b2ef36.pdf",
		"text": "https://archive.orkl.eu/3e12cb61b1ed7d6978d8423440760770e0b2ef36.txt",
		"img": "https://archive.orkl.eu/3e12cb61b1ed7d6978d8423440760770e0b2ef36.jpg"
	}
}