{
	"id": "d2ada363-24fc-4018-85b4-4c9428ab8234",
	"created_at": "2026-04-10T03:21:57.644834Z",
	"updated_at": "2026-04-10T13:11:56.464454Z",
	"deleted_at": null,
	"sha1_hash": "b520b9cb7fe1850b3915d6c3ee8ac09a0c6d8037",
	"title": "Attack Graph Response to UNC1151 Continued Targeting of Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161385,
	"plain_text": "Attack Graph Response to UNC1151 Continued Targeting of\r\nUkraine\r\nBy AttackIQ, Inc.\r\nPublished: 2022-04-29 · Archived: 2026-04-10 02:26:17 UTC\r\nSince the beginning of the Russian invasion of Ukraine at the end of February 2022, there has been a substantial\r\nincrease in cyberattacks against Ukrainian targets by groups closely aligned with Russian state interests. Among\r\nthem are new attacks from a threat actor likely operating out of Belarus, known as UNC1151 or Ghostwriter. The threat\r\nactor was first identified in July 2020 by FireEye, which identified attacks aligned with Russian security interests\r\ninvolving Lithuania, Latvia, and Poland going back to July 2016.\r\nIn March 2020 the Ghostwriter campaign began targeting Ukraine, with the actor primarily engaged in credential\r\nharvesting and malware campaigns delivering HALFSHELL. A recent report from Cluster25 identified a  as they\r\nbegan to leverage the open-source tool MicroBackdoor for command and control operations prior to Russia’s\r\ninvasion of Ukraine.\r\nTo protect our customers from these threats, AttackIQ has released an attack graph emulating newly observed\r\nbehaviors and an additional larger atomic assessment covering UNC1151’s historical tools, techniques, and\r\nprocedures. Customers can use these templates to validate their security program performance against this\r\nadversary.\r\nUNC1151 – 2022-03 – MicroBackdoor Campaign – this attack graph linearly emulates a realistic attack, starting\r\nfrom the adversary’s initial persistence and leading towards the ultimate goal of data exfiltration. Specifically, the\r\nattack graph takes the following steps:\r\nScenario 1: Registry Run Keys / Startup Folder (T1547.001): After the initial delivery of a malicious Microsoft\r\nCompressed HTML Help (CHM) file, a Visual Basic script creates a shortcut (LNK) file in the Startup folder for\r\nall users. 
Placing an executable or shortcut file in that directory will cause the file to be launched when a user logs\r\nin to the system.\r\n1a. Detection Process\r\nUsing a SIEM or EDR platform to monitor modifications to the Run and RunOnce keys will alert when unauthorized\r\nusers or software make modifications to\r\n“HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”\r\nProcess name: reg.exe\r\nhttps://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/\r\nPage 1 of 6\n\nCommand Line CONTAINS (“ADD” AND “Microsoft\\Windows\\CurrentVersion\\Run” AND “/V”)\r\nOptionally you can include a User NOT IN [\u003clist of expected users\u003e] condition to lower the chance of false positives.\r\n1b. Mitigation Policies\r\nThis type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of\r\nsystem features. For best protection, ensure group policy is set to only allow specific users with a need to utilize\r\nreg.exe, and have anti-virus enabled to statically and dynamically scan files for possible malicious use of the\r\nregistry.\r\nScenario 2: Signed Binary Proxy Execution: Regsvcs / Regasm (T1218.009): The next step is loading a\r\nmalicious Dynamic-Link Library (DLL) by abusing the Assembly Registration Tool (Regasm) to proxy execution\r\nof code through a trusted Windows utility. This tool is digitally signed by Microsoft and allows the actor to bypass\r\ncode signing restrictions.\r\n2a. 
Detection Process\r\nAlthough this attack uses living off the land binaries, searching your EDR or SIEM for the following suspicious\r\nprocess activity can give great visibility into possible malicious use of regasm.exe and regsvcs.exe:\r\nParent Process Name == (cmd.exe OR powershell.exe)\r\nParent Process Command Line CONTAINS “.bat”\r\nProcess Name == (Regasm.exe OR Regsvcs.exe)\r\nProcess Command Line CONTAINS (“temp” OR “tmp”) AND “.dll”\r\nThe above query checks whether a command line interpreter is running a batch file that launches regasm.exe or\r\nregsvcs.exe with command line parameters indicating execution of a .dll located in a writable temp folder. This is a\r\nnarrow detection; removing the temp path condition as well as the parent process and command line\r\ndetails will widen the detection coverage, but will produce a larger number of false positives.\r\n2b. Mitigation Policies\r\nUtilizing Group Policy or application whitelisting software, ensure that only authorized and expected users are\r\nable to run command line interpreters such as cmd.exe and PowerShell, as well as assembly registration utilities such as regasm.exe\r\nand regsvcs.exe.\r\nScenario 3: Deobfuscate / Decode Files or Information (T1140): The threat actor uses various techniques to\r\nobfuscate their scripts and malware to make static analysis difficult. One of the methods leveraged by UNC1151 is\r\nto use the Windows “certutil” application’s built-in functionality to decode base64 encoded files.\r\n3a. Detection Process\r\nAlthough this attack uses living off the land binaries, searching your EDR or SIEM for the following suspicious\r\nprocess activity can give great visibility into possible malicious use of certutil.exe:\r\nProcess Name == Certutil.exe\r\nCommand Line CONTAINS “-decode” AND “.exe”\r\n3b. 
Mitigation Policies\r\nUtilizing Group Policy or application whitelisting software, ensure that only authorized and expected users are\r\nable to run command line interpreters such as cmd.exe and PowerShell, as well as certutil.exe, which can be used\r\nnot only for this decode technique but for file transfer as well.\r\nScenario 4: Ingress Tool Transfer (T1105): The MicroBackdoor sample used in this attack is downloaded and\r\nwritten to disk. This scenario tests the effectiveness of the AV controls in your network and endpoint tools.\r\n4a. Detection Process\r\nMalicious file downloads are often performed with living off the land binaries such as Certutil.exe and\r\nPowershell.exe. Below are detections for each download method:\r\nPowerShell download:\r\nProcess Name == Powershell.exe\r\nCommand Line CONTAINS (“DownloadData” AND “Hidden”)\r\nCertutil download:\r\nProcess Name == Certutil.exe\r\nCommand Line CONTAINS (“-urlcache” AND “-f”)\r\n4b. Mitigation Policies\r\nUtilizing Group Policy or application whitelisting software, ensure that only authorized and expected users are\r\nable to run command line interpreters such as cmd.exe and PowerShell, as well as certutil.exe.\r\nScenario 5: Process Discovery (T1057): The attack graph then engages in discovery techniques using the native\r\nWindows command “tasklist” to collect what processes are running. This data is then sent to the actor’s\r\ncommand-and-control server.\r\n5a. Detection Process\r\nUsing an EDR or SIEM product, use the following parameters to identify possible enumeration of system\r\nprocesses:\r\nProcess Name == (“cmd.exe” OR “powershell.exe”)\r\nCommand Line CONTAINS (“Tasklist” AND “/FO”)\r\nUser NOT IN [\u003clist of expected administrators to be issuing these commands\u003e]\r\n5b. 
Mitigation Policies\r\nEnsure application whitelisting is in place to allow only permitted users/administrators the right to run utility\r\nbinaries such as cmd.exe, powershell.exe, tasklist.exe, and WMIC.exe.\r\nScenario 6: System Information Discovery (T1082): In this step, the actor seeks to obtain system information\r\nthrough execution of the “systeminfo” command; the results are collected for later exfiltration.\r\n6a. Detection Process\r\nAlthough commands such as “systeminfo” are used by administrators frequently, there should still be alerts in\r\nplace when unexpected users run these commands, as this could be a sign of user enumeration\r\nand system discovery.\r\nWith an EDR, if possible, look for the following details:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nCommand Line CONTAINS (“systeminfo”)\r\nUser != [\u003clist of expected administrators to be issuing these commands\u003e]\r\n6b. Mitigation Policies\r\nEnsure that Group Policy allows only authorized users / administrators to run cmd.exe or\r\npowershell.exe. These interpreters can be restricted for lower privileged or unneeded users to prevent enumeration or\r\nabuse.\r\nScenario 7: Screen Capture (T1113): MicroBackdoor has the capability to take screenshots of the active user’s\r\ndesktop. This scenario emulates the behavior by executing a PowerShell script that uses a native Windows library,\r\n“System.Drawing”, to make a copy of the screen.\r\n7a. Detection Process\r\nProcess Name == Powershell.exe\r\nCommand Line CONTAINS (“Graphics.CopyFromScreen” OR “System.Drawing”)\r\n7b. 
Mitigation Policies\r\nUtilizing Group Policy or application whitelisting software, ensure that only authorized and expected users are\r\nable to run command line interpreters such as cmd.exe and PowerShell.\r\nScenario 8: System Network Configuration Discovery (T1016): The threat actor uses various Windows\r\nutilities to identify information about the infected host’s network. The following commands are executed and\r\ninformation collected:\r\nRouting information: route print\r\nIP information: ipconfig /all\r\nConnected Domain Controller: nltest /DSGETDC:\r\nNetwork Shares: net use\r\nARP information: arp -a\r\n8a. Detection Process\r\nUsing an EDR or SIEM tool, you can monitor usage of Windows network discovery tools. Keep in mind that these are\r\nbinaries used rather frequently. We strongly recommend querying these commands with an “exclude user” option\r\nto limit false positives if that option is available in your EDR/SIEM product.\r\nProcess Name == (“cmd.exe” OR “powershell.exe”)\r\nCommand Line CONTAINS (“route print” OR “ipconfig /all” OR “nltest /DSGETDC” OR “net use” OR “arp -a”)\r\nUser NOT IN [\u003clist of expected administrators to be issuing these commands\u003e]\r\n8b. Mitigation Policies\r\nEnsure application whitelisting is in place to allow only permitted users/administrators the right to run utility\r\nbinaries such as cmd.exe, powershell.exe, route.exe, ipconfig.exe, nltest.exe, net.exe, and arp.exe. Although some\r\nof these may be used on a day-to-day basis, only authorized users should have the right to run these executables to\r\nprevent misuse.\r\nScenario 9: Exfiltrate Files over C2 Channel (T1041): Finally, the last step is the exfiltration of system files\r\nover HTTP.\r\n9b. 
Mitigation Policies\r\nEnsure any Data Loss Prevention (DLP) products, or network products that monitor exfiltration of data, are set\r\nwith policies to alert on sensitive/large file exfiltration. Rules that look for anomalies in data transfer sizes\r\nand file types are effective ways of identifying exfiltration.\r\nUNC1151 – Intrusion Set – This atomic assessment template focuses on emulating all Tactics, Techniques, and\r\nProcedures (TTPs) used by the adversary since at least 2016. This template is the result of combining multiple\r\nreports on the adversary and their respective campaigns:\r\nMandiant: Ghostwriter Campaign (2021-04-28)\r\nProofpoint: Asylum Ambuscade (2022-03-01)\r\nUkraine CERT Alert (2022-03-07)\r\nQI-ANXIN: MicroBackdoor Campaign (2022-03-14)\r\nThe template contains multiple scenarios organized into the following tactics:\r\nInitial Access: The adversary specializes in carrying out phishing attacks using attachments, either\r\nOffice documents with embedded VBA macros acting as downloaders or compressed archive files.\r\nPersistence: UNC1151 has been observed using both Registry Run keys and shortcut files in the Startup\r\ndirectory in order to establish persistence on the compromised system.\r\nDefense Evasion: Various techniques have been observed in order to evade the system’s defenses, such as\r\nmasquerading as legitimate software, information encoding, and abuse of the Regasm utility to bypass security\r\ncontrols.\r\nDiscovery: The threat actor performs multiple reconnaissance techniques on the victim’s host and network\r\nto ensure the proper target has been infiltrated.\r\nCollection: The malware utilized by the adversary has been observed using additional modules to collect\r\nkeystrokes and screenshots for the purpose of harvesting credentials.\r\nCommand and Control: The adversary has typically leveraged the HTTP protocol to carry out\r\ncommunications between its infrastructure and the compromised systems. 
Within this tactic are scenarios\r\nthat download and save the MicroBackdoor, HALFSHELL, and SunSeed malware families.\r\nIn summary, the combination of this attack graph and atomic assessment will evaluate security and incident\r\nresponse processes and support the improvement of your security control posture against this threat actor and\r\nothers who leverage similar techniques. With data generated from continuous testing and use of this attack graph,\r\nyou can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate\r\nyour total security program effectiveness against a known and dangerous threat. For further information about\r\nhow to use attack graphs and the AttackIQ Security Optimization Platform to improve your security program\r\nperformance, please see our recent CISO’s Guide to Attack Graphs and MITRE ATT\u0026CK.\r\nSource: https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/"
	],
	"report_names": [
		"attack-graph-response-to-unc1151-continued-targeting-of-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775791317,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b520b9cb7fe1850b3915d6c3ee8ac09a0c6d8037.pdf",
		"text": "https://archive.orkl.eu/b520b9cb7fe1850b3915d6c3ee8ac09a0c6d8037.txt",
		"img": "https://archive.orkl.eu/b520b9cb7fe1850b3915d6c3ee8ac09a0c6d8037.jpg"
	}
}