{
	"id": "5f027895-65fa-4a05-8cc6-a7c9253c1c80",
	"created_at": "2026-04-06T01:29:03.540316Z",
	"updated_at": "2026-04-10T13:12:12.042184Z",
	"deleted_at": null,
	"sha1_hash": "c527e7648e148e65f269d9c75cd233fc19c6addb",
	"title": "Abusing cloud services to fly under the radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 265318,
	"plain_text": "Abusing cloud services to fly under the radar\r\nBy Wouter Jansen\r\nPublished: 2021-01-12 · Archived: 2026-04-06 00:26:26 UTC\r\ntl;dr\r\nNCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property\r\n(IP) from victims in the semiconductors industry through to data from the airline industry.\r\nIn their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC\r\nGroup and Fox-IT observed this threat actor during various incident response engagements performed between\r\nOctober 2019 and April 2020. Our threat intelligence analysts noticed clear overlap between the various cases in\r\ninfrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out\r\nthe intrusions across multiple victims, operating in Chinese interests.\r\nIn open source this actor is referred to as Chimera by CyCraft.\r\nNCC Group and Fox-IT have seen this actor remain undetected (their dwell time) for up to three years. As such, if\r\nyou were a victim, they might still be active in your network looking for your most recent crown jewels.\r\nWe contained and eradicated the threat from our clients’ networks during incident response, whilst our Managed\r\nDetection and Response (MDR) clients automatically received detection logic.\r\nWith this publication, NCC Group and Fox-IT aim to provide the wider community with information and\r\nintelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this\r\nintrusion set.\r\nThroughout we use terminology to describe the various phases, tactics, and techniques of the intrusions standardized\r\nby MITRE with their ATT\u0026CK framework. 
Near the end of this article all the tactics and techniques used by the\r\nadversary are listed with links to the MITRE website with more information.\r\nFrom initial access to defense evasion: how it is done\r\nAll the intrusions we have observed are performed in similar ways by the adversary: from initial access all\r\nthe way to actions on objectives. The objective in these cases appears to be stealing sensitive data from the victim’s\r\nnetworks.\r\nCredential theft and password spraying to Cobalt Strike\r\nThis adversary starts with obtaining usernames and passwords of their victim from previous breaches. These\r\ncredentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as\r\nwebmail or other internet reachable mail services. After obtaining a valid account, they use this account to access\r\nthe victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information\r\nhttps://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/\r\nPage 1 of 25\n\nregarding these remote services is taken from the mailbox, cloud drive, or other cloud resources accessible by the\r\ncompromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they\r\ncheck the permissions of the account on that system, and attempt to obtain a list of accounts with administrator\r\nprivileges. With this list of administrator accounts, the adversary performs another password spraying attack until a\r\nvalid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory\r\nof patient zero. 
From here on the adversary stops using the victim’s remote service to access the victim’s network,\r\nand starts using the Cobalt Strike beacon for remote access and command and control.\r\nNetwork discovery and lateral movement\r\nThe adversary continues their discovery of the victim’s network from patient zero. Various scans and queries are\r\nused to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the\r\nobtained valid account is already a member of the domain admins group, the first lateral move in the network is\r\nusually to a domain controller where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or\r\nother system likely used by domain admins is found and equipped with a Cobalt Strike beacon. After this the\r\nadversary dumps the domain admin credentials from the memory of this machine, continues moving laterally through\r\nthe network, and places Cobalt Strike beacons on servers for increased persistent access into the victim’s network. If\r\nthe victim’s network contains other Windows domains or different network security zones, the adversary scans and\r\nfinds the trust relationships and jump hosts, attempting to move into the other domains and security zones. The\r\nadversary is typically able to perform all the steps described above within one day.\r\nDuring this process, the adversary identifies data of interest from the network of the victim. This can be anything\r\nfrom file and directory listings, configuration files, manuals, email stores in the guise of OST and PST files, file\r\nshares with intellectual property (IP), and data scraped from memory. If the data is small enough, it is exfiltrated\r\nthrough the command and control channel of the Cobalt Strike beacons. 
However, usually the data is compressed\r\nwith WinRAR, staged on another system of the victim, and from there copied to a OneDrive account controlled by\r\nthe adversary.\r\nAfter the adversary completes their initial exfiltration, they return every few weeks to check for new data of interest\r\nand user accounts. At times they have been observed attempting to perform a degree of anti-forensic activities\r\nincluding clearing event logs, time stomping files, and removing scheduled tasks created for some objectives. But\r\nthis isn’t done consistently across their engagements.\r\nFraming the adversary’s work in the MITRE ATT\u0026CK framework\r\nCredential access (TA0006)\r\nThe earliest and longest lasting intrusion by this threat we observed was at a company in the semiconductors\r\nindustry in Europe and started early Q4 2017. The more recent intrusions took place in 2019 at companies in the\r\naviation industry. The techniques used to achieve access at the companies in the aviation industry closely resemble\r\ntechniques used at victims in the semiconductors industry.\r\nThe threat used valid accounts against remote services: cloud-based applications utilizing federated authentication\r\nprotocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in\r\nlog files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same\r\naccounts in previously breached databases. Besides that, the traces in log files showed more login\r\nattempts than usual with a username formatted as an email address, e.g. \u003cusername\u003e@\u003cemail domain\u003e, while usernames for\r\nlegitimate logins at the victim’s network were generally formatted like \u003cdomain\u003e\\\u003cusername\u003e. The attempted\r\nlogins came from a relatively small set of IP addresses.\r\nFor the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary\r\nachieving credential access by brute force, and more specifically by credential stuffing or password spraying.\r\nInitial access (TA0001)\r\nIn some of the intrusions the adversary used the valid account to directly log in to a Citrix environment and\r\ncontinued their work from there.\r\nIn one specific case, the adversary, now armed with the valid account, was able to access a document stored in\r\nSharePoint Online, part of Microsoft Office 365. This specific document described how to access the internet facing\r\ncompany portal and the web-based VPN client into the company network. Within an hour after grabbing this\r\ndocument, the adversary accessed the company portal with the valid account.\r\nFrom this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication\r\n(2FA) by sending an SMS with a one-time password (OTP) to the user account’s primary or alternate phone number.\r\nIt was possible to configure an alternate phone number for the logged in user account at the company portal. The\r\nadversary used this opportunity to configure an alternate phone number controlled by the adversary.\r\nBy performing two-factor authentication interception, receiving the OTP on their own telephone number, they\r\ngained access to the company network via the VPN. However, they also made a mistake during this process within\r\none incident. Our hypothesis is that they tested the 2FA system first or selected the primary phone number to send an\r\nSMS to. However, the European owner of the account received a text message with Simplified Chinese characters on\r\nthe primary phone number in the middle of the night Eastern European Time (EET). 
NCC Group and Fox-IT\r\nidentified that the language in the text message for 2FA is based on the web browser’s language settings used during\r\nthe authentication flow. Thus the 2FA code was sent with supporting Chinese text.\r\nAccount discovery (T1087)\r\nWith access into the network of the victim, the adversary finds a way to install a Cobalt Strike beacon on a system\r\nof the victim (see Execution). But before doing so, we observed the adversary checking the current permissions of\r\nthe obtained user account with the following commands:\r\nnet user\r\nnet user Administrator\r\nnet user \u003cusername\u003e /domain\r\nnet localgroup administrators\r\nIf the user account doesn’t have local administrative or domain administrative permissions, the adversary attempts\r\nto discover which local or domain admin accounts exist, and exfiltrates the admins’ usernames. To identify if\r\nprivileged users are active on remote servers, the adversary makes use of PsLogList from Microsoft Sysinternals to\r\nretrieve the Security event logs. The built-in Windows quser command to show logged on users is also heavily used\r\nby them. If such a privileged user was recently active on a server the adversary executes Cobalt Strike’s built-in\r\nMimikatz to dump its password hashes.\r\nPrivilege escalation (TA0004)\r\nThe adversary started a password spraying attack against those domain admin accounts, and successfully got a valid\r\ndomain admin account this way. In other cases, the adversary moved laterally to another system with a domain\r\nadmin logged in. We observed the use of Mimikatz on this system and saw the hashes of the logged in domain\r\nadmin account going through the command and control channel of the adversary. 
The adversary used a tool called\r\nNtdsAudit to dump the password hashes of domain users as well; we observed the following command:\r\nmsadcs.exe \"NTDS.dit\" -s \"SYSTEM\" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv\r\nNote: the adversary renamed ntdsaudit.exe to msadcs.exe.\r\nBut we also observed the adversary using the tool ntdsutil to create a copy of the Active Directory database\r\nNTDS.dit followed by a repair action with esentutl to fix a possibly corrupt NTDS.dit:\r\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\tmp\" q q\r\nesentutl /p /o ntds.dit\r\nBoth ntdsutil and esentutl are installed by default on a domain controller.\r\nA tool used by the adversary which wasn’t installed on the servers by default was DSInternals. DSInternals is a\r\nPowerShell module that makes use of internal Active Directory features. The files and directories found on various\r\nsystems of a victim match with DSInternals version 2.16.1. We have found traces that indicate DSInternals was\r\nexecuted and at which time, which match with the rest of the traces of the intrusion. We haven’t recovered traces of\r\nhow the adversary used DSInternals, but considering the phase of the intrusion in which the adversary used the tool, it is\r\nlikely they used it for either account discovery or privilege escalation, or both.\r\nExecution (TA0002)\r\nThe adversary installs a hacker’s best friend during the intrusion: Cobalt Strike. Cobalt Strike is a framework\r\ndesigned for adversary simulation intended for penetration testers and red teams. It has been widely adopted by\r\nmalicious threats as well.\r\nThe Cobalt Strike beacon is installed in memory by using a PowerShell one-liner. 
At least the following three\r\nversions of Cobalt Strike have been in use by the adversary:\r\nCobalt Strike v3.8, observed Q2 2017\r\nCobalt Strike v3.12, observed Q3 2018\r\nCobalt Strike v3.14, observed Q2 2019\r\nFox-IT has been collecting information about Cobalt Strike team servers since January 2015. This research project\r\ncovers the fingerprinting of Cobalt Strike servers and is described in the Fox-IT blog “Identifying Cobalt Strike team\r\nservers in the wild”. The collected information allows Fox-IT to correlate Cobalt Strike team servers, based on\r\nvarious configuration settings. Because of this, historic information was available during this investigation.\r\nWhenever a Cobalt Strike C2 channel was identified, Fox-IT performed lookups into the collection database. If a\r\nmatch was found, the configuration of the Cobalt Strike team server was analysed. This configuration was then\r\ncompared against the other Cobalt Strike team servers to check for similarities in, for example, domain names,\r\nversion number, URL, and various other settings.\r\nThe adversary heavily relies on scheduled tasks for executing a batch file (.bat) to perform their tasks. An example\r\nof the creation of such a scheduled task by the adversary:\r\nschtasks /create /ru \"SYSTEM\" /tn \"update\" /tr \"cmd /c c:\\windows\\temp\\update.bat\" /sc once /f /st 06:59:00\r\nThe batch files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the\r\ncompromised system.\r\nPersistence (TA0003)\r\nThe adversary loads the Cobalt Strike beacon in memory, without any persistence mechanisms on the compromised\r\nsystem. Once the system is rebooted, the beacon is gone. The adversary is still able to have persistent access by\r\ninstalling the beacon on systems with high uptimes, such as servers. 
Besides using the Cobalt Strike beacon, the\r\nadversary also searches for VPN and firewall configs, possibly to function as a backup access into the network. We\r\nhaven’t seen the adversary use those access methods after the first Cobalt Strike beacons were installed, maybe\r\nbecause it was never necessary.\r\nAfter the first bulk of data is exfiltrated, the persistent access into the victim’s network is periodically used by the\r\nadversary to check if new data of interest is available. They also create a copy of the NTDS.dit and SYSTEM registry hive file for new credentials to crack.\r\nDiscovery (TA0007)\r\nThe adversary applied a wide range of discovery tactics. In the list below we have highlighted a few specific tools\r\nthe adversary used for discovery purposes. You can find a summary of most of the commands used by the adversary\r\nto perform discovery at the end of this article.\r\nAccount discovery tool: PsLogList\r\nCommand used:\r\npsloglist.exe -accepteula -x security -s -a \u003cdate\u003e\r\nThis command exports a text file with comma separated fields. The text files contain the contents of the Security\r\nEvent log after the specified date.\r\nPsLogList is part of the Sysinternals toolkit from Mark Russinovich (Microsoft). The tool was used by the adversary\r\non various systems to write events from the Windows Security Event Log to a text file. A possible intent of the\r\nadversary could be to identify if privileged users are active on the systems. 
If such a privileged user was recently\r\nactive on a server the actor executes Cobalt Strike’s built-in Mimikatz to dump its credentials or password hash.\r\nAccount discovery tool: NtdsAudit\r\nCommand used:\r\nmsadcs.exe \"NTDS.dit\" -s \"SYSTEM\" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv\r\nIt imports the specified Active Directory database NTDS.dit and registry file SYSTEM and exports the found\r\npassword hashes into RecordedTV_pdump.txt and user details in RecordedTV_users.csv.\r\nThe NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics\r\nrelated to accounts and passwords. The utility was found on various systems of a victim and matches the\r\nNtdsAudit.exe program file version v2.0.5 published on the GitHub project page.\r\nNetwork service scanning\r\nCommands used:\r\nget -b \u003cstart ip\u003e -e \u003cend ip\u003e -p\r\nget -b \u003cstart ip\u003e -e \u003cend ip\u003e\r\nGet.exe appears to be a custom tool used to scan IP ranges for HTTP service information. NCC Group and Fox-IT\r\ndecompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into\r\na Windows executable file. Though Fox-IT didn’t find any direct occurrences of the tool on the internet, the\r\ndecompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans\r\nthe internal network for HTTP \u0026 HTTPS services and is able to discover HTTP\r\nservers within the range of a network.\r\nThe tool was shared on a Chinese forum around 2016.\r\nFigure 1: Example of a download location for GetHttpsInfo.exe\r\nLateral movement (TA0008)\r\nThe adversary used the built-in lateral movement possibilities in Cobalt Strike. 
Cobalt Strike has various methods\r\nfor deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes,\r\nPsExec, and WinRM. The adversary attempts to move to a domain controller as soon as possible after getting a\r\nfoothold into the victim’s network. They continue lateral movement and discovery in an attempt to identify the data\r\nof interest. This could be a webserver to carve data from memory, or a fileserver to copy IP, as we have both\r\nobserved.\r\nAt one customer, the data of interest was stored in a separate security zone. The adversary was able to find a dual\r\nhomed system and compromise it. From there on they used it as a jump host into the higher security zone and started\r\ncollecting the intellectual property stored on a file server in that zone.\r\nIn one event we saw the adversary compromise a Linux system through SSH. The user account was possibly\r\ncompromised on the Linux server by using credential stuffing or password spraying: log files on the Linux system\r\nshow traces which can be attributed to a credential stuffing or password spraying attack.\r\nLateral tool transfer (T1570)\r\nThe adversary applies living off the land techniques very well by incorporating default Windows tools in its\r\narsenal. But not all tools used by the adversary are so-called LOLBins: as said before, they use Cobalt Strike. But they\r\nalso rely on a custom tool for network scanning (get.exe), carving data from memory, compression of data, and\r\nexfiltrating data.\r\nBut first: how did they get the tools on the victim’s systems? The adversary copied those tools over SMB from\r\ncompromised system to compromised system wherever they needed these tools. 
A few examples of commands we\r\nobserved:\r\ncopy get.exe \\\\\u003cip\u003e\\c$\\windows\\temp\\\r\ncopy msadc* \\\\\u003chostname\u003e\\c$\\Progra~1\\Common~1\\System\\msadc\\\r\ncopy update.exe \\\\\u003cip\u003e\\c$\\windows\\temp\\\r\nmove ak002.bat \\\\\u003cip\u003e\\c$\\windows\\temp\\update.bat\r\nCollection (TA0009)\r\nIn preparation for exfiltration of the data needed for their objective, the adversary collected the data from various\r\nsources within the victim’s network. As described before, the adversary collected data from an information\r\nrepository, Microsoft SharePoint Online in this case. This document was exfiltrated and used to continue the\r\nintrusion via a company portal and VPN.\r\nIn all cases we’ve seen the adversary copying results of the discovery phase, like file and directory lists from local\r\nsystems, network shared drives, and file shares on remote systems. But email collection is also important for this\r\nadversary: with every intrusion we saw the mailbox of some users being copied, from both local and remote\r\nsystems:\r\nwmic /node:\u003cip\u003e process call create \"cmd /c copy c:\\Users\\\u003cusername\u003e\\\u003cpath\u003e\\backup.pst c:\\windows\\temp\\backup.pst\r\ncopy \"i:\\\u003cpath\u003e\\\u003cusername\u003e\\My Documents\\\u003cfilename\u003e.pst\"\r\ncopy \\\\\u003chostname\u003e\\c$\\Users\\\u003cusername\u003e\\AppData\\Local\\Microsoft\\Outlook*.ost\r\nFiles and folders of interest are collected as well and staged for exfiltration.\r\nThe goal of targeting some victims appears to be to obtain data. 
How this data is obtained likely differs per victim,\r\nbut we observed the usage of several custom DLL files used to continuously retrieve data from memory of systems\r\nwhere such data is typically processed.\r\nThe DLLs used were side-loaded in memory on compromised systems. After placing the DLL in the appropriate\r\ndirectory, the actor would change the date and time stamps on the DLL files to blend in with the other legitimate\r\nfiles in the directory.\r\nAdversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for\r\nintermittent storage of the collected data. This process is called staging and is one of the activities that NCC\r\nGroup and Fox-IT have observed in the analysed C2 traffic.\r\nWe’ve seen the adversary staging data on a remote system or on the local system. Most of the time the data is\r\ncompressed and copied at the same time. Only a handful of times did the adversary copy the data first before\r\ncompressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using\r\nWinRAR from the command line. The filename of the command-line executable for WinRAR is RAR.exe by\r\ndefault.\r\nThis activity group always uses a renamed version of rar.exe. 
We have observed the following filenames\r\noverlapping all intrusions:\r\njucheck.exe\r\nRecordedTV.ms\r\nteredo.tmp\r\nupdate.exe\r\nmsadcs1.exe\r\nThe adversary typically places the executables in the following folders:\r\nC:\\Users\\Public\\Libraries\\\r\nC:\\Users\\Public\\Videos\\\r\nC:\\Windows\\Temp\\\r\nWe have observed the following four different variants of the use of rar.exe as update.exe:\r\nupdate a -m5 -hp\u003cpassword\u003e \u003ctarget_filename\u003e \u003csource\u003e\r\nupdate a -m5 -r -hp\u003cpassword\u003e \u003ctarget_filename\u003e \u003csource\u003e\r\nupdate a -m5 -inul -hp\u003cpassword\u003e \u003ctarget_filename\u003e \u003csource\u003e\r\nupdate a -m5 -r -inul -hp\u003cpassword\u003e \u003ctarget_filename\u003e \u003csource\u003e\r\nThe command-line parameters have the following effect:\r\na = add to archive.\r\nm5 = use compression level 5.\r\nr = recurse subfolders.\r\ninul = suppress error messages.\r\nhp\u003cpassword\u003e = encrypt both file data and headers with password.\r\nThe password used and the file extensions for the staged data differ per intrusion. We’ve seen the use of .css, .rar, .log.txt,\r\nand no extension for staged pieces of data.\r\nAfter compromising a host with a Linux operating system, data is also compressed. This time the adversary\r\ncompresses the data as a gzipped tar file: tar.gz. Sometimes no file extension is used, or the file extension is .il.\r\nMost of the time the file names are prepended with adsDL_ or contain the word “list”. The files are staged in the\r\nhome folder of the compromised user account: /home/\u003cusername\u003e/\r\nCommand and control (TA0011)\r\nThe adversary uses Cobalt Strike as a framework to manage their compromised systems. 
We observed the use of\r\nCobalt Strike’s C2 protocol encapsulated in DNS by the adversary in 2017 and 2018. They switched to C2\r\nencapsulated in HTTPS in Q3 2019. An interesting observation is that they made use of a cracked/patched trial version\r\nof Cobalt Strike. This is important to note because the functionalities of Cobalt Strike’s trial version are limited.\r\nMore importantly: the trial version doesn’t support encryption of command and control traffic in cases where the\r\nprotocol itself isn’t encrypted, such as DNS. In one intrusion we investigated, the victim had years of logging\r\navailable of outgoing DNS requests. The DNS responses weren’t logged. This means that only the DNS C2 leaving\r\nthe victim’s network was logged. We developed a Python script that decoded and combined most of the logged C2\r\ncommunication into a human readable format. As the adversary used Cobalt Strike with DNS as command \u0026 control\r\nprotocol, we were able to reconstruct more than two years of adversary activity. With all this activity data, it was\r\npossible for us to create some insight into the ‘office’ hours of this adversary. The activity took place six days a\r\nweek, rarely on Sundays. The activity started on average at 02:36 UTC and rarely ended after 13:00 UTC. We\r\nobserved some periods where we expected activity of the adversary, but almost none was observed. These periods\r\nmatch with the Chinese Golden Week holiday.\r\nFigure 2: Heatmap of activity. Times on the X-axis are in UTC.\r\nThe adversary also changed their domains for command \u0026 control around the same time they switched C2\r\nprotocols. They used a subdomain under a regular parent domain with a .com TLD in 2017 and 2018, but they\r\nstarted using sub-domains under the parent domains appspot.com and azureedge.net in 2019. 
The parent domain\r\nappspot.com is a domain owned by Google, and part of Google’s App Engine platform as a service. Azureedge.net is\r\na parent domain owned by Microsoft, and part of Microsoft’s Azure content delivery network.\r\nExfiltration (TA0010)\r\nThe adversary uses the command and control channel to exfiltrate small amounts of data. This is usually information\r\ncontaining account details. For large amounts of data, such as the mailboxes and network shares with intellectual\r\nproperty, they use something else.\r\nOnce the larger chunks of data are compressed, encrypted, and staged, the data is exfiltrated using a custom built\r\ntool. This tool exfiltrates specified files to cloud storage web services. The following cloud storage web services are\r\nsupported by the malware:\r\nDropbox\r\nGoogle Drive\r\nOneDrive\r\nThe actor specifies the following arguments when running the exfiltration tool:\r\nName of the web service to be used\r\nParameters used for the web service, such as a client ID and/or API key\r\nPath of the file to read and exfiltrate to the web service\r\nWe have observed the exfiltration tool in the following locations:\r\nC:\\Windows\\Temp\\msadcs.exe\r\nC:\\Windows\\Temp\\OneDrive.exe\r\nHashes of these files are listed at the end of this article.\r\nDefense evasion (TA0005)\r\nThe adversary attempts to clean up some of the traces from their intrusions. While we don’t know what was deleted\r\nand were unable to recover it, we did see some of their anti-forensics activity:\r\nWindows event log clearing\r\nFile deletion\r\nTimestomping\r\nAn overview of the observed commands can be found in the appendix.\r\nFor indicator removal on host (timestomping), the adversary uses a Windows version of the Linux touch command. This\r\ntool is included in the UnxUtils repository. This makes sure the tools used by the adversary blend in with the other\r\nfiles in the directory when shown in a timeline. 
Creating a timeline is a common thing to do for forensic analysts to\r\nget a chronological view of events on a system.\r\nThe same activity group?\r\nA number of our intrusions involved tips from an industry partner who was able to correlate some of their upstream\r\nactivity.\r\nOur threat intelligence analysts observed clear overlap between the various cases that NCC Group and Fox-IT\r\nworked in the threat’s infrastructure and capabilities, and as a result we assess with moderate confidence one activity\r\ngroup was carrying out the intrusions across the different types of victims.\r\nSome overlap is very generic for a lot of groups, like the use of Cobalt Strike, or exfiltration to OneDrive.\r\nBut the tool used for exfiltration to OneDrive is very specific to this adversary, as is the use of appspot and azureedge\r\ndomains. The naming convention for their subdomains, tools and scripts overlaps too. In summary:\r\nThe adversary: Working hours match with GMT+8.\r\nInfrastructure: appspot.com and azureedge.net for C2 with a strong overlap in naming convention for subdomains\r\nand actual overlap in some subdomains between intrusions.\r\nCapability: Password spraying/credential stuffing. Cobalt Strike. Copy NTDS.dit. Use scheduled tasks and batch\r\nfiles for automation. The use of LOLBins. WinRAR. Cloud exfil tool and exfil to OneDrive. Erasing Windows\r\nEvent Logs, files and tasks. Overlap in filenames for tools, staged data, and folders.\r\nVictim: Semiconductors and aviation industry.\r\nWe considered labelling them as two activity groups, because of the difference in victims between various intrusions. But\r\nall the other overlap is strong enough for us to consider it as one group right now. 
This group might have gotten a\r\nnew customer interested in different data, which changed the intent and victims of the adversary.\r\nBut most importantly: the largest overlap is in the top half of the pyramid of pain: domain names, host artifacts,\r\ntools, and TTPs. And these are the hardest for the adversary to change, and most effective for long-lasting detection!\r\nFigure 3: Pyramid of pain by David J Bianco\r\nFox-IT and NCC Group found some very strong overlap between what we’ve seen in our intrusions, and what\r\nCyCraft describes in their APT Group Chimera report and Blackhat presentation. The bulk of the victims they\r\ndescribe are in different regions than we observed, which is likely caused by field of view bias. SentinelOne also\r\ndescribes an attack and shares IOCs that show strong overlap with the intrusions we investigated.\r\nConclusion\r\nAt this moment we believe, based on the evidence observed, that the various intrusions were performed by the same\r\ngroup. We can only report what we observed: first they stole intellectual property in the high tech sector, later they\r\nstole records, both across geographical locations. Both types of stolen data are very useful for nation states.\r\nAnswering whether this group has an advanced persistent threat (APT) technique, has some sort of state affiliation, or\r\nwhere they come from goes beyond the scope of this write-up. The threat intelligence and IOCs we are sharing are\r\nintended to help discover and prevent intrusions by this and other adversaries.\r\nA word of thanks goes out to all the forensic experts, incident responders, and threat intelligence analysts who\r\nhelped victims identify and eradicate the adversary. 
And everybody from NCC Group and Fox-IT (part of NCC\r\nGroup) for all the contributions to this article.\r\nIOC\r\nType\tData\tObserved\tNote\r\nBinary MD5\t133a159e86ff48c59e79e67a3b740c1e\t–\tget.exe (GetHttpsInfo)\r\nBinary MD5\t328ba584bd06c3083e3a66cb47779eac\t–\tpsloglist.exe\r\nBinary MD5\t65cf35ddcb42c6ff5dc56d6259cc05f3\t–\tupdate.exe (WinRAR)\r\nBinary MD5\t4d5440282b69453f4eb6232a1689dd4a\t–\tmsadcs.exe (Cloud exfil tool)\r\nBinary MD5\t90508ff4d2fc7bc968636c716d84e6b4\t–\tmsadcs.exe (Cloud exfil tool)\r\nBinary MD5\tc9b8cab697f23e6ee9b1096e312e8573\t–\tjucheck.exe (WinRAR)\r\nBinary MD5\tdd138a8bc1d4254fed9638989da38ab1\t–\tmsadcs.exe (NTDSAudit)\r\nC2 domain\tEuDbSyncUp[.]com\tQ4 2017 – Q4 2018\t–\r\nC2 domain\tUsMobileSos[.]com\tQ4 2017 – Q4 2018\t–\r\nC2 domain\tofficeeuupdate.appspot[.]com\tQ4 2017 – Q4 2018\t–\r\nC2 domain\tMsCupDb[.]com\tQ4 2017 – Q4 2018\t–\r\nC2 domain\tofficeeuropupd.appspot[.]com\tQ3 2019 – Q1 2020\t–\r\nC2 domain\tplatform-appses.appspot[.]com\tQ4 2019 – Q1 2020\t–\r\nC2 domain\twatson-telemetry.azureedge[.]net\tQ4 2019 – Q1 2020\t–\r\nC2 domain\teurope-s03213.appspot[.]com\t2019\t–\r\nC2 domain\teustylejssync.appspot[.]com\t2019\t–\r\nC2 domain\tfsdafdsfdsaflkjkxvzcuifsad.azureedge[.]net\t2019\t–\r\nC2 domain\tictsyncserver.appspot[.]com\t2019\t–\r\nC2 domain\tsowfksiw38f2aflwfif.azureedge[.]net\t2019\t–\r\nFilename\tfs_action*.bat\t–\tTask automation\r\nFilename\tfs_action*.ps1\t–\tTask automation\r\nFilename\tupdate.bat\t–\tTask automation\r\nFilename\tupdate*.bat\t–\tTask automation\r\nFilename\t*dsinternals*.dll\t–\tDSInternals lib files\r\nFilename\tget.exe\t–\tGetHttpsInfo\r\nFilename\tadsDL_\u003cdir\u003e.log\t–\tStaging data\r\nFilename\tgroup_membership.csv\t–\tSharpHound output\r\nFilename\tlocal_admins.csv\t–\tSharpHound output\r\nFilename\tmsadcs.exe\t–\tVarious tools\r\nFilename\tmsadcs1.exe\t–\tWinRAR\r\nFilename\tOneDrive.exe\t–\tCloud data exfil\r\nFilename\tsessions.csv\t–\tSharpHound output\r\nFilename\tRecordedTV.ms\t–\tWinRAR\r\nFilename\tRecordedTV_*.csv\t–\tStaging data\r\nFilename\tRecordedTV_*.ms\t–\tStaging data\r\nFilename\tRecordedTV_*.rar\t–\tStaging data\r\nFilename\tRecordedTV_*.txt\t–\tStaging data\r\nFilename\tteredo.tmp\t–\tWinRAR\r\nFilename\tupdate.exe\t–\tWinRAR\r\nFilename\thsperfdata.sqm\t–\tArchive with tools\r\nFilename\tupdate*.log\t–\tStaging data\r\nHostname\tDESKTOP-0FVJ37C\t–\tOrigin of login to Exchange\r\nIPv4 address\t47.75.0[.]147\tQ2 2019\tPassword spray\r\nIPv4 address\t59.47.4[.]27\tQ2 2019\tADFS login\r\nIPv4 address\t45.9.248[.]74\tQ2 2019\tCitrix login\r\nIPv4 address\t172.111.210[.]53\tQ2 2019\tCitrix login\r\nIPv4 address\t103.51.145[.]123\t2019\tInitial access\r\nIPv4 address\t119.39.248[.]32\t2019\tInitial access\r\nIPv4 address\t120.227.35[.]98\t2019\tInitial access\r\nIPv4 address\t14.229.140[.]66\t2019\tMount the file-share\r\nIPv4 address\t172.111.210[.]53\t2019\tInitial access\r\nIPv4 address\t188.72.99[.]41\t2019\tInitial access\r\nIPv4 address\t45.9.248[.]74\t2019\tInitial access\r\nIPv4 address\t47.75.0[.]147\t2019\tPassword spray\r\nIPv4 address\t5.254.112[.]226\t2019\tInitial access\r\nIPv4 address\t5.254.64[.]234\t2019\tInitial access\r\nIPv4 address\t59.47.4[.]27\t2019\tInitial access\r\nIPv4 address\t39.109.5[.]135\tQ3 2017\tVPN server login\r\nIPv4 address\t43.250.200[.]106\tQ3 2017\tVPN server login\r\nIPv4 address\t119.39.248[.]101\tQ3 2017\tVPN server login\r\nIPv4 address\t220.202.152[.]47\tQ3 2017\tVPN server login\r\nIPv4 address\t119.39.248[.]20\tQ3 2017\tVPN server login\r\nIPv4 address\t185.170.210[.]84\tQ3 2017\tVPN server login\r\nIPv4 address\t43.250.201[.]71\tQ3 2017\tVPN server login\r\nIPv4 address\t23.236.77[.]94\tQ3 2017\tADFS login\r\nPath\tC:\\Code\\NtdsAudit\\src\\NtdsAudit\\obj\\Release\\\t–\tNTDSAudit artifacts\r\nPath\tC:\\Users\\Public\\Appdata\\Local\\\t–\tStaging and tools\r\nPath\tC:\\Users\\Public\\Appdata\\Local\\Microsoft\\Windows\\INetCache\t–\tStaging and tools\r\nPath\tC:\\Users\\Public\\Libraries\\\t–\tStaging and tools\r\nPath\tC:\\Users\\Public\\Videos\\\t–\tStaging and tools\r\nPath\tC:\\Windows\\Temp\\\t–\tStaging and tools\r\nPath\tC:\\Windows\\Temp\\tmp\t–\tStaging and tools\r\nURI in CS beacon\t/externalscripts/jquery/jquery-3.3.1.min.js\tQ3 2019 – Q1 2020\t–\r\nURI in CS beacon\t/externalscripts/jquery/jquery-3.3.2.min.js\tQ2 2019 – Q3 2019\t–\r\nURI in CS beacon\t/jquery-3.3.2.slim.min.js\tQ1 2020\t–\r\nUser-agent\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\t–\tWeb VPN login\r\nUser-agent\tMozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\t–\tCobalt Strike beacon\r\nObserved discovery commands\r\nTechnique\tCommand\r\nAccount discovery\tnet user\r\nAccount discovery\tnet user Administrator\r\nAccount discovery\tnet user 
/domain\r\nAccount discovery\tdir \\\\\u003chostname\u003e\\c$\\users\r\nAccount discovery\tdsquery user -limit 0 -s \u003chostname\u003e\r\nAccount discovery\tpsloglist.exe -accepteula -x security -s -a \u003ccurrent_date\u003e\r\nAccount discovery\tmsadcs.exe \"NTDS.dit\" -s \"SYSTEM\" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv\r\nBrowser bookmark discovery\ttype \\\\\u003chostname\u003e\\c$\\Users\\\u003cusername\u003e\\Favorites\\Links\\Bookmarks bar\\Imported From IE\\*citrix*\r\nDomain trust discovery\tnltest /domain_trusts\r\nFile and directory discovery\tdir \\\\\u003chostname\u003e\\c$\\\r\nFile and directory discovery\tdir /o:d /x /s c:\\\r\nFile and directory discovery\tdir /o:d /x \\\\\u003chostname\u003e\\\u003cfileshare\u003e\r\nFile and directory discovery\tcacl \u003cpath to file\u003e\r\nNetwork service scanning\tget -b \u003cstart ip\u003e -e \u003cend ip\u003e -p\r\nNetwork service scanning\tget -b \u003cstart ip\u003e -e \u003cend ip\u003e\r\nNetwork share discovery\tnet share\r\nNetwork share discovery\tnet view \\\\\u003chostname\u003e\r\nPermission groups discovery\tnet localgroup administrators\r\nProcess discovery\ttasklist /v |findstr explorer\r\nProcess discovery\ttasklist /v |findstr taskhost\r\nProcess discovery\ttasklist /v |findstr 1716\r\nProcess discovery\ttasklist /v /s \u003chostname/ip\u003e\r\nQuery registry\treg query \\\\\u003chost\u003e\\HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers\r\nQuery registry\treg query \\\\\u003chost\u003e\\HKU\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nRemote system discovery\ttype \\\\\u003chost\u003e\\c$\\Users\\\u003cusername\u003e\\Favorites\\Links\\Bookmarks bar\\Imported From IE\\*citrix*\r\nRemote system discovery\ttype \\\\\u003chost\u003e\\\u003cpath\u003e\\Cookies\\*ctx*\r\nRemote system discovery\treg query \\\\\u003chost\u003e\\HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers\r\nRemote system discovery\tdir /o:d /x \\\\\u003chostname\u003e\\c$\\users\\\u003cusername\u003e\\Favorites\r\nRemote system discovery\tnet view \\\\hostname\r\nRemote system discovery\tdsquery server -limit 0\r\nSystem information discovery\tfsutil fsinfo drives\r\nSystem information discovery\tsysteminfo\r\nSystem information discovery\tvssadmin list shadows\r\nSystem network configuration discovery\tipconfig\r\nSystem network configuration discovery\tipconfig /all\r\nSystem network configuration discovery\tping -n 1 -a \u003cip\u003e\r\nSystem network configuration discovery\tping -n 1 \u003chostname\u003e\r\nSystem network configuration discovery\ttracert \u003cip\u003e\r\nSystem network configuration discovery\tpathping \u003cip\u003e\r\nSystem network connections discovery\tnetstat -ano | findstr EST\r\nSystem owner/user discovery\tquser\r\nSystem service discovery\tnet start\r\nSystem service discovery\tnet use\r\nSystem time discovery\ttime /t\r\nSystem time discovery\tnet time \\\\\u003cip/hostname\u003e\r\nObserved defense evasion commands\r\nIndicator Removal on Host: Clear Windows Event Logs\r\nwevtutil cl \"Windows PowerShell\"\r\nwevtutil cl application\r\nwevtutil cl security\r\nwevtutil cl setup\r\nwevtutil cl system\r\nIndicator Removal on Host: File Deletion\r\ndel /f/q *.csv *.bin\r\ndel /f/q *.exe\r\ndel /f/q *.exe *log.txt\r\ndel /f/q *.ost\r\ndel /f/q .rar update .txt\r\ndel /f/q \\\\c$\\windows\\temp*.txt\r\ndel /f/q \\\\c$\\Progra~1\\Common~1\\System\\msadc\\msadcs.dmp\r\ndel /f/q msadcs*\r\ndel /f/q psloglist.exe\r\ndel /f/q update*\r\ndel /f/q update* .txt\r\ndel /f/q update.rar\r\ndel /f/q update*rar\r\ndel /f/q update12321312.rar\r\nschtasks /delete /s /tn \"update\" /f\r\nschtasks /delete /tn \"update\" /f\r\nshred -n 123 -z -u .tar.gz\r\nMITRE ATT\u0026CK references\r\nName\tType\tID\tMore info\r\nInitial Access\tTactic\tTA0001\thttps://attack.mitre.org/tactics/TA0001/\r\nExternal Remote Services\tTechnique\tT1133\thttps://attack.mitre.org/techniques/T1133/\r\nValid Accounts\tTechnique\tT1078\thttps://attack.mitre.org/techniques/T1078/\r\nExecution\tTactic\tTA0002\thttps://attack.mitre.org/tactics/TA0002/\r\nCommand and Scripting Interpreter: PowerShell\tTechnique\tT1059.001\thttps://attack.mitre.org/techniques/T1059/001/\r\nCommand and Scripting Interpreter: Windows Command Shell\tTechnique\tT1059.003\thttps://attack.mitre.org/techniques/T1059/003/\r\nScheduled Task/Job: Scheduled Task\tTechnique\tT1053.005\thttps://attack.mitre.org/techniques/T1053/005/\r\nSystem Services: Service Execution\tTechnique\tT1569.002\thttps://attack.mitre.org/techniques/T1569/002/\r\nWindows Management Instrumentation\tTechnique\tT1047\thttps://attack.mitre.org/techniques/T1047/\r\nPersistence\tTactic\tTA0003\thttps://attack.mitre.org/tactics/TA0003/\r\nExternal Remote Services\tTechnique\tT1133\thttps://attack.mitre.org/techniques/T1133/\r\nHijack Execution Flow: DLL Side-Loading\tTechnique\tT1574.002\thttps://attack.mitre.org/techniques/T1574/002/\r\nValid Accounts\tTechnique\tT1078\thttps://attack.mitre.org/techniques/T1078/\r\nPrivilege Escalation\tTactic\tTA0004\t
https://attack.mitre.org/tactics/TA0004/\r\nValid Accounts\tTechnique\tT1078\thttps://attack.mitre.org/techniques/T1078/\r\nDefense Evasion\tTactic\tTA0005\thttps://attack.mitre.org/tactics/TA0005/\r\nDeobfuscate/Decode Files or Information\tTechnique\tT1140\thttps://attack.mitre.org/techniques/T1140/\r\nIndicator Removal on Host: Clear Windows Event Logs\tTechnique\tT1070.001\thttps://attack.mitre.org/techniques/T1070/001/\r\nIndicator Removal on Host: File Deletion\tTechnique\tT1070.004\thttps://attack.mitre.org/techniques/T1070/004/\r\nIndicator Removal on Host: Timestomp\tTechnique\tT1070.006\thttps://attack.mitre.org/techniques/T1070/006/\r\nHijack Execution Flow: DLL Side-Loading\tTechnique\tT1574.002\thttps://attack.mitre.org/techniques/T1574/002/\r\nMasquerading: Rename System Utilities\tTechnique\tT1036.003\thttps://attack.mitre.org/techniques/T1036/003/\r\nMasquerading: Match Legitimate Name or Location\tTechnique\tT1036.005\thttps://attack.mitre.org/techniques/T1036/005/\r\nUse Alternate Authentication Material: Pass the Hash\tTechnique\tT1550.002\thttps://attack.mitre.org/techniques/T1550/002/\r\nValid Accounts\tTechnique\tT1078\thttps://attack.mitre.org/techniques/T1078/\r\nCredential Access\tTactic\tTA0006\thttps://attack.mitre.org/tactics/TA0006/\r\nBrute Force: Password Spraying\tTechnique\tT1110.003\thttps://attack.mitre.org/techniques/T1110/003/\r\nBrute Force: Credential Stuffing\tTechnique\tT1110.004\thttps://attack.mitre.org/techniques/T1110/004/\r\nOS Credential Dumping: LSASS Memory\tTechnique\tT1003.001\thttps://attack.mitre.org/techniques/T1003/001/\r\nOS Credential Dumping: NTDS\tTechnique\tT1003.003\thttps://attack.mitre.org/techniques/T1003/003/\r\nTwo-Factor Authentication Interception\tTechnique\tT1111\thttps://attack.mitre.org/techniques/T1111/\r\nDiscovery\tTactic\tTA0007\thttps://attack.mitre.org/tactics/TA0007/\r\nAccount Discovery\tTechnique\tT1087\t\r\nAccount Discovery: Local Account\tTechnique\tT1087.001\thttps://attack.mitre.org/techniques/T1087/001/\r\nAccount Discovery: Domain Account\tTechnique\tT1087.002\thttps://attack.mitre.org/techniques/T1087/002/\r\nBrowser Bookmark Discovery\tTechnique\tT1217\thttps://attack.mitre.org/techniques/T1217/\r\nDomain Trust Discovery\tTechnique\tT1482\thttps://attack.mitre.org/techniques/T1482/\r\nFile and Directory Discovery\tTechnique\tT1083\thttps://attack.mitre.org/techniques/T1083/\r\nNetwork Service Scanning\tTechnique\tT1046\thttps://attack.mitre.org/techniques/T1046/\r\nNetwork Share Discovery\tTechnique\tT1135\thttps://attack.mitre.org/techniques/T1135/\r\nPermission Groups Discovery\tTechnique\tT1069\thttps://attack.mitre.org/techniques/T1069/\r\nProcess Discovery\tTechnique\tT1057\thttps://attack.mitre.org/techniques/T1057/\r\nQuery Registry\tTechnique\tT1012\thttps://attack.mitre.org/techniques/T1012/\r\nRemote System Discovery\tTechnique\tT1018\thttps://attack.mitre.org/techniques/T1018/\r\nSystem Information Discovery\tTechnique\tT1082\thttps://attack.mitre.org/techniques/T1082/\r\nSystem Network Configuration Discovery\tTechnique\tT1016\thttps://attack.mitre.org/techniques/T1016/\r\nSystem Network Connections Discovery\tTechnique\tT1049\thttps://attack.mitre.org/techniques/T1049/\r\nSystem Owner/User Discovery\tTechnique\tT1033\thttps://attack.mitre.org/techniques/T1033/\r\nSystem Service Discovery\tTechnique\tT1007\thttps://attack.mitre.org/techniques/T1007/\r\nSystem Time Discovery\tTechnique\tT1124\thttps://attack.mitre.org/techniques/T1124/\r\nLateral Movement\tTactic\tTA0008\thttps://attack.mitre.org/tactics/TA0008/\r\nLateral Tool Transfer\tTechnique\tT1570\thttps://attack.mitre.org/techniques/T1570/\r\nRemote Services: SMB/Windows Admin Shares\tTechnique\tT1021.002\thttps://attack.mitre.org/techniques/T1021/002/\r\nRemote Services: SSH\tTechnique\tT1021.004\thttps://attack.mitre.org/techniques/T1021/004/\r\nRemote Services: Windows Remote Management\tTechnique\tT1021.006\thttps://attack.mitre.org/techniques/T1021/006/\r\nUse Alternate Authentication Material: Pass the Hash\tTechnique\tT1550.002\thttps://attack.mitre.org/techniques/T1550/002/\r\nCollection\tTactic\tTA0009\thttps://attack.mitre.org/tactics/TA0009/\r\nArchive Collected Data: Archive via Utility\tTechnique\tT1560.001\thttps://attack.mitre.org/techniques/T1560/001/\r\nAutomated Collection\tTechnique\tT1119\thttps://attack.mitre.org/techniques/T1119/\r\nData from Information Repositories: SharePoint\tTechnique\tT1213.002\thttps://attack.mitre.org/techniques/T1213/002/\r\nData from Local System\tTechnique\tT1005\thttps://attack.mitre.org/techniques/T1005/\r\nData from Network Shared Drive\tTechnique\tT1039\thttps://attack.mitre.org/techniques/T1039/\r\nData Staged: Local Data Staging\tTechnique\tT1074.001\thttps://attack.mitre.org/techniques/T1074/001/\r\nData Staged: Remote Data Staging\tTechnique\tT1074.002\thttps://attack.mitre.org/techniques/T1074/002/\r\nEmail Collection: Local Email Collection\tTechnique\tT1114.001\thttps://attack.mitre.org/techniques/T1114/001/\r\nCommand and Control\tTactic\tTA0011\thttps://attack.mitre.org/tactics/TA0011/\r\nApplication Layer Protocol: Web Protocols\tTechnique\tT1071.001\thttps://attack.mitre.org/techniques/T1071/001/\r\nApplication Layer Protocol: DNS\tTechnique\tT1071.004\thttps://attack.mitre.org/techniques/T1071/004/\r\nEncrypted Channel: Asymmetric Cryptography\tTechnique\tT1573.002\thttps://attack.mitre.org/techniques/T1573/002/\r\nProtocol Tunneling\tTechnique\tT1572\thttps://attack.mitre.org/techniques/T1572/\r\nExfiltration\tTactic\tTA0010\thttps://attack.mitre.org/tactics/TA0010/\r\nAutomated Exfiltration\tTechnique\tT1020\thttps://attack.mitre.org/techniques/T1020/\r\nData Transfer Size Limits\tTechnique\tT1030\thttps://attack.mitre.org/techniques/T1030/\r\nExfiltration Over C2 Channel\tTechnique\tT1041\thttps://attack.mitre.org/techniques/T1041/\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage\tTechnique\tT1567.002\thttps://attack.mitre.org/techniques/T1567/002/\r\nSource: https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
	],
	"report_names": [
		"abusing-cloud-services-to-fly-under-the-radar"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438943,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c527e7648e148e65f269d9c75cd233fc19c6addb.pdf",
		"text": "https://archive.orkl.eu/c527e7648e148e65f269d9c75cd233fc19c6addb.txt",
		"img": "https://archive.orkl.eu/c527e7648e148e65f269d9c75cd233fc19c6addb.jpg"
	}
}
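The report's IOC table and observed-command lists are meant for hunting in historic telemetry. The script below is an added example, not code from the NCC Group / Fox-IT article: it applies the report's binary MD5s, cloud C2 domains, RecordedTV_* and hsperfdata.sqm staging names, public staging folders and the observed wevtutil, NtdsAudit, psloglist, net user, vssadmin, schtasks and reg query command lines to process-creation and DNS-query events. The event shape (EventID 1 and 22 with Image, CommandLine, OriginalFileName, Hashes and QueryName fields) follows Sysmon and is an assumption; the sample events are constructed for the demonstration. The appspot/azureedge suffix check only produces a lead for review, since those are legitimate Google and Microsoft services and exactly what the actor hides behind; the durable signals are the command lines and artefact names at the top of the pyramid of pain.

```python
"""Hunt for the host artefacts and command lines described in the Chimera report.

Added example, not part of the original article. Event layout follows Sysmon
(EventID 1 = process creation, EventID 22 = DNS query) and is an assumption;
sample events below are constructed.
"""
import json
import re

# MD5s from the report's IOC table: tools renamed to look like system binaries.
KNOWN_MD5 = {
    "133a159e86ff48c59e79e67a3b740c1e": "get.exe (GetHttpsInfo)",
    "328ba584bd06c3083e3a66cb47779eac": "psloglist.exe",
    "65cf35ddcb42c6ff5dc56d6259cc05f3": "update.exe (WinRAR)",
    "4d5440282b69453f4eb6232a1689dd4a": "msadcs.exe (cloud exfil tool)",
    "90508ff4d2fc7bc968636c716d84e6b4": "msadcs.exe (cloud exfil tool)",
    "c9b8cab697f23e6ee9b1096e312e8573": "jucheck.exe (WinRAR)",
    "dd138a8bc1d4254fed9638989da38ab1": "msadcs.exe (NTDSAudit)",
}
# C2 hostnames observed in the report (defanged brackets removed).
KNOWN_C2 = {
    "officeeuupdate.appspot.com", "officeeuropupd.appspot.com",
    "platform-appses.appspot.com", "watson-telemetry.azureedge.net",
    "europe-s03213.appspot.com", "eustylejssync.appspot.com",
    "fsdafdsfdsaflkjkxvzcuifsad.azureedge.net", "ictsyncserver.appspot.com",
    "sowfksiw38f2aflwfif.azureedge.net",
}
# Legitimate cloud services the actor hides behind: a lead for review, never a verdict.
CLOUD_C2_SUFFIXES = (".appspot.com", ".azureedge.net")
# Staging filenames and folders from the IOC table.
STAGING_FILES = re.compile(
    r"(RecordedTV_[^\\\s]*\.(csv|ms|rar|txt)|hsperfdata\.sqm|teredo\.tmp|adsDL_[^\\\s]*\.log)", re.I)
STAGING_DIRS = ("c:\\users\\public\\videos\\", "c:\\users\\public\\libraries\\",
                "c:\\users\\public\\appdata\\local\\", "c:\\windows\\temp\\")
# Observed discovery and defence-evasion command lines, as (label, regex).
COMMAND_RULES = [
    ("event log clearing (T1070.001)", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("NTDS.dit parsed offline with NtdsAudit (T1003.003)", re.compile(r"ntds\.dit.*--users-csv", re.I)),
    ("security log pulled with psloglist (T1087)", re.compile(r"psloglist(\.exe)?\b.*-x\s+security", re.I)),
    ("domain account discovery (T1087.002)", re.compile(r"\bnet(\.exe)?\s+user\s+/domain\b", re.I)),
    ("shadow copy enumeration (T1082)", re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows\b", re.I)),
    ("'update' scheduled task removed (T1053.005)",
     re.compile(r"\bschtasks(\.exe)?\s+/delete\b.*/tn\s+\"?update\"?", re.I)),
    ("remote RDP history lookup (T1012)",
     re.compile(r"\breg(\.exe)?\s+query\s+\\\\\S+\\HKU\\.*Terminal Server Client", re.I)),
]


def classify(event):
    """Return the list of hunting hits for one event (empty when nothing matched)."""
    hits = []
    if event.get("EventID") == 22:
        name = event.get("QueryName", "").lower()
        if name in KNOWN_C2:
            hits.append(f"known C2 domain: {name}")
        elif name.endswith(CLOUD_C2_SUFFIXES):
            hits.append(f"cloud-hosted C2 candidate, review: {name}")
        return hits
    if event.get("EventID") != 1:
        return hits
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    for label, rule in COMMAND_RULES:
        if rule.search(cmd):
            hits.append(label)
    if STAGING_FILES.search(cmd):
        hits.append("staging filename on command line (T1074.001)")
    if image.startswith(STAGING_DIRS):
        hits.append(f"executed from staging folder: {image}")
    md5 = re.search(r"MD5=([0-9a-f]{32})", event.get("Hashes", ""), re.I)
    if md5 and md5.group(1).lower() in KNOWN_MD5:
        hits.append(f"known tool hash: {KNOWN_MD5[md5.group(1).lower()]}")
    original = event.get("OriginalFileName", "").lower()
    if original and original != basename:   # PE original name disagrees with the file name
        hits.append(f"renamed binary (T1036.003): {original} running as {basename}")
    return hits


def hunt(jsonl):
    """Run classify() over JSON-lines telemetry and keep only events with hits."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            hits = classify(event)
            if hits:
                findings.append({"id": event.get("id"), "hits": hits})
    return findings


# Constructed sample telemetry (not real logs from the incidents).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"id": 1, "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "wevtutil cl security"},
    {"id": 2, "EventID": 1, "Image": r"C:\Users\Public\Videos\msadcs.exe", "OriginalFileName": "NtdsAudit.exe",
     "CommandLine": 'msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv',
     "Hashes": "MD5=DD138A8BC1D4254FED9638989DA38AB1"},
    {"id": 3, "EventID": 22, "QueryName": "watson-telemetry.azureedge.net"},
    {"id": 4, "EventID": 22, "QueryName": "updates.example-cdn.azureedge.net"},
    {"id": 5, "EventID": 1, "Image": r"C:\Windows\System32\ipconfig.exe",
     "OriginalFileName": "ipconfig.exe", "CommandLine": "ipconfig /all"},  # too noisy to alert on
    {"id": 6, "EventID": 1, "Image": r"C:\Windows\Temp\update.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r"update.exe a -r -hp RecordedTV_1.rar C:\Users\Public\Videos\RecordedTV_1.txt"},
])

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["id"], "->", "; ".join(finding["hits"]))
```

Feed real Sysmon or EDR exports through `hunt()` one JSON object per line; the `ipconfig /all` event deliberately produces no hit because single discovery commands are far too common to alert on, whereas the NtdsAudit event lights up on five independent signals (command line, staging name, staging folder, known hash and renamed PE) and is worth paging on.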