{
	"id": "8d695d95-2cf3-4c6f-b783-e4a57f99d744",
	"created_at": "2026-04-06T03:36:07.69901Z",
	"updated_at": "2026-04-10T03:35:26.752852Z",
	"deleted_at": null,
	"sha1_hash": "dc2311cff0c358b185cfb8dd52cd96e645c123e3",
	"title": "Malware-Free Intrusions: Adversary Tricks and CrowdStrike Treats »",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 576440,
	"plain_text": "Malware-Free Intrusions: Adversary Tricks and CrowdStrike Treats\r\nBy Dmitri Alperovitch\r\nPublished: 2014-10-31 · Archived: 2026-04-06 03:34:30 UTC\r\n‘Tis the season for trick-or-treating, so I thought it might be a good time to share some of the new tricks we’re seeing from the land of targeted adversaries in evading existing security defenses and penetrating networks.\r\nOne of the key consistent trends that has been observed this year is a move on the part of the more advanced actors to a technique I call “malware-free intrusion.” The idea behind it is very simple — malware, even if it’s unknown to AV, is still very noisy. You have unknown and previously unseen binaries running in your environment; they’re making file and registry changes to your system; calling out to the network — all things that can be observed and trigger eventual suspicion on the part of a proactive SOC analyst or incident responder. So if you’re an attacker who’s trying to stay undetected for as long as possible, what do you do? The obvious answer is that you break in without using malware and emulate legitimate insiders.\r\nInsider detection has always been one of the hardest problems to solve in cybersecurity because the attacker by definition looks like someone who is supposed to be inside your network and doing things that are largely legitimate and expected. Thus, if the adversaries can emulate this behavior, they achieve their nirvana of stealthiness.\r\nIn the last year, we have seen a number of different Chinese nation-state affiliated actors (we track them under the cryptonym of “Panda”), such as DEEP PANDA and HURRICANE PANDA, leverage the following interesting tradecraft.\r\nMalware-free Intrusion Tradecraft\r\nThe intrusion begins with a compromise of an external-facing web server, often a Windows IIS server. Such compromise can be achieved via SQL injection, WebDAV exploit, or, as we’ve seen recently from DEEP PANDA in attacks against Linux web servers, the use of the recently discovered bash vulnerability (ShellShock). That allows actors to install a webshell on the server, with China Chopper being the most common tool of choice. The reason it’s so popular is that it is almost beautiful in its simplicity. The webshell is simply a tiny text file (often as little as 24 bytes in size) that consists of little more than an “eval()”, which allows the attacker to execute processes on the web server. That script can be trivially obfuscated to evade signature and IOC scanning technologies.\r\nhttps://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/\r\nPage 1 of 5\r\nChina Chopper WebShell Controller\r\nOn the attacker’s side, they run a controller application (screenshot shown above), which allows them to upload/download files and get access to a virtual terminal to execute commands.\r\nThrough that webshell, the adversary then uploads a credential theft tool to steal Windows passwords and hashes, and occasionally, even Kerberos Golden Tickets that can give an adversary persistent access to the network for a decade! (Technically, one would call a tool like that malware, but usually traditional anti-malware defenses will not catch it, as there are numerous repackaged/rewritten versions of these credential theft tools that will escape all signature and IOC-based detections.)\r\nOnce credentials are acquired, the adversary will move laterally using WMI commands or RDP sessions, just like a Windows administrator might do, and use scheduled tasks with PowerShell scripts to maintain persistence.\r\nFrequently, we also see the use of the “sticky keys” trick for maintaining malware-free persistence on a victim network. With this trick, the adversary will modify the registry on a remote machine (typically using WMI) to set “cmd.exe” as a Debugger for tools like sethc.exe (Sticky Keys) and osk.exe (On-screen keyboard). Once that’s done, an attacker can RDP into that machine and press the Sticky Keys or On-Screen Keyboard hotkeys and instantly get a command prompt running with System-level privileges without even requiring a login into the remote server. Thus, even if passwords are reset across the victim environment, the adversary may still maintain persistent access unless all the registry entries are cleaned up.\r\nExample command:\r\nwmic /user:\u003cREDACTED\u003e /password:\u003cREDACTED\u003e /node:\u003cREDACTED\u003e process call create “C:\\Windows\\system32\\reg.exe add \\”HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\” /v \\”Debugger\\” /t REG_SZ /d \\”cmd.exe\\” /f”\r\nOn Screen Keyboard triggered from Windows Logon prompt\r\nCommand Prompt running with SYSTEM privileges\r\nLastly, they will use standard FTP commands to exfiltrate the data out of the environment onto their C2 server, making sure to encrypt it beforehand (usually with RAR archiver) so as to evade network DLP solutions that may look for confidential content leaving the network.\r\nHere is an example of one such attack we detected via our Falcon Host next-generation endpoint technology at a customer (the specific usernames/machine names have been replaced to protect confidentiality):\r\nAttack Process Tree from Falcon Host\r\nAs you can see from the full Falcon Host process tree, after initial reconnaissance (whoami/systeminfo/quser), the adversary uploaded and executed a custom-repacked version of Windows Credential Editor. Next, they proceeded to use WMI to edit remote registries for the “sticky keys” persistence trick and, afterward, copied files from remote shares via “net use,” and finally used RAR to encrypt and compress the exfil data and steal it out of the network (this time, simply downloading it through the webshell).\r\nSo as you are thinking about next-generation security architecture, start thinking and asking your vendors about how they would detect such adversary tricks and the use of malware-free intrusions.\r\n----\r\nAnd now, here’s a treat for you – not only does CrowdStrike track and identify adversaries, but we also like to represent them via visual characters. Download these desktop backgrounds to remind you that the adversaries are always watching and trying to trick you into letting them inside!\r\nDesktop Background 1:\r\n1024 x 768 | 1280 x 1024 | 1440 x 900 | 1920 x 1200\r\nPutter Panda is tracked as a likely part of the 12th Bureau, 3rd GSD of the PLA (Unit 61486). It conducts significant targeting of entities in the space, aerospace, and communications sectors.\r\nDesktop Background 2:\r\n1024 x 768 | 1280 x 1024 | 1440 x 900 | 1920 x 1200\r\nA representation of some of the most popular adversaries over the past year behind our CrowdStrike “Hero”.\r\nSource: https://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/"
	],
	"report_names": [
		"adversary-tricks-crowdstrike-treats"
	],
	"threat_actors": [
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4636526b-b3f7-4e75-8ad9-fb7ef0261b76",
			"created_at": "2023-01-06T13:46:38.295889Z",
			"updated_at": "2026-04-10T02:00:02.91629Z",
			"deleted_at": null,
			"main_name": "HURRICANE PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:HURRICANE PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "722b693d-cfdc-489e-a540-78c7d52ac5a8",
			"created_at": "2022-10-25T16:07:23.713768Z",
			"updated_at": "2026-04-10T02:00:04.7232Z",
			"deleted_at": null,
			"main_name": "Hurricane Panda",
			"aliases": [
				"Operation Poisoned Hurricane"
			],
			"source_name": "ETDA:Hurricane Panda",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Mimikatz",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446567,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc2311cff0c358b185cfb8dd52cd96e645c123e3.pdf",
		"text": "https://archive.orkl.eu/dc2311cff0c358b185cfb8dd52cd96e645c123e3.txt",
		"img": "https://archive.orkl.eu/dc2311cff0c358b185cfb8dd52cd96e645c123e3.jpg"
	}
}