Anticipating an adversary’s intentions, behaviors, or movements is nothing new. Generals since ancient times have prioritized this aspect of warfare, and for good reason: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." Open-source intelligence (OSINT) is the cornerstone of what we (Cyber Mongol) do. Specifically, we specialize in developing automation that locates, contextualizes, classifies and articulates emerging adversary behaviors. Analyzing the triaged signals produced by our technology allows analysts to make educated predictions about how adversaries may attack their IT assets. In this mini case study, we use our technology to look at the tradecraft (behavior) profiles of Iranian threat actors (APT 39, APT 33, Chafer & OilRig) and predict how those profiles may migrate (change) in response to advances in defensive technology.
Heavy Community Chatter
One aspect of our sensor technology is its ability to listen to what is being discussed within the security community and distill the content being shared (blog posts, exploits, tradecraft, social exchanges). Through this functionality we have seen heavy chatter regarding Iranian threat groups and the campaigns they have undertaken. Specifically, we are seeing substantial signaling around the Fox Kitten campaign, the continued exploitation of external remote services, Chafer’s activities, and CISA’s warning of continued webshell usage by Iranian APTs.
Building a Current Tradecraft Profile
Using the references above and some resources from MITRE ATT&CK, we put together a behavior profile for Iranian threat actors based on current knowledge. We then distilled the key areas of this profile (specific to our in-house needs) so that we could perform predictive analysis of how these operators may change their offensive behaviors in the near future. At a high level, the profile includes the following behaviors and software:
- External remote services compromised via 1-day exploits (Citrix, BIG-IP, Pulse Secure, etc.)
- Mimikatz and its variants
- Brute forcing of internally mapped assets
- Stolen legitimate credentials (OWA)
- Invoke-TheHash (PowerShell pass-the-hash)
- PowerShell commands accessing remote computers over WMI and SMB
- CrackMapExec (Impacket, LOLBAS)
- Ports 80, 443 & 22
How Do We Predict
Predictions are made using our technology together with two internally developed predictive analysis techniques. The first technique focuses on graph analysis; the second makes assumptions based on current trends in offensive operator tactics and on the current behavior profile of the adversary being observed. Below: our in-house priority board of the hottest publicly available exploits tracked by our CTI engine over a 6-month period.
Social Reach and Graph Theory
Our research has concluded for some time now that advanced adversaries look to the security community for ways to advance or migrate their tradecraft. Furthermore, the social reach and relational structure of development clusters within the security community can directly influence adversary adoption. We see this theory in play when we analyze APT 39, APT 33, Chafer & OilRig’s preferences for offensive tooling. In the graph depicted below, the threat actors’ most favored tools (listed above and indicated by green boxes in the graph) are tightly grouped within a smaller sub-cluster of the broader security community. Adversary adoption within this sub-community is clearly strong, and we extrapolate that adoption may continue just as strongly. If so, we can look at which tools are closely connected to the group’s preferred tooling, and then at which of those connected tools are natural evolutions of the group’s tradecraft.
Connected within the sub-community to CVE-2019-19781 (remote code execution on Citrix ADC/NetScaler), which is heavily exploited by Iranian operators, there is a sub-cluster connection to CVE-2020-0688, which exploits Microsoft Exchange through insecure deserialization: the Exchange Control Panel (served alongside OWA) shipped the same ASP.NET validation key on every install, so an authenticated user can submit a ViewState that passes the MAC check and is then deserialized into code execution. Given the group’s predisposition to attacking externally facing resources and OWA, we felt this may be a natural introduction (if not already utilized) to insecure deserialization tradecraft. Furthermore, this small sub-cluster houses the two most popular (by sensor hits) tool systems for building insecure deserialization payloads, ysoserial (Java) and ysoserial.net (.NET).
C# and other .NET Vectors for C2 and Post Exploitation
With the group’s tendency toward PowerShell tooling like Empire, Invoke-TheHash and PowerSploit, we predict that these threat actors will migrate further into .NET, utilizing ports of tools they already know and others that may be new but socially connected to tools they know and trust. SILENTTRINITY (written by the author of CrackMapExec) is connected to multiple tool systems the group leverages and combines the disparate post-exploitation tradecraft the group employs under one cohesive feature set; this C2 seems tailor-made for Iranian threat actor behaviors. For instance, one feature that matches the Iranian behavior profile is the framework’s ability to execute remote commands over WMI while substituting stolen password hashes for credentials. Moreover, leveraging an open-source tool system provides operators with a level of anonymity not otherwise attainable with custom tooling, since the tooling itself points to no particular author.
As modern endpoint defenses constrict malicious activity, dumping LSASS via ProcDump, a technique indicative of Iranian operators, is no longer an option without being flagged. Lsassy, a tool which automates that kind of dump, can be seen in the sub-community and is also connected via functionality to CrackMapExec (another Iranian APT favorite). Even dumping LSASS as SYSTEM through the MiniDump export of comsvcs.dll will burn the operation. We see two potential migrations available to Iranian threat operators who want to keep dumping credentials with similar tradecraft. The first uses evasion techniques that are currently popular within the community: API unhooking, abuse of signed vulnerable drivers (kernel memory space), shellcode execution via fibers and direct system calls are all effective right now at evading the userland hooks of endpoint defenses, and may even allow Mimikatz to be used directly (for example after unhooking). The other option is a tool like SharpMiniDump, which has built-in evasion techniques such as those mentioned above and uses the MiniDumpWriteDump API. We see this as a very probable migration for Iranian threat actors looking to dump LSASS, as it is already present in some of the Mimikatz permutations utilized, just not articulated in the threat reports we have seen. One caveat for defenders: every one of these routes still opens a handle to lsass.exe with at least PROCESS_VM_READ, and kernel-sourced telemetry such as Sysmon’s ProcessAccess event (ID 10) records that handle regardless of which userland APIs were unhooked or called directly.
Privilege Escalation with the Potato
Iranian APT groups leverage Juicy Potato for privilege escalation, more specifically to escalate from Windows service accounts to SYSTEM through token impersonation (abusing SeImpersonatePrivilege, which those accounts typically hold). For this migration we look at a trending tool meant to do a very similar task, PrintSpoofer, which coerces the Print Spooler into connecting to a named pipe and impersonates the resulting SYSTEM token. The migration is a natural one because the DCOM/OXID-resolver trick Juicy Potato relies on no longer works from Windows 10 1809 and Server 2019 onward, while the underlying privilege, and therefore the behavior profile, stays the same.
CISA’s warning of continued webshell use by Iranian APTs is matched by growing webshell signals we see across the board. There is a marked increase in webshell activity on the sensors, and we do not see any migration away from this behavior. Webshells are here to stay.