50_C0032.txt
During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.
During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.
During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.
During the C0032 campaign, TEMP.Veles modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.
During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.
During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.
During the C0032 campaign, TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.
During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.
During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.
During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec.
During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.
During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.
During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.
During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
During the C0032 campaign, TEMP.Veles used scheduled task XML triggers.
During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers.
During the C0032 campaign, TEMP.Veles used compromised VPN accounts.