Threat Actor TTPs — Flashcards

Flashcard Set 1: Nation-State Threat Actors

Q: What are the primary TTPs of APT29 (Cozy Bear, Russia)? A:

  • Tactics: Initial access, persistence, credential access
  • Techniques: Spear-phishing, DLL side-loading, stolen credentials
  • Procedures: Slow and stealthy data exfiltration, using legitimate services for C2

Attack Chain Example:

  1. Initial Access: Phishing email with malicious attachment
  2. Execution: User opens the attachment, triggering a PowerShell payload
  3. Persistence: Malware installs itself as a scheduled task
  4. Credential Access: Dumps credentials with Mimikatz
  5. Exfiltration: Data sent to C2 server over HTTPS

Q: What techniques does APT28 (Fancy Bear) commonly use? A: Brute force, PowerShell scripts, malware implants, and exploiting zero-day vulnerabilities.

Attack Chain Example:

  1. Initial Access: Brute force attack on OWA (Outlook Web Access)
  2. Privilege Escalation: Exploits a local privilege vulnerability
  3. Lateral Movement: Uses stolen credentials to access file shares
  4. Collection: Gathers sensitive political documents
  5. Exfiltration: Uses custom malware to exfiltrate via DNS tunneling

Q: Which threat actor is known for targeting cryptocurrency platforms and using destructive payloads? A: Lazarus Group (North Korea)

Attack Chain Example:

  1. Initial Access: Watering hole attack on cryptocurrency exchange site
  2. Execution: Remote code execution via a malicious JavaScript payload
  3. Persistence: Installs a backdoor with custom RAT
  4. Impact: Deploys ransomware to cover tracks
  5. Exfiltration: Transfers stolen crypto wallets to North Korean servers

Q: What TTPs are associated with APT41 (China)? A:

  • Tactics: Privilege escalation, lateral movement, exfiltration
  • Techniques: Exploiting web-facing apps, remote access tools (RATs)
  • Procedures: Mixing cyber espionage with financial crime

Attack Chain Example:

  1. Initial Access: SQL injection to gain access to web server
  2. Execution: Drops a web shell for remote access
  3. Discovery: Scans internal network for valuable systems
  4. Lateral Movement: Uses RDP with stolen admin creds
  5. Exfiltration: Compresses and exfiltrates sensitive files via FTP

Flashcard Set 2: Cybercriminal Groups

Q: What are the signature TTPs of the Conti ransomware group? A:

  • Tactics: Impact, data encryption, defense evasion
  • Techniques: RDP brute force, Cobalt Strike for lateral movement
  • Procedures: Double extortion (encrypt + leak data)

Attack Chain Example:

  1. Initial Access: RDP brute force into exposed server
  2. Execution: Deploys Cobalt Strike beacon
  3. Lateral Movement: Moves through network with pass-the-hash
  4. Impact: Encrypts files with ransomware
  5. Exfiltration: Uploads stolen data to leak site

Q: Which ransomware group is known for its rapid file encryption and extortion practices? A: LockBit

Attack Chain Example:

  1. Initial Access: Phishing email with malicious macro
  2. Execution: Macro downloads and executes LockBit payload
  3. Discovery: Scans local network for shared drives
  4. Impact: Encrypts files and drops ransom note
  5. Exfiltration: Steals sensitive data before encryption

Q: How does FIN7 typically gain access to victim systems? A: Spear-phishing, script-based attacks, and credential dumping.

Attack Chain Example:

  1. Initial Access: Phishing email with malicious link
  2. Execution: Link downloads and executes JavaScript backdoor
  3. Persistence: Schedules task to maintain access
  4. Credential Access: Dumps credentials from LSASS
  5. Collection: Collects financial data and sends to C2

Flashcard Set 3: Hacktivist Groups

Q: What are the common techniques used by Anonymous? A: DDoS attacks, website defacement, information leaks

Attack Chain Example:

  1. Initial Access: Anonymous scans for vulnerable websites
  2. Execution: Uses SQL injection to dump databases
  3. Impact: Defaces homepage with hacktivist message
  4. Exfiltration: Publishes leaked data on public forums

Q: Which group gained notoriety for SQL injection attacks and publicizing their hacks for amusement? A: LulzSec

Attack Chain Example:

  1. Initial Access: SQL injection attack on corporate website
  2. Execution: Exploits SQL vulnerability to dump user credentials
  3. Impact: Posts user data and admin credentials online

Flashcard Set 4: MITRE ATT&CK Stages

Q: What are the 3 components of TTPs? A: Tactics, Techniques, and Procedures

Q: Name three initial access techniques in the MITRE ATT&CK framework. A: Spear-phishing, exploiting public-facing apps, using valid accounts

Q: What tactic involves stealing credentials to escalate privileges? A: Credential Access