
C0032

C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack. [1]

ID: C0032
Associated Names:
First Seen: October 2014
Last Seen: January 2017
Version: 1.0
Created: 28 March 2024
Last Modified: 15 April 2024

Groups

ID Name References
G0088 TEMP.Veles [1]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.003 Virtual Private Server During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping. [1]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment. [1]
enterprise T1546 Event Triggered Execution -
enterprise T1546.012 Image File Execution Options Injection During the C0032 campaign, TEMP.Veles modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence. [1]
enterprise T1133 External Remote Services During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment. [1]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them. [1]
enterprise T1070.006 Timestomp During the C0032 campaign, TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools. [1]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Resource Name or Location During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. [1]
enterprise T1571 Non-Standard Port During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2. [1]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec. [1]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials. [1]
enterprise T1572 Protocol Tunneling During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment. [1]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation. [1]
enterprise T1021.004 SSH During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. [1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task During the C0032 campaign, TEMP.Veles used scheduled task XML triggers. [1]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers. [1]
enterprise T1078 Valid Accounts During the C0032 campaign, TEMP.Veles used compromised VPN accounts. [1]
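The $STANDARD_INFORMATION timestomping listed under T1070.006 (applied to tools renamed to look legitimate, as under T1036.005) is typically detected by comparing $STANDARD_INFORMATION against the kernel-maintained $FILE_NAME timestamps of the same MFT record. The following is an added example, not code from the ATT&CK page or the cited report; it runs over constructed MFT-style records, and the record layout, file paths and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed MFT-style records (not data from the campaign): $STANDARD_INFORMATION
# ($SI) and $FILE_NAME ($FN) created/modified timestamps for one file each.
@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime

def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Heuristic reasons why $SI on this record looks back-dated.
    $FN is written by the kernel and copied from $SI at create/move time, so
    user-mode timestomping that only rewrites $SI leaves $SI earlier than $FN.
    Tools that set times from a date string also leave the sub-second part at 0.
    """
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created")
    if rec.si_modified < rec.fn_created:
        reasons.append("$SI modified precedes $FN created")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second component")
    return reasons

def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> indicators for each record that triggers at least one."""
    return {r.path: reasons for r in records if (reasons := timestomp_indicators(r))}

def _ts(s: str, us: int = 0) -> datetime:
    # Helper for building constructed timestamps (UTC, explicit microseconds).
    return datetime.fromisoformat(s).replace(microsecond=us, tzinfo=timezone.utc)

# Constructed sample: a normal file, and a tool named like a Windows update
# binary whose $SI was rewritten to predate its real (kernel-recorded) creation.
SAMPLE_RECORDS = [
    MftRecord(r"C:\Windows\System32\drivers\etc\hosts",
              _ts("2016-11-02T09:14:07", 318204), _ts("2016-11-02T09:14:07", 318204),
              _ts("2016-11-02T09:14:07", 318204), _ts("2016-11-02T09:14:07", 318204)),
    MftRecord(r"C:\Windows\Temp\update\wuauclt.exe",
              _ts("2012-07-26T03:00:00"), _ts("2012-07-26T03:00:00"),
              _ts("2016-11-02T09:20:41", 55012), _ts("2016-11-02T09:20:41", 55012)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```

Legitimate files can also carry whole-second $SI timestamps (for example after extraction from some archive formats), so the sub-second check is a weak signal on its own and is best weighed together with the $SI-before-$FN ordering checks.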

Software

ID Name Description
S0002 Mimikatz [1]

References