Identifying UNC2452-Related Techniques for ATT&CK

July 29, 2021

By including UNC2452 reverting changes to legitimate utilities and tasks after abuse and T1098.002 Account Manipulation: Exchange Email Delegate Permissions including them granting additional permissions to the target Application or Service Principal to read mail content from Exchange Online via Microsoft Graph or Outlook REST

  • Expansion of current technique scoping, such as the T1098.001 Account Manipulation: Additional Cloud Credentials description being amended to include adding credentials to legitimate OAuth Applications as well as Service Principals in Azure AD
  • New (sub-)techniques not previously published within ATT&CK, such as those necessary to describe UNC2452 forging web cookies (T1606.001 Forge Web Credentials: Web Cookies) and SAML tokens (T1606.002 Forge Web Credentials: SAML Tokens) via stolen secret keys and compromised signing certificates (T1552.004 Unsecured Credentials: Private Keys) and making malicious modifications to domain federation trust settings to include adversary owned objects (T1484.002 Domain Policy Modification: Domain Trust Modification)
  • New Group/Software Entries

    Along with new/updated techniques we have added several new group and software entries to ATT&CK including:

    • A new group representing the threat group responsible for the intrusions, added as UNC2452 with associated group names of Solorigate, StellarParticle and Dark Halo.
    • New malware first spotted in this intrusion, including Sunburst, Teardrop, Sunspot, and Raindrop.
    • An existing tool used in this intrusion, AdFind.

    More to Come?

    We don’t expect to add more content to ATT&CK itself before our next major release (announced as planned for April 2021 in our recent State of the ATT&CK), but anticipate that more reporting on this intrusion will continue to be released. We will be continuing to watch and add reporting to our public report tracking, as well as any new techniques or software that appear to the next release of ATT&CK.

    If you see a technique we’re missing from existing reporting, a report with unique information that we’re missing out on, or want to share a mapping of a new report you’ve done, please reach out to us at [email protected].

    ©2020-2021 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 20–00841–22.

    Identifying UNC2452-Related Techniques for ATT&CK was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

    Article posted by:
    Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
    Contact us –

    This is the article generated by feed coming from and Infocerts is only displaying the content.

    Open Whatsapp chat
    Whatsapp Us
    Chat with us for faster replies.