{"id":18655,"date":"2025-06-13T11:02:47","date_gmt":"2025-06-13T08:02:47","guid":{"rendered":"https:\/\/oberig-it.com\/uncategorized\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/"},"modified":"2025-07-01T11:26:36","modified_gmt":"2025-07-01T08:26:36","slug":"frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign","status":"publish","type":"post","link":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/","title":{"rendered":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign"},"content":{"rendered":"<p>Joint Cybersecurity Advisory (CSA) <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-141a\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">AA25-141A<\/span><\/a> exposes a sustained and multifaceted cyber-espionage campaign attributed to Russia\u2019s GRU Unit 26165, also known as <a href=\"https:\/\/attack.mitre.org\/groups\/G0007\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">APT28<\/span><\/a>, Fancy Bear, Forest Blizzard, and a host of other monikers. Since early 2022, this group has relentlessly targeted Western logistics and technology companies involved in supporting Ukraine, exploiting both legacy and zero-day vulnerabilities to gain access and siphon sensitive data. Their operations span credential harvesting, spearphishing, exploitation of public-facing services, and even the compromise of surveillance systems used to track aid shipments.<\/p>\n<p>This blog unpacks the key findings of the advisory and demonstrates how Logpoint\u2019s platform equips security teams with the visibility and tools to detect, investigate, and mitigate such threats across every stage of the attack lifecycle.<\/p>\n<h4>Introduction<\/h4>\n<p>Russia\u2019s GRU Unit 26165, also known by several aliases, including APT28, is a name synonymous with cyber espionage, having cast a long shadow over the geopolitical landscape for over two decades. Its target sectors, government institutions, militaries, and security organizations, clearly reflect its motives, which are stealing sensitive information for political and military gain. In our previous coverage of APT28, also known as Forest Blizzard, we explored their long-standing espionage capabilities, custom malware arsenal, and disruptive operations across geopolitical hotspots. Our past research outlined how Logpoint empowers defenders to detect this adversary\u2019s toolsets, especially focusing on GooseEgg, multiple credential harvesting techniques.<\/p>\n<p>In this latest update, our focus shifts to GRU\u2019s recent campaigns targeting Western logistics entities and technology companies, as detailed in the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-141a\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">CISA Advisory<\/span><\/a>. These attacks are part of a broader post-invasion escalation by GRU Unit 26165, reflecting a strategic effort to compromise supply chains supporting Ukraine. Since the onset of the Ukraine conflict, cyber operations have become a strategic extension of geopolitical aggression. These operations demonstrate a refined and persistent effort to infiltrate organizations that support Ukrainian aid and defense logistics<\/p>\n<p>This blog focuses specifically on post-compromise tactics, techniques, and procedures (TTPs), rather than discussing the initial infection vectors. GRU doesn\u2019t always rely on flashy malware; instead, they move quietly, using built-in tools like PowerShell, PsExec, or RDP to explore the network, harvest credentials, and dig deeper into high-value systems.<\/p>\n<p>What makes these actions dangerous also makes them detectable: they leave behind patterns. Whether it\u2019s suspicious mailbox permission changes, zipped data staged for exfiltration, or logs suddenly being wiped clean, these activities generate signals that defenders can pick up on, with the right visibility. Our goal here is to highlight post-compromise behaviors that are not just common but practical to detect actions that defenders can catch in the real world with good logging, smart rules, and a solid understanding of what normal looks like. For the sake of clarity, we will refer to GRU Unit 26165 as GRU in the following blog.<\/p>\n<h4>Detection<\/h4>\n<p>Required log sources:<\/p>\n<p>To follow up on below threat hunting and detection approach below log sources must be configured.<\/p>\n<ol>\n<li>Windows<br \/>\n&#8211; Process creation with command-line auditing should be enabled.<br \/>\n&#8211; Registry Auditing<\/li>\n<li>Windows Sysmon<br \/>\n&#8211; To get started, you can <a href=\"https:\/\/docs.logpoint.com\/docs\/windows\/en\/latest\/NXLog_Sample_Configuration.html#sysmon-configuration\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">use our sysmon baseline<\/span><\/a> configuration.<\/li>\n<li>NDR<\/li>\n<li><a href=\"https:\/\/docs.logpoint.com\/docs\/office365\/en\/latest\/Configuring%20Office365.html\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Office365<\/span><\/a><\/li>\n<\/ol>\n<h3>Initial Access TTPs Discovery<\/h3>\n<h4>Outlook NTLM vulnerability (CVE-2023-23397)<\/h4>\n<p>GRU\u2019s abused an Outlook NTLM flaw:<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-23397\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\"> CVE-2023-23397<\/span><\/a> by sending crafted calendar invites that silently harvest NTLM hashes and user credentials.<a href=\"https:\/\/www.logpoint.com\/en\/blog\/cve-2023-23397-detecting-exploitation\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\"> Check out our blog<\/span><\/a> for a deeper dive into this technique and guidance on how to spot it in your environment.<\/p>\n<h4>Roundcube CVEs<\/h4>\n<p>Adversaries have exploited several Roundcube flaws, namely<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-12641\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\"> CVE-2020-12641<\/span><\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-35730\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">CVE-2020-35730<\/span><\/a>, and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44026\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">CVE-2021-44026<\/span><\/a>, to launch arbitrary shell commands via Visual Basic scripts. To catch this behavior in your environment, use the Suspicious File Execution Using Wscript or Cscript alert, which flags any unexpected uses of these script hosts.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li><span style=\"color: #800000;\">&#8220;process&#8221;<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\wscript.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\cscript.exe&#8221;<\/span>]<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*.jse*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*.vbe*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*.js*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*.vba*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*.vbs*&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">-path<\/span> IN [<span style=\"color: #800000;\">&#8220;C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">-command<\/span> IN [<span style=\"color: #800000;\">&#8220;*.json*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\Windows\\system32\\slmgr.vbs*-rearm*&#8221;<\/span>]<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18461 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01.png\" alt=\"Logpoint buy\" width=\"1920\" height=\"637\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-300x100.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-1024x340.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-768x255.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-1536x510.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-24x8.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-36x12.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog01-48x16.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>Exploitation of WinRAR vulnerability (CVE-2023-38831)<\/h4>\n<p>GRU has exploited a WinRAR vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-38831\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">CVE-2023-38831<\/span><\/a>) to gain initial access. To spot this in your environment, look for WinRAR spawning unexpected child processes\u2014for example:<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create <span style=\"color: #0000ff;\">parent_process<\/span>=<span style=\"color: #800000;\">&#8220;*\\winRAR.exe&#8221;<\/span><\/li>\n<li><span style=\"color: #800000;\">&#8220;process&#8221;<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\cmd.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\cscript.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\mshta.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\powershell.exe&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\pwsh.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\regsvr32.exe&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;*\\rundll32.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\wscript.exe&#8221;<\/span>]<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18464 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02.png\" alt=\"Logpoint solutions buy\" width=\"1459\" height=\"334\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02.png 1459w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-300x69.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-1024x234.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-768x176.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-24x5.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-36x8.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog02-48x11.png 48w\" sizes=\"auto, (max-width: 1459px) 100vw, 1459px\" \/><\/p>\n<p>This alert will flag any unusual script or shell hosts launched by WinRAR. For a deep dive into the CVE-2023-38831 flaw and additional detection guidance, <a href=\"https:\/\/www.logpoint.com\/en\/blog\/emerging-threats\/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">check out our blog<\/span><\/a>:<\/p>\n<h4>Post-Compromise TTPs Detection<\/h4>\n<p>Initial access techniques are countless and constantly evolving\u2014catching every one of them as they hit is like chasing shadows. What really matters is what happens after the attacker lands. By shining a spotlight on post-compromise behaviors\u2014privilege escalation, credential harvesting, lateral movement, data exfiltration\u2014you\u2019ll catch adversaries when they\u2019re most exposed, and stop the attack before real damage is done.<\/p>\n<h4>Impacket and Psexec Detection<\/h4>\n<p>Adversaries frequently lean on built-in Windows tools and popular open-source frameworks, like Impacket and PsExec, to hop laterally through a network. PsExec\u2019s default behavior is to drop an 8-character executable and spin it up as a service with a 4-character name. You can spot this activity with below rule<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">norm_id<\/span>=WinServer <span style=\"color: #0000ff;\">label<\/span>=Service <span style=\"color: #0000ff;\">label<\/span>=Install <span style=\"color: #0000ff;\">label<\/span>=Successful<\/li>\n<li>| process regex(<span style=\"color: #800000;\">&#8220;(?P&lt;new_file_name&gt;[A-Za-z]{8}\\.exe)&#8221;<\/span>, file)<\/li>\n<li>| process regex(<span style=\"color: #800000;\">&#8220;(?P&lt;new_service&gt;[A-Za-z]{4})&#8221;<\/span>, service)<\/li>\n<li>|filter <span style=\"color: #0000ff;\">new_file_name<\/span>=*<\/li>\n<li>|filter <span style=\"color: #0000ff;\">new_service<\/span>=*<\/li>\n<li>|chart count() by host, new_file_name, new_service, image_file<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18467 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03.png\" alt=\"Logpoint SIEM buy\" width=\"1920\" height=\"726\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-300x113.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-1024x387.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-768x290.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-1536x581.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-24x9.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-36x14.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog03-48x18.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<p>PsExec sets up a named pipe (usually prefixed with RemCom_) to shuttle commands and their output between hosts. You can spot this from Sysmon logs by looking for pipe creation events. This will catch any RemCom\u2010style pipes or the common stdin\/stdout\/stderr pipes PsExec uses.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">norm_id<\/span>=WindowsSysmon event_id IN [17, <span style=\"color: #008000;\">18<\/span>]<\/li>\n<li><span style=\"color: #000000;\">pipe IN<\/span> [<span style=\"color: #800000;\">&#8220;*RemCom*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*-stdin&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*-stderr&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*-stdout&#8221;<\/span>]<\/li>\n<\/ol>\n<p>Most Impacket tools ultimately invoke the command prompt to execute the payload. They\u2019ll often be launched by services or admin processes. Below hunting query can be used to detect such events.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li><span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*cmd.exe*&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*\/c*&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*&amp;1*&#8221;<\/span><\/li>\n<li>(parent_process In [<span style=\"color: #800000;\">&#8220;*\\wmiprvse.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\mmc.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\explorer.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\services.exe&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*\/Q*&#8221;<\/span> )<\/li>\n<li>OR (parent_command IN [<span style=\"color: #800000;\">&#8220;*svchost.exe -k netsvcs*&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;*taskeng.exe*&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*Windows\\Temp\\*&#8221;<\/span>)<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18470 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04.png\" alt=\"Logpoint SOAR buy\" width=\"1920\" height=\"855\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-300x134.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-1024x456.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-768x342.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-1536x684.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-24x11.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-36x16.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog04-48x21.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>Active Directory Database Dump via NTDSUTIL<\/h4>\n<p>After moving laterally (often over RDP) onto a Domain Controller, GRU operators use Windows\u2019 built-in ntdsutil.exe to extract the NTDS.dit database. CISA describes the exact steps they take:<\/p>\n<ol>\n<li>C:\\Windows\\System32\\ntdsutil.exe <span style=\"color: #800000;\">&#8220;activate instance ntds&#8221;<\/span> ifm <span style=\"color: #800000;\">&#8220;create full C:\\temp\\&lt;3-letter-folder&gt;&#8221;<\/span> quit quit<\/li>\n<\/ol>\n<p>For detection, you can leverage our built-in \u201cActive Directory Database Dump Attempt\u201d alert\u2014it\u2019s specifically tuned to catch NTDS.dit dump attempts.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li>((<span style=\"color: #800000;\">&#8220;process<\/span>&#8221; IN [<span style=\"color: #800000;\">&#8220;*\\NTDSDump.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\NTDSDumpEx.exe&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*\\ntdsutil.exe&#8221;<\/span>]) OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*ntds.dit*&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*system.hiv*&#8221;<\/span>) OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*NTDSgrab.ps1*&#8221;<\/span>))<\/li>\n<li>OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*ac i ntds*&#8221;<\/span><span style=\"color: #0000ff;\"> command<\/span>=<span style=\"color: #800000;\">&#8220;*create full*&#8221;<\/span>)<\/li>\n<li>OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*\/c copy *&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*\\windows\\ntds\\ntds.dit*&#8221;<\/span>)<\/li>\n<li>OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*activate instance ntds*&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*create full*&#8221;<\/span>)<\/li>\n<li>OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*powershell*&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*ntds.dit*&#8221;<\/span>)<\/li>\n<li>OR (<span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;*ntds.dit*&#8221;<\/span> <span style=\"color: #800000;\">&#8220;process&#8221;<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\apache*&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;*\\tomcat*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\AppData\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\Temp\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\Public\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\PerfLogs\\*&#8221;<\/span>] OR <span style=\"color: #800000;\">&#8220;parent_process&#8221;<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\apache*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\tomcat*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\AppData\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\Temp\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\Public\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\PerfLogs\\*&#8221;<\/span>])<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18488 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05.png\" alt=\"SIEM buy\" width=\"1920\" height=\"653\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-300x102.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-1024x348.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-768x261.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-1536x522.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-24x8.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-36x12.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog05-48x16.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>Post\u2013AD Database Dump Activities<\/h4>\n<p>After dumping the NTDS.dit, GRU\u2019s operators employed two key tools, ADExplorer and Certipy, to harvest and exfiltrate directory data. They also installed Python on compromised hosts to run Certipy.<\/p>\n<p>ADExplorer (a Sysinternals utility) can take \u201csnapshots\u201d of the AD hierarchy. You can detect its use with our alert ADExplorer Snapshot Detection.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span><span style=\"color: #0000ff;\"> label<\/span>=Create<\/li>\n<li>(<span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\adexplorer.exe&#8221;<\/span> OR <span style=\"color: #800000;\">&#8220;file&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;AdExp&#8221;<\/span>)<\/li>\n<li>command=<span style=\"color: #800000;\">&#8220;*snapshot*&#8221; <\/span><\/li>\n<\/ol>\n<h4>Certipy Execution Detection<\/h4>\n<p>Certipy\u2019s command set (e.g., auth, find, relay, shadow), combined with its BloodHound export flags, makes its usage distinct. Detection can be done using an alert, Certipy Tool Execution for AD CS Abuse.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li>(<span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\Certipy.exe&#8221;<\/span> OR <span style=\"color: #0000ff;\">file<\/span>=<span style=\"color: #800000;\">&#8220;Certipy.exe&#8221;<\/span> OR <span style=\"color: #0000ff;\">description<\/span>=<span style=\"color: #800000;\">&#8220;*Certipy*&#8221;<\/span>)<\/li>\n<li>OR<\/li>\n<li>(command IN [<span style=\"color: #800000;\">&#8220;* auth *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* find *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* forge *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* relay *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* req *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* shadow *&#8221;<\/span>]<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;* -bloodhound*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -ca-pfx *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -dc-ip *&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* -kirbi*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -old-bloodhound*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -pfx *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -target*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -username *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -vulnerable*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*auth -pfx*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadow auto*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadow list*&#8221;<\/span>])<\/li>\n<\/ol>\n<p>Or a following hunt query can be utilized for Certipy\u2019s activities.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=&#8221;Process&#8221;<span style=\"color: #0000ff;\"> label<\/span>=Create<\/li>\n<li>(<span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\Certipy.exe&#8221;<\/span> OR <span style=\"color: #0000ff;\">file<\/span>=<span style=\"color: #800000;\">&#8220;Certipy.exe&#8221;<\/span> OR <span style=\"color: #0000ff;\">description<\/span>=<span style=\"color: #800000;\">&#8220;*Certipy*&#8221;<\/span>)<\/li>\n<li>OR<\/li>\n<li>(command IN [<span style=\"color: #800000;\">&#8220;* auth *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* find *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* forge *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* relay *&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* req *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* shadow *&#8221;<\/span>]<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;* -bloodhound*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -ca-pfx *&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* -dc-ip *&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* -kirbi*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -old-bloodhound*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -pfx *&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* -target*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -username *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* -vulnerable*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*auth -pfx*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadow auto*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadow list*&#8221;<\/span>])<\/li>\n<\/ol>\n<h4>Python Installation Hunting<\/h4>\n<p>Since Certipy runs under Python, spotting unexpected Python installs or launches can pre-empt its use. For example, detect MSI-based installs or direct Python executables:<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=Install<span style=\"color: #0000ff;\"> label<\/span>=Application<span style=\"color: #0000ff;\"> label<\/span>=Successful <span style=\"color: #0000ff;\">rule_description<\/span>=<span style=\"color: #800000;\">&#8220;*python*&#8221;<\/span><\/li>\n<li>| chart count() by user,host,rule_description<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18485 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06.png\" alt=\"SOAR buy\" width=\"1920\" height=\"497\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-300x78.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-1024x265.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-768x199.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-1536x398.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-24x6.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-36x9.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog06-48x12.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>Mailbox Folder Permission Modification and Multiple Mailbox Access<\/h4>\n<p>According to the <a href=\"https:\/\/www.wojsko-polskie.pl\/woc\/articles\/aktualnosci-w\/detecting-malicious-activity-against-microsoft-exchange-servers\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Polish Cybercommand blog<\/span><\/a>, the adversary modified folder permissions across mailboxes to gain unfettered access to all users\u2019 mail. In Exchange Online, you can detect this behavior with these alerts:<\/p>\n<h4>Exchange Mailbox Folder Delegation Configured<\/h4>\n<ol>\n<li><span style=\"color: #0000ff;\">norm_id<\/span>=Office365<\/li>\n<li>((action IN [<span style=\"color: #800000;\">&#8220;Add-MailBoxFolderPermission&#8221;, &#8220;Set-MailBoxFolderPermission&#8221;<\/span>] <span style=\"color: #0000ff;\">-identity<\/span> IN [<span style=\"color: #800000;\">&#8220;*:\\Calendar&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*:\\Contacts&#8221;<\/span>])<\/li>\n<li>OR<\/li>\n<li>(action IN [<span style=\"color: #800000;\">&#8220;AddFolderPermissions&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;ModifyFolderPermissions&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">item_parent_folder_member_rights<\/span>=<span style=\"color: #800000;\">&#8220;*ReadAny*&#8221;<\/span> <span style=\"color: #0000ff;\">-item_parent_folder_name<\/span> IN [<span style=\"color: #800000;\">&#8220;Calendar&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;Contacts&#8221;<\/span>]))<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18482 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07.png\" alt=\"buy Logpoint\" width=\"1920\" height=\"646\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07.png 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-300x101.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-1024x345.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-768x258.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-1536x517.png 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-24x8.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-36x12.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog07-48x16.png 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>\u0414\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0434\u0435\u043a\u0456\u043b\u044c\u043a\u043e\u0445 \u043f\u043e\u0448\u0442\u043e\u0432\u0438\u0445 \u0441\u043a\u0440\u0438\u043d\u044c\u043e\u043a Exchange \u0447\u0435\u0440\u0435\u0437 API \u0437\u0430 \u043a\u043e\u0440\u043e\u0442\u043a\u0438\u0439 \u043f\u0440\u043e\u043c\u0456\u0436\u043e\u043a \u0447\u0430\u0441\u0443<\/h4>\n<ol>\n<li><span style=\"color: #0000ff;\">norm_id<\/span>=Office365 action=<span style=\"color: #800000;\">&#8220;MailItemsAccessed&#8221;<\/span> <span style=\"color: #0000ff;\">user_type<\/span>=<span style=\"color: #800000;\">&#8220;Application&#8221;<\/span><\/li>\n<li>| process eval(<span style=\"color: #800000;\">&#8220;match=like(client_information, &#8216;Client=WebServices;ExchangeWebServices%&#8217;)&#8221;<\/span>)<\/li>\n<li>| process eval(<span style=\"color: #800000;\">&#8220;search_result=if(match) {return 1}<\/span><\/li>\n<li><span style=\"color: #800000;\">else-if(target_application==&#8217;Microsoft Graph&#8217;) {return 1}<\/span><\/li>\n<li><span style=\"color: #800000;\">else {return 0}&#8221;<\/span>)<\/li>\n<li>| filter <span style=\"color: #0000ff;\">search_result<\/span>=1<\/li>\n<li>| timechart distinct_count(upn) as user_mailbox_count, distinct_list(user) as user_list, distinct_list(source_address) as source_address by target_application every 10 minutes<\/li>\n<li>| filter user_mailbox_count &gt; 5<\/li>\n<\/ol>\n<h4>Defense Evasion<\/h4>\n<p>The GRU routinely used native Windows utilities like wevtutil to wipe event logs after gaining access or escalating privileges. This tactic helped them hide their tracks and delay detection during post-compromise activity.<\/p>\n<p>Detection can be done using an alert, Suspicious Eventlog Clear or Configuration Using Wevtutil Detected.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span><span style=\"color: #0000ff;\"> label<\/span>=Create<\/li>\n<li>(<\/li>\n<li>((<span style=\"color: #800000;\">&#8220;process&#8221;<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\powershell.exe&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*\\pwsh.exe*&#8221;<\/span>] command IN [<span style=\"color: #800000;\">&#8220;*Clear-EventLog*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*Remove-EventLog*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*Limit-EventLog*&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*Clear-WinEvent*&#8221;<\/span>])<\/li>\n<li>OR<br \/>\n(<span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\wmic.exe&#8221;<\/span> command=<span style=\"color: #800000;\">&#8220;* ClearEventLog *&#8221;<\/span>))<\/li>\n<li>OR<br \/>\n(<span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\wevtutil.exe&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span> IN [<span style=\"color: #800000;\">&#8220;*clear-log*&#8221;<\/span>,<span style=\"color: #800000;\"> &#8220;* cl *&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*set-log*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;* sl *&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*lfn: &#8220;<\/span>])<\/li>\n<li>)<\/li>\n<li>-(parent_process IN [<span style=\"color: #800000;\">&#8220;C:\\Windows\\SysWOW64\\msiexec.exe&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;C:\\Windows\\System32\\msiexec.exe&#8221;<\/span>] command=<span style=\"color: #800000;\">&#8220;* sl *&#8221;<\/span>)<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18479 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08.jpg\" alt=\"\" width=\"1748\" height=\"506\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08.jpg 1748w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-300x87.jpg 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-1024x296.jpg 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-768x222.jpg 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-1536x445.jpg 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-24x7.jpg 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-36x10.jpg 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog08-48x14.jpg 48w\" sizes=\"auto, (max-width: 1748px) 100vw, 1748px\" \/><\/p>\n<p>They have also exploited the way Windows <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/001\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">loads DLLs<\/span><\/a> by planting malicious ones in directories that are searched first. This lets them execute code through trusted binaries, bypassing traditional security scans.<\/p>\n<p>Detection can be done using an alert, Safe DLL Search Mode Disabled.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\"> norm_id<\/span>=WindowSysmon <span style=\"color: #0000ff;\">event_id<\/span>=13<\/li>\n<li><span style=\"color: #0000ff;\">target_object<\/span>=<span style=\"color: #800000;\">&#8216;*\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode&#8217;<\/span><\/li>\n<li><span style=\"color: #0000ff;\">detail<\/span>=<span style=\"color: #800000;\">&#8220;DWORD (0x00000000)&#8221;<\/span><\/li>\n<\/ol>\n<h4>Persistence Techniques<\/h4>\n<p>GRU operators rely on tried-and-true persistence methods to maintain access, including scheduled tasks, Run-key modifications, and Startup folder payloads. Here\u2019s how to spot each:<\/p>\n<h4>Schedule Tasks<\/h4>\n<p>You can leverage the Scheduled Task Creation Detected alert to catch every new scheduled task created in your environment.<\/p>\n<ol>\n<li>(<span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create <span style=\"color: #800000;\">&#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\schtasks.exe&#8221;<\/span> <span style=\"color: #0000ff;\">command<\/span>=<span style=\"color: #800000;\">&#8220;* \/create *&#8221;<\/span> <span style=\"color: #0000ff;\">-user<\/span> IN EXCLUDED_USERS)<\/li>\n<li>OR<\/li>\n<li>(<span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Registry&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Key&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Map&#8221; &#8220;target_object&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*&#8221;<\/span> <span style=\"color: #0000ff;\">-target_object<\/span> IN [<span style=\"color: #800000;\">&#8220;*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\UpdateOrchestrator*&#8221;<\/span>] <span style=\"color: #0000ff;\">event_type<\/span>=CreateKey)<\/li>\n<li>OR<\/li>\n<li>(<span style=\"color: #0000ff;\">norm_id<\/span>=WinServer <span style=\"color: #0000ff;\">event_id<\/span>=<span style=\"color: #008000;\">4698<\/span><\/li>\n<li>(-command IN [<span style=\"color: #800000;\">&#8220;*MpCmdRun.exe&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*msfeedssync.exe&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*usoclient.exe&#8221;<\/span>] OR (<span style=\"color: #0000ff;\">-task<\/span>=<span style=\"color: #800000;\">&#8220;\\CreateExplorerShellUnelevatedTask&#8221;<\/span> command=<span style=\"color: #800000;\">&#8220;*explorer.exe&#8221;<\/span>)))<\/li>\n<\/ol>\n<p>Because the generic alert covers every new task (and can yield a high volume of results), you can instead use the Suspicious Scheduled Task Creation alert to pinpoint only those tasks originating from locations commonly abused by malware.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">norm_id<\/span>=WinServer <span style=\"color: #0000ff;\">label<\/span>=Schedule <span style=\"color: #0000ff;\">label<\/span>=Task <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*C:\\Users\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\Windows\\Temp\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\ProgramData\\*&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">-command<\/span>=<span style=\"color: #800000;\">&#8220;C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*&#8221; <\/span><\/li>\n<\/ol>\n<p>According to CISA\u2019s IOC section, the threat actor created the scheduled task using an XML file so you can detect this specific technique with the Suspicious Scheduled Task Creation via Masqueraded XML File alert.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<span style=\"color: #800000;\"> &#8220;process&#8221;<\/span>=<span style=\"color: #800000;\">&#8220;*\\schtasks.exe&#8221;<\/span><\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*\/create*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*-create*&#8221;<\/span>] command IN [<span style=\"color: #800000;\">&#8220;*\/xml*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*-xml*&#8221;<\/span>]<\/li>\n<li>(<span style=\"color: #0000ff;\">-integrity_level<\/span>=system OR <span style=\"color: #0000ff;\">-integrity_label<\/span>=*system*)<\/li>\n<li><span style=\"color: #0000ff;\">-command<\/span> = *.xml*<\/li>\n<li>((<span style=\"color: #0000ff;\">-parent_process<\/span> IN [<span style=\"color: #800000;\">&#8220;*:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_*\\BUnzip\\Setup_msi.exe&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*:\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*:\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*:\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*:\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe&#8221;<\/span> ] )<\/li>\n<li>OR (<span style=\"color: #0000ff;\">-parent_process<\/span> = <span style=\"color: #800000;\">&#8220;*\\rundll32.exe&#8221;<\/span> command = <span style=\"color: #800000;\">&#8220;*:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc&#8221;<\/span> ))<\/li>\n<\/ol>\n<h4>Autorun and Startup<\/h4>\n<p>Adding entries to the Autorun registry keys or dropping payloads into the Startup folder is a widely abused persistence method\u2014used by both legitimate software and malware\u2014to launch programs at Windows startup. You can catch any of these changes with the Autorun Keys Modification Detected alert, which monitors registry writes and file events against the key Run locations and Startup directories.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=Registry <span style=\"color: #0000ff;\">label<\/span>=Set label=Value <span style=\"color: #0000ff;\">-event_type<\/span>=info<\/li>\n<li>target_object IN [<span style=\"color: #800000;\">&#8220;*\\software\\Microsoft\\Windows\\CurrentVersion\\Run*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*&#8221;<\/span>]<\/li>\n<li>detail IN [<span style=\"color: #800000;\">&#8220;*C:\\Windows\\Temp\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\$Recycle.bin\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\Temp\\*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*C:\\Users\\Public\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\C:ProgramData\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\Users\\Default\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*C:\\Users\\Desktop\\*&#8221;<\/span>,<\/li>\n<li><span style=\"color: #800000;\">&#8220;*\\AppData\\Local\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*Public\\*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*wscript*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*cscript*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*powershell.exe*&#8221;<\/span>]<\/li>\n<li><span style=\"color: #0000ff;\">-detail<\/span>=<span style=\"color: #800000;\">&#8220;*\\AppData\\Local\\Microsoft\\Teams\\Update.exe *&#8221; <\/span><\/li>\n<\/ol>\n<h4>Impact<\/h4>\n<p>The GRU employs impact-focused techniques not to destroy systems outright, but rather to erase evidence, disrupt recovery, and maintain stealth during and after their operations. They utilize legitimate Windows utilities such as wevtutil.exe to clear event logs and vssadmin.exe to manipulate volume shadow copies, indicating preparations to disable backup and forensic recovery.<\/p>\n<p>Detects use of system tools like vssadmin, wbadmin, or PowerShell to create or manipulate shadow copies, potentially for staging data or disabling recovery.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span><span style=\"color: #0000ff;\"> label<\/span>=Create<\/li>\n<li>(( <span style=\"color: #800000;\">&#8220;process&#8221; IN [&#8220;*\\vssadmin.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\wbadmin.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\diskshadow.exe&#8221;<\/span>]<\/li>\n<li>OR file IN [<span style=\"color: #800000;\">&#8220;VSSADMIN.EXE&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;WBADMIN.EXE&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;diskshadow.exe&#8221;<\/span>])<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*create*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadow*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*resize*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*shadowstorage*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\/MaxSize=*&#8221;<\/span>])<\/li>\n<li>OR (<span style=\"color: #800000;\">&#8220;process&#8221; IN<\/span> [<span style=\"color: #800000;\">&#8220;*\\powershell.exe&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*\\pwsh.exe&#8221;<\/span>]<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*Get-WmiObject*&#8221;<\/span>, &#8220;*gwmi*&#8221;, &#8220;*Get-CimInstance*&#8221;, &#8220;*gcim*&#8221;]<\/li>\n<li><span style=\"color: #0000ff;\">command<\/span>=&#8221;*Win32_ShadowCopy*&#8221;<\/li>\n<li>command IN [&#8220;*Create()*&#8221;, &#8220;*CreateShadowCopy*&#8221;, &#8220;*Enable-ComputerRestore*&#8221;, &#8220;*Checkpoint-Computer*&#8221;])<\/li>\n<\/ol>\n<h4>Hunting Malware Families<\/h4>\n<p>In this campaign, the GRU employed various malware families to perform essential post-compromise functions, such as persistence, credential theft, and data exfiltration. Notable among these were HEADLACE, a multi-stage backdoor recognized for its use of headless browser automation and discreet script execution, and MASEPIE, an exfiltration tool that has been previously observed in GRU operations aimed at Ukrainian interests.<\/p>\n<h4>HEADLACE Execution Traces hunting query<\/h4>\n<p>Detects use of legitimate utilities with command-line patterns often associated with malicious activity, such as data staging, headless browser automation, or scheduled task creation<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create command IN [<span style=\"color: #800000;\">&#8220;*headless-new -disable-gpu*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*activate instance ntds*&#8221;<\/span> ,<span style=\"color: #800000;\">&#8220;*ssh -Nf*&#8221;<\/span> ,<span style=\"color: #800000;\">&#8220;*schtasks \/create \/xml*&#8221;<\/span>]<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18476 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09.jpg\" alt=\"\" width=\"1920\" height=\"445\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09.jpg 1920w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-300x70.jpg 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-1024x237.jpg 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-768x178.jpg 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-1536x356.jpg 1536w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-24x6.jpg 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-36x8.jpg 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/blog09-48x11.jpg 48w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<h4>HEADLACE Batch Script Artifact Hunting query<\/h4>\n<p>Detects command-line patterns and batch scripting behavior used in GRU&#8217;s HEADLACE malware, including headless browser abuse, system recon, and deletion of local artifacts.<\/p>\n<ol>\n<li><span style=\"color: #0000ff;\">label<\/span>=<span style=\"color: #800000;\">&#8220;Process&#8221;<\/span> <span style=\"color: #0000ff;\">label<\/span>=Create<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*headless-new -disable-gpu*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*chcp 65001*&#8221;<\/span>]<\/li>\n<li>command IN [<span style=\"color: #800000;\">&#8220;*taskkill \/im msedge.exe \/f*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*whoami*%programdata%*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*timeout*&#8221;<\/span>, <span style=\"color: #800000;\">&#8220;*copy*%programdata%*&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*del \/q \/f *%programdata%*&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*del \/q \/f *%userprofile%\\Downloads\\*&#8221;<\/span>,<span style=\"color: #800000;\">&#8220;*del \/q \/f*&#8221;<\/span>]<\/li>\n<\/ol>\n<h4>Detection via Logpoint Muninn<\/h4>\n<p>Logpoint\u2019s Network Detection and Response (NDR) Muninn can play a vital role in detecting and responding to post-compromise behaviors commonly employed by the GRU. While many of the group\u2019s techniques rely on built-in system tools and credential abuse, they also generate distinct network patterns that can be detected in real-time with the right behavioral analytics.<\/p>\n<p>Some of the notifications listed below can be useful in detecting their presence in the network :<\/p>\n<ul>\n<li>RDP brute force external to internal<\/li>\n<li>Lateral movement and execution<\/li>\n<li>Lateral movement using SMB admin shares<\/li>\n<li>DarkNet or Tor activity detected<\/li>\n<li>Credential dumping using RPC<\/li>\n<li>Exfiltration of many files<\/li>\n<li>Event log clearing or forced reboot using RPC<\/li>\n<li>Large Transfer Sent<\/li>\n<\/ul>\n<h3>Mitigations &amp; Recommendations<\/h3>\n<h4>Recommendations:<\/h4>\n<h4>Train for Social-Engineering Resilience<\/h4>\n<ul>\n<li>Regular phishing simulations: Run realistic email and messaging drills that include phishing, smishing, and pretexting scenarios.<\/li>\n<li>Prompt reporting: Establish a clear, easy-to-use process for employees to report suspected phishing or social-engineering attempts.<\/li>\n<li>Reinforce learnings: Provide targeted follow-up training for users who fall for simulations, turning mistakes into teachable moments.<\/li>\n<\/ul>\n<h4>Keep Software Updated<\/h4>\n<ul>\n<li>Apply vendor updates promptly: Ensure operating systems, browsers, mail clients, and third-party applications install the latest security patches as soon as they\u2019re available.<\/li>\n<li>Use vendor mitigations: If a patch isn\u2019t immediately available, implement any temporary workarounds or configuration changes recommended by the vendor.<\/li>\n<li>Prioritize by severity: When multiple vulnerabilities exist, triage and remediate critical or actively exploited flaws first.<\/li>\n<\/ul>\n<h4>Enforce Least-Privilege Access<\/h4>\n<ul>\n<li>Restrict permissions: Grant each user\u2014and every service account\u2014only the rights they need to do their job.<\/li>\n<li>Segment elevated roles: Separate administrative logins from everyday user environments to limit credential exposure.<\/li>\n<li>Review regularly: Audit access rights quarterly (or after organizational changes) and remove any stale or excessive privileges.<\/li>\n<\/ul>\n<h4>Require Strong Authentication<\/h4>\n<ul>\n<li>Multi-Factor Authentication (MFA): Require MFA for all accounts\u2014especially remote, administrative, and cloud-based logins\u2014to ensure that stolen passwords alone aren\u2019t enough to gain access.<\/li>\n<li>Robust Password Policies: Enforce minimum length and complexity, prevent password reuse, and lock accounts after repeated failed logins. These controls help thwart brute-force and credential-stuffing attacks.<\/li>\n<\/ul>\n<h4>Segment Your Network<\/h4>\n<ul>\n<li>Micro-segmentation: Divide your network into logical zones (e.g., user workstations, servers, domain controllers) and enforce strict traffic controls between them.<\/li>\n<li>Protect critical assets: Place high-value systems\u2014like DCs, mail servers, and backup repositories\u2014behind additional firewalls or jump-hosts.<\/li>\n<\/ul>\n<h4>Privileged Access Management<\/h4>\n<ul>\n<li>Day-to-Day Least Privilege: Have every administrator operate under a standard user account for routine tasks\u2014only switch to a dedicated admin account when performing elevated activities. This separation helps contain malware or phishing impacts on high-privilege credentials.<\/li>\n<li>Admin Isolation: Prevent admin accounts from signing into non-privileged workstations. Restrict their login to hardened, monitored jump hosts or dedicated admin workstations to reduce the chance of credential theft or lateral movement.<\/li>\n<\/ul>\n<h4>Centralized Auditing and Logging<\/h4>\n<ul>\n<li>Comprehensive Log Collection: Define and enforce logging policies across every layer\u2014Windows Event Logs, application and database logs, cloud service and API logs, and network telemetry. Forward all of this data into your SIEM to ensure full visibility and streamline real-time analysis.<\/li>\n<li>Retention Policy: Implement a minimum six-month retention window (or longer to meet regulatory or business requirements). This guarantees that historical logs remain available for thorough incident investigations and forensic analysis.<\/li>\n<\/ul>\n<h4>Deploy EDR and NDR Solutions<\/h4>\n<ul>\n<li>Endpoint Detection and Response (EDR):<br \/>\nDeploy endpoint agents that continuously monitor host activity, automatically detect and block malicious behavior, shrink the attack surface, and feed detailed telemetry into your security platform for faster investigations.<\/li>\n<li>Network Detection and Response (NDR):<br \/>\nCollect and analyze network telemetry (packet captures, flow records, DNS and HTTP logs) to spot lateral movement, command-and-control traffic, or data exfiltration that EDR might miss. NDR provides a complementary view, ensuring you catch adversaries even if an endpoint agent is disabled.<\/li>\n<\/ul>\n<h4>Exercise Incident-Response Readiness<\/h4>\n<ul>\n<li>Tabletop and live drills: Regularly test your playbooks against simulated intrusion scenarios to identify gaps in detection, escalation, and containment.<\/li>\n<li>After-action reviews: Document lessons learned and update procedures to strengthen your next response.<\/li>\n<\/ul>\n<h4>Maintain Robust Backups<\/h4>\n<ul>\n<li>3-2-1 rule: Keep three copies of critical data, stored on two different media types, with one copy offline or offsite.<\/li>\n<li>Automated verification: Regularly test backup restores to ensure data integrity and availability during an incident.<\/li>\n<\/ul>\n<p>Source: <a href=\"https:\/\/www.logpoint.com\/en\/blog\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/\" target=\"_blank\" rel=\"noopener\">Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Joint Cybersecurity Advisory (CSA) AA25-141A exposes a sustained and multifaceted cyber-espionage campaign attributed to Russia\u2019s GRU Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, and a host of other monikers. Since early 2022, this group has relentlessly targeted Western logistics and technology companies involved in supporting Ukraine, exploiting both legacy and zero-day vulnerabilities [&hellip;]<\/p>\n","protected":false},"author":7163,"featured_media":18456,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[142],"tags":[],"class_list":["post-18655","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u261d Oberig IT blog<\/title>\n<meta name=\"description\" content=\"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u261d Oberig IT blog\" \/>\n<meta property=\"og:description\" content=\"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"Oberig IT\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Oberig.disti\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-13T08:02:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-01T08:26:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1350\" \/>\n\t<meta property=\"og:image:height\" content=\"450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Iryna Vlasenko\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Iryna Vlasenko\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u261d Oberig IT blog","description":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u26a1 Oberig IT blog for integrator partners, vendors and end customers","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/","og_locale":"en_US","og_type":"article","og_title":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u261d Oberig IT blog","og_description":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u26a1 Oberig IT blog for integrator partners, vendors and end customers","og_url":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/","og_site_name":"Oberig IT","article_publisher":"https:\/\/www.facebook.com\/Oberig.disti","article_published_time":"2025-06-13T08:02:47+00:00","article_modified_time":"2025-07-01T08:26:36+00:00","og_image":[{"width":1350,"height":450,"url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg","type":"image\/jpeg"}],"author":"Iryna Vlasenko","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Iryna Vlasenko","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#article","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/"},"author":{"name":"Iryna Vlasenko","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/fd0fd95a6b9813571f62adee41332887"},"headline":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign","datePublished":"2025-06-13T08:02:47+00:00","dateModified":"2025-07-01T08:26:36+00:00","mainEntityOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/"},"wordCount":3192,"commentCount":0,"publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg","articleSection":["Articles"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/","url":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/","name":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u261d Oberig IT blog","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#primaryimage"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg","datePublished":"2025-06-13T08:02:47+00:00","dateModified":"2025-07-01T08:26:36+00:00","description":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign \u26a1 Oberig IT blog for integrator partners, vendors and end customers","breadcrumb":{"@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#primaryimage","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/dajdzhest-cherven25-3.jpg","width":1350,"height":450},{"@type":"BreadcrumbList","@id":"https:\/\/oberig-it.com\/en\/articles\/frontline-intel-pinpointing-grus-ttps-in-the-recent-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/oberig-it.com\/en\/"},{"@type":"ListItem","position":2,"name":"Frontline Intel: Pinpointing GRU\u2019s TTPs in the Recent Campaign"}]},{"@type":"WebSite","@id":"https:\/\/oberig-it.com\/en\/#website","url":"https:\/\/oberig-it.com\/en\/","name":"Oberig IT","description":"Distribution of complex IT and information security solutions","publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/oberig-it.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/oberig-it.com\/en\/#organization","name":"Oberig IT","url":"https:\/\/oberig-it.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","caption":"Oberig IT"},"image":{"@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Oberig.disti"]},{"@type":"Person","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/fd0fd95a6b9813571f62adee41332887","name":"Iryna Vlasenko","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1994031a0cacb6e8d8f7847ecb9b980006657a175510f6d475283dc893f8ebc9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1994031a0cacb6e8d8f7847ecb9b980006657a175510f6d475283dc893f8ebc9?s=96&d=mm&r=g","caption":"Iryna Vlasenko"}}]}},"_links":{"self":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/users\/7163"}],"replies":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/comments?post=18655"}],"version-history":[{"count":5,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18655\/revisions"}],"predecessor-version":[{"id":18660,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18655\/revisions\/18660"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media\/18456"}],"wp:attachment":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media?parent=18655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/categories?post=18655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/tags?post=18655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}