{"description": "Enterprise techniques used by APT28 Nearest Neighbor Campaign, ATT&CK campaign C0051 (v1.0)", "name": "APT28 Nearest Neighbor Campaign (C0051)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used built-in PowerShell capabilities (the Compress-Archive cmdlet) to compress collected data.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) performed password-spray attacks against public-facing services to validate credentials.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the PowerShell cmdlet Get-ChildItem to access credentials, among other PowerShell functions.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used cmd.exe for execution.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) staged captured credential information in the C:\\ProgramData directory.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) unarchived data using the GUI version of WinRAR.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1006", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used vssadmin to create volume shadow copies and accessed them directly in order to copy the otherwise locked NTDS.dit file.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1686", "showSubtechniques": true}, {"techniqueID": "T1686.003", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) added rules to the victim's Windows firewall to set up a series of port forwards allowing traffic to reach target systems.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the native Microsoft utility [cipher.exe](https://attack.mitre.org/software/S1205) to securely wipe files and folders, overwriting the free space left by the deleted data on the C: volume with cmd.exe /c cipher /W:C.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) exfiltrated data over public web services such as Google Drive.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the following commands to dump the SAM, SYSTEM, and SECURITY hives: reg save hklm\\sam, reg save hklm\\system, and reg save hklm\\security.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) dumped NTDS.dit by creating volume shadow copies via vssadmin.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used the built-in netsh portproxy command to create internal proxies on compromised systems.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) used RDP for lateral movement.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) leveraged SMB to transfer files and move laterally.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "showSubtechniques": true}, {"techniqueID": "T1016.002", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) collected information on Wi-Fi networks within range of a compromised system.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1669", "comment": "During [APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051), [APT28](https://attack.mitre.org/groups/G0007) established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment.(Citation: Nearest Neighbor Volexity)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT28 Nearest Neighbor Campaign", "color": "#66b1ff"}]}