APT 29 Initial Access Killchain -MITRE ATT@CK Mapping

Michael Koczwara
3 min readMay 23, 2023
Cozy Bear

APT29/Nobelium Initial Access & ATT@CK Mapping

TA0042: Resource Development

  • T1650: Aquire Infrastructure
  • T1584: Compromised Infrastructure
  • T1587: Develop Capabilities
  • T1587.001: Develop Capabilities: Malware
  • T1588: Obtain Capabilities
  • T1588.002: Obtain Capabilities: Tool

APT29/Nobelium Cobalt Strike C2 setup with custom certificates and redirections (Pay attention to how similar threat actor communitypowersports[.]com domain is to the genuine sanjosemotosport[.]com).

These domain similarities or sometimes typosquatting SSL domains are techniques used frequently by Threat Actors.

APT29/Nobelium Cobalt Strike C2 redirector setup

Here you can see how the mode rewrite redirector works.

Cobalt Strike C2 mode rewrite setup

Initial Access Attack Analysis HTML (EnvyScout) dropper used by Russian APT29/Nobelium in recent