
Known TTPs

The actors used a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data, as illustrated in the figure below. The actors used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM. The actors also utilized different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.

The following table summarizes the known TTPs used in conjunction with the password spray capability. As the structure of target networks can vary greatly, the 85th GTsSS may employ a subset of these TTPs, or other TTPs not included in this summary, against different victims.

Table I: Summary of known tactics, techniques, and procedures

1 T1190 and similar references are MITRE ATT&CK® techniques and tactics. MITRE and ATT&CK are registered trademarks of The MITRE Corporation.


