Frontline Intel: Pinpointing GRU’s TTPs in the Recent Campaign

Logpoint

Award winning SIEM

Go To Section

Tags

Introduction

Russia’s GRU Unit 26165, also known by several aliases, including APT28, is a name synonymous with cyber espionage, having cast a long shadow over the geopolitical landscape for over two decades. Its target sectors, government institutions, militaries, and security organizations, clearly reflect its motives, which are stealing sensitive information for political and military gain. In our previous coverage of APT28, also known as Forest Blizzard, we explored their long-standing espionage capabilities, custom malware arsenal, and disruptive operations across geopolitical hotspots. Our past research outlined how Logpoint empowers defenders to detect this adversary’s toolsets, especially focusing on GooseEgg, multiple credential harvesting techniques.

In this latest update, our focus shifts to GRU’s recent campaigns targeting Western logistics entities and technology companies, as detailed in the CISA Advisory. These attacks are part of a broader post-invasion escalation by GRU Unit 26165, reflecting a strategic effort to compromise supply chains supporting Ukraine. Since the onset of the Ukraine conflict, cyber operations have become a strategic extension of geopolitical aggression. These operations demonstrate a refined and persistent effort to infiltrate organizations that support Ukrainian aid and defense logistics

This blog focuses specifically on post-compromise tactics, techniques, and procedures (TTPs), rather than discussing the initial infection vectors. GRU doesn’t always rely on flashy malware; instead, they move quietly, using built-in tools like PowerShell, PsExec, or RDP to explore the network, harvest credentials, and dig deeper into high-value systems.

What makes these actions dangerous also makes them detectable: they leave behind patterns. Whether it’s suspicious mailbox permission changes, zipped data staged for exfiltration, or logs suddenly being wiped clean, these activities generate signals that defenders can pick up on, with the right visibility. Our goal here is to highlight post-compromise behaviors that are not just common but practical to detect actions that defenders can catch in the real world with good logging, smart rules, and a solid understanding of what normal looks like. For the sake of clarity, we will refer to GRU Unit 26165 as GRU in the following blog.

Detection

Required log sources:

To follow up on below threat hunting and detection approach below log sources must be configured.

1. Windows
   • Process creation with command-line auditing should be enabled.
   • Registry Auditing
2. Windows Sysmon
   • To get started, you can use our sysmon baseline configuration.
3. NDR
4. Office365

Initial Access TTPs Discovery

Outlook NTLM vulnerability (CVE-2023-23397)

GRU’s abused an Outlook NTLM flaw: CVE-2023-23397 by sending crafted calendar invites that silently harvest NTLM hashes and user credentials. Check out our blog for a deeper dive into this technique and guidance on how to spot it in your environment.

Roundcube CVEs

Adversaries have exploited several Roundcube flaws, namely CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026, to launch arbitrary shell commands via Visual Basic scripts. To catch this behavior in your environment, use the Suspicious File Execution Using Wscript or Cscript alert, which flags any unexpected uses of these script hosts.

Syntax Highlighterlabel="Process" label=Create "process" IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*","*.vbs*"] -path IN ["C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\*"] -command IN ["*.json*","*C:\Windows\system32\slmgr.vbs*-rearm*"]

Exploitation of WinRAR vulnerability (CVE-2023-38831)

GRU has exploited a WinRAR vulnerability (CVE-2023-38831) to gain initial access. To spot this in your environment, look for WinRAR spawning unexpected child processes—for example:

Syntax Highlighterlabel="Process" label=Create parent_process="*\winRAR.exe" "process" IN ["*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\wscript.exe"]

This alert will flag any unusual script or shell hosts launched by WinRAR. For a deep dive into the CVE-2023-38831 flaw and additional detection guidance, check out our blog:

Post-Compromise TTPs Detection

Initial access techniques are countless and constantly evolving—catching every one of them as they hit is like chasing shadows. What really matters is what happens after the attacker lands. By shining a spotlight on post-compromise behaviors—privilege escalation, credential harvesting, lateral movement, data exfiltration—you’ll catch adversaries when they’re most exposed, and stop the attack before real damage is done.

Impacket and Psexec Detection

Adversaries frequently lean on built-in Windows tools and popular open-source frameworks, like Impacket and PsExec, to hop laterally through a network. PsExec’s default behavior is to drop an 8-character executable and spin it up as a service with a 4-character name. You can spot this activity with below rule

Syntax Highlighternorm_id=WinServer label=Service label=Install label=Successful | process regex("(?P<new_file_name>[A-Za-z]{8}\.exe)", file) | process regex("(?P<new_service>[A-Za-z]{4})", service) |filter new_file_name=* |filter new_service=* |chart count() by host, new_file_name, new_service, image_file

PsExec sets up a named pipe (usually prefixed with RemCom_) to shuttle commands and their output between hosts. You can spot this from Sysmon logs by looking for pipe creation events. This will catch any RemCom‐style pipes or the common stdin/stdout/stderr pipes PsExec uses.

Syntax Highlighternorm_id=WindowsSysmon event_id IN [17, 18] pipe IN ["*RemCom*", "*-stdin", "*-stderr", "*-stdout"]

Most Impacket tools ultimately invoke the command prompt to execute the payload. They’ll often be launched by services or admin processes. Below hunting query can be used to detect such events.

Syntax Highlighterlabel="Process" label=Create command="*cmd.exe*" command="*/c*" command="*&1*" (parent_process In ["*\wmiprvse.exe", "*\mmc.exe", "*\explorer.exe", "*\services.exe"] command="*/Q*" ) OR (parent_command IN ["*svchost.exe -k netsvcs*", "*taskeng.exe*"] command="*Windows\Temp\*")

For an in-depth understanding of Impacket and its utilities, refer to our blog.

Active Directory Database Dump via NTDSUTIL

After moving laterally (often over RDP) onto a Domain Controller, GRU operators use Windows’ built-in ntdsutil.exe to extract the NTDS.dit database. CISA describes the exact steps they take:

Syntax HighlighterC:\Windows\System32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\<3-letter-folder>" quit quit

For detection, you can leverage our built-in “Active Directory Database Dump Attempt” alert—it’s specifically tuned to catch NTDS.dit dump attempts.

Syntax Highlighterlabel="Process" label=Create (("process" IN ["*\NTDSDump.exe", "*\NTDSDumpEx.exe","*\ntdsutil.exe"]) OR (command="*ntds.dit*" command="*system.hiv*") OR (command="*NTDSgrab.ps1*")) OR (command="*ac i ntds*" command="*create full*") OR (command="*/c copy *" command="*\windows\ntds\ntds.dit*") OR (command="*activate instance ntds*" command="*create full*") OR (command="*powershell*" command="*ntds.dit*") OR (command="*ntds.dit*" "process" IN ["*\apache*", "*\tomcat*", "*\AppData\*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"] OR "parent_process" IN ["*\apache*", "*\tomcat*", "*\AppData\*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"])

Post–AD Database Dump Activities

After dumping the NTDS.dit, GRU’s operators employed two key tools, ADExplorer and Certipy, to harvest and exfiltrate directory data. They also installed Python on compromised hosts to run Certipy.

ADExplorer (a Sysinternals utility) can take “snapshots” of the AD hierarchy. You can detect its use with our alert ADExplorer Snapshot Detection.

Syntax Highlighterlabel="Process" label=Create ("process"="*\adexplorer.exe" OR "file"="AdExp") command="*snapshot*"

Certipy Execution Detection

Certipy’s command set (e.g., auth, find, relay, shadow), combined with its BloodHound export flags, makes its usage distinct. Detection can be done using an alert, Certipy Tool Execution for AD CS Abuse.

Syntax Highlighterlabel="Process" label=Create ("process"="*\Certipy.exe" OR file="Certipy.exe" OR description="*Certipy*") OR (command IN ["* auth *", "* find *", "* forge *", "* relay *", "* req *", "* shadow *"] command IN ["* -bloodhound*", "* -ca-pfx *", "* -dc-ip *", "* -kirbi*", "* -old-bloodhound*", "* -pfx *", "* -target*", "* -username *", "* -vulnerable*", "*auth -pfx*", "*shadow auto*", "*shadow list*"])

Or a following hunt query can be utilized for Certipy’s activities.

Syntax Highlighterlabel="Process" label=Create ("process"="*\Certipy.exe" OR file="Certipy.exe" OR description="*Certipy*") OR (command IN ["* auth *", "* find *", "* forge *", "* relay *", "* req *", "* shadow *"] command IN ["* -bloodhound*", "* -ca-pfx *", "* -dc-ip *", "* -kirbi*", "* -old-bloodhound*", "* -pfx *", "* -target*", "* -username *", "* -vulnerable*", "*auth -pfx*", "*shadow auto*", "*shadow list*"])

Python Installation Hunting

Since Certipy runs under Python, spotting unexpected Python installs or launches can pre-empt its use. For example, detect MSI-based installs or direct Python executables:

Syntax Highlighterlabel=Install label=Application label=Successful rule_description="*python*" | chart count() by user,host,rule_description

Mailbox Folder Permission Modification and Multiple Mailbox Access

According to the Polish Cybercommand blog, the adversary modified folder permissions across mailboxes to gain unfettered access to all users’ mail. In Exchange Online, you can detect this behavior with these alerts:

Exchange Mailbox Folder Delegation Configured

Syntax Highlighternorm_id=Office365 ((action IN ["Add-MailBoxFolderPermission", "Set-MailBoxFolderPermission"] -identity IN ["*:\Calendar", "*:\Contacts"]) OR (action IN ["AddFolderPermissions", "ModifyFolderPermissions"] item_parent_folder_member_rights="*ReadAny*" -item_parent_folder_name IN ["Calendar", "Contacts"]))

Multiple Exchange Mailboxes Accessed via API in a Short Span

Syntax Highlighternorm_id=Office365 action="MailItemsAccessed" user_type="Application" | process eval("match=like(client_information, 'Client=WebServices;ExchangeWebServices%')") | process eval("search_result=if(match) {return 1} else-if(target_application=='Microsoft Graph') {return 1} else {return 0}") | filter search_result=1 | timechart distinct_count(upn) as user_mailbox_count, distinct_list(user) as user_list, distinct_list(source_address) as source_address by target_application every 10 minutes | filter user_mailbox_count > 5

Defense Evasion

The GRU routinely used native Windows utilities like wevtutil to wipe event logs after gaining access or escalating privileges. This tactic helped them hide their tracks and delay detection during post-compromise activity.

Detection can be done using an alert, Suspicious Eventlog Clear or Configuration Using Wevtutil Detected.

Syntax Highlighterlabel="Process" label=Create ( (("process" IN ["*\powershell.exe","*\pwsh.exe*"] command IN ["*Clear-EventLog*", "*Remove-EventLog*", "*Limit-EventLog*","*Clear-WinEvent*"]) OR ("process"="*\wmic.exe" command="* ClearEventLog *")) OR ("process"="*\wevtutil.exe" command IN ["*clear-log*", "* cl *", "*set-log*", "* sl *","*lfn: "]) ) -(parent_process IN ["C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe"] command="* sl *")

They have also exploited the way Windows loads DLLs by planting malicious ones in directories that are searched first. This lets them execute code through trusted binaries, bypassing traditional security scans.

Detection can be done using an alert, Safe DLL Search Mode Disabled.

Syntax Highlighter norm_id=WindowSysmon event_id=13 target_object='*\CurrentControlSet\Control\Session Manager\SafeDllSearchMode' detail="DWORD (0x00000000)"

Persistence Techniques

GRU operators rely on tried-and-true persistence methods to maintain access, including scheduled tasks, Run-key modifications, and Startup folder payloads. Here’s how to spot each:

Schedule Tasks

You can leverage the Scheduled Task Creation Detected alert to catch every new scheduled task created in your environment.

Syntax Highlighter(label="Process" label=Create "process"="*\schtasks.exe" command="* /create *" -user IN EXCLUDED_USERS) OR (label="Registry" label="Key" label="Map" "target_object"="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\*" -target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator*"] event_type=CreateKey) OR (norm_id=WinServer event_id=4698 (-command IN ["*MpCmdRun.exe","*msfeedssync.exe","*usoclient.exe"] OR (-task="\CreateExplorerShellUnelevatedTask" command="*explorer.exe")))

Because the generic alert covers every new task (and can yield a high volume of results), you can instead use the Suspicious Scheduled Task Creation alert to pinpoint only those tasks originating from locations commonly abused by malware.

Syntax Highlighternorm_id=WinServer label=Schedule label=Task label=Create command IN ["*C:\Users\*", "*C:\Windows\Temp\*", "*C:\ProgramData\*"] -command="C:\ProgramData\Microsoft\Windows Defender\Platform\*"

According to CISA’s IOC section, the threat actor created the scheduled task using an XML file so you can detect this specific technique with the Suspicious Scheduled Task Creation via Masqueraded XML File alert.

Syntax Highlighterlabel="Process" label=Create "process"="*\schtasks.exe" command IN ["*/create*", "*-create*"] command IN ["*/xml*", "*-xml*"] (-integrity_level=system OR -integrity_label=*system*) -command = *.xml* ((-parent_process IN ["*:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe", "*:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe", "*:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe", "*:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe", "*:\Program Files\Dell\SupportAssist\pcdrcui.exe" ] ) OR (-parent_process = "*\rundll32.exe" command = "*:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc" ))

Autorun and Startup

Adding entries to the Autorun registry keys or dropping payloads into the Startup folder is a widely abused persistence method—used by both legitimate software and malware—to launch programs at Windows startup. You can catch any of these changes with the Autorun Keys Modification Detected alert, which monitors registry writes and file events against the key Run locations and Startup directories.

Syntax Highlighterlabel=Registry label=Set label=Value -event_type=info target_object IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*"] detail IN ["*C:\Windows\Temp\*", "*C:\$Recycle.bin\*", "*C:\Temp\*", "*C:\Users\Public\*", "*\C:ProgramData\*", "*C:\Users\Default\*", "*C:\Users\Desktop\*", "*\AppData\Local\*", "*Public\*", "*wscript*", "*cscript*", "*powershell.exe*"] -detail="*\AppData\Local\Microsoft\Teams\Update.exe *"

Impact

The GRU employs impact-focused techniques not to destroy systems outright, but rather to erase evidence, disrupt recovery, and maintain stealth during and after their operations. They utilize legitimate Windows utilities such as wevtutil.exe to clear event logs and vssadmin.exe to manipulate volume shadow copies, indicating preparations to disable backup and forensic recovery.

Detects use of system tools like vssadmin, wbadmin, or PowerShell to create or manipulate shadow copies, potentially for staging data or disabling recovery.

Syntax Highlighterlabel="Process" label=Create (( "process" IN ["*\vssadmin.exe", "*\wbadmin.exe", "*\diskshadow.exe"] OR file IN ["VSSADMIN.EXE", "WBADMIN.EXE", "diskshadow.exe"]) command IN ["*create*", "*shadow*", "*resize*", "*shadowstorage*", "*/MaxSize=*"]) OR ("process" IN ["*\powershell.exe", "*\pwsh.exe"] command IN ["*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*"] command="*Win32_ShadowCopy*" command IN ["*Create()*", "*CreateShadowCopy*", "*Enable-ComputerRestore*", "*Checkpoint-Computer*"])

Hunting Malware Families

In this campaign, the GRU employed various malware families to perform essential post-compromise functions, such as persistence, credential theft, and data exfiltration. Notable among these were HEADLACE, a multi-stage backdoor recognized for its use of headless browser automation and discreet script execution, and MASEPIE, an exfiltration tool that has been previously observed in GRU operations aimed at Ukrainian interests.

HEADLACE Execution Traces hunting query

Detects use of legitimate utilities with command-line patterns often associated with malicious activity, such as data staging, headless browser automation, or scheduled task creation

Syntax Highlighterlabel="Process" label=Create command IN ["*headless-new -disable-gpu*", "*activate instance ntds*" ,"*ssh -Nf*" ,"*schtasks /create /xml*"]

HEADLACE Batch Script Artifact Hunting query

Detects command-line patterns and batch scripting behavior used in GRU's HEADLACE malware, including headless browser abuse, system recon, and deletion of local artifacts

Syntax Highlighterlabel="Process" label=Create command IN ["*headless-new -disable-gpu*", "*chcp 65001*"] command IN ["*taskkill /im msedge.exe /f*","*whoami*%programdata%*", "*timeout*", "*copy*%programdata%*","*del /q /f *%programdata%*","*del /q /f *%userprofile%\Downloads\*","*del /q /f*"]

Detection via Logpoint Muninn

Logpoint’s Network Detection and Response (NDR) Muninn can play a vital role in detecting and responding to post-compromise behaviors commonly employed by the GRU. While many of the group’s techniques rely on built-in system tools and credential abuse, they also generate distinct network patterns that can be detected in real-time with the right behavioral analytics.

Some of the notifications listed below can be useful in detecting their presence in the network :

• RDP brute force external to internal
• Lateral movement and execution
• Lateral movement using SMB admin shares
• DarkNet or Tor activity detected
• Credential dumping using RPC
• Exfiltration of many files
• Event log clearing or forced reboot using RPC
• Large Transfer Sent

Mitigations & Recommendations

Recommendations:

Train for Social-Engineering Resilience

• Regular phishing simulations: Run realistic email and messaging drills that include phishing, smishing, and pretexting scenarios.
• Prompt reporting: Establish a clear, easy-to-use process for employees to report suspected phishing or social-engineering attempts.
• Reinforce learnings: Provide targeted follow-up training for users who fall for simulations, turning mistakes into teachable moments.

Keep Software Updated

• Apply vendor updates promptly: Ensure operating systems, browsers, mail clients, and third-party applications install the latest security patches as soon as they’re available.
• Use vendor mitigations: If a patch isn’t immediately available, implement any temporary workarounds or configuration changes recommended by the vendor.
• Prioritize by severity: When multiple vulnerabilities exist, triage and remediate critical or actively exploited flaws first.

Enforce Least-Privilege Access

• Restrict permissions: Grant each user—and every service account—only the rights they need to do their job.
• Segment elevated roles: Separate administrative logins from everyday user environments to limit credential exposure.
• Review regularly: Audit access rights quarterly (or after organizational changes) and remove any stale or excessive privileges.

Require Strong Authentication

• Multi-Factor Authentication (MFA): Require MFA for all accounts—especially remote, administrative, and cloud-based logins—to ensure that stolen passwords alone aren’t enough to gain access.
• Robust Password Policies: Enforce minimum length and complexity, prevent password reuse, and lock accounts after repeated failed logins. These controls help thwart brute-force and credential-stuffing attacks.

Segment Your Network

• Micro-segmentation: Divide your network into logical zones (e.g., user workstations, servers, domain controllers) and enforce strict traffic controls between them.
• Protect critical assets: Place high-value systems—like DCs, mail servers, and backup repositories—behind additional firewalls or jump-hosts.

Privileged Access Management

• Day-to-Day Least Privilege: Have every administrator operate under a standard user account for routine tasks—only switch to a dedicated admin account when performing elevated activities. This separation helps contain malware or phishing impacts on high-privilege credentials.
• Admin Isolation: Prevent admin accounts from signing into non-privileged workstations. Restrict their login to hardened, monitored jump hosts or dedicated admin workstations to reduce the chance of credential theft or lateral movement.

Centralized Auditing and Logging

• Comprehensive Log Collection: Define and enforce logging policies across every layer—Windows Event Logs, application and database logs, cloud service and API logs, and network telemetry. Forward all of this data into your SIEM to ensure full visibility and streamline real-time analysis.
• Retention Policy: Implement a minimum six-month retention window (or longer to meet regulatory or business requirements). This guarantees that historical logs remain available for thorough incident investigations and forensic analysis.

Deploy EDR and NDR Solutions

• Endpoint Detection and Response (EDR):
  Deploy endpoint agents that continuously monitor host activity, automatically detect and block malicious behavior, shrink the attack surface, and feed detailed telemetry into your security platform for faster investigations.
• Network Detection and Response (NDR):
  Collect and analyze network telemetry (packet captures, flow records, DNS and HTTP logs) to spot lateral movement, command-and-control traffic, or data exfiltration that EDR might miss. NDR provides a complementary view, ensuring you catch adversaries even if an endpoint agent is disabled.

Exercise Incident-Response Readiness

• Tabletop and live drills: Regularly test your playbooks against simulated intrusion scenarios to identify gaps in detection, escalation, and containment.
• After-action reviews: Document lessons learned and update procedures to strengthen your next response.

Maintain Robust Backups

• 3-2-1 rule: Keep three copies of critical data, stored on two different media types, with one copy offline or offsite.
• Automated verification: Regularly test backup restores to ensure data integrity and availability during an incident.