SOC Prime Bias: Critical

23 Jan 2026 17:15

UAT-8837 Targets Critical Infrastructure Across North America

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

UAT-8837 is a China-nexus APT that has targeted North American critical infrastructure since 2025. It commonly enters via vulnerable servers or compromised credentials, then harvests credentials, Active Directory data, and configuration artifacts.

Investigation

Cisco Talos observed use of Earthworm for reverse tunneling, SharpHound for AD mapping, and DWAgent, Certipy, GoTokenTheft, Impacket, and Rubeus to enable discovery and lateral movement. The actor also exploited the Sitecore zero-day CVE-2025-53690 and used built-in command-line utilities to enumerate the environment.

CVE-2025-53690 Mitigation

Deploy signatures and behavioral detections for the tooling, and alert on registry changes that disable RestrictedAdmin. Block confirmed C2 IPs, enforce least privilege for service accounts, and prioritize patching of Sitecore and other exposed apps to mitigate CVE-2025-53690.

Response

On detection, isolate affected hosts, capture memory and logs, and hunt for Earthworm tunnels, newly created accounts, and credential-theft artifacts. Reset impacted credentials and sweep for persistence such as added domain users, scheduled tasks, or suspicious services.

Attack Flow

    graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff
    classDef operator fill:#ff9900

    %% Nodes – Actions
    step1_initial_access["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Exploit CVE-2025-53690 (ViewState Deserialization) in SiteCore to gain foothold."]
    step2_credential_valid["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Used compromised credentials to authenticate to systems."]
    step3_token_theft["<b>Action</b> – <b>T1212 Exploitation for Credential Access</b><br/>Used GoTokenTheft utility to steal access tokens for privileged actions."]
    step4_registry_mod["<b>Action</b> – <b>T1012 Query Registry</b><br/>Modified registry (REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin …) to disable RestrictedAdmin for RDP."]
    step5_account_manip["<b>Action</b> – <b>T1098 Account Manipulation</b><br/>Created new domain user accounts and added them to privileged groups."]
    step6_rdp_lateral["<b>Action</b> – <b>T1021.001 Remote Services: RDP</b><br/>Used RDP sessions after weakening settings to move laterally."]
    step7_tunnel["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Deployed Earthworm variant to establish reverse tunnel to 172.188.162.183."]
    step8_rat["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Earthworm, DWAgent, and GoExec function as RATs for persistent remote access."]
    step9_tool_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/>Downloaded SharpHound, Certipy, Impacket, and GoExec to C:\Windows\Temp\."]
    step10_execution["<b>Action</b> – <b>T1072 Software Deployment Tools</b><br/>Executed commands on remote hosts via WMI/GoExec (e.g., wmi proc … -e cmd.exe)."]
    step11_system_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Ran system queries: whoami, hostname, netstat, tasklist."]
    step12_ad_groups["<b>Action</b> – <b>T1069.002 Permission Groups Discovery</b><br/>Enumerated AD groups and users using dsquery, dsget, net group commands."]
    step13_sec_policies["<b>Action</b> – <b>T1592.002 Gather Victim Host Information</b><br/>Exported security policies with secedit /export."]
    step14_hw_info["<b>Action</b> – <b>T1592.001 Gather Victim Host Information</b><br/>Collected hardware and firmware details via system queries."]
    step15_exfil["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Exfiltrated DLL-based shared libraries over the established C2 tunnel."]

    %% Nodes – Tools
    tool_exploit["<b>Tool</b> – <b>Name</b>: CVE-2025-53690 Exploit<br/><b>Description</b>: Targeted ViewState deserialization exploit for SiteCore."]
    tool_gotoken["<b>Tool</b> – <b>Name</b>: GoTokenTheft<br/><b>Description</b>: Utility that steals Windows access tokens for credential access."]
    tool_sharphound["<b>Tool</b> – <b>Name</b>: SharpHound<br/><b>Description</b>: BloodHound data collector for AD enumeration."]
    tool_certipy["<b>Tool</b> – <b>Name</b>: Certipy<br/><b>Description</b>: Tool for abusing AD certificate services."]
    tool_impacket["<b>Tool</b> – <b>Name</b>: Impacket<br/><b>Description</b>: Python library for low-level network protocol manipulation."]
    tool_goexec["<b>Tool</b> – <b>Name</b>: GoExec<br/><b>Description</b>: Executes commands on remote hosts via WMI."]

    %% Nodes – Malware
    malware_earthworm["<b>Malware</b> – <b>Name</b>: Earthworm<br/><b>Description</b>: Remote access trojan that creates protocol tunnels and provides persistent access."]

    %% Connections – Attack Flow
    step1_initial_access -->|uses| tool_exploit
    step2_credential_valid -->|leverages| step3_token_theft
    step3_token_theft -->|uses| tool_gotoken
    step4_registry_mod -->|modifies| step5_account_manip
    step5_account_manip -->|enables| step6_rdp_lateral
    step6_rdp_lateral -->|facilitates| step7_tunnel
    step7_tunnel -->|deploys| malware_earthworm
    step8_rat -->|operates| malware_earthworm
    step9_tool_transfer -->|downloads| tool_sharphound
    step9_tool_transfer -->|downloads| tool_certipy
    step9_tool_transfer -->|downloads| tool_impacket
    step9_tool_transfer -->|downloads| tool_goexec
    step10_execution -->|executes via| tool_goexec
    step10_execution -->|leads to| step11_system_info
    step11_system_info -->|leads to| step12_ad_groups
    step12_ad_groups -->|leads to| step13_sec_policies
    step13_sec_policies -->|leads to| step14_hw_info
    step14_hw_info -->|leads to| step15_exfil

    %% Class Assignments
    class step1_initial_access,step2_credential_valid,step3_token_theft,step4_registry_mod,step5_account_manip,step6_rdp_lateral,step7_tunnel,step8_rat,step9_tool_transfer,step10_execution,step11_system_info,step12_ad_groups,step13_sec_policies,step14_hw_info,step15_exfil action
    class tool_exploit,tool_gotoken,tool_sharphound,tool_certipy,tool_impacket,tool_goexec tool
    class malware_earthworm malware

Detections

  • Possible Sharphound Tool Patterns (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Suspicious Restricted Admin Mode Enable (via registry_event), by SOC Prime Team, 16 Jan 2026
  • Possible Account or Group Enumeration (via cmdline), by SOC Prime Team, 23 Jan 2026
  • Probable Use of Windows Hacktools [Part2] (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Possible SPN Enumeration (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Possible Search Against Local/Remote File System or Registry for Passwords (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Possible Services Enumeration (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Possible System Network Configuration Discovery (via cmdline), by SOC Prime Team, 21 Jan 2026
  • Possible Tunneling Tool Usage [Windows] (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Probable Use of Windows Hacktools [Part3] (via file_event), by SOC Prime Team, 19 Jan 2026
  • Probable Use of Windows Hacktools [Part1] (via file_event), by SOC Prime Team, 16 Jan 2026
  • Possible Admin Account or Group Enumeration (via cmdline), by SOC Prime Team, 21 Jan 2026
  • Suspicious Domain Trusts Discovery (via cmdline), by SOC Prime Team, 20 Jan 2026
  • Probable Use of Windows Hacktools [Part3] (via cmdline), by SOC Prime Team, 19 Jan 2026
  • Probable Use of Windows Hacktools [Part1] (via cmdline), by SOC Prime Team, 16 Jan 2026
  • Alternative Remote Access / Management Software (via audit), by SOC Prime Team, 16 Jan 2026
  • IOCs (HashSha256) to detect: UAT-8837 targets critical infrastructure sectors in North America Part 1, by SOC Prime AI Rules, 15 Jan 2026
  • IOCs (HashSha256) to detect: UAT-8837 targets critical infrastructure sectors in North America Part 2, by SOC Prime AI Rules, 15 Jan 2026
  • IOCs (SourceIP) to detect: UAT-8837 targets critical infrastructure sectors in North America, by SOC Prime AI Rules, 15 Jan 2026
  • IOCs (DestinationIP) to detect: UAT-8837 targets critical infrastructure sectors in North America, by SOC Prime AI Rules, 15 Jan 2026
  • Detection of UAT-8837 Post-Compromise Tooling [Windows Process Creation], by SOC Prime AI Rules, 15 Jan 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Stage the tools – The adversary copies three post‑compromise binaries to the locations referenced by the rule.
    2. Launch the tools via cmd.exe – Using the Windows command shell, the attacker runs each binary. This mimics a “hands‑on‑keyboard” operator who prefers native shell execution to avoid PowerShell‑specific detections.
    3. Each tool performs its native activity (SharpHound enumerates AD, DWAgent begins lateral movement, GoExec prepares remote execution). The focus here is on generating the initial process‑creation event that the rule watches.
  • Regression Test Script: (PowerShell – self‑contained; run as Administrator)

    # -------------------------------------------------
    # Simulation script for UAT-8837 post-compromise tooling
    # -------------------------------------------------
    # 1. Deploy dummy binaries (use any .exe; here notepad.exe serves as the placeholder)
    $placeholder = Join-Path $env:SystemRoot 'system32\notepad.exe'
    $tools = @(
        @{Path = 'C:\Windows\Temp\SharpHound.exe';        Source = $placeholder},
        @{Path = 'C:\Users\Public\Downloads\dwagent.exe'; Source = $placeholder},
        @{Path = 'C:\Windows\Temp\goe.exe';               Source = $placeholder}
    )

    foreach ($t in $tools) {
        # Make sure the staging directory exists, then drop the placeholder binary there
        $dir = Split-Path -Path $t.Path -Parent
        if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Copy-Item -Path $t.Source -Destination $t.Path -Force
    }

    # 2. Execute each tool via cmd.exe so that cmd.exe is recorded as the parent process
    foreach ($t in $tools) {
        Write-Host "Launching $($t.Path) via cmd.exe..."
        # Start-Process with an explicit argument list avoids the Invoke-Expression quoting pitfalls
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$($t.Path)`""
        Start-Sleep -Seconds 2   # small pause to allow SIEM ingestion
    }
    # -------------------------------------------------
    # End of simulation
    # -------------------------------------------------
  • Cleanup Commands: (PowerShell)

    # Stop any placeholder processes still running (they carry the renamed tool names),
    # then remove the dummy binaries created for the test
    Get-Process -Name SharpHound, dwagent, goe -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-Item -Path 'C:\Windows\Temp\SharpHound.exe' -ErrorAction SilentlyContinue
    Remove-Item -Path 'C:\Users\Public\Downloads\dwagent.exe' -ErrorAction SilentlyContinue
    Remove-Item -Path 'C:\Windows\Temp\goe.exe' -ErrorAction SilentlyContinue
    Write-Host "Cleanup complete."
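Detection-side counterpart to the simulation above and to the RestrictedAdmin registry alert called for under Mitigation, as an added example in Python (not SOC Prime's rule content): two checks run over constructed Sysmon-style events, one for tooling launched from the staging directories and one for any write to the DisableRestrictedAdmin value. The tool binary names and the sample events are assumptions; the field names follow Sysmon's schema.

```python
# Added example, not SOC Prime rule content: flag the two UAT-8837 signals the page
# calls out (tooling launched from staging paths, writes to DisableRestrictedAdmin)
# over constructed Sysmon-style events. Tool binary names are assumptions.
from typing import Iterable, Optional

STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\downloads\\")
TOOL_NAMES = {"sharphound.exe", "dwagent.exe", "goe.exe"}   # names used by the simulation
LSA_VALUE = "\\control\\lsa\\disablerestrictedadmin"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def tooling_alert(ev: dict) -> Optional[str]:
    # Sysmon EventID 1: a known tool name, or any .exe from a staging dir with cmd.exe parent
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    name, parent = _basename(image), _basename(ev.get("ParentImage", ""))
    staged = any(image.startswith(d) for d in STAGING_DIRS)
    if name in TOOL_NAMES or (staged and name.endswith(".exe") and parent == "cmd.exe"):
        return f"post-compromise tooling: {name} (parent {parent})"
    return None


def restricted_admin_alert(ev: dict) -> Optional[str]:
    # Sysmon EventID 13: any write to HKLM\...\Control\Lsa\DisableRestrictedAdmin
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    if target.lower().endswith(LSA_VALUE):
        return f"RestrictedAdmin policy changed: {target} = {ev.get('Details')}"
    return None


def run(events: Iterable[dict]) -> list:
    return [hit for ev in events
            for hit in (tooling_alert(ev), restricted_admin_alert(ev)) if hit]


# Constructed sample telemetry: what the simulation script and a REG ADD would produce
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\Temp\\SharpHound.exe",
     "ParentImage": "C:\\Windows\\system32\\cmd.exe"},
    {"EventID": 13, "EventType": "SetValue", "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"},
    {"EventID": 1, "Image": "C:\\Windows\\system32\\whoami.exe",
     "ParentImage": "C:\\Windows\\system32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\Downloads\\dwagent.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Running `run(EVENTS)` yields three alerts (SharpHound from Windows\Temp, the Lsa registry write, dwagent.exe by name) and stays silent on the whoami.exe event, which matches the telemetry the simulation is meant to trigger.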