Description
[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)
Techniques Used (TTPs)
- T1090.001 — Internal Proxy (command-and-control)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1132 — Data Encoding (command-and-control)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1047 — Windows Management Instrumentation (execution)
- T1059.004 — Unix Shell (execution)
- T1571 — Non-Standard Port (command-and-control)
- T1133 — External Remote Services (persistence, initial-access)
- T1570 — Lateral Tool Transfer (lateral-movement)
- T1040 — Network Sniffing (credential-access, discovery)
- T1083 — File and Directory Discovery (discovery)
- T1573.002 — Asymmetric Cryptography (command-and-control)
- T1569.002 — Service Execution (execution)
- T1049 — System Network Connections Discovery (discovery)
- T1037.004 — RC Scripts (persistence, privilege-escalation)
- T1055 — Process Injection (defense-evasion, privilege-escalation)
- T1071 — Application Layer Protocol (command-and-control)
- T1211 — Exploitation for Defense Evasion (defense-evasion)
- T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
Total TTPs: 22
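As an added example (not code from MITRE ATT&CK, Sygnia, or the page above), the following script parses the TTP list in the format used on this page, checks that the declared total of 22 is consistent with the list, and tallies the techniques by tactic so that a detection engineer can see where the group's tradecraft concentrates (a multi-tactic technique such as T1078.003 is counted under each of its tactics). The `navigator_layer` helper emits an ATT&CK Navigator-style layer; its field names (`domain`, `techniques[].techniqueID`, `tactic`, `score`) are an assumption from memory of the Navigator layer format and are not taken from this page.

```python
"""Tally the ATT&CK techniques listed for Velvet Ant (G1047) by tactic.

Added example: the data below is copied from the TTP list on this page;
the parser, tally and layer-export helpers are not MITRE's or Sygnia's code.
"""
import json
import re
from collections import defaultdict

# The technique list exactly as it appears on the page (ID, name, tactics).
TTP_LINES = """\
- T1090.001 — Internal Proxy (command-and-control)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1132 — Data Encoding (command-and-control)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1047 — Windows Management Instrumentation (execution)
- T1059.004 — Unix Shell (execution)
- T1571 — Non-Standard Port (command-and-control)
- T1133 — External Remote Services (persistence, initial-access)
- T1570 — Lateral Tool Transfer (lateral-movement)
- T1040 — Network Sniffing (credential-access, discovery)
- T1083 — File and Directory Discovery (discovery)
- T1573.002 — Asymmetric Cryptography (command-and-control)
- T1569.002 — Service Execution (execution)
- T1049 — System Network Connections Discovery (discovery)
- T1037.004 — RC Scripts (persistence, privilege-escalation)
- T1055 — Process Injection (defense-evasion, privilege-escalation)
- T1071 — Application Layer Protocol (command-and-control)
- T1211 — Exploitation for Defense Evasion (defense-evasion)
- T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
"""

DECLARED_TOTAL = 22  # the "Total TTPs" figure stated on the page

# Shape of one list line: "- T1234.001 — Name (tactic-a, tactic-b)"
LINE_RE = re.compile(r"^-\s+(T\d{4}(?:\.\d{3})?)\s+—\s+(.+?)\s+\(([^)]*)\)$")


def parse_ttps(text):
    """Return a list of (technique_id, name, [tactics]); reject malformed lines."""
    ttps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable TTP line: {line!r}")
        tid, name, tactics = m.groups()
        ttps.append((tid, name, [t.strip() for t in tactics.split(",") if t.strip()]))
    return ttps


def check_total(ttps, declared_total):
    """True when the list has no duplicate IDs and its length matches the declared count."""
    ids = [tid for tid, _, _ in ttps]
    return len(ids) == len(set(ids)) == declared_total


def tactic_matrix(ttps):
    """Map each tactic to the technique IDs used under it; multi-tactic
    techniques appear once per tactic they are mapped to."""
    matrix = defaultdict(list)
    for tid, _, tactics in ttps:
        for tactic in tactics:
            matrix[tactic].append(tid)
    return dict(matrix)


def tactics_by_coverage(ttps):
    """Tactics ordered by how many of the group's techniques fall under them,
    a rough prioritisation for detection-engineering work (ties broken by name)."""
    return sorted(tactic_matrix(ttps).items(), key=lambda kv: (-len(kv[1]), kv[0]))


def navigator_layer(ttps, name="Velvet Ant (G1047)"):
    """Minimal ATT&CK Navigator-style layer dict. Field names are an assumption
    from memory of the Navigator layer format, not something this page states."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "score": 1}
            for tid, _, tactics in ttps
            for tactic in tactics
        ],
    }


if __name__ == "__main__":
    ttps = parse_ttps(TTP_LINES)
    print("declared total consistent:", check_total(ttps, DECLARED_TOTAL))
    for tactic, ids in tactics_by_coverage(ttps):
        print(f"{tactic:<22} {len(ids):>2}  {' '.join(ids)}")
    print(json.dumps(navigator_layer(ttps), indent=1)[:200], "...")
```

Running it shows that defense-evasion (7 techniques) and command-and-control (5) dominate this group's mapped behaviour, which is where detections for an appliance-focused actor with long-lived persistence are most worth investing in; the 31 technique-tactic pairs produced from the 22 techniques are what a Navigator layer would highlight.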