An adversary can reduce their footprint by using credentials to directly connect to the network as a legitimate user, instead of relying on the RAT.

Malware/Threat actors

Preventions

<Mitigation techniques>

Detections

  • Monitor source IP addresses connecting to your VPN instance and compare these addresses to a GeoIP database. Your users should be connecting to your VPN from locations that correspond to your office locations.
  • Monitor timestamps when connections are initiated to your VPN instance. Look for timestamps of users connecting to the VPN at irregular times.
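As an added example (not code from the original page), the following Python script applies both detections above to VPN authentication events. The log format, the prefix-to-country table standing in for a GeoIP database, the office-country set and the working-hours window are all constructed assumptions for this example; in production you would feed it your appliance's real log format and query an actual GeoIP database.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample VPN authentication log lines (not from any real appliance).
SAMPLE_LOG = """\
2024-03-04T08:12:44Z user=alice src=203.0.113.10 result=success
2024-03-04T09:02:01Z user=bob src=198.51.100.23 result=success
2024-03-05T02:37:19Z user=alice src=192.0.2.77 result=success
2024-03-05T13:15:00Z user=carol src=203.0.113.55 result=success
"""

# Constructed stand-in for a GeoIP database: prefix -> country code.
# A real deployment would query a GeoIP database here instead.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "RO",
}

# Countries in which the organisation has offices (assumption for the example).
OFFICE_COUNTRIES = {"US"}

# Expected working window in UTC (assumption); logins outside it are flagged.
WORK_START = time(6, 0)
WORK_END = time(20, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)


def geoip_lookup(ip_str):
    """Return the country code for an IP, or 'UNKNOWN' if no prefix matches."""
    ip = ip_address(ip_str)
    for net, country in GEOIP_TABLE.items():
        if ip in net:
            return country
    return "UNKNOWN"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def find_anomalies(log_text):
    """Return (user, src, reason) tuples for successful logins that originate
    outside office countries or outside the expected working window."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        country = geoip_lookup(ev["src"])
        if country not in OFFICE_COUNTRIES:
            findings.append((ev["user"], ev["src"], f"geo:{country}"))
        t = ev["ts"].time()
        if not (WORK_START <= t <= WORK_END):
            findings.append((ev["user"], ev["src"], f"time:{ev['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, src, reason in find_anomalies(SAMPLE_LOG):
        print(f"ALERT user={user} src={src} reason={reason}")
```

Both checks fire on the same event in the sample (alice from an unexpected country at 02:37 UTC), which is the pattern worth prioritising: a single off-hours login from a new region is a much stronger signal than either condition alone, and stacking the two detections on the same source IP and user keeps that correlation visible.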

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

References

  • [<Source name>](<Source link>)