APT1
Associated Group Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery:Local Account | APT1 used the commands |
| Enterprise | T1583 | .001 | Acquire Infrastructure:Domains | APT1 has registered hundreds of domains for use in operations.[1] |
| Enterprise | T1560 | .001 | Archive Collected Data:Archive via Utility | APT1 has used RAR to compress files before moving them outside of the victim network.[1] |
| Enterprise | T1119 | Automated Collection | APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.[1] | |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[1] |
| Enterprise | T1584 | .001 | Compromise Infrastructure:Domains | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.[1] |
| Enterprise | T1005 | Data from Local System | ||
| Enterprise | T1114 | .001 | Email Collection:Local Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[1] |
| .002 | Email Collection:Remote Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1] | ||
| Enterprise | T1585 | .002 | Establish Accounts:Email Accounts | APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.[1] |
| Enterprise | T1036 | .005 | Masquerading:Match Legitimate Resource Name or Location | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used byAPT1 as a name for malware.[1][3] |
| Enterprise | T1135 | Network Share Discovery | ||
| Enterprise | T1588 | .001 | Obtain Capabilities:Malware | APT1 used publicly available malware for privilege escalation.[1] |
| .002 | Obtain Capabilities:Tool | APT1 has used various open-source tools for privilege escalation purposes.[1] | ||
| Enterprise | T1003 | .001 | OS Credential Dumping:LSASS Memory | APT1 has been known to use credential dumping usingMimikatz.[1] |
| Enterprise | T1566 | .001 | Phishing:Spearphishing Attachment | APT1 has sent spearphishing emails containing malicious attachments.[1] |
| .002 | Phishing:Spearphishing Link | APT1 has sent spearphishing emails containing hyperlinks to malicious files.[1] | ||
| Enterprise | T1057 | Process Discovery | APT1 gathered a list of running processes on the system using | |
| Enterprise | T1021 | .001 | Remote Services:Remote Desktop Protocol | TheAPT1 group is known to have used RDP during operations.[4] |
| Enterprise | T1016 | System Network Configuration Discovery | APT1 used the | |
| Enterprise | T1049 | System Network Connections Discovery | APT1 used the | |
| Enterprise | T1007 | System Service Discovery | APT1 used the commands | |
| Enterprise | T1550 | .002 | Use Alternate Authentication Material:Pass the Hash | |
Software
References
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 17, 2024.
- Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.