APT1
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Comment Panda | (Citation: CrowdStrike Putter Panda) |
| Comment Crew | (Citation: Mandiant APT1) |
| Comment Group | (Citation: Mandiant APT1) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
APT1 used the commands |
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
APT1 has registered hundreds of domains for use in operations.(Citation: Mandiant APT1) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT1 has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.(Citation: Mandiant APT1) |
| Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1) |
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.(Citation: Mandiant APT1) |
| .002 | Email Collection: Remote Email Collection |
APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.(Citation: Mandiant APT1) |
||
| Enterprise | T1585 | .002 | Establish Accounts: Email Accounts |
APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.(Citation: Mandiant APT1) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Resource Name or Location |
The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.(Citation: Mandiant APT1)(Citation: Mandiant APT1 Appendix) |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT1 has been known to use credential dumping using Mimikatz.(Citation: Mandiant APT1) |
| Enterprise | T1588 | .001 | Obtain Capabilities: Malware |
APT1 used publicly available malware for privilege escalation.(Citation: Mandiant APT1) |
| .002 | Obtain Capabilities: Tool |
APT1 has used various open-source tools for privilege escalation purposes.(Citation: Mandiant APT1) |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT1 has sent spearphishing emails containing malicious attachments.(Citation: Mandiant APT1) |
| .002 | Phishing: Spearphishing Link |
APT1 has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1) |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
The APT1 group is known to have used RDP during operations.(Citation: FireEye PLA) |
| Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
The APT1 group is known to have used pass the hash.(Citation: Mandiant APT1) |
References
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 17, 2024.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.