| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[1][3] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[1] |
| Enterprise | T1584.001 | Compromise Infrastructure: Domains | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.[1] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT1 has used RAR to compress files before moving them outside of the victim network.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT1 has been known to use credential dumping using Mimikatz.[1] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[1] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1] |
| Enterprise | T1007 | System Service Discovery | APT1 used the commands |
| Enterprise | T1049 | System Network Connections Discovery | APT1 used the |
| Enterprise | T1016 | System Network Configuration Discovery | APT1 used the |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1119 | Automated Collection | APT1 used a batch script to perform a series of discovery techniques and saved the results to a text file.[1] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | APT1 has registered hundreds of domains for use in operations.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | APT1 used publicly available malware for privilege escalation.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT1 has used various open-source tools for privilege escalation purposes.[1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | APT1 used the commands |
| Enterprise | T1057 | Process Discovery | APT1 gathered a list of running processes on the system using |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | The APT1 group is known to have used RDP during operations.[4] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT1 has sent spearphishing emails containing malicious attachments.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | APT1 has sent spearphishing emails containing hyperlinks to malicious files.[1] |