| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1568.003 | Dynamic Resolution: DNS Calculation | APT12 has used multiple variants of DNS Calculation, including multiplying the first two octets of an IP address and adding the third octet to that value to derive the command and control port. |
| Enterprise | T1203 | Exploitation for Client Execution | APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611). |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT12 has sent emails with malicious Microsoft Office documents and PDFs attached. |
| Enterprise | T1204.002 | User Execution: Malicious File | APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing. |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT12 has used blogs and WordPress for C2 infrastructure. |
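As an added example (not code from the ATT&CK page or from any APT12 tooling), a defender-side check for the DNS Calculation variant described in the T1568.003 row: it derives the port as (octet1 × octet2) + octet3 from a resolved IPv4 address and flags connections to that IP on exactly that port. Hostnames, addresses and log records are constructed; since the page says APT12 used multiple variants, this covers only the one it spells out.

```python
"""Defender-side check for the DNS Calculation variant described above.
Example code added here; not from the ATT&CK page or any APT12 sample."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def dns_calculation_port(ip: str) -> int:
    """Derive the port the way the page describes: (octet1 * octet2) + octet3.
    Raises ValueError for anything that is not an IPv4 address.
    The result is at most 255*255 + 255 = 65280, so it is always a valid port."""
    o1, o2, o3, _ = (int(x) for x in ipaddress.IPv4Address(ip).exploded.split("."))
    return o1 * o2 + o3


def flag_calculated_ports(resolutions: Dict[str, str],
                          connections: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (dst_ip, dst_port, hostname) for every connection whose destination
    port equals the port derived from the IP that hostname resolved to.
    resolutions: hostname -> IPv4 as seen in DNS logs; connections: (dst_ip, dst_port)."""
    expected = {ip: (dns_calculation_port(ip), host) for host, ip in resolutions.items()}
    hits = []
    for dst_ip, dst_port in connections:
        if dst_ip in expected and expected[dst_ip][0] == dst_port:
            hits.append((dst_ip, dst_port, expected[dst_ip][1]))
    return hits


# Constructed sample data (RFC 5737 documentation addresses, placeholder hostnames).
SAMPLE_RESOLUTIONS = {
    "update.example.test": "198.51.100.4",  # derived port: 198*51 + 100 = 10198
    "cdn.example.test": "192.0.2.10",       # derived port: 192*0 + 2 = 2
}
SAMPLE_CONNECTIONS = [
    ("198.51.100.4", 443),    # ordinary HTTPS, not flagged
    ("198.51.100.4", 10198),  # matches the calculated port, flagged
    ("192.0.2.10", 2),        # matches, flagged (derived ports can be very low)
    ("203.0.113.9", 10198),   # no DNS resolution on record, not flagged
]

if __name__ == "__main__":
    for ip, port, host in flag_calculated_ports(SAMPLE_RESOLUTIONS, SAMPLE_CONNECTIONS):
        print(f"possible DNS-calculated C2 port: {host} ({ip}) on port {port}")
```

Joining the DNS log to the connection log by resolved IP is what makes the port match meaningful; a connection to the derived port with no matching resolution is ignored here, so hosts that bypass the local resolver need a separate check.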
| ID | Name | Techniques |
|---|---|---|
| S0040 | HTRAN | Process Injection, Proxy, Rootkit |
| S0015 | Ixeshe | Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Process Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery |
| S0003 | RIPTIDE | Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography |