APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]

ID: G0006
Version: 1.1

Associated Group Descriptions

Name | Description
---- | -----------
Comment Crew | [1]
Comment Group | [1]
Comment Panda | [4]

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
PRE-ATT&CK | T1330 | Acquire and/or use 3rd party software services | APT1 used third party email services in the registration of whois records. [1]
PRE-ATT&CK | T1334 | Compromise 3rd party infrastructure to support delivery | APT1 compromised a vast set of 3rd party victim hop points as part of their network infrastructure. [1]
PRE-ATT&CK | T1334 | Compromise 3rd party infrastructure to support delivery | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be “hijacked” since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes. [1]
PRE-ATT&CK | T1326 | Domain registration hijacking | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be “hijacked” since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes. [1]
PRE-ATT&CK | T1333 | Dynamic DNS | APT1 used dynamic DNS to register hundreds of FQDNs. [1]
PRE-ATT&CK | T1346 | Obtain/re-use payloads | APT1 used publicly available privilege escalation tools. [1]
Enterprise | T1087 | Account Discovery | APT1 used the commands net localgroup, net user, and net group to find accounts on the system. [1]
Enterprise | T1119 | Automated Collection | APT1 used a batch script to perform a series of discovery techniques and save the output to a text file. [1]
Enterprise | T1059 | Command-Line Interface | APT1 has used the Windows command shell to execute commands. [1]
Enterprise | T1003 | Credential Dumping | APT1 has been known to use credential dumping. [1]
Enterprise | T1002 | Data Compressed | APT1 has used RAR to compress files before moving them outside of the victim network. [1]
Enterprise | T1005 | Data from Local System | APT1 has collected files from a local victim. [1]
Enterprise | T1114 | Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived. [1]
Enterprise | T1036 | Masquerading | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware. [1][2]
Enterprise | T1135 | Network Share Discovery | APT1 listed connected network shares. [1]
Enterprise | T1075 | Pass the Hash | The APT1 group is known to have used pass the hash. [1]
Enterprise | T1057 | Process Discovery | APT1 gathered a list of running processes on the system using tasklist /v. [1]
Enterprise | T1076 | Remote Desktop Protocol | The APT1 group is known to have used RDP during operations. [3]
Enterprise | T1064 | Scripting | APT1 has used batch scripting to automate execution of commands. [1]
Enterprise | T1016 | System Network Configuration Discovery | APT1 used the ipconfig /all command to gather network configuration information. [1]
Enterprise | T1049 | System Network Connections Discovery | APT1 used the net use command to get a listing of network connections. [1]
Enterprise | T1007 | System Service Discovery | APT1 used the commands net start and tasklist to get a listing of the services on the system. [1]

Software

ID | Name | References | Techniques
--- | --- | --- | ---
S0017 | BISCUIT | [1] | Command-Line Interface, Custom Command and Control Protocol, Fallback Channels, Input Capture, Process Discovery, Remote File Copy, Screen Capture, Standard Cryptographic Protocol, System Information Discovery, System Owner/User Discovery
S0119 | Cachedump | [1] | Credential Dumping
S0025 | CALENDAR | [1] | Command-Line Interface, Web Service
S0026 | GLOOXMAIL | [1] | Web Service
S0008 | gsecdump | [1] | Credential Dumping
S0100 | ipconfig | [1] | System Network Configuration Discovery
S0121 | Lslsass | [1] | Credential Dumping
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0122 | Pass-The-Hash Toolkit | [1] | Pass the Hash
S0012 | PoisonIvy | [1] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0029 | PsExec | [1] | Service Execution, Windows Admin Shares
S0006 | pwdump | [1] | Credential Dumping
S0345 | Seasalt | [2][5] | Command-Line Interface, Custom Command and Control Protocol, File and Directory Discovery, File Deletion, Masquerading, New Service, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0057 | Tasklist | [1] | Process Discovery, Security Software Discovery, System Service Discovery
S0109 | WEBC2 | [1] | Command-Line Interface, DLL Search Order Hijacking, Remote File Copy
S0123 | xCmd | [2] | Service Execution

References