APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]

ID: G0006
Aliases: APT1, Comment Crew, Comment Group, Comment Panda
Version: 1.0

Alias Descriptions

| Name | Description |
| --- | --- |
| APT1 | [1] |
| Comment Crew | [1] |
| Comment Group | [1] |
| Comment Panda | [4] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| PRE-ATT&CK | T1308 | Acquire and/or use 3rd party software services | APT1 used third party email services in the registration of whois records.[1] |
| PRE-ATT&CK | T1312 | Compromise 3rd party infrastructure to support delivery | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes.[1] |
| PRE-ATT&CK | T1334 | Compromise 3rd party infrastructure to support delivery | APT1 compromised a vast set of 3rd party victim hop points as part of their network infrastructure.[1] |
| PRE-ATT&CK | T1326 | Domain registration hijacking | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes.[1] |
| PRE-ATT&CK | T1311 | Dynamic DNS | APT1 used dynamic DNS to register hundreds of FQDNs.[1] |
| PRE-ATT&CK | T1346 | Obtain/re-use payloads | APT1 used publicly available privilege escalation tools.[1] |
| Enterprise | T1059 | Command-Line Interface | APT1 has used the Windows command shell to execute commands.[1] |
| Enterprise | T1003 | Credential Dumping | APT1 has been known to use credential dumping.[1] |
| Enterprise | T1002 | Data Compressed | APT1 has used RAR to compress files before moving them outside of the victim network.[1] |
| Enterprise | T1005 | Data from Local System | APT1 has collected files from a local victim.[1] |
| Enterprise | T1114 | Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived.[1] |
| Enterprise | T1036 | Masquerading | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[1][2] |
| Enterprise | T1075 | Pass the Hash | The APT1 group is known to have used pass the hash.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | The APT1 group is known to have used RDP during operations.[3] |
| Enterprise | T1064 | Scripting | APT1 has used batch scripting to automate execution of commands.[1] |

Software

| ID | Name | Techniques |
| --- | --- | --- |
| S0017 | BISCUIT | Fallback Channels |
| S0119 | Cachedump | Credential Dumping |
| S0025 | CALENDAR | Web Service |
| S0026 | GLOOXMAIL | Web Service |
| S0008 | gsecdump | Credential Dumping |
| S0100 | ipconfig | System Network Configuration Discovery |
| S0121 | Lslsass | Credential Dumping |
| S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares |
| S0122 | Pass-The-Hash Toolkit | Pass the Hash |
| S0012 | PoisonIvy | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port |
| S0006 | pwdump | Credential Dumping |
| S0057 | Tasklist | Process Discovery, Security Software Discovery, System Service Discovery |
| S0109 | WEBC2 | DLL Search Order Hijacking |
| S0123 | xCmd | Service Execution |

References