

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [1] [2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [1] [3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [4]

APT3 Adversary Emulation Plan [5]

ID: G0022
Aliases: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Version: 1.0

Alias Descriptions

APT3 [1] [2] [4]
Gothic Panda [11] [2] [4]
UPS Team [1] [2] [4]
Threat Group-0110 [2] [4]
TG-0110 [2] [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1015 | Accessibility Features | APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence. [6]
Enterprise | T1087 | Account Discovery | APT3 has used a tool that can obtain information about local and global group users, power users, and administrators. [4]
Enterprise | T1098 | Account Manipulation | APT3 has been known to add created accounts to local admin groups to maintain elevated access. [6]
Enterprise | T1110 | Brute Force | APT3 has been known to brute force password hashes to recover plaintext credentials. [5]
Enterprise | T1059 | Command-Line Interface | An APT3 downloader uses the Windows command cmd.exe /C whoami. The group also uses a tool to execute commands on remote computers. [3] [4]
Enterprise | T1043 | Commonly Used Port | APT3 uses commonly used ports (such as HTTPS/443) for command and control. [7]
Enterprise | T1090 | Connection Proxy | An APT3 downloader establishes SOCKS5 connections for its initial C2. [3]
Enterprise | T1136 | Create Account | APT3 has been known to create or enable accounts, such as support_388945a0. [6]
Enterprise | T1003 | Credential Dumping | APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig". The group has also used a tool to dump passwords from browsers. [4]
Enterprise | T1081 | Credentials in Files | APT3 has a tool that can locate credentials in files on the file system, such as those stored by Firefox or Chrome. [4]
Enterprise | T1002 | Data Compressed | APT3 has used tools to compress data before exfiltrating it. [6]
Enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim's computer. [6]
Enterprise | T1074 | Data Staged | APT3 has been known to stage files for exfiltration in a single location. [6]
Enterprise | T1073 | DLL Side-Loading | APT3 has been known to side-load DLLs using a legitimate Chrome executable as the loader for one of their tools. [8] [9]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | APT3 has a tool that exfiltrates data over the C2 channel. [8]
Enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system. [8] [7]
Enterprise | T1107 | File Deletion | APT3 has a tool that can delete files. [8]
Enterprise | T1061 | Graphical User Interface | APT3 has interacted with compromised systems to browse and copy files through the graphical user interface in Remote Desktop Protocol sessions. [10]
Enterprise | T1066 | Indicator Removal from Tools | APT3 has been known to remove indicators of compromise from its tools. [5]
Enterprise | T1056 | Input Capture | APT3 has used a keylogging tool that records keystrokes in encrypted files. [4]
Enterprise | T1104 | Multi-Stage Channels | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. [3]
Enterprise | T1050 | New Service | APT3 has a tool that creates a new service for persistence. [3]
Enterprise | T1027 | Obfuscated Files or Information | APT3 obfuscates files or information to help evade defensive measures. [4]
Enterprise | T1069 | Permission Groups Discovery | APT3 has a tool that can enumerate the permissions associated with Windows groups. [4]
Enterprise | T1086 | PowerShell | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
Enterprise | T1057 | Process Discovery | APT3 has a tool that can list the currently running processes. [8] [7]
Enterprise | T1108 | Redundant Access | APT3 has been known to use multiple backdoors per campaign. [5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT3 places scripts in the Startup folder for persistence. [3]
Enterprise | T1076 | Remote Desktop Protocol | APT3 enables the Remote Desktop Protocol for persistence. [6]
Enterprise | T1105 | Remote File Copy | APT3 has a tool that can copy files to remote machines. [8]
Enterprise | T1018 | Remote System Discovery | APT3 has a tool that can detect the existence of remote systems. [4] [8]
Enterprise | T1085 | Rundll32 | APT3 has a tool that can run DLLs. [8]
Enterprise | T1053 | Scheduled Task | An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System". [3]
Enterprise | T1064 | Scripting | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
Enterprise | T1045 | Software Packing | APT3 has been known to pack its tools. [5]
Enterprise | T1095 | Standard Non-Application Layer Protocol | An APT3 downloader establishes SOCKS5 connections for its initial C2. [3]
Enterprise | T1082 | System Information Discovery | APT3 has a tool that can obtain information about the local system. [4] [7]
Enterprise | T1016 | System Network Configuration Discovery | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. [4] [7]
Enterprise | T1049 | System Network Connections Discovery | APT3 has a tool that can enumerate current network connections. [4] [8] [7]
Enterprise | T1033 | System Owner/User Discovery | An APT3 downloader uses the Windows command cmd.exe /C whoami to verify that it is running with the elevated privileges of "System". [3]
Enterprise | T1065 | Uncommonly Used Port | An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81. [3]
Enterprise | T1078 | Valid Accounts | APT3 leverages valid accounts after gaining credentials for use within the victim domain. [4]
Enterprise | T1077 | Windows Admin Shares | APT3 copies files to Windows admin shares (such as ADMIN$) as part of lateral movement. [4]
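Several rows above describe host-side persistence and discovery behaviour that leaves telemetry a defender can match on: the sethc.exe replacement (T1015), the schtasks /create ... /sc ONLOGON /ru "System" task (T1053), scripts in the Startup folder (T1060), the support_388945a0 account and its addition to a local admin group (T1136, T1098), enabling RDP (T1076), and cmd.exe /C whoami run to confirm SYSTEM context (T1033). The following is an added example, not code from this page or from the MITRE ATT&CK project: a small rule set run over a constructed, normalised event stream (the field names and the "kind" values are this example's own schema, into which Sysmon or Security-log events would have to be mapped). It generalises T1015 to the other Windows accessibility helpers and to the Image File Execution Options debugger variant, which the page does not mention.

```python
"""Detections for the APT3 persistence/discovery rows, over a constructed event schema."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Alert = Tuple[str, int, str]  # (ATT&CK technique ID, event index, reason)

# T1015: the page names sethc.exe; the other accessibility helpers and the IFEO
# Debugger variant are a generalisation added in this example.
ACCESSIBILITY_BINARIES = tuple(
    "\\windows\\system32\\" + n
    for n in ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe"))
ACCESSIBILITY_NAMES = tuple(p.rsplit("\\", 1)[1] for p in ACCESSIBILITY_BINARIES)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RDP_DENY_VALUE = "\\control\\terminal server\\fdenytsconnections"
PRIVILEGED_GROUPS = ("administrators", "remote desktop users")
SYSTEM_USERS = ("nt authority\\system", "system")


def _f(e: Event, key: str) -> str:
    """Case-folded field access: Windows paths and registry keys are case-insensitive."""
    return e.get(key, "").lower()


def rule_accessibility_feature(i: int, e: Event) -> Optional[Alert]:
    if e["kind"] == "file_write" and _f(e, "target").endswith(ACCESSIBILITY_BINARIES):
        return ("T1015", i, "accessibility binary overwritten: " + e["target"])
    key = _f(e, "key")
    if (e["kind"] == "registry_set" and "\\image file execution options\\" in key
            and key.endswith(tuple("\\" + n + "\\debugger" for n in ACCESSIBILITY_NAMES))):
        return ("T1015", i, "IFEO debugger set on accessibility binary: " + e["key"])
    return None


def rule_scheduled_task(i: int, e: Event) -> Optional[Alert]:
    cmd = e.get("cmdline", "")
    if e["kind"] != "process_create" or not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmd, re.I):
        return None
    flags = []  # each flag is one of the suspicious properties of the task quoted on the page
    if re.search(r'/ru\s+"?(nt authority\\)?system"?', cmd, re.I):
        flags.append("runs as SYSTEM")
    if re.search(r"/sc\s+onlogon\b", cmd, re.I):
        flags.append("ONLOGON trigger")
    if re.search(r"\\users\\public\\", cmd, re.I):
        flags.append("payload under C:\\Users\\Public")
    return ("T1053", i, "schtasks /create: " + ", ".join(flags)) if flags else None


def rule_startup_folder(i: int, e: Event) -> Optional[Alert]:
    if e["kind"] == "file_write" and STARTUP_DIR in _f(e, "target"):
        return ("T1060", i, "file dropped in a Startup folder: " + e["target"])
    return None


def rule_account_activity(i: int, e: Event) -> Optional[Alert]:
    # T1136 covers both created and re-enabled accounts (support_388945a0 is a legacy
    # built-in account that is disabled by default); T1098 is the privileged-group add.
    if e["kind"] in ("user_created", "user_enabled"):
        return ("T1136", i, e["kind"].replace("user_", "account ") + ": " + e["account"])
    if e["kind"] == "group_member_added" and _f(e, "group") in PRIVILEGED_GROUPS:
        return ("T1098", i, e["member"] + " added to " + e["group"])
    return None


def rule_rdp_enabled(i: int, e: Event) -> Optional[Alert]:
    if (e["kind"] == "registry_set" and _f(e, "key").endswith(RDP_DENY_VALUE)
            and _f(e, "value") in ("0", "0x0", "0x00000000")):
        return ("T1076", i, "RDP enabled: fDenyTSConnections set to 0")
    return None


def rule_whoami_as_system(i: int, e: Event) -> Optional[Alert]:
    # whoami is noise from interactive users but rare under SYSTEM, which is the
    # check the APT3 downloader performs; keying on the user keeps the rule quiet.
    if (e["kind"] == "process_create" and re.search(r"\bwhoami\b", e.get("cmdline", ""), re.I)
            and _f(e, "user") in SYSTEM_USERS):
        return ("T1033", i, "whoami run as SYSTEM by " + e.get("parent", "?"))
    return None


RULES: List[Callable[[int, Event], Optional[Alert]]] = [
    rule_accessibility_feature, rule_scheduled_task, rule_startup_folder,
    rule_account_activity, rule_rdp_enabled, rule_whoami_as_system]


def detect(events: List[Event]) -> List[Alert]:
    """Run every rule over every event; alerts come back in event order."""
    alerts: List[Alert] = []
    for i, e in enumerate(events):
        for rule in RULES:
            hit = rule(i, e)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry for this example (not real logs): the first seven
# records mirror the APT3 rows above, the last three are benign activity.
SAMPLE_EVENTS: List[Event] = [
    {"kind": "process_create", "parent": r"C:\Users\Public\test.exe", "cmdline": "cmd.exe /C whoami", "user": r"NT AUTHORITY\SYSTEM"},
    {"kind": "process_create", "parent": r"C:\Users\Public\test.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": 'schtasks /create /tn "mysc" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru "System"'},
    {"kind": "file_write", "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\System32\sethc.exe"},
    {"kind": "file_write", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"kind": "user_enabled", "account": "support_388945a0"},
    {"kind": "group_member_added", "group": "Administrators", "member": "support_388945a0"},
    {"kind": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": "0"},
    {"kind": "process_create", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /C whoami", "user": r"CORP\alice"},
    {"kind": "process_create", "parent": r"C:\Windows\explorer.exe", "cmdline": "schtasks /query /tn Backup", "user": r"CORP\alice"},
    {"kind": "file_write", "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for technique, idx, reason in detect(SAMPLE_EVENTS):
        print(f"{technique}  event#{idx}  {reason}")
```

Running the block prints one alert per malicious record and nothing for the three benign ones. The schtasks rule deliberately fires only when at least one of the three properties of the quoted task is present (SYSTEM principal, logon trigger, payload in a world-writable directory), because bare schtasks /create calls are routine on managed hosts.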

Software

ID | Name | Techniques
S0165 | OSInfo | Account Discovery, Network Share Discovery, Permission Groups Discovery, Query Registry, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery
S0013 | PlugX | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, DLL Side-Loading, Execution through API, Masquerading, Multiband Communication, New Service, Query Registry, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, Trusted Developer Utilities, Web Service
S0166 | RemoteCMD | Remote File Copy, Scheduled Task, Service Execution
S0111 | schtasks | Scheduled Task
S0063 | SHOTPUT | Account Discovery, File and Directory Discovery, Obfuscated Files or Information, Process Discovery, Remote System Discovery, System Network Connections Discovery
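The T1090, T1104, T1095 and T1065 rows above describe the same network behaviour from different angles: the downloader speaks SOCKS5 to 192.157.198[.]103 on TCP/1913 and, once the proxy answers, asks it to CONNECT to 192.184.60[.]229 on TCP/81. The real destination therefore never appears as a TCP endpoint on the victim's network; it is only visible inside the SOCKS5 request, so a monitor that wants the second hop has to parse the proxy protocol. The following is an added example, not code from this page or from any of the tools listed: a parser for the client side of a SOCKS5 exchange (greeting plus request, RFC 1928) that handles the IPv4, domain-name and IPv6 address types and reports both hops together with whether each port is outside a common-port allowlist. The byte string is constructed to match the exchange described in the table, not a real capture, and COMMON_PORTS is this example's own allowlist.

```python
"""Extract the second-stage destination from a SOCKS5 client stream (RFC 1928)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USER_PASS"}
# Allowlist assumed for this example; anything else behind a proxy request is flagged.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995}


class Socks5ParseError(ValueError):
    """Raised for truncated or malformed client messages."""


def parse_greeting(data: bytes, off: int = 0) -> Tuple[List[str], int]:
    """VER NMETHODS METHODS... ; returns (method names, offset of next message)."""
    if len(data) < off + 2:
        raise Socks5ParseError("greeting truncated")
    ver, n = data[off], data[off + 1]
    if ver != SOCKS_VERSION:
        raise Socks5ParseError(f"unexpected version {ver:#x} in greeting")
    methods = data[off + 2:off + 2 + n]
    if len(methods) != n:
        raise Socks5ParseError("method list truncated")
    return [METHOD_NAMES.get(m, f"0x{m:02x}") for m in methods], off + 2 + n


def parse_request(data: bytes, off: int = 0) -> Dict:
    """VER CMD RSV ATYP DST.ADDR DST.PORT ; the request sent after method selection."""
    if len(data) < off + 4:
        raise Socks5ParseError("request truncated")
    ver, cmd, rsv, atyp = data[off:off + 4]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise Socks5ParseError("bad version or reserved byte in request")
    p = off + 4
    if atyp == 0x01:                                 # IPv4, 4 octets
        need = 4
        addr = str(ipaddress.IPv4Address(data[p:p + need])) if len(data) >= p + need else None
    elif atyp == 0x03:                               # domain name, 1 length byte + name
        if len(data) < p + 1:
            raise Socks5ParseError("domain length missing")
        need = 1 + data[p]
        addr = data[p + 1:p + need].decode("ascii", "replace") if len(data) >= p + need else None
    elif atyp == 0x04:                               # IPv6, 16 octets
        need = 16
        addr = str(ipaddress.IPv6Address(data[p:p + need])) if len(data) >= p + need else None
    else:
        raise Socks5ParseError(f"unknown address type {atyp:#x}")
    if addr is None or len(data) < p + need + 2:
        raise Socks5ParseError("destination address or port truncated")
    p += need
    (port,) = struct.unpack("!H", data[p:p + 2])   # port is network byte order
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "atyp": atyp, "dst": addr, "port": port, "end": p + 2}


def parse_client_stream(data: bytes) -> Dict:
    """Greeting followed by request, as seen in the client-to-proxy direction."""
    methods, off = parse_greeting(data)
    req = parse_request(data, off)
    req["methods"] = methods
    req["trailing_bytes"] = len(data) - req.pop("end")
    return req


def is_valid_socks5(data: bytes) -> bool:
    try:
        parse_client_stream(data)
        return True
    except Socks5ParseError:
        return False


def chain_hops(proxy_addr: str, proxy_port: int, client_stream: bytes) -> List[Dict]:
    """Both hops of the multi-stage channel: the proxy itself and the tunnelled destination."""
    req = parse_client_stream(client_stream)
    return [
        {"hop": "socks5-proxy", "addr": proxy_addr, "port": proxy_port, "uncommon_port": proxy_port not in COMMON_PORTS},
        {"hop": req["cmd"].lower(), "addr": req["dst"], "port": req["port"], "uncommon_port": req["port"] not in COMMON_PORTS},
    ]


# Constructed client bytes modelled on the T1104 row: no-auth greeting, then CONNECT 192.184.60.229:81.
SAMPLE_STREAM = bytes([0x05, 0x01, 0x00]) + bytes([0x05, 0x01, 0x00, 0x01, 192, 184, 60, 229, 0x00, 0x51])

if __name__ == "__main__":
    for hop in chain_hops("192.157.198.103", 1913, SAMPLE_STREAM):
        print(hop)
```

Both hops in the sample come back with uncommon_port set, which is the T1065 observation; a monitor that only records TCP 4-tuples would have logged the 1913 connection and missed the port-81 destination entirely. The parser refuses truncated messages rather than guessing, since a partial capture of the request is the usual failure mode when a flow is cut mid-handshake.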