| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT18 establishes persistence via the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT18 uses cmd.exe to execute commands on the victim’s machine.[4][3] |
| Enterprise | T1133 | External Remote Services | APT18 actors leverage legitimate credentials to log into external remote services.[5] |
| Enterprise | T1083 | File and Directory Discovery | APT18 can list file information for specific directories.[4] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | APT18 actors deleted tools and batch files from victim systems.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1053.002 | Scheduled Task/Job: At | APT18 actors used the native Windows at task scheduler tool to run scheduled tasks for execution on a victim network.[1] |
| Enterprise | T1082 | System Information Discovery | APT18 can collect system information from the victim’s machine.[4] |
| Enterprise | T1078 | Valid Accounts | APT18 actors leverage legitimate credentials to log into external remote services.[5] |