
APT29

Aliases: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard

[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr...

- Techniques: 67
- Covered: 65
- Gaps: 2
- Coverage: 97% (65/67)

COVERED (65)

| Technique ID | Name | Detections |
|---|---|---|
| T1003.002 | Security Account Manager | 49 |
| T1003.004 | LSA Secrets | 18 |
| T1005 | Data from Local System | 47 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1021.007 | Cloud Services | 12 |
| T1027.001 | Binary Padding | 3 |
| T1027.002 | Software Packing | 1 |
| T1027.006 | HTML Smuggling | 1 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037 | Boot or Logon Initialization Scripts | 25 |
| T1037.004 | RC Scripts | 11 |
| T1047 | Windows Management Instrumentation | 87 |
| T1053.005 | Scheduled Task | 99 |
| T1059.001 | PowerShell | 368 |
| T1059.006 | Python | 49 |
| T1059.009 | Cloud API | 6 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1070.004 | File Deletion | 42 |
| T1070.006 | Timestomp | 10 |
| T1078 | Valid Accounts | 280 |
| T1078.003 | Local Accounts | 23 |
| T1078.004 | Cloud Accounts | 167 |
| T1087.004 | Cloud Account | 17 |
| T1090.002 | External Proxy | 6 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1090.004 | Domain Fronting | 1 |
| T1098.002 | Additional Email Delegate Permissions | 9 |
| T1098.005 | Device Registration | 22 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110.001 | Password Guessing | 35 |
| T1110.003 | Password Spraying | 66 |
| T1114.002 | Remote Email Collection | 18 |
| T1133 | External Remote Services | 72 |
| T1136.003 | Cloud Account | 33 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1218.005 | Mshta | 49 |
| T1505.003 | Web Shell | 63 |
| T1528 | Steal Application Access Token | 47 |
| T1546.003 | Windows Management Instrumentation Event Subscription | 18 |
| T1546.008 | Accessibility Features | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1548.002 | Bypass User Account Control | 84 |
| T1550.003 | Pass the Ticket | 13 |
| T1553.005 | Mark-of-the-Web Bypass | 11 |
| T1556.007 | Hybrid Identity | 3 |
| T1562.008 | Disable or Modify Cloud Logs | 46 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1566.003 | Spearphishing via Service | 88 |
| T1568 | Dynamic Resolution | 10 |
| T1573 | Encrypted Channel | 32 |
| T1583.006 | Web Services | 1 |
| T1586.003 | Cloud Accounts | 36 |
| T1587.001 | Malware | 10 |
| T1587.003 | Digital Certificates | 1 |
| T1588.002 | Tool | 13 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1621 | Multi-Factor Authentication Request Generation | 23 |
| T1649 | Steal or Forge Authentication Certificates | 25 |
| T1651 | Cloud Administration Command | 9 |
| T1685.002 | Disable or Modify Cloud Log | 22 |