
APT29

Associated names: APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard

[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr...

Techniques: 66
Covered: 63
Gaps: 3
Coverage: 95% (63/66)

COVERED (63)

| Technique ID | Technique | Detections |
|---|---|---|
| T1003.002 | Security Account Manager | 45 |
| T1003.004 | LSA Secrets | 16 |
| T1005 | Data from Local System | 46 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1021.007 | Cloud Services | 10 |
| T1027.001 | Binary Padding | 3 |
| T1027.002 | Software Packing | 1 |
| T1027.006 | HTML Smuggling | 1 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037 | Boot or Logon Initialization Scripts | 25 |
| T1037.004 | RC Scripts | 11 |
| T1047 | Windows Management Instrumentation | 85 |
| T1053.005 | Scheduled Task | 82 |
| T1059.001 | PowerShell | 338 |
| T1059.006 | Python | 43 |
| T1059.009 | Cloud API | 5 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.004 | File Deletion | 40 |
| T1070.006 | Timestomp | 9 |
| T1078 | Valid Accounts | 252 |
| T1078.003 | Local Accounts | 23 |
| T1078.004 | Cloud Accounts | 149 |
| T1087.004 | Cloud Account | 13 |
| T1090.002 | External Proxy | 6 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1098.002 | Additional Email Delegate Permissions | 8 |
| T1098.005 | Device Registration | 15 |
| T1105 | Ingress Tool Transfer | 170 |
| T1110.001 | Password Guessing | 35 |
| T1110.003 | Password Spraying | 65 |
| T1114.002 | Remote Email Collection | 18 |
| T1133 | External Remote Services | 72 |
| T1136.003 | Cloud Account | 30 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1218.005 | Mshta | 46 |
| T1505.003 | Web Shell | 57 |
| T1528 | Steal Application Access Token | 42 |
| T1546.003 | Windows Management Instrumentation Event Subscription | 17 |
| T1546.008 | Accessibility Features | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1548.002 | Bypass User Account Control | 83 |
| T1550.003 | Pass the Ticket | 11 |
| T1553.005 | Mark-of-the-Web Bypass | 11 |
| T1556.007 | Hybrid Identity | 2 |
| T1562.008 | Disable or Modify Cloud Logs | 44 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1566.003 | Spearphishing via Service | 85 |
| T1568 | Dynamic Resolution | 10 |
| T1573 | Encrypted Channel | 31 |
| T1583.006 | Web Services | 1 |
| T1586.003 | Cloud Accounts | 36 |
| T1587.001 | Malware | 9 |
| T1587.003 | Digital Certificates | 1 |
| T1588.002 | Tool | 13 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1621 | Multi-Factor Authentication Request Generation | 23 |
| T1649 | Steal or Forge Authentication Certificates | 24 |
| T1651 | Cloud Administration Command | 7 |