← Back to Actors
APT29
APT29IRON RITUALIRON HEMLOCKNobleBaronDark HaloNOBELIUMUNC2452YTTRIUMThe DukesCozy BearCozyDukeSolarStormBlue KitsuneUNC3524Midnight Blizzard
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr...
67
Techniques
65
Covered
2
Gaps
97%
Coverage
Coverage65/67
COVERED (65)
T1003.002Security Account Manager49 det.T1003.004LSA Secrets18 det.T1005Data from Local System47 det.T1016.001Internet Connection Discovery6 det.T1021.007Cloud Services12 det.T1027.001Binary Padding3 det.T1027.002Software Packing2 det.T1027.006HTML Smuggling1 det.T1036.005Match Legitimate Resource Name or Location45 det.T1037Boot or Logon Initialization Scripts26 det.T1037.004RC Scripts11 det.T1047Windows Management Instrumentation88 det.T1053.005Scheduled Task100 det.T1059.001PowerShell372 det.T1059.006Python51 det.T1059.009Cloud API6 det.T1068Exploitation for Privilege Escalation99 det.T1070.004File Deletion43 det.T1070.006Timestomp10 det.T1078Valid Accounts297 det.T1078.003Local Accounts23 det.T1078.004Cloud Accounts183 det.T1087.004Cloud Account22 det.T1090.002External Proxy8 det.T1090.003Multi-hop Proxy9 det.T1090.004Domain Fronting2 det.T1098.002Additional Email Delegate Permissions9 det.T1098.005Device Registration26 det.T1105Ingress Tool Transfer184 det.T1110.001Password Guessing35 det.T1110.003Password Spraying66 det.T1114.002Remote Email Collection18 det.T1133External Remote Services74 det.T1136.003Cloud Account33 det.T1190Exploit Public-Facing Application227 det.T1199Trusted Relationship6 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1218.005Mshta49 det.T1505.003Web Shell65 det.T1528Steal Application Access Token52 det.T1546.003Windows Management Instrumentation Event Subscription18 det.T1546.008Accessibility Features8 det.T1547.001Registry Run Keys / Startup Folder53 det.T1548.002Bypass User Account Control84 det.T1550.003Pass the Ticket14 det.T1553.005Mark-of-the-Web Bypass11 det.T1556.007Hybrid Identity3 det.T1562.008Disable or Modify Cloud Logs47 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1566.003Spearphishing via Service96 det.T1568Dynamic Resolution11 det.T1573Encrypted Channel35 det.T1583.006Web Services1 det.T1586.003Cloud Accounts36 det.T1587.001Malware10 det.T1587.003Digital Certificates1 det.T1588.002Tool13 det.T1595.002Vulnerability Scanning13 det.T1621Multi-Factor Authentication Request Generation24 det.T1649Steal or Forge Authentication Certificates25 det.T1651Cloud Administration Command13 det.T1685.002Disable or Modify Cloud Log22 det.