APT3
APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
Techniques: 44 | Covered: 42 | Gaps: 2 | Coverage: 95% (42/44)
COVERED (42)
- T1003.001 LSASS Memory: 105 det.
- T1005 Data from Local System: 46 det.
- T1016 System Network Configuration Discovery: 35 det.
- T1018 Remote System Discovery: 46 det.
- T1021.001 Remote Desktop Protocol: 51 det.
- T1021.002 SMB/Windows Admin Shares: 67 det.
- T1027 Obfuscated Files or Information: 525 det.
- T1027.002 Software Packing: 1 det.
- T1027.005 Indicator Removal from Tools: 6 det.
- T1033 System Owner/User Discovery: 59 det.
- T1041 Exfiltration Over C2 Channel: 30 det.
- T1049 System Network Connections Discovery: 21 det.
- T1053.005 Scheduled Task: 82 det.
- T1056.001 Keylogging: 4 det.
- T1057 Process Discovery: 18 det.
- T1059.001 PowerShell: 338 det.
- T1059.003 Windows Command Shell: 79 det.
- T1069 Permission Groups Discovery: 24 det.
- T1070.004 File Deletion: 40 det.
- T1074.001 Local Data Staging: 10 det.
- T1078.002 Domain Accounts: 26 det.
- T1082 System Information Discovery: 80 det.
- T1083 File and Directory Discovery: 48 det.
- T1087.001 Local Account: 32 det.
- T1090.002 External Proxy: 6 det.
- T1095 Non-Application Layer Protocol: 23 det.
- T1098.007 Additional Local or Domain Groups: 9 det.
- T1105 Ingress Tool Transfer: 170 det.
- T1110.002 Password Cracking: 2 det.
- T1136.001 Local Account: 42 det.
- T1203 Exploitation for Client Execution: 71 det.
- T1204.001 Malicious Link: 9 det.
- T1218.011 Rundll32: 73 det.
- T1543.003 Windows Service: 79 det.
- T1546.008 Accessibility Features: 8 det.
- T1547.001 Registry Run Keys / Startup Folder: 50 det.
- T1552.001 Credentials In Files: 53 det.
- T1555.003 Credentials from Web Browsers: 15 det.
- T1560.001 Archive via Utility: 24 det.
- T1564.003 Hidden Window: 11 det.
- T1566.002 Spearphishing Link: 837 det.
- T1574.001 DLL: 106 det.