APT3
Associated group names: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
Coverage summary: 44 techniques, 42 covered, 2 gaps, 95% coverage (42/44)
COVERED (42)
| Technique ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1005 | Data from Local System | 47 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1027 | Obfuscated Files or Information | 561 |
| T1027.002 | Software Packing | 1 |
| T1027.005 | Indicator Removal from Tools | 6 |
| T1033 | System Owner/User Discovery | 61 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1069 | Permission Groups Discovery | 31 |
| T1070.004 | File Deletion | 42 |
| T1074.001 | Local Data Staging | 10 |
| T1078.002 | Domain Accounts | 28 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 33 |
| T1090.002 | External Proxy | 6 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1098.007 | Additional Local or Domain Groups | 10 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110.002 | Password Cracking | 2 |
| T1136.001 | Local Account | 43 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1218.011 | Rundll32 | 75 |
| T1543.003 | Windows Service | 79 |
| T1546.008 | Accessibility Features | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1552.001 | Credentials In Files | 61 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1560.001 | Archive via Utility | 26 |
| T1564.003 | Hidden Window | 11 |
| T1566.002 | Spearphishing Link | 904 |
| T1574.001 | DLL | 109 |
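The table above reports a headline 95% but says nothing about how deep each "covered" entry is: three techniques are covered by five or fewer detections. The script below is an added example, not code from this page or the tool behind it. It takes the covered list as data, flags thin coverage, and emits the result as an ATT&CK Navigator layer so the detection counts can be viewed as a heat map next to the group's own technique set. The Navigator layer field names follow the public layer format (assumed layer version 4.5; the ATT&CK and Navigator version strings are placeholders). The two uncovered techniques are not named on the page, so only covered techniques are scored.

```python
"""Thin-coverage report and ATT&CK Navigator layer for a per-group coverage table.

COVERED is the APT3 (G0022) coverage table from this page. The layer field
names follow the published Navigator layer format (assumed version 4.5);
the "attack" and "navigator" version strings are placeholders to adjust.
"""
import json

# (technique ID, technique name, number of detections), copied from the page.
COVERED = [
    ("T1003.001", "LSASS Memory", 111), ("T1005", "Data from Local System", 47),
    ("T1016", "System Network Configuration Discovery", 39), ("T1018", "Remote System Discovery", 50),
    ("T1021.001", "Remote Desktop Protocol", 53), ("T1021.002", "SMB/Windows Admin Shares", 73),
    ("T1027", "Obfuscated Files or Information", 561), ("T1027.002", "Software Packing", 1),
    ("T1027.005", "Indicator Removal from Tools", 6), ("T1033", "System Owner/User Discovery", 61),
    ("T1041", "Exfiltration Over C2 Channel", 31), ("T1049", "System Network Connections Discovery", 22),
    ("T1053.005", "Scheduled Task", 99), ("T1056.001", "Keylogging", 4),
    ("T1057", "Process Discovery", 20), ("T1059.001", "PowerShell", 368),
    ("T1059.003", "Windows Command Shell", 82), ("T1069", "Permission Groups Discovery", 31),
    ("T1070.004", "File Deletion", 42), ("T1074.001", "Local Data Staging", 10),
    ("T1078.002", "Domain Accounts", 28), ("T1082", "System Information Discovery", 86),
    ("T1083", "File and Directory Discovery", 48), ("T1087.001", "Local Account", 33),
    ("T1090.002", "External Proxy", 6), ("T1095", "Non-Application Layer Protocol", 23),
    ("T1098.007", "Additional Local or Domain Groups", 10), ("T1105", "Ingress Tool Transfer", 183),
    ("T1110.002", "Password Cracking", 2), ("T1136.001", "Local Account", 43),
    ("T1203", "Exploitation for Client Execution", 75), ("T1204.001", "Malicious Link", 10),
    ("T1218.011", "Rundll32", 75), ("T1543.003", "Windows Service", 79),
    ("T1546.008", "Accessibility Features", 8), ("T1547.001", "Registry Run Keys / Startup Folder", 53),
    ("T1552.001", "Credentials In Files", 61), ("T1555.003", "Credentials from Web Browsers", 16),
    ("T1560.001", "Archive via Utility", 26), ("T1564.003", "Hidden Window", 11),
    ("T1566.002", "Spearphishing Link", 904), ("T1574.001", "DLL", 109),
]
TOTAL_TECHNIQUES = 44  # from the page's coverage summary (42 covered, 2 gaps)


def coverage_percent(covered: int, total: int) -> float:
    """Coverage as a percentage rounded to one decimal (42/44 -> 95.5)."""
    if total <= 0:
        raise ValueError("total must be positive")
    return round(100.0 * covered / total, 1)


def thin_coverage(entries, max_detections: int = 5) -> list:
    """Technique IDs that count as 'covered' on only a few detections, weakest first.

    A technique behind one or two detections is the easiest place for an
    intrusion to slip through, so these deserve review before the headline
    percentage is trusted.
    """
    weak = [(n, tid) for tid, _, n in entries if n <= max_detections]
    return [tid for _, tid in sorted(weak)]


def build_layer(entries, name: str, group_id: str) -> dict:
    """Navigator layer in which score = detection count, so the heat map shows
    depth of coverage rather than a binary covered/uncovered."""
    max_score = max(n for _, _, n in entries)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # placeholders
        "domain": "enterprise-attack",
        "description": f"Detection coverage for ATT&CK group {group_id}",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{tech}: {n} detections"}
            for tid, tech, n in entries
        ],
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    print(f"{len(COVERED)}/{TOTAL_TECHNIQUES} covered "
          f"({coverage_percent(len(COVERED), TOTAL_TECHNIQUES)}%)")
    print("thin coverage (<= 5 detections):", thin_coverage(COVERED))
    with open("apt3_coverage_layer.json", "w") as fh:
        json.dump(build_layer(COVERED, "APT3 detection coverage", "G0022"), fh, indent=2)
```

Load the written JSON file in ATT&CK Navigator via "Open Existing Layer" and overlay it on the G0022 group layer; any technique the group uses that carries no score is one of the two gaps the page counts but does not name.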