
APT32

Aliases: APT32, SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

- Techniques: 79
- Covered: 76
- Gaps: 3
- Coverage: 76/79 (96%)

COVERED (76)

| Technique ID | Name | Detections |
|---|---|---|
| T1003 | OS Credential Dumping | 113 |
| T1003.001 | LSASS Memory | 111 |
| T1012 | Query Registry | 24 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1027.010 | Command Obfuscation | 38 |
| T1027.011 | Fileless Storage | 3 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1033 | System Owner/User Discovery | 61 |
| T1036 | Masquerading | 525 |
| T1036.003 | Rename Legitimate Utilities | 47 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 21 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1055 | Process Injection | 79 |
| T1056.001 | Keylogging | 4 |
| T1059 | Command and Scripting Interpreter | 486 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1059.007 | JavaScript | 61 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1070.001 | Clear Windows Event Logs | 16 |
| T1070.004 | File Deletion | 42 |
| T1070.006 | Timestomp | 10 |
| T1071.001 | Web Protocols | 80 |
| T1071.003 | Mail Protocols | 4 |
| T1072 | Software Deployment Tools | 13 |
| T1078.003 | Local Accounts | 23 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 33 |
| T1102 | Web Service | 34 |
| T1105 | Ingress Tool Transfer | 183 |
| T1112 | Modify Registry | 203 |
| T1135 | Network Share Discovery | 20 |
| T1137 | Office Application Startup | 18 |
| T1189 | Drive-by Compromise | 10 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1216.001 | PubPrn | 2 |
| T1218.005 | Mshta | 49 |
| T1218.010 | Regsvr32 | 43 |
| T1218.011 | Rundll32 | 75 |
| T1222.002 | Linux and Mac Permissions | 18 |
| T1505.003 | Web Shell | 63 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1550.002 | Pass the Hash | 10 |
| T1550.003 | Pass the Ticket | 13 |
| T1552.002 | Credentials in Registry | 7 |
| T1560 | Archive Collected Data | 12 |
| T1564.001 | Hidden Files and Directories | 25 |
| T1564.003 | Hidden Window | 11 |
| T1564.004 | NTFS File Attributes | 36 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1569.002 | Service Execution | 64 |
| T1570 | Lateral Tool Transfer | 22 |
| T1571 | Non-Standard Port | 16 |
| T1574.001 | DLL | 109 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.002 | Email Addresses | 2 |
| T1598.003 | Spearphishing Link | 285 |
| T1608.001 | Upload Malware | 3 |
| T1685.005 | Clear Windows Event Logs | 11 |