← Back to Actors
APT32
APT32SeaLotusOceanLotusAPT-C-00Canvas CycloneBISMUTH
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)
79
Techniques
76
Covered
3
Gaps
96%
Coverage
Coverage76/79
COVERED (76)
T1003OS Credential Dumping113 det.T1003.001LSASS Memory111 det.T1012Query Registry25 det.T1016System Network Configuration Discovery40 det.T1018Remote System Discovery51 det.T1021.002SMB/Windows Admin Shares74 det.T1027.010Command Obfuscation38 det.T1027.011Fileless Storage4 det.T1027.013Encrypted/Encoded File8 det.T1033System Owner/User Discovery61 det.T1036Masquerading572 det.T1036.003Rename Legitimate Utilities47 det.T1036.004Masquerade Task or Service7 det.T1036.005Match Legitimate Resource Name or Location45 det.T1041Exfiltration Over C2 Channel32 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1048.003Exfiltration Over Unencrypted Non-C2 Protocol22 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1055Process Injection81 det.T1056.001Keylogging4 det.T1059Command and Scripting Interpreter514 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1059.007JavaScript63 det.T1068Exploitation for Privilege Escalation99 det.T1070.001Clear Windows Event Logs16 det.T1070.004File Deletion43 det.T1070.006Timestomp10 det.T1071.001Web Protocols81 det.T1071.003Mail Protocols4 det.T1072Software Deployment Tools13 det.T1078.003Local Accounts23 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.001Local Account33 det.T1102Web Service35 det.T1105Ingress Tool Transfer184 det.T1112Modify Registry203 det.T1135Network Share Discovery20 det.T1137Office Application Startup18 det.T1189Drive-by Compromise10 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1216.001PubPrn2 det.T1218.005Mshta49 det.T1218.010Regsvr3243 det.T1218.011Rundll3275 det.T1222.002Linux and Mac Permissions18 det.T1505.003Web Shell65 det.T1543.003Windows Service79 det.T1547.001Registry Run Keys / Startup Folder53 det.T1550.002Pass the Hash10 det.T1550.003Pass the Ticket14 det.T1552.002Credentials in Registry7 det.T1560Archive Collected Data12 det.T1564.001Hidden Files and Directories25 det.T1564.003Hidden Window11 det.T1564.004NTFS File Attributes36 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1569.002Service Execution64 det.T1570Lateral Tool Transfer23 det.T1571Non-Standard Port17 det.T1574.001DLL111 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1588.002Tool13 det.T1589Gather Victim Identity Information1 det.T1589.002Email Addresses2 det.T1598.003Spearphishing Link312 det.T1608.001Upload Malware3 det.T1685.005Clear Windows Event Logs12 det.