
APT32

Aliases: APT32, SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. It has made extensive use of strategic web compromises (watering-hole attacks) to gain initial access to victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

Techniques: 78
Covered: 75
Gaps: 3
Coverage: 96% (75/78)

COVERED (75)

| ID | Technique | Detections |
|---|---|---|
| T1003 | OS Credential Dumping | 106 |
| T1003.001 | LSASS Memory | 105 |
| T1012 | Query Registry | 22 |
| T1016 | System Network Configuration Discovery | 35 |
| T1018 | Remote System Discovery | 46 |
| T1021.002 | SMB/Windows Admin Shares | 67 |
| T1027.010 | Command Obfuscation | 31 |
| T1027.011 | Fileless Storage | 3 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1033 | System Owner/User Discovery | 59 |
| T1036 | Masquerading | 493 |
| T1036.003 | Rename Legitimate Utilities | 47 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 20 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1055 | Process Injection | 76 |
| T1056.001 | Keylogging | 4 |
| T1059 | Command and Scripting Interpreter | 462 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1059.007 | JavaScript | 58 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.001 | Clear Windows Event Logs | 15 |
| T1070.004 | File Deletion | 40 |
| T1070.006 | Timestomp | 9 |
| T1071.001 | Web Protocols | 74 |
| T1071.003 | Mail Protocols | 4 |
| T1072 | Software Deployment Tools | 13 |
| T1078.003 | Local Accounts | 23 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 32 |
| T1102 | Web Service | 33 |
| T1105 | Ingress Tool Transfer | 170 |
| T1112 | Modify Registry | 197 |
| T1135 | Network Share Discovery | 16 |
| T1137 | Office Application Startup | 17 |
| T1189 | Drive-by Compromise | 10 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1216.001 | PubPrn | 2 |
| T1218.005 | Mshta | 46 |
| T1218.010 | Regsvr32 | 41 |
| T1218.011 | Rundll32 | 73 |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | 17 |
| T1505.003 | Web Shell | 57 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1550.002 | Pass the Hash | 9 |
| T1550.003 | Pass the Ticket | 11 |
| T1552.002 | Credentials in Registry | 7 |
| T1560 | Archive Collected Data | 11 |
| T1564.001 | Hidden Files and Directories | 23 |
| T1564.003 | Hidden Window | 11 |
| T1564.004 | NTFS File Attributes | 31 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1569.002 | Service Execution | 63 |
| T1570 | Lateral Tool Transfer | 20 |
| T1571 | Non-Standard Port | 16 |
| T1574.001 | DLL | 106 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.002 | Email Addresses | 2 |
| T1598.003 | Spearphishing Link | 271 |
| T1608.001 | Upload Malware | 2 |
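The coverage list above is rendered as one run-together string (ATT&CK ID, technique name and detection count with only "det." separating entries), which is awkward to ingest into a tracker or to compare against another actor's list. The following is an added example, not code from this page or from the dashboard that produced it, showing how to parse that format into records and pull out the two numbers a practitioner actually wants: the headline coverage percentage, and the techniques that count as "covered" but are backed by only a handful of detections. The sample input is constructed from a few of the entries above; the `KNOWN_NAMES` map is an assumption the caller must supply for any technique whose ATT&CK name ends in digits, because "Regsvr3241 det." cannot be split correctly without knowing the name is "Regsvr32".

```python
import re
from dataclasses import dataclass

# Constructed sample: a slice of the flattened COVERED list in the form the
# page renders it (ID, name and detection count run together, "det." as the
# only separator), including the two names that end in digits and the one
# entry that was split across a line break.
SAMPLE = (
    "T1003OS Credential Dumping106 det."
    "T1003.001LSASS Memory105 det."
    "T1218.010Regsvr3241 det."
    "T1218.011Rundll3273 det."
    "T1550.003Pass the Ticket11 \n"
    "det.T1566.001Spearphishing Attachment850 det."
    "T1608.001Upload Malware2 det."
)

# Names that end in digits make the name/count boundary ambiguous
# ("Regsvr3241" could be Regsvr32 + 41 or Regsvr3 + 241). The only safe
# resolution is the ATT&CK name for that ID. Assumption: supplied by caller.
KNOWN_NAMES = {
    "T1218.010": "Regsvr32",
    "T1218.011": "Rundll32",
}

# Technique (T1234) or sub-technique (T1234.001) ID, the name (lazy, so it
# stops at the first digit run that is followed by " det."), the trailing
# digits, then the " det." marker that terminates every entry.
ENTRY_RE = re.compile(r"(T\d{4}(?:\.\d{3})?)(.*?)(\d+) det\.")


@dataclass(frozen=True)
class Coverage:
    technique_id: str
    name: str
    detections: int


def parse_coverage(text: str, known_names=KNOWN_NAMES) -> list[Coverage]:
    """Split the run-together dashboard text into one record per technique."""
    flat = re.sub(r"\s+", " ", text)  # a line break inside an entry -> one space
    records = []
    for tid, raw_name, raw_digits in ENTRY_RE.findall(flat):
        if tid in known_names:
            # The regex gave the shortest name and the longest digit run;
            # re-split using the authoritative name for this ID.
            combined = raw_name + raw_digits
            name = known_names[tid]
            if not combined.startswith(name):
                raise ValueError(f"{tid}: expected {name!r}, got {combined!r}")
            detections = int(combined[len(name):])
        else:
            name, detections = raw_name.strip(), int(raw_digits)
        records.append(Coverage(tid, name, detections))
    return records


def coverage_pct(covered: int, total: int) -> int:
    """Whole-percent coverage as the dashboard header reports it (75/78 -> 96)."""
    return round(100 * covered / total) if total else 0


def thin_coverage(records, max_detections: int = 5) -> list[Coverage]:
    """Techniques counted as covered but backed by very few detections.

    The covered/gap flag is binary; a technique with one or two detections is
    a far weaker control than one with hundreds, so these deserve review.
    """
    return [r for r in records if r.detections <= max_detections]


if __name__ == "__main__":
    recs = parse_coverage(SAMPLE)
    for r in recs:
        print(f"{r.technique_id:<10} {r.name:<30} {r.detections:>4}")
    print("coverage:", coverage_pct(75, 78), "%")
    print("thin:", [r.technique_id for r in thin_coverage(recs)])
```

Applied to the full list above, `thin_coverage` with the default threshold flags T1027.011, T1056.001, T1071.003, T1216.001, T1583.006, T1589, T1589.002 and T1608.001, so the 96% figure overstates depth: several of the "covered" techniques rest on one to four rules.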