APT41
Also known as: Wicked Panda, Brass Typhoon, BARIUM
[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre....
Coverage summary: 82 techniques, 78 covered, 4 gaps (95% coverage, 78/82).

GAPS (4)

COVERED (78)
| Technique ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.002 | Security Account Manager | 45 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1008 | Fallback Channels | 5 |
| T1012 | Query Registry | 22 |
| T1014 | Rootkit | 29 |
| T1016 | System Network Configuration Discovery | 35 |
| T1018 | Remote System Discovery | 46 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1021.002 | SMB/Windows Admin Shares | 67 |
| T1027 | Obfuscated Files or Information | 525 |
| T1027.002 | Software Packing | 1 |
| T1030 | Data Transfer Size Limits | 6 |
| T1033 | System Owner/User Discovery | 59 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037 | Boot or Logon Initialization Scripts | 25 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1055 | Process Injection | 76 |
| T1056.001 | Keylogging | 4 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.004 | Unix Shell | 149 |
| T1069 | Permission Groups Discovery | 24 |
| T1070.001 | Clear Windows Event Logs | 15 |
| T1070.003 | Clear Command History | 14 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1071.002 | File Transfer Protocols | 1 |
| T1071.004 | DNS | 31 |
| T1078 | Valid Accounts | 252 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 32 |
| T1087.002 | Domain Account | 55 |
| T1090 | Proxy | 44 |
| T1098.007 | Additional Local or Domain Groups | 9 |
| T1102.001 | Dead Drop Resolver | 7 |
| T1105 | Ingress Tool Transfer | 170 |
| T1110 | Brute Force | 85 |
| T1112 | Modify Registry | 197 |
| T1133 | External Remote Services | 72 |
| T1135 | Network Share Discovery | 16 |
| T1136.001 | Local Account | 42 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1197 | BITS Jobs | 23 |
| T1203 | Exploitation for Client Execution | 71 |
| T1213.003 | Code Repositories | 9 |
| T1218.001 | Compiled HTML File | 13 |
| T1218.011 | Rundll32 | 73 |
| T1484.001 | Group Policy Modification | 18 |
| T1486 | Data Encrypted for Impact | 339 |
| T1496.001 | Compute Hijacking | 2 |
| T1542.003 | Bootkit | 3 |
| T1543.003 | Windows Service | 79 |
| T1546.008 | Accessibility Features | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1550.002 | Pass the Hash | 9 |
| T1553.002 | Code Signing | 3 |
| T1555 | Credentials from Password Stores | 38 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1560.001 | Archive via Utility | 24 |
| T1562.006 | Indicator Blocking | 16 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1568.002 | Domain Generation Algorithms | 10 |
| T1569.002 | Service Execution | 63 |
| T1570 | Lateral Tool Transfer | 20 |
| T1574.001 | DLL | 106 |
| T1574.006 | Dynamic Linker Hijacking | 24 |
| T1588.002 | Tool | 13 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1595.003 | Wordlist Scanning | 7 |
| T1656 | Impersonation | 172 |