
APT41

Aliases: APT41, Wicked Panda, Brass Typhoon, BARIUM

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre....

Coverage summary:

- Techniques: 85
- Covered: 80
- Gaps: 5
- Coverage: 94% (80/85)

COVERED (80)

| Technique ID | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.002 | Security Account Manager | 49 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1008 | Fallback Channels | 5 |
| T1012 | Query Registry | 24 |
| T1014 | Rootkit | 30 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1027 | Obfuscated Files or Information | 561 |
| T1027.002 | Software Packing | 1 |
| T1030 | Data Transfer Size Limits | 7 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037 | Boot or Logon Initialization Scripts | 25 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1055 | Process Injection | 79 |
| T1056.001 | Keylogging | 4 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.004 | Unix Shell | 155 |
| T1069 | Permission Groups Discovery | 31 |
| T1070.001 | Clear Windows Event Logs | 16 |
| T1070.003 | Clear Command History | 15 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1071.002 | File Transfer Protocols | 1 |
| T1071.004 | DNS | 34 |
| T1078 | Valid Accounts | 280 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 33 |
| T1087.002 | Domain Account | 57 |
| T1090 | Proxy | 46 |
| T1098.007 | Additional Local or Domain Groups | 10 |
| T1102.001 | Dead Drop Resolver | 7 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110 | Brute Force | 90 |
| T1112 | Modify Registry | 203 |
| T1133 | External Remote Services | 72 |
| T1135 | Network Share Discovery | 20 |
| T1136.001 | Local Account | 43 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1197 | BITS Jobs | 25 |
| T1203 | Exploitation for Client Execution | 75 |
| T1213.003 | Code Repositories | 9 |
| T1218.001 | Compiled HTML File | 14 |
| T1218.011 | Rundll32 | 75 |
| T1484.001 | Group Policy Modification | 19 |
| T1486 | Data Encrypted for Impact | 360 |
| T1496.001 | Compute Hijacking | 2 |
| T1542.003 | Bootkit | 4 |
| T1543.003 | Windows Service | 79 |
| T1546.008 | Accessibility Features | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1550.002 | Pass the Hash | 10 |
| T1553.002 | Code Signing | 3 |
| T1555 | Credentials from Password Stores | 40 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1560.001 | Archive via Utility | 26 |
| T1562.006 | Indicator Blocking | 16 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1568.002 | Domain Generation Algorithms | 10 |
| T1569.002 | Service Execution | 64 |
| T1570 | Lateral Tool Transfer | 22 |
| T1574.001 | DLL | 109 |
| T1574.006 | Dynamic Linker Hijacking | 24 |
| T1588.002 | Tool | 13 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1595.003 | Wordlist Scanning | 7 |
| T1656 | Impersonation | 184 |
| T1685 | Disable or Modify Tools | 278 |
| T1685.005 | Clear Windows Event Logs | 11 |