← Back to Actors
APT41
APT41Wicked PandaBrass TyphoonBARIUM
[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre....
85
Techniques
80
Covered
5
Gaps
94%
Coverage
Coverage80/85
GAPS (5)
COVERED (80)
T1003.001LSASS Memory111 det.T1003.002Security Account Manager49 det.T1003.003NTDS36 det.T1005Data from Local System47 det.T1008Fallback Channels5 det.T1012Query Registry25 det.T1014Rootkit30 det.T1016System Network Configuration Discovery40 det.T1018Remote System Discovery51 det.T1021.001Remote Desktop Protocol53 det.T1021.002SMB/Windows Admin Shares74 det.T1027Obfuscated Files or Information606 det.T1027.002Software Packing2 det.T1030Data Transfer Size Limits7 det.T1033System Owner/User Discovery61 det.T1036.004Masquerade Task or Service7 det.T1036.005Match Legitimate Resource Name or Location45 det.T1037Boot or Logon Initialization Scripts26 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1055Process Injection81 det.T1056.001Keylogging4 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.004Unix Shell165 det.T1069Permission Groups Discovery35 det.T1070.001Clear Windows Event Logs16 det.T1070.003Clear Command History15 det.T1070.004File Deletion43 det.T1071.001Web Protocols81 det.T1071.002File Transfer Protocols1 det.T1071.004DNS35 det.T1078Valid Accounts297 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.001Local Account33 det.T1087.002Domain Account57 det.T1090Proxy48 det.T1098.007Additional Local or Domain Groups10 det.T1102.001Dead Drop Resolver8 det.T1105Ingress Tool Transfer184 det.T1110Brute Force90 det.T1112Modify Registry203 det.T1133External Remote Services74 det.T1135Network Share Discovery20 det.T1136.001Local Account43 det.T1190Exploit Public-Facing Application227 det.T1195.002Compromise Software Supply Chain23 det.T1197BITS Jobs25 det.T1203Exploitation for Client Execution79 det.T1213.003Code Repositories9 det.T1218.001Compiled HTML File14 det.T1218.011Rundll3275 det.T1484.001Group Policy Modification19 det.T1486Data Encrypted for Impact374 det.T1496.001Compute Hijacking2 det.T1542.003Bootkit4 det.T1543.003Windows Service79 det.T1546.008Accessibility Features8 det.T1547.001Registry Run Keys / Startup Folder53 det.T1550.002Pass the Hash10 det.T1553.002Code Signing4 det.T1555Credentials from Password Stores41 det.T1555.003Credentials from Web Browsers16 det.T1560.001Archive via Utility26 det.T1562.006Indicator Blocking16 det.T1566.001Spearphishing Attachment979 det.T1568.002Domain Generation Algorithms11 det.T1569.002Service Execution64 det.T1570Lateral Tool Transfer23 det.T1574.001DLL111 det.T1574.006Dynamic Linker Hijacking24 det.T1588.002Tool13 det.T1595.002Vulnerability Scanning13 det.T1595.003Wordlist Scanning8 det.T1656Impersonation223 det.T1685Disable or Modify Tools279 det.T1685.005Clear Windows Event Logs12 det.