BRONZE BUTLER
Aliases: BRONZE BUTLER, REDBALDKNIGHT, Tick
[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
- Techniques: 40
- Covered: 39
- Gaps: 1
- Coverage: 98% (39/40)
GAPS (1)
COVERED (39)
| Technique ID | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1005 | Data from Local System | 46 |
| T1007 | System Service Discovery | 11 |
| T1018 | Remote System Discovery | 46 |
| T1027.001 | Binary Padding | 3 |
| T1027.003 | Steganography | 5 |
| T1036 | Masquerading | 493 |
| T1036.002 | Right-to-Left Override | 6 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1039 | Data from Network Shared Drive | 6 |
| T1053.002 | At | 17 |
| T1053.005 | Scheduled Task | 82 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1059.006 | Python | 43 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1080 | Taint Shared Content | 2 |
| T1083 | File and Directory Discovery | 48 |
| T1087.002 | Domain Account | 55 |
| T1102.001 | Dead Drop Resolver | 7 |
| T1105 | Ingress Tool Transfer | 170 |
| T1113 | Screen Capture | 17 |
| T1124 | System Time Discovery | 4 |
| T1132.001 | Standard Encoding | 5 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1189 | Drive-by Compromise | 10 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.002 | Malicious File | 397 |
| T1518 | Software Discovery | 15 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1548.002 | Bypass User Account Control | 83 |
| T1550.003 | Pass the Ticket | 11 |
| T1560.001 | Archive via Utility | 24 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1574.001 | DLL | 106 |
| T1588.002 | Tool | 13 |