← Back to Actors
MirrorFace
MirrorFaceEarth Kasha
[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent [MirrorFace](https://attack.mitre.org/groups/G1054) operations included targets in Centra...
43
Techniques
40
Covered
3
Gaps
93%
Coverage
Coverage40/43
GAPS (3)
COVERED (40)
T1003.001LSASS Memory111 det.T1003.002Security Account Manager49 det.T1003.003NTDS36 det.T1005Data from Local System47 det.T1007System Service Discovery15 det.T1016System Network Configuration Discovery40 det.T1018Remote System Discovery51 det.T1021.001Remote Desktop Protocol53 det.T1021.002SMB/Windows Admin Shares74 det.T1027.013Encrypted/Encoded File8 det.T1033System Owner/User Discovery61 det.T1036.008Masquerade File Type5 det.T1047Windows Management Instrumentation88 det.T1057Process Discovery21 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1070.004File Deletion43 det.T1071.002File Transfer Protocols1 det.T1074.002Remote Data Staging3 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.002Domain Account57 det.T1090Proxy48 det.T1114.001Local Email Collection11 det.T1190Exploit Public-Facing Application227 det.T1204.002Malicious File441 det.T1221Template Injection1 det.T1482Domain Trust Discovery41 det.T1553.002Code Signing4 det.T1556.002Password Filter DLL3 det.T1560.001Archive via Utility26 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1574.001DLL111 det.T1587.001Malware10 det.T1588.002Tool13 det.T1614.001System Language Discovery2 det.T1685Disable or Modify Tools279 det.T1685.005Clear Windows Event Logs12 det.T1686.003Windows Host Firewall20 det.