
Mustang Panda

Aliases: Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myan...

Techniques: 85
Covered: 73
Gaps: 12
Coverage: 86% (73/85)

COVERED (73)

T1001.003 Protocol or Service Impersonation: 2 det.
T1003 OS Credential Dumping: 106 det.
T1003.001 LSASS Memory: 105 det.
T1003.003 NTDS: 34 det.
T1003.006 DCSync: 14 det.
T1016 System Network Configuration Discovery: 35 det.
T1018 Remote System Discovery: 46 det.
T1027 Obfuscated Files or Information: 525 det.
T1036.005 Match Legitimate Resource Name or Location: 44 det.
T1036.007 Double File Extension: 4 det.
T1036.008 Masquerade File Type: 4 det.
T1041 Exfiltration Over C2 Channel: 30 det.
T1046 Network Service Discovery: 49 det.
T1047 Windows Management Instrumentation: 85 det.
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol: 20 det.
T1049 System Network Connections Discovery: 21 det.
T1052.001 Exfiltration over USB: 4 det.
T1053.005 Scheduled Task: 82 det.
T1057 Process Discovery: 18 det.
T1059 Command and Scripting Interpreter: 462 det.
T1059.001 PowerShell: 338 det.
T1059.003 Windows Command Shell: 79 det.
T1059.005 Visual Basic: 66 det.
T1059.007 JavaScript: 58 det.
T1069.002 Domain Groups: 42 det.
T1070 Indicator Removal: 56 det.
T1070.004 File Deletion: 40 det.
T1070.006 Timestomp: 9 det.
T1071.001 Web Protocols: 74 det.
T1072 Software Deployment Tools: 13 det.
T1074.001 Local Data Staging: 10 det.
T1082 System Information Discovery: 80 det.
T1083 File and Directory Discovery: 48 det.
T1087.002 Domain Account: 55 det.
T1091 Replication Through Removable Media: 8 det.
T1095 Non-Application Layer Protocol: 23 det.
T1102 Web Service: 33 det.
T1105 Ingress Tool Transfer: 170 det.
T1106 Native API: 27 det.
T1119 Automated Collection: 11 det.
T1129 Shared Modules: 10 det.
T1140 Deobfuscate/Decode Files or Information: 55 det.
T1203 Exploitation for Client Execution: 71 det.
T1204.001 Malicious Link: 9 det.
T1204.002 Malicious File: 397 det.
T1205 Traffic Signaling: 1 det.
T1218.004 InstallUtil: 15 det.
T1218.005 Mshta: 46 det.
T1219.002 Remote Desktop Software: 48 det.
T1505.003 Web Shell: 57 det.
T1518 Software Discovery: 15 det.
T1546.003 Windows Management Instrumentation Event Subscription: 17 det.
T1547.001 Registry Run Keys / Startup Folder: 50 det.
T1553.002 Code Signing: 3 det.
T1557 Adversary-in-the-Middle: 27 det.
T1560.001 Archive via Utility: 24 det.
T1564.001 Hidden Files and Directories: 23 det.
T1566.001 Spearphishing Attachment: 850 det.
T1566.002 Spearphishing Link: 837 det.
T1567.002 Exfiltration to Cloud Storage: 27 det.
T1572 Protocol Tunneling: 51 det.
T1574.001 DLL: 106 det.
T1574.005 Executable Installer File Permissions Weakness: 2 det.
T1583.001 Domains: 61 det.
T1583.006 Web Services: 1 det.
T1587.001 Malware: 9 det.
T1588.002 Tool: 13 det.
T1588.004 Digital Certificates: 1 det.
T1598.003 Spearphishing Link: 271 det.
T1608 Stage Capabilities: 6 det.
T1608.001 Upload Malware: 2 det.
T1622 Debugger Evasion: 1 det.
T1654 Log Enumeration: 1 det.