Threat Group-3390
Aliases: Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
Techniques: 57 | Covered: 54 | Gaps: 3 | Coverage: 95% (54/57)
COVERED (54)
| Technique | Name | Detections |
| --- | --- | --- |
| T1003.001 | LSASS Memory | 105 |
| T1003.002 | Security Account Manager | 45 |
| T1003.004 | LSA Secrets | 16 |
| T1005 | Data from Local System | 46 |
| T1012 | Query Registry | 22 |
| T1016 | System Network Configuration Discovery | 35 |
| T1018 | Remote System Discovery | 46 |
| T1021.006 | Windows Remote Management | 22 |
| T1027.002 | Software Packing | 1 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1027.015 | Compression | 2 |
| T1030 | Data Transfer Size Limits | 6 |
| T1033 | System Owner/User Discovery | 59 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.002 | At | 17 |
| T1055.012 | Process Hollowing | 8 |
| T1056.001 | Keylogging | 4 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.004 | File Deletion | 40 |
| T1070.005 | Network Share Connection Removal | 6 |
| T1071.001 | Web Protocols | 74 |
| T1074.001 | Local Data Staging | 10 |
| T1074.002 | Remote Data Staging | 3 |
| T1078 | Valid Accounts | 252 |
| T1087.001 | Local Account | 32 |
| T1105 | Ingress Tool Transfer | 170 |
| T1112 | Modify Registry | 197 |
| T1119 | Automated Collection | 11 |
| T1133 | External Remote Services | 72 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1189 | Drive-by Compromise | 10 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.002 | Malicious File | 397 |
| T1210 | Exploitation of Remote Services | 33 |
| T1505.003 | Web Shell | 57 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1548.002 | Bypass User Account Control | 83 |
| T1555.005 | Password Managers | 4 |
| T1560.002 | Archive via Library | 1 |
| T1562.002 | Disable Windows Event Logging | 42 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1567.002 | Exfiltration to Cloud Storage | 27 |
| T1574.001 | DLL | 106 |
| T1583.001 | Domains | 61 |
| T1588.002 | Tool | 13 |
| T1608.001 | Upload Malware | 2 |