Description
[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)
Techniques Used (TTPs)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1059.001 — PowerShell (execution)
- T1564.003 — Hidden Window (defense-evasion)
- T1016 — System Network Configuration Discovery (discovery)
- T1033 — System Owner/User Discovery (discovery)
- T1218.011 — Rundll32 (defense-evasion)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1189 — Drive-by Compromise (initial-access)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1071.001 — Web Protocols (command-and-control)
- T1059 — Command and Scripting Interpreter (execution)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1204.002 — Malicious File (execution)
- T1082 — System Information Discovery (discovery)
- T1132.001 — Standard Encoding (command-and-control)
- T1588.002 — Tool (resource-development)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1218.010 — Regsvr32 (defense-evasion)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1027.010 — Command Obfuscation (defense-evasion)
Total TTPs: 21
Malware & Tools
Malware: Cobalt Strike
Tools: Empire