Description
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
Techniques Used (TTPs)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1104 — Multi-Stage Channels (command-and-control)
- T1110.002 — Password Cracking (credential-access)
- T1564.003 — Hidden Window (defense-evasion)
- T1555.003 — Credentials from Web Browsers (credential-access)
- T1059.003 — Windows Command Shell (execution)
- T1016 — System Network Configuration Discovery (discovery)
- T1049 — System Network Connections Discovery (discovery)
- T1090.002 — External Proxy (command-and-control)
- T1218.011 — Rundll32 (defense-evasion)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1566.002 — Spearphishing Link (initial-access)
- T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
- T1204.001 — Malicious Link (execution)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1552.001 — Credentials In Files (credential-access)
- T1074.001 — Local Data Staging (collection)
- T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1005 — Data from Local System (collection)
- T1203 — Exploitation for Client Execution (execution)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1087.001 — Local Account (discovery)
- T1070.004 — File Deletion (defense-evasion)
- T1083 — File and Directory Discovery (discovery)
- T1546.008 — Accessibility Features (privilege-escalation, persistence)
- T1560.001 — Archive via Utility (collection)
- T1082 — System Information Discovery (discovery)
- T1059.001 — PowerShell (execution)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1003.001 — LSASS Memory (credential-access)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1057 — Process Discovery (discovery)
- T1095 — Non-Application Layer Protocol (command-and-control)
- T1069 — Permission Groups Discovery (discovery)
- T1018 — Remote System Discovery (discovery)
- T1056.001 — Keylogging (collection, credential-access)
- T1036.010 — Masquerade Account Name (defense-evasion)
- T1027.002 — Software Packing (defense-evasion)
- T1136.001 — Local Account (persistence)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1033 — System Owner/User Discovery (discovery)
- T1027.005 — Indicator Removal from Tools (defense-evasion)
Total TTPs: 44