Aquatic Panda | APT Profile

Description

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Techniques Used (TTPs)

T1027.010 — Command Obfuscation (defense-evasion)
T1087 — Account Discovery (discovery)
T1070.004 — File Deletion (defense-evasion)
T1059.004 — Unix Shell (execution)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1574.006 — Dynamic Linker Hijacking (persistence, privilege-escalation, defense-evasion)
T1070.003 — Clear Command History (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1005 — Data from Local System (collection)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1007 — System Service Discovery (discovery)
T1654 — Log Enumeration (discovery)
T1021.004 — SSH (lateral-movement)
T1112 — Modify Registry (defense-evasion, persistence)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1588.001 — Malware (resource-development)
T1518.001 — Security Software Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1047 — Windows Management Instrumentation (execution)
T1588.002 — Tool (resource-development)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1003.001 — LSASS Memory (credential-access)
T1021 — Remote Services (lateral-movement)
T1082 — System Information Discovery (discovery)
T1218.011 — Rundll32 (defense-evasion)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1560.001 — Archive via Utility (collection)
T1059.001 — PowerShell (execution)

Total TTPs: 35

Malware & Tools

Malware: Cobalt Strike, ShadowPad, Winnti for Linux, Winnti for Windows, njRAT

Tools: Wevtutil

← Return to Home ← Back to APT Search