## Description

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044), but the two groups appear to be distinct based on differences in reporting on TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)
## Techniques Used (TTPs)

- T1001.002 — Steganography (command-and-control)
- T1005 — Data from Local System (collection)
- T1560 — Archive Collected Data (collection)
- T1584.005 — Botnet (resource-development)
- T1189 — Drive-by Compromise (initial-access)
- T1553 — Subvert Trust Controls (defense-evasion)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1583.002 — DNS Server (resource-development)
- T1203 — Exploitation for Client Execution (execution)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1583.003 — Virtual Private Server (resource-development)
- T1563.002 — RDP Hijacking (lateral-movement)
- T1546.008 — Accessibility Features (privilege-escalation, persistence)
- T1566 — Phishing (initial-access)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1003 — OS Credential Dumping (credential-access)

Total TTPs: 16