menuPass | APT Profile

Description

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) [menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

Techniques Used (TTPs)

T1018 — Remote System Discovery (discovery)
T1047 — Windows Management Instrumentation (execution)
T1036 — Masquerading (defense-evasion)
T1070.004 — File Deletion (defense-evasion)
T1046 — Network Service Discovery (discovery)
T1049 — System Network Connections Discovery (discovery)
T1560.001 — Archive via Utility (collection)
T1566.001 — Spearphishing Attachment (initial-access)
T1105 — Ingress Tool Transfer (command-and-control)
T1588.002 — Tool (resource-development)
T1204.002 — Malicious File (execution)
T1090.002 — External Proxy (command-and-control)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1016 — System Network Configuration Discovery (discovery)
T1568.001 — Fast Flux DNS (command-and-control)
T1036.003 — Rename Legitimate Utilities (defense-evasion)
T1056.001 — Keylogging (collection, credential-access)
T1087.002 — Domain Account (discovery)
T1003.003 — NTDS (credential-access)
T1218.004 — InstallUtil (defense-evasion)
T1106 — Native API (execution)
T1003.002 — Security Account Manager (credential-access)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1199 — Trusted Relationship (initial-access)
T1190 — Exploit Public-Facing Application (initial-access)
T1074.002 — Remote Data Staging (collection)
T1070.003 — Clear Command History (defense-evasion)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1553.002 — Code Signing (defense-evasion)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1074.001 — Local Data Staging (collection)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1039 — Data from Network Shared Drive (collection)
T1003.004 — LSA Secrets (credential-access)
T1083 — File and Directory Discovery (discovery)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1560 — Archive Collected Data (collection)
T1059.003 — Windows Command Shell (execution)
T1005 — Data from Local System (collection)
T1059.001 — PowerShell (execution)
T1210 — Exploitation of Remote Services (lateral-movement)
T1021.004 — SSH (lateral-movement)
T1119 — Automated Collection (collection)
T1583.001 — Domains (resource-development)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)

Total TTPs: 46

Malware & Tools

Malware: ChChes, Cobalt Strike, Ecipekac, EvilGrab, FYAnti, HUI Loader, P8RAT, PlugX, PoisonIvy, RedLeaves, SNUGRIDE, SodaMaster, UPPERCUT

Tools: AdFind, Impacket, Mimikatz, Net, Ping, PowerSploit, PsExec, QuasarRAT, certutil, cmd, esentutl, pwdump

← Return to Home ← Back to APT Search