{"description": "Enterprise techniques used by APT1, ATT&CK group G0006 v1.0", "name": "APT1 (G0006)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) gathered a list of running processes on the system using <code>tasklist /v</code>."}, {"score": 1, "techniqueID": "T1135", "techniqueName": "Network Share Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) listed connected network shares."}, {"score": 1, "techniqueID": "T1016", "techniqueName": "System Network Configuration Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used the <code>ipconfig /all</code> command to gather network configuration information."}, {"score": 1, "techniqueID": "T1119", "techniqueName": "Automated Collection", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used a batch script to perform a series of discovery techniques and saved the output to a text file."}, {"score": 1, "techniqueID": "T1087", "techniqueName": "Account Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net localgroup</code>, <code>net user</code>, and <code>net group</code> to find accounts on the system."}, {"score": 1, "techniqueID": "T1049", "techniqueName": "System Network Connections Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used the <code>net use</code> command to get a listing of network connections."}, {"score": 1, "techniqueID": "T1007", "techniqueName": "System Service Discovery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net start</code> and <code>tasklist</code> to get a listing of the services on the system."}, {"score": 1, "techniqueID": "T1005", "techniqueName": "Data from Local System", "comment": "[APT1](https://attack.mitre.org/groups/G0006) has collected files from a local victim."}, {"score": 1, 
"techniqueID": "T1002", "techniqueName": "Data Compressed", "comment": "[APT1](https://attack.mitre.org/groups/G0006) has used RAR to compress files before moving them outside of the victim network."}, {"score": 1, "techniqueID": "T1003", "techniqueName": "Credential Dumping", "comment": "[APT1](https://attack.mitre.org/groups/G0006) has been known to use credential dumping."}, {"score": 1, "techniqueID": "T1076", "techniqueName": "Remote Desktop Protocol", "comment": "The [APT1](https://attack.mitre.org/groups/G0006) group is known to have used RDP during operations."}, {"score": 1, "techniqueID": "T1059", "techniqueName": "Command-Line Interface", "comment": "[APT1](https://attack.mitre.org/groups/G0006) has used the Windows command shell to execute commands."}, {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[APT1](https://attack.mitre.org/groups/G0006) has used batch scripting to automate execution of commands."}, {"score": 1, "techniqueID": "T1036", "techniqueName": "Masquerading", "comment": "The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by [APT1](https://attack.mitre.org/groups/G0006) as a name for malware."}, {"score": 1, "techniqueID": "T1114", "techniqueName": "Email Collection", "comment": "[APT1](https://attack.mitre.org/groups/G0006) uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived."}, {"score": 1, "techniqueID": "T1075", "techniqueName": "Pass the Hash", "comment": "The [APT1](https://attack.mitre.org/groups/G0006) group is known to have used pass the hash."}, {"score": 1, "techniqueID": "T1326", "techniqueName": "Domain registration hijacking", "comment": "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes."}, {"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes."}, {"score": 1, "techniqueID": "T1334", "techniqueName": "Compromise 3rd party infrastructure to support delivery", "comment": "[APT1](https://attack.mitre.org/groups/G0006) compromised a vast set of 3rd party victim hop points as part of their network infrastructure."}, {"score": 1, "techniqueID": "T1333", "techniqueName": "Dynamic DNS", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used dynamic DNS to register hundreds of FQDNs."}, {"score": 1, "techniqueID": "T1346", "techniqueName": "Obtain/re-use payloads", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used publicly available privilege escalation tools."}, {"score": 1, "techniqueID": "T1330", "techniqueName": "Acquire and/or use 3rd party software services", "comment": "[APT1](https://attack.mitre.org/groups/G0006) used third party email services in the registration of whois records."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT1", "color": "#ff6666"}]}