Skip to content

G0006 APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. 1

Item Value
ID G0006
Associated Names Comment Crew, Comment Group, Comment Panda
Version 1.4
Created 31 May 2017
Last Modified 26 May 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Comment Crew 1
Comment Group 1
Comment Panda 2

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account APT1 used the commands net localgroup,net user, and net group to find accounts on the system.1
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains APT1 has registered hundreds of domains for use in operations.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT1 has used RAR to compress files before moving them outside of the victim network.1
enterprise T1119 Automated Collection APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.1
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.1
enterprise T1005 Data from Local System APT1 has collected files from a local victim.1
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.1
enterprise T1114.002 Remote Email Collection APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.1
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location The file name AcroRD32.exe, a legitimate process name for Adobe’s Acrobat Reader, was used by APT1 as a name for malware.14
enterprise T1135 Network Share Discovery APT1 listed connected network shares.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware APT1 used publicly available malware for privilege escalation.1
enterprise T1588.002 Tool APT1 has used various open-source tools for privilege escalation purposes.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory APT1 has been known to use credential dumping using Mimikatz.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT1 has sent spearphishing emails containing malicious attachments.1
enterprise T1566.002 Spearphishing Link APT1 has sent spearphishing emails containing hyperlinks to malicious files.1
enterprise T1057 Process Discovery APT1 gathered a list of running processes on the system using tasklist /v.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol The APT1 group is known to have used RDP during operations.3
enterprise T1016 System Network Configuration Discovery APT1 used the ipconfig /all command to gather network configuration information.1
enterprise T1049 System Network Connections Discovery APT1 used the net use command to get a listing on network connections.1
enterprise T1007 System Service Discovery APT1 used the commands net start and tasklist to get a listing of the services on the system.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash The APT1 group is known to have used pass the hash.1

Software

ID Name References Techniques
S0017 BISCUIT 1 Windows Command Shell:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Fallback Channels Ingress Tool Transfer Keylogging:Input Capture Process Discovery Screen Capture System Information Discovery System Owner/User Discovery
S0119 Cachedump 1 Cached Domain Credentials:OS Credential Dumping
S0025 CALENDAR 1 Windows Command Shell:Command and Scripting Interpreter Bidirectional Communication:Web Service
S0026 GLOOXMAIL 1 Bidirectional Communication:Web Service
S0008 gsecdump 1 LSA Secrets:OS Credential Dumping Security Account Manager:OS Credential Dumping
S0100 ipconfig 1 System Network Configuration Discovery
S0121 Lslsass 1 LSASS Memory:OS Credential Dumping
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0039 Net 1 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0122 Pass-The-Hash Toolkit 1 Pass the Hash:Use Alternate Authentication Material
S0012 PoisonIvy 1 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0029 PsExec 1 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0006 pwdump 1 Security Account Manager:OS Credential Dumping
S0345 Seasalt 45 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Masquerade Task or Service:Masquerading Obfuscated Files or Information Process Discovery
S0057 Tasklist 1 Process Discovery Security Software Discovery:Software Discovery System Service Discovery
S0109 WEBC2 1 Windows Command Shell:Command and Scripting Interpreter DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer
S0123 xCmd 4 Service Execution:System Services

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  2. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  3. FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 4, 2014. 

  4. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  5. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.