Skip to content

G0143 Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.1

Item Value
ID G0143
Associated Names
Version 1.0
Created 18 January 2022
Last Modified 21 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE 2021-44228).1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.1
enterprise T1059.003 Windows Command Shell Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Aquatic Panda has deleted malicious executables from compromised machines.1
enterprise T1105 Ingress Tool Transfer Aquatic Panda has downloaded additional malware onto compromised hosts.1
enterprise T1027 Obfuscated Files or Information Aquatic Panda has encoded commands in Base64.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware Aquatic Panda has acquired and used njRAT in its operations.1
enterprise T1588.002 Tool Aquatic Panda has acquired and used Cobalt Strike in its operations.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.1
enterprise T1082 System Information Discovery Aquatic Panda has used native OS commands to understand privilege levels and system details.1
enterprise T1007 System Service Discovery Aquatic Panda has attempted to discover services for third party EDR products.1

Software

ID Name References Techniques
S0154 Cobalt Strike 1 Bypass User Account Control:Abuse Elevation Control Mechanism Sudo and Sudo Caching:Abuse Elevation Control Mechanism Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Domain Account:Account Discovery Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Multiband Communication Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services Remote Desktop Protocol:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services SSH:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0385 njRAT - Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal on Host Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Obfuscated Files or Information Compile After Delivery:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture

References

Back to top