APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. ^[1]

ID: G0025

ⓘ

Associated Groups: Deputy Dog

Version: 1.1

Created: 31 May 2017

Last Modified: 04 September 2024

Associated Group Descriptions

Name	Description
Deputy Dog	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1585		建立账户	APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.^[1]
Enterprise	T1583	.006	获取基础设施: Web Services	APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.^[1]

Software

ID	Name	References	Techniques
S0069	BLACKCOFFEE	^[1]	命令与脚本解释器: Windows Command Shell, 多阶段信道, 文件和目录发现, 移除指标: File Deletion, 网络服务: Dead Drop Resolver, 网络服务: Bidirectional Communication, 进程发现

References

FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.

APT17

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References