Cyber Threats from China
Understand more about cyber threat actors and intrusion sets attributed to China.
Cyber Threat Graph
Explore the related entities on the cyber threat graph.
Intrusion Sets
Cyber intrusion sets attributed to China.
APT1
APT1 was one of the first publicly attributed advanced persistent threats following the APT1 report published by Mandiant. Mandiant linked them to ...
APT2
APT2 is an intrusion set tracked by Mandiant. They were first observed in 2010 and have been observed conducting theft of intellectual property.
APT3
APT3 is an intrusion set which Mandiant attribute to China. Mandiant reports that the group has targeted organisations in aerospace and defense, ...
APT31
APT31, attributed to China, is a cyber espionage actor. The group's primary focus is to obtain information that can provide the Chinese government ...
APT40
APT40 is a threat actor originally identified by researchers at Mandiant and attributed to the Chinese government. A 2021 US Department of Justice ...
APT41
APT41 is a Chinese state-sponsored group involved in espionage and cyber crime, targeting sectors aligned with China's economic plans. The group ...
BRONZE PRESIDENT
BRONZE PRESIDENT is an intrusion set tracked by Secureworks and linked to the Chinese government. The group has been active since at least 2018, ...
BlackTech
BlackTech is a cyber espionage group reported as being active since at least 2010 and linked to the People's Republic of China. The group is known ...
Earth Hundun
Earth Hundun is a cyber espionage intrusion set tracked by researchers at Trend Micro. The group is believed to be based in China and has been ...
Earth Krahang
Earth Krahang is an intrusion set tracked by researchers at Trend Micro since early 2022. The group has been observed targeting government ...
Earth Lusca
Earth Lusca is an intrusion set which has been observed by Trend Micro since 2021. The group use spear phishing and watering holes to gain initial ...
Ethereal Panda
ETHEREAL PANDA is a China-based intrusion set tracked by CrowdStrike, with suspected overlap with Flax Typhoon (an intrusion set tracked by ...
Evasive Panda
Evasive Panda is an intrusion set originally identified by researchers from Malwarebytes. The group has been active since at least 2014 and is ...
Evil Eye
Evil Eye is an intrusion set tracked by Volexity researchers since at least 2019. According to Volexity, Evil Eye has been observed targeting ...
EvilBamboo
EvilBamboo is a cyber intrusion set tracked by researchers at Volexity. The group was originally tracked under the name Evil Eye. According to ...
Flax Typhoon
Flax Typhoon is a cyber intrusion set tracked by researchers at Microsoft Threat Intelligence who attribute the group as a nation-state adversary ...
HAFNIUM
HAFNIUM is an intrusion set originally identified by Microsoft researchers. In March 2021, HAFNIUM were observed targeting Microsoft Exchange ...
Insidious Taurus
Insidious Taurus is an intrusion set identified by researchers from Palo Alto which is also known as Volt Typhoon. The group have been called out by ...
JACKPOT PANDA
JACKPOT PANDA is a cyber intrusion set tracked by CrowdStrike who state that the actor has been active since at least May 2020 and likely operates ...
Leviathan
Leviathan is a cyber espionage actor originally identified by researchers at Proofpoint who report the actor as being active since at least 2014. ...
Muddling Meerkat
Muddling Meerkat is an actor tracked by researchers at Infoblox and assorted partners. Infoblox suggest that the group appear to be a People's ...
Mustang Panda
MUSTANG PANDA is an adversary attributed to China and originally identified by CrowdStrike. The group has been observed using exploits and ...
Naikon
The Naikon intrusion set has reportedly been active since 2010. Threat researchers from Kaspersky, ThreatConnect, Bitdefender and more have ...
Putter Panda
Putter Panda is an intrusion set identified by CrowdStrike and attributed to China.
RedAlpha
The RedAlpha group is an advanced persistent threat (APT) group tracked by analysts at Recorded Future. The group is thought to have been active ...
RedFoxtrot
RedFoxtrot is a suspected Chinese state-sponsored intrusion set tracked by Recorded Future's Insikt Group and linked to the People's Liberation ...
RedHotel
RedHotel is a group tracked by Recorded Future's Insikt Group and formerly referred to as TAG-22. RedHotel is a highly active Chinese state- ...
Silk Typhoon
Silk Typhoon is an intrusion set originally identified by Microsoft researchers. In March 2021, the group was observed targeting Microsoft ...
Storm-0558
Storm-0558 is an intrusion set tracked by researchers at Microsoft and attributed as a China-based threat actor. In May 2023, the group was able ...
TAG-22
TAG-22 is an intrusion set tracked by Recorded Future and later designated as Red Hotel. The group shows overlaps with the 'Winnti Group' and is ...
TeleBoyi
TeleBoyi is an intrusion set tracked by TeamT5. According to researchers, TeleBoyi is a China-nexus group which has been active since at least ...
Tonto Team
Tonto Team is an intrusion set which has been linked to China and observed targeting military, diplomatic and infrastructure organisations in Asia ...
UNC2630
UNC2630 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...
UNC2717
UNC2717 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...
UNC3886
UNC3886 is an intrusion set tracked by researchers at Google's Mandiant. Although the group has not been formally attributed or identified as a ...
UNC5174
UNC5174 is an uncategorised intrusion set tracked by Mandiant. Although UNC5174 has not been formally designated, Mandiant state with moderate ...
Violet Typhoon
Violet Typhoon is an intrusion set tracked by Microsoft and formerly known as ZIRCONIUM. The group, who Microsoft link to APT31, is attributed to ...
Volt Typhoon
Volt Typhoon is a cyber intrusion set first identified by Microsoft. Threat researchers at Microsoft state that the group has been active since ...
Wicked Panda
WICKED PANDA is an intrusion set tracked by researchers at CrowdStrike, who identify it as 'one of the most prolific and effective China-based ...
Wicked Spider
WICKED SPIDER is an intrusion set tracked by CrowdStrike. The actor behind WICKED SPIDER operates with two distinct motivations: targeted ...
Winnti
Over time, Winnti (also known as Winnti Group) has become an umbrella term which likely covers multiple overlapping threat groups linked to the ...
Zirconium
Zirconium is an intrusion set tracked by Microsoft, which shows overlap with APT31. Microsoft subsequently renamed the group as 'Violet Typhoon'. ...
Threat Actors
Cyber threat actors attributed to China.
Chengdu 404
Chengdu 404, or Chengdu 404 Network Technology, is a PRC (People's Republic of China) company which has been identified by the US justice ...
Chinese Ministry of State Security
The Chinese Ministry of State Security (MSS) has been linked by CISA and other agencies to multiple cyber APTs (Advanced Persistent Threats). CISA ...
Guangzhou Boyu Information Technology Company (Boyusec)
Guangzhou Boyu Information Technology Company, known as Boyusec, is a Chinese company based in Guangzhou with reported links to the Chinese ...
Hainan State Security Department
According to the US Department of Justice, Hainan State Security Department (HSSD) is a provincial arm of China’s Ministry of State Security ...
Hainan Xiandun Technology Development Company
According to the US Department of Justice, Hainan Xiandun Technology Development Co. Ltd (Hainan Xiandun) was established as a front company by ...
People’s Liberation Army (PLA) Unit 61398
PLA 61398's full title is China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover ...
People’s Liberation Army (PLA) Unit 61486
In June 2014, CrowdStrike researchers identified Chinese PLA 3rd Department 12th Bureau Unit 61486 as the threat actor likely to be behind the ...
People’s Liberation Army (PLA) Unit 65017
PLA Unit 65017 was identified by FireEye as the Chinese cyber threat actor potentially behind the Tonto Team intrusion set.
People’s Liberation Army (PLA) Unit 69010
According to analysis by Recorded Future, Unit 69010 is likely the Military Unit Cover Designator (MUCD) for a Technical Reconnaissance Bureau ...
People’s Liberation Army (PLA) Unit 78020
The Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau, or PLA Unit 78020, was identified by ...
Wuhan Xiaoruizhi Science and Technology Company Limited
According to the US and UK governments, Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) is a front company for China's ...
i-SOON
According to public reporting, i-SOON is a Chinese cyber security company which develops malware and carries out cyber espionage operations on ...
Threat Reports
Publicly available threat reporting on cyber attacks and campaigns attributed to China.
APT1: Exposing One of China's Cyber Espionage Units
The APT1 report represents years of work by Mandiant, who analysed data across hundreds of breaches globally. The report identifies APT1 as a ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
ANALYSIS OF THE APT31 INDICTMENT
Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...
MUDDLING MEERKAT: THE GREAT FIREWALL MANIPULATOR
This research from Infoblox details a sophisticated cyber operation involving DNS queries, open DNS resolvers, and China's Great Firewall, ...
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
This short post from Mandiant researchers details how UNC3886 were observed exploiting a zero-day vulnerability in VMware tools for approximately ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusion activity by the UNC3886 intrusion set which involved the deployment of ...
APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation
This 2022 report by researchers at FireEye Threat Intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi and was presented at JPCERT's JSAC2024 conference on January ...
Review of the Summer 2023 Microsoft Exchange Online Intrusion
This report by the US Cyber Safety Review Board presents the findings of an investigation into the compromise of Microsoft Exchange Online mailboxes ...
Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT
This report by the Dutch AIVD and MIVD is a cybersecurity advisory covering activity which they attribute to Chinese threat actors. The report ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Putter Panda Intelligence Report
This intelligence report published by CrowdStrike outlines cyber espionage activity against Western companies which they attribute to Putter ...
HAFNIUM targeting Exchange Servers with 0-day exploits
In March 2021 Microsoft detected multiple zero-day exploits being used as part of a widespread campaign by HAFNIUM / Silk Typhoon. This report ...
Project CAMERASHY
This report by ThreatConnect and Defense Group Inc outlines activities by the Naikon APT (advanced persistent threat) group and attributes them to ...
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
I-Soon leak: KELA’s insights
This blog post outlines KELA's analysis of the 2024 I-SOON data leak. According to the article, I-Soon had relationships with Chinese governmental ...
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by threat actors attributed to China.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1027.003 | Steganography | Defense Evasion |
T1190 | Exploit Public-Facing Application | Initial Access |
T1047 | Windows Management Instrumentation | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1021.006 | Windows Remote Management | Lateral Movement |
T1539 | Steal Web Session Cookie | Credential Access |
T1010 | Application Window Discovery | Discovery |
T1212 | Exploitation for Credential Access | Credential Access |
T1112 | Modify Registry | Defense Evasion |
T1587.003 | Digital Certificates | Resource Development |
T1587.001 | Malware | Resource Development |
T1046 | Network Service Discovery | Discovery |
T1203 | Exploitation for Client Execution | Execution |
T1070.004 | File Deletion | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1187 | Forced Authentication | Credential Access |
T1090.003 | Multi-hop Proxy | Command and Control |
T1027.002 | Software Packing | Defense Evasion |
T1001.003 | Protocol Impersonation | Command and Control |
T1590.001 | Domain Properties | Reconnaissance |
T1036 | Masquerading | Defense Evasion |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1102.003 | One-Way Communication | Command and Control |
T1087.003 | Email Account | Discovery |
T1583 | Acquire Infrastructure | Resource Development |
T1572 | Protocol Tunneling | Command and Control |
T1074.001 | Local Data Staging | Collection |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1049 | System Network Connections Discovery | Discovery |
T1137.001 | Office Template Macros | Persistence |
T1552.001 | Credentials In Files | Credential Access |
T1135 | Network Share Discovery | Discovery |
T1218.010 | Regsvr32 | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1204.002 | Malicious File | Execution |
T1069.002 | Domain Groups | Discovery |
T1555.001 | Keychain | Credential Access |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1040 | Network Sniffing | Credential Access, Discovery |
T1059.003 | Windows Command Shell | Execution |
T1039 | Data from Network Shared Drive | Collection |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1056.001 | Keylogging | Collection, Credential Access |
T1036.004 | Masquerade Task or Service | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1497.001 | System Checks | Defense Evasion, Discovery |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1057 | Process Discovery | Discovery |
T1071.002 | File Transfer Protocols | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1014 | Rootkit | Defense Evasion |
T1555 | Credentials from Password Stores | Credential Access |
T1564.003 | Hidden Window | Defense Evasion |
T1124 | System Time Discovery | Discovery |
T1528 | Steal Application Access Token | Credential Access |
T1592 | Gather Victim Host Information | Reconnaissance |
T1583.001 | Domains | Resource Development |
T1115 | Clipboard Data | Collection |
T1056.003 | Web Portal Capture | Collection, Credential Access |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1589.002 | Email Addresses | Reconnaissance |
T1071.001 | Web Protocols | Command and Control |
T1189 | Drive-by Compromise | Initial Access |
T1496 | Resource Hijacking | Impact |
T1059 | Command and Scripting Interpreter | Execution |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1133 | External Remote Services | Initial Access, Persistence |
T1114 | Email Collection | Collection |
T1083 | File and Directory Discovery | Discovery |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1560.002 | Archive via Library | Collection |
T1021 | Remote Services | Lateral Movement |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1059.002 | AppleScript | Execution |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1102.001 | Dead Drop Resolver | Command and Control |
T1114.002 | Remote Email Collection | Collection |
T1218.005 | Mshta | Defense Evasion |
T1553.002 | Code Signing | Defense Evasion |
T1588.003 | Code Signing Certificates | Resource Development |
T1202 | Indirect Command Execution | Defense Evasion |
T1110.002 | Password Cracking | Credential Access |
T1087.001 | Local Account | Discovery |
T1566 | Phishing | Initial Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1584 | Compromise Infrastructure | Resource Development |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1588.004 | Digital Certificates | Resource Development |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1566.001 | Spearphishing Attachment | Initial Access |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1585.003 | Cloud Accounts | Resource Development |
T1106 | Native API | Execution |
T1090 | Proxy | Command and Control |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1016.001 | Internet Connection Discovery | Discovery |
T1587.002 | Code Signing Certificates | Resource Development |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1033 | System Owner/User Discovery | Discovery |
T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1505.003 | Web Shell | Persistence |
T1059.005 | Visual Basic | Execution |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1571 | Non-Standard Port | Command and Control |
T1074.002 | Remote Data Staging | Collection |
T1586 | Compromise Accounts | Resource Development |
T1489 | Service Stop | Impact |
T1102 | Web Service | Command and Control |
T1592.002 | Software | Reconnaissance |
T1018 | Remote System Discovery | Discovery |
T1005 | Data from Local System | Collection |
T1560 | Archive Collected Data | Collection |
T1003.001 | LSASS Memory | Credential Access |
T1119 | Automated Collection | Collection |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1562 | Impair Defenses | Defense Evasion |
T1589.001 | Credentials | Reconnaissance |
T1087.002 | Domain Account | Discovery |
T1569.002 | Service Execution | Execution |
T1573 | Encrypted Channel | Command and Control |
T1213 | Data from Information Repositories | Collection |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1110.001 | Password Guessing | Credential Access |
T1561 | Disk Wipe | Impact |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1070.006 | Timestomp | Defense Evasion |
T1007 | System Service Discovery | Discovery |
T1559 | Inter-Process Communication | Execution |
T1482 | Domain Trust Discovery | Discovery |
T1102.002 | Bidirectional Communication | Command and Control |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1059.006 | Python | Execution |
T1012 | Query Registry | Discovery |
T1059.004 | Unix Shell | Execution |
T1558.003 | Kerberoasting | Credential Access |
T1003.006 | DCSync | Credential Access |
T1082 | System Information Discovery | Discovery |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1003.003 | NTDS | Credential Access |
T1518 | Software Discovery | Discovery |
T1529 | System Shutdown/Reboot | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1027.004 | Compile After Delivery | Defense Evasion |
T1620 | Reflective Code Loading | Defense Evasion |
T1583.002 | DNS Server | Resource Development |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1560.001 | Archive via Utility | Collection |
T1003 | OS Credential Dumping | Credential Access |
T1071 | Application Layer Protocol | Command and Control |
T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1505 | Server Software Component | Persistence |
T1598.003 | Spearphishing Link | Reconnaissance |
T1573.001 | Symmetric Cryptography | Command and Control |
T1129 | Shared Modules | Execution |
T1218.011 | Rundll32 | Defense Evasion |
T1555.005 | Password Managers | Credential Access |
T1552 | Unsecured Credentials | Credential Access |
T1070.003 | Clear Command History | Defense Evasion |
T1087 | Account Discovery | Discovery |
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
T1070 | Indicator Removal | Defense Evasion |
T1021.004 | SSH | Lateral Movement |
T1095 | Non-Application Layer Protocol | Command and Control |
T1016 | System Network Configuration Discovery | Discovery |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1565.001 | Stored Data Manipulation | Impact |
T1090.002 | External Proxy | Command and Control |
T1069.001 | Local Groups | Discovery |
T1110.003 | Password Spraying | Credential Access |
T1110 | Brute Force | Credential Access |
T1113 | Screen Capture | Collection |
T1074 | Data Staged | Collection |
T1021.007 | Cloud Services | Lateral Movement |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1614 | System Location Discovery | Discovery |
T1069 | Permission Groups Discovery | Discovery |
T1120 | Peripheral Device Discovery | Discovery |
T1654 | Log Enumeration | Discovery |
T1217 | Browser Information Discovery | Discovery |
T1552.004 | Private Keys | Credential Access |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1070.009 | Clear Persistence | Defense Evasion |
T1006 | Direct Volume Access | Defense Evasion |
T1588.005 | Exploits | Resource Development |
T1587.004 | Exploits | Resource Development |
T1584.004 | Server | Resource Development |
T1584.005 | Botnet | Resource Development |
T1583.003 | Virtual Private Server | Resource Development |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1591 | Gather Victim Org Information | Reconnaissance |
T1590 | Gather Victim Network Information | Reconnaissance |
T1589 | Gather Victim Identity Information | Reconnaissance |
T1136 | Create Account | Persistence |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1592.004 | Client Configurations | Reconnaissance |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1554 | Compromise Client Software Binary | Persistence |
T1600 | Weaken Encryption | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1001 | Data Obfuscation | Command and Control |
T1027.009 | Embedded Payloads | Defense Evasion |
T1204.001 | Malicious Link | Execution |
T1059.007 | JavaScript | Execution |
T1036.007 | Double File Extension | Defense Evasion |
T1132 | Data Encoding | Command and Control |
T1566.002 | Spearphishing Link | Initial Access |
T1020 | Automated Exfiltration | Exfiltration |
T1608.004 | Drive-by Target | Resource Development |
T1195.002 | Compromise Software Supply Chain | Initial Access |
T1583.006 | Web Services | Resource Development |
T1583.004 | Server | Resource Development |
T1601.001 | Patch System Image | Defense Evasion |
T1199 | Trusted Relationship | Initial Access |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1586.002 | Email Accounts | Resource Development |
T1608.005 | Link Target | Resource Development |
T1003.002 | Security Account Manager | Credential Access |
T1588.001 | Malware | Resource Development |
T1608.001 | Upload Malware | Resource Development |
T1608.002 | Upload Tool | Resource Development |
T1595.001 | Scanning IP Blocks | Reconnaissance |
T1534 | Internal Spearphishing | Lateral Movement |
T1656 | Impersonation | Defense Evasion |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1531 | Account Access Removal | Impact |
T1608.003 | Install Digital Certificate | Resource Development |
T1136.001 | Local Account | Persistence |