Advanced Persistent Threat Groups
Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules detect the following APT groups:
- APT-C-27
- APT-C-36
- APT-C-37
- APT1
- APT2
- APT3
- APT4
- APT5
- APT6
- APT10
- APT12
- APT15
- APT16
- APT17
- APT18
- APT19
- APT20
- APT27
- APT28
- APT29
- APT31
- APT32
- APT33
- APT34
- APT35
- APT36
- APT37
- APT38
- APT39
- APT40
- APT41
APT-C-27
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT-C-27 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT-C-27 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT-C-27 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
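The three rule kinds above (a DNS request for a listed domain, a web request to a listed domain, and execution of a binary whose hash is listed) are indicator matches against a threat library. As an added example that is not Rapid7's rule logic, the following Python runs those three checks over constructed JSON-line telemetry against a constructed placeholder indicator set (`APT-EXAMPLE`, `*.example-bad.test`, and a hash of a made-up sample), and carries the page's triage caveat that domain-based alerts may be ordinary browsing:

```python
"""Indicator-of-compromise matching for the three detection kinds on this page.
Added example; the actor name, domains, hashes and log events are constructed."""
import hashlib
import json
from typing import Optional
from urllib.parse import urlsplit

ACTOR = "APT-EXAMPLE"  # placeholder actor, not one of the groups on the page

# Constructed placeholder indicators standing in for one actor's threat-library
# entry. Real indicators would come from the library, never from this file.
IOC_DOMAINS = {"c2.example-bad.test", "update.example-bad.test"}
IOC_SHA256 = {hashlib.sha256(b"CONSTRUCTED-SAMPLE-BINARY").hexdigest()}

# Constructed sample telemetry, one JSON event per line (DNS, web proxy, EDR).
SAMPLE_LOG = "\n".join([
    json.dumps({"type": "dns", "host": "ws-01", "query": "www.example.com."}),
    json.dumps({"type": "dns", "host": "ws-01", "query": "Beacon.C2.example-bad.test."}),
    json.dumps({"type": "web", "host": "ws-02", "url": "http://update.example-bad.test/a.php"}),
    json.dumps({"type": "process", "host": "ws-03", "image": "C:\\Users\\u\\tool.exe",
                "sha256": hashlib.sha256(b"benign").hexdigest()}),
    json.dumps({"type": "process", "host": "ws-03", "image": "C:\\Users\\u\\svc.exe",
                "sha256": hashlib.sha256(b"CONSTRUCTED-SAMPLE-BINARY").hexdigest().upper()}),
])


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def domain_matches(name: str, iocs) -> Optional[str]:
    """Return the listed domain if `name` is that domain or a subdomain of it.

    Suffix matching on a label boundary catches beacon.c2.example-bad.test
    without also matching look-alikes such as evil-c2.example-bad.test.
    """
    name = normalize_domain(name)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url: str) -> str:
    """Extract the host a web request was sent to."""
    return urlsplit(url).hostname or ""


def make_alert(kind: str, event: dict, indicator: str) -> dict:
    rule = {
        "dns": "Suspicious DNS Request - %s Related Domain Observed",
        "web": "Suspicious Web Request - %s Related Domain Observed",
        "process": "Suspicious Process - %s Related Binary Executed",
    }[kind] % ACTOR
    return {
        "rule": rule,
        "actor": ACTOR,
        "host": event["host"],
        "indicator": indicator,
        # Per the page's recommendation: domain-based alerts may stem from normal
        # browsing and need analyst review; a hash match is not explained that way.
        "possible_benign_browsing": kind in ("dns", "web"),
    }


def detect(event: dict) -> Optional[dict]:
    """Apply the rule matching the event type; return an alert or None."""
    kind = event.get("type")
    if kind == "dns":
        hit = domain_matches(event["query"], IOC_DOMAINS)
    elif kind == "web":
        hit = domain_matches(host_from_url(event["url"]), IOC_DOMAINS)
    elif kind == "process":
        digest = event["sha256"].lower()  # hashes are compared case-insensitively
        hit = digest if digest in IOC_SHA256 else None
    else:
        return None
    return make_alert(kind, event, hit) if hit else None


def run_detections(log_text: str) -> list:
    """Run every event in a JSON-lines log through the detections."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = detect(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(a["rule"], "| host:", a["host"], "| indicator:", a["indicator"])
```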
APT-C-36
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT-C-36 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT-C-36 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT-C-36 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT-C-37
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT-C-37 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT-C-37 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT-C-37 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT1
APT1 is a Chinese threat group attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also referred to as its Military Unit Cover Designator (MUCD), Unit 61398.
Other names for this group include:
- Brown Fox
- Byzantine Candor
- Comment Crew
- Comment Group
- Comment Panda
- GIF89a
- Group 3
- PLA Unit 61398
- ShadyRAT
- Shanghai Group
- Siesta
- TG-8223
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT1.
Suspicious DNS Request - APT1 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT1 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT1 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT2
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT2 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT2 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT2 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT3
APT3 is a Chinese-based threat group attributed to China’s Ministry of State Security. This group is responsible for the campaigns Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, this group appears to have shifted from targeting primarily United States victims to targeting political organizations in Hong Kong.
Other names for this group include:
- Boyusec
- Buckeye
- Gothic Panda
- Group 6
- Pirpi
- TG-0110
- Threat Group-0110
- UPS
- UPS Team
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT3.
Suspicious DNS Request - APT3 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT3 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT3 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT4
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT4 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT4 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT4 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT5
APT5 is a suspected Chinese-based threat group that uses multiple types of malware to maintain command and control.
Other names associated with this group include:
- BRONZE FLEETWOOD
- MANGANESE
- Pitty Panda
- PittyTiger
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT5.
Suspicious DNS Request - APT5 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT5 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT5 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT6
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT6 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT6 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT6 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT10
APT10 is a threat group that appears to be Chinese-based and has been active since approximately 2009. This group has targeted the healthcare, defense, aerospace, and government industries and has targeted Japanese victims since at least 2014. In 2016 and 2017, this group targeted managed IT service providers, manufacturing and mining companies, and a university.
Other names for this group include:
- CVNX
- happyyongzi
- HOGFISH
- menuPass
- Menupass Team
- POTASSIUM
- Red Apollo
- Stone Panda
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT10.
Suspicious DNS Request - APT10 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT10 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT10 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT12
APT12 is a Chinese-based threat group that has targeted several victims, including media outlets, high-tech companies, and governments.
Other names for this group include:
- CBeeBus
- Calc Team
- Crimson Iron
- DNSCALC
- DynCalc
- Group 22
- IXESHE
- Numbered Panda
- TG-2754
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT12.
Suspicious DNS Request - APT12 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT12 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT12 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT15
APT15 is a Chinese-based threat group that has targeted several industries, including oil, government, and military.
Other names for this group include:
- GREF
- Ke3chang
- Mirage
- Playful Dragon
- RoyalAPT
- Vixen Panda
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT15.
Suspicious DNS Request - APT15 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT15 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT15 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT16
APT16 is a Chinese-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.
This group is also known as:
- SVCMONDR
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT16.
Suspicious DNS Request - APT16 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT16 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT16 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT17
APT17 is a Chinese-based threat group that has conducted network intrusions against United States government entities, the defense industry, law firms, information technology and mining companies, and non-government organizations.
Other names for this group include:
- Aurora Panda
- Deputy Dog
- Dogfish
- Group 8
- Hidden Lynx
- Tailgater
- Tailgater Team
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT17.
Suspicious DNS Request - APT17 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT17 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT17 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT18
APT18 is a threat group that has operated since at least 2009, and has targeted several industries, including technology, manufacturing, human rights groups, government, and medical.
Other names for this group include:
- Dynamite Panda
- TG-0416
- Threat Group-0416
- Wekby
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT18.
Suspicious DNS Request - APT18 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT18 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT18 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT19
APT19 is a Chinese-based threat group that has targeted several industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, this group used a phishing campaign to target seven law and investment firms. Some researchers have linked APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.
Other names for this group include:
- C0d0so0
- Codoso
- Codoso Team
- Shell Crew
- Sunshop Group
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT19.
Suspicious DNS Request - APT19 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT19 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT19 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT20
APT20 is a Chinese-based threat group that primarily uses spear phishing and watering hole attacks against victims.
Other names for this group include:
- APT8
- TH3Bug
- Violin Panda
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT20.
Suspicious DNS Request - APT20 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT20 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT20 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT27
APT27 is a Chinese-based threat group that has primarily used strategic web compromises to target victims. The group has been active since at least 2010, and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing industries.
Other names for this group include:
- BRONZE UNION
- Emissary Panda
- Group 35
- Hippo Team
- Iron Tiger
- Iron Tiger APT
- Lucky Mouse
- LuckyMouse
- TEMP.Hippo
- TG-3390
- Threat Group 3390
- Threat Group-3390
- ZipToken
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT27.
Suspicious DNS Request - APT27 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT27 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT27 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT28
APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Other names for this group include:
- Tsar Team
- Sednit
- TG-4127
- Group 74
- Pawn Storm
- Fancy Bear
- SNAKEMACKEREL
- Threat Group-4127
- Sofacy
- STRONTIUM
- Swallowtail
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT28.
Suspicious DNS Request - APT28 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT28 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT28 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT29
APT29 is a threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.
Other names for this group include:
- CozyCar
- CozyBear
- EuroAPT
- Cozy Duke
- SeaDuke
- Minidionis
- Office Monkeys
- Cozer
- Group 100
- Dukes
- Iron Hemlock
- Hammer Toss
- StellarParticle
- Dark Halo
- NOBELIUM
- Cozy Bear
- The Dukes
- CozyDuke
- UNC2452
- YTTRIUM
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT29.
Suspicious DNS Request - APT29 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT29 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT29 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT31
APT31 is a threat group specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data, APT31 appears to conduct network operations at the behest of the Chinese government. This threat group is also suspected of continuing to target upstream providers, such as law firms and managed service providers, to support additional intrusions against high-profile assets. In 2018, this threat group was observed using spear phishing, URL ‘web bugs’, and scheduled tasks to automate credential harvesting.
Other names for this group include:
- BRONZE VINEWOOD
- Hurricane Panda
- Judgment Panda
- TEMP.Avengers
- ZIRCONIUM
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT31.
Suspicious DNS Request - APT31 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT31 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT31 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT32
APT32 is a threat group that has been active since at least 2014. This group appears to be Vietnamese-based and has targeted multiple private sector industries, foreign governments, dissidents, and journalists with a focus on Southeast Asian countries, such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has primarily used strategic web compromises on victims.
Other names for this group include:
- APT-C-00
- Cobalt Kitty
- Ocean Buffalo
- Ocean Lotus
- OceanLotus
- OceanLotus Group
- POND LOACH
- SeaLotus
- TIN WOODLAWN
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT32.
Suspicious DNS Request - APT32 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT32 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT32 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT33
APT33 is a suspected Iranian-based threat group that has been active since at least 2013. This threat group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a focus on the aviation and energy industries.
Other names for this group include:
- COBALT TRINITY
- Elfin
- HOLMIUM
- MAGNALLIUM
- Refined Kitten
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT33.
Suspicious DNS Request - APT33 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT33 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT33 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT34
The OilRig hacker group is an Iran-linked APT, also known as APT34, HelixKitten, and Crambus. The group started its operations around 2014.
This APT group targets various sectors, such as government agencies, banking, energy, chemicals, financial services, and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait, Qatar, the United States, and Turkey.
Suspicious DNS Request - APT34 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT34 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT34 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT35
APT35 is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.
The group compromises websites by exploiting vulnerabilities and injects links or entire BeEF web pages into them; victims are then directed to BeEF servers.
This group is also linked to a malware called StoneDrill which was designed as a backdoor and a wiper.
Suspicious DNS Request - APT35 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT35 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT35 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT36
APT36 is a Pakistani-based threat group that has targeted the Indian Army or associated assets in India, and activists and civil society in Pakistan.
Other names for this group include:
- C-Major
- Mythic Leopard
- Operation C-Major
- ProjectM
- TMP.Lapis
- Transparent Tribe
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT36.
Suspicious DNS Request - APT36 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT36 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT36 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT37
APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but has also targeted victims in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. North Korean group definitions are reported to have significant overlap, and the name Lazarus Group reportedly encompasses a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups, such as Bluenoroff, APT37, and APT38 separately, while other organizations track some activity associated with those group names by the name Lazarus Group.
Other names for this group include:
- Group 123
- Group123
- Operation Daybreak
- Operation Erebus
- Reaper
- Reaper Group
- Red Eyes
- Ricochet Chollima
- ScarCruft
- Starcruft
- TEMP.Reaper
- Venus 121
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT37.
Suspicious DNS Request - APT37 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT37 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT37 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT38
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT38 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT38 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT38 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT39
APT39 is an Iranian cyber espionage group that has been active since at least 2014. This threat group has targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.
Other names for this group include:
- Chafer
- COBALT HICKMAN
- IRIDIUM
- REMIX KITTEN
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
Suspicious DNS Request - APT39 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT39 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT39 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT40
APT40 is a cyber espionage group that has been active since at least 2013. This group primarily targets defense and government organizations, but has also targeted other industries, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.
Other names for this group include:
- BRONZE MOHAWK
- GADOLINIUM
- Leviathan
- TEMP.Jumper
- TEMP.Periscope
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT40.
Suspicious DNS Request - APT40 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT40 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT40 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004
APT41
APT41 is a threat group that performs Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has targeted healthcare, telecom, technology, and video game industries in 14 countries.
Other names associated with this group include:
- Axiom
- Blackfly
- Lead
- Wicked Panda
- Wicked Spider
- WinNTI
- Winnti Group
- Winnti Umbrella
Detection Rules
This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT41.
Suspicious DNS Request - APT41 Related Domain Observed
Description
This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Compromise Infrastructure - T1584
- Domains - T1584.001
Suspicious Process - APT41 Related Binary Executed
Description
This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
Suspicious Web Request - APT41 Related Domain Observed
Description
This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.
Recommendation
This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Acquire Infrastructure - T1583
- Domains - T1583.001
- Virtual Private Server - T1583.003
- Server - T1583.004
- Compromise Infrastructure - T1584
- Domains - T1584.001
- Virtual Private Server - T1584.003
- Server - T1584.004