APT1
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:14
- Updated at
- 27/03/2026 01:14
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 23 attack patterns (mitre), 6 malware, 11 tool
Aliases
Comment Crew Comment Group Comment Panda
Description
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (23)
-
T1566.001 usesSpearphishing Attachment MITRE
-
T1114.001 usesLocal Email Collection MITRE
-
T1057 usesProcess Discovery MITRE
-
T1560.001 usesArchive via Utility MITRE
-
T1583.001 usesDomains MITRE
-
Email Accounts usesT1585.002 MITRE
-
T1566.002 usesSpearphishing Link MITRE
-
T1550.002 usesPass the Hash MITRE
-
T1114.002 usesRemote Email Collection MITRE
-
T1087.001 usesLocal Account MITRE
-
T1059.003 usesWindows Command Shell MITRE
Malware (6)
-
CALENDAR uses
-
PoisonIvy uses
-
BISCUIT uses
-
GLOOXMAIL uses
-
Seasalt uses
-
WEBC2 uses
Tool (11)
-
xCmd usesThe MITRE Corporation Confidence 100
[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)
-
Lslsass usesThe MITRE Corporation Confidence 100
[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)
-
Cachedump usesThe MITRE Corporation Confidence 100
[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)
-
PsExec usesThe MITRE Corporation Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
-
gsecdump usesThe MITRE Corporation Confidence 100
[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
ipconfig usesThe MITRE Corporation Confidence 100
[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
-
Tasklist usesThe MITRE Corporation Confidence 100
The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
-
The MITRE Corporation Confidence 100
[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)
-
pwdump usesThe MITRE Corporation Confidence 100
[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)