G0006: APT1
Analyst context for executives and security teams
APT1 is an ATT&CK group entry for a Chinese threat group attributed in the cited reporting to PLA Unit 61398. The supplied relationships make this most useful as a defensive planning reference for credential theft, Windows administration-tool abuse, remote access malware, discovery, lateral movement, and local data collection. For leaders, the value is not in assuming current exposure to APT1, but in using the group’s mapped behaviors to test whether identity controls, endpoint visibility, and incident response processes can withstand a credential-driven intrusion.
Executive priority
Prioritize this object as a readiness and control-validation case study: can the organization detect and contain credential dumping, pass-the-hash-style authentication abuse, remote execution tooling, RDP use with valid accounts, and backdoor command-and-control patterns? The business risk is operational persistence after initial access: once credentials and remote execution paths are available, containment can become an enterprise-wide identity and endpoint response problem. Executives should ask whether privileged credential protections, Windows endpoint telemetry, lateral movement monitoring, and IR playbooks produce auditable evidence during an intrusion, not just whether named malware signatures exist.
Technical view
ATT&CK provides no group-specific detection text and no platforms on the intrusion-set itself. However, the relationship set is strongly Windows-oriented through tools such as Mimikatz, pwdump, gsecdump, Cachedump, Lslsass, PsExec, Net, ipconfig, PoisonIvy, BISCUIT, CALENDAR, GLOOXMAIL, WEBC2, and related credential-access and lateral-movement techniques including LSASS Memory, Remote Desktop Protocol, discovery commands, local data collection, and network connection/configuration discovery. SOC and IR teams should validate visibility across credential material access, LSASS-related activity, suspicious use of built-in admin utilities, remote service execution patterns, RDP logons, unusual process/file naming or placement, and outbound backdoor-like communications that may mimic legitimate web, Gmail Calendar, or Jabber/XMPP-style traffic as described in related software records.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for tools and utilities such as Net, Tasklist, ipconfig, PsExec-like execution, and credential dumpers
- Security event logs and authentication telemetry for privileged logons, RDP sessions, lateral authentication, and possible pass-the-hash-style use of account material
- Endpoint detection telemetry around LSASS access, memory dumping behavior, registry access for cached credentials, and execution from unusual paths or with misleading names
- Network telemetry for outbound connections, web traffic, and protocol patterns relevant to backdoors such as WEBC2, CALENDAR, and GLOOXMAIL as described in ATT&CK relationships
- File, registry, and service telemetry for backdoor persistence indicators, remote execution artifacts, and suspicious service or task enumeration
Detection direction
- Do not rely only on malware names. Several related items are legitimate or publicly available tools, so detection should focus on behavior: credential dumping, LSASS access, remote execution, discovery bursts, RDP use, and unusual administrative utility chains.
- Tune for context around legitimate administration. PsExec, Net, Tasklist, ipconfig, and RDP can be normal; higher-fidelity detections usually require baselines for admin hosts, service accounts, expected remote management paths, and change windows.
- Validate coverage for credential-access techniques first, especially LSASS Memory and tools that obtain password hashes or cached credentials, because the relationship set repeatedly references credential dumping and alternate authentication material.
- Correlate endpoint and identity evidence. A suspicious credential dump followed by RDP, PsExec-like execution, or remote command execution should be treated differently from isolated utility execution.
- Review network detections for backdoors that blend into expected traffic patterns, including web-based command retrieval and traffic mimicking legitimate services, while recognizing that ATT&CK does not provide detection logic for this group entry.
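As an added illustration of the correlation this list calls for (example code written for this page; it is not part of the ATT&CK object, the Glexia analysis, or the Mandiant report), the Python below runs over constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and Windows Security 4624 (Logon). It flags LSASS access from processes outside an allowlist that requested memory-read rights, then pairs each such event with RDP (logon type 10) or NTLM network logons (type 3) originating from the same host within a window. The field names, the allowlist, the one-hour window and every event value are assumptions for illustration.

```python
from datetime import datetime, timedelta

# PROCESS_VM_READ (0x0010) in a Windows process access mask: reading LSASS memory
# needs it, so its presence is a common discriminator for dumping attempts.
PROCESS_VM_READ = 0x0010

# Processes expected to open lsass.exe on a typical workstation. This allowlist is an
# assumption for illustration; build yours from a baseline of your own hosts.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records (not real telemetry). "process_access" rows follow the shape
# of Sysmon Event ID 10; "logon" rows follow Security 4624 as recorded on the destination
# host, where source_host stands in for WorkstationName/IpAddress.
SAMPLE_EVENTS = [
    {"type": "process_access", "time": "2026-03-02T10:00:05", "host": "wks01",
     "source_image": r"C:\Users\Public\AcroRD32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"type": "process_access", "time": "2026-03-02T10:01:00", "host": "wks02",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"type": "logon", "time": "2026-03-02T10:12:40", "host": "srv-files", "source_host": "wks01",
     "account": "CORP\\svc_backup", "logon_type": 10, "auth_package": "Negotiate"},
    {"type": "logon", "time": "2026-03-02T10:20:15", "host": "srv-db", "source_host": "wks01",
     "account": "CORP\\svc_backup", "logon_type": 3, "auth_package": "NTLM"},
    # RDP from a host with no preceding credential access: routine admin work, not alerted.
    {"type": "logon", "time": "2026-03-02T10:30:00", "host": "srv-files", "source_host": "wks02",
     "account": "CORP\\jdoe", "logon_type": 10, "auth_package": "Negotiate"},
    # Same account and source host, but a day later: outside the correlation window.
    {"type": "logon", "time": "2026-03-03T09:00:00", "host": "srv-db", "source_host": "wks01",
     "account": "CORP\\svc_backup", "logon_type": 3, "auth_package": "NTLM"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_lsass_access(events):
    """Return LSASS access events from non-allowlisted processes that requested VM_READ."""
    hits = []
    for e in events:
        if e["type"] != "process_access":
            continue
        if not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        if e["source_image"].lower() in LSASS_ALLOWLIST:
            continue
        if e["granted_access"] & PROCESS_VM_READ:
            hits.append(e)
    return hits


def remote_logons(events):
    """Logon type 10 is RemoteInteractive (RDP); type 3 over NTLM is the shape a
    pass-the-hash network logon takes. Both are lateral-movement candidates."""
    return [
        e for e in events
        if e["type"] == "logon"
        and (e["logon_type"] == 10
             or (e["logon_type"] == 3 and e["auth_package"].upper() == "NTLM"))
    ]


def correlate(events, window=timedelta(hours=1)):
    """Pair each suspicious LSASS access with remote logons originating from the same host
    inside `window`; an isolated utility run or an isolated RDP logon yields no alert."""
    alerts = []
    logons = remote_logons(events)
    for dump in suspicious_lsass_access(events):
        t0 = _ts(dump["time"])
        follow = [
            l for l in logons
            if l["source_host"] == dump["host"] and t0 <= _ts(l["time"]) <= t0 + window
        ]
        if follow:
            alerts.append({
                "host": dump["host"],
                "dumper": dump["source_image"],
                "accounts": sorted({l["account"] for l in follow}),
                "destinations": sorted({l["host"] for l in follow}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data this yields a single alert for wks01 naming the dumper path, the account reused, and both destination servers. The allowlist is also the weak point: a dumper copied to an allowlisted path, or renamed after a legitimate binary as the masquerading row in the techniques table describes, would be skipped, so pair this logic with path and hash checks rather than trusting image names alone.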
Mitigation priorities
- Start with identity hardening: reduce standing administrative privileges, protect privileged accounts, and limit where high-value credentials can log on.
- Harden credential exposure on Windows endpoints, including controls that reduce access to LSASS and cached credential material where applicable.
- Restrict and monitor remote administration paths such as RDP and PsExec-like execution; require strong authentication, approved admin workstations, and documented exceptions.
- Improve endpoint logging and retention before relying on detections; many relevant behaviors require process, command-line, authentication, and memory-access visibility.
- Segment systems and limit lateral movement paths so stolen credentials or remote execution tools do not provide broad enterprise reach.
Analyst notes and limits
This take is based on the official ATT&CK APT1 group object, its aliases, cited external references, and listed relationships to software and techniques. The relationship graph is the main source of defensive value because the group object itself has no official detection text, tactics, or platforms. The mapped software includes both malware and legitimate/public tools, so local baselining is essential to separate administration from suspicious use.
ATT&CK fields supplied here do not establish current activity, targeting, victim exposure, or guaranteed detection coverage. The intrusion-set platform and tactics fields are not specified, so platform references are derived only from related software and technique records. Local environment evidence is required to determine relevance, control gaps, and alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1057 | Process Discovery | APT1 gathered a list of running processes on the system using |
| Enterprise | T1005 | Data from Local System | APT1 has collected files from a local victim. (Citation: Mandiant APT1) |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | The APT1 group is known to have used pass the hash. (Citation: Mandiant APT1) |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | APT1 has registered hundreds of domains for use in operations. (Citation: Mandiant APT1) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT1 has used RAR to compress files before moving them outside of the victim network. (Citation: Mandiant APT1) |
| Enterprise | T1119 | Automated Collection | APT1 used a batch script to perform a series of discovery techniques and saved the results to a text file. (Citation: Mandiant APT1) |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived. (Citation: Mandiant APT1) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | APT1 has sent spearphishing emails containing hyperlinks to malicious files. (Citation: Mandiant APT1) |
| Enterprise | T1016 | System Network Configuration Discovery | APT1 used the |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files. (Citation: Mandiant APT1) |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | APT1 used publicly available malware for privilege escalation. (Citation: Mandiant APT1) |
| Enterprise | T1049 | System Network Connections Discovery | APT1 used the |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | APT1 has created email accounts for later use in social engineering, phishing, and when registering domains. (Citation: Mandiant APT1) |
| Enterprise | T1584.001 | Compromise Infrastructure: Domains | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. (Citation: Mandiant APT1) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware. (Citation: Mandiant APT1) (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1087.001 | Account Discovery: Local Account | APT1 used the commands |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT1 has sent spearphishing emails containing malicious attachments. (Citation: Mandiant APT1) |
| Enterprise | T1135 | Network Share Discovery | APT1 listed connected network shares. (Citation: Mandiant APT1) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. (Citation: Mandiant APT1) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT1 has used various open-source tools for privilege escalation purposes. (Citation: Mandiant APT1) |
| Enterprise | T1007 | System Service Discovery | APT1 used the commands |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | The APT1 group is known to have used RDP during operations. (Citation: FireEye PLA) |
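The discovery, batch-automation, and masquerading rows above all surface as process-creation telemetry. As an added example written for this page (not code from the ATT&CK record, Glexia, or the Mandiant report), the Python below scans constructed Sysmon Event ID 1 / Security 4688-style records for two patterns: a burst of distinct discovery commands from one host inside a short window, which is what a scripted discovery sequence looks like, and a process named AcroRD32.exe running from outside Adobe's install directories. The specific command switches, the expected Adobe paths, the 60-second window, the threshold of four distinct commands, and all record values are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 shape).
# Field names and values are assumptions for illustration, not real telemetry.
SAMPLE_PROCESSES = [
    {"time": "2026-03-02T10:05:00", "host": "wks01", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\Public\discover.bat"},
    {"time": "2026-03-02T10:05:02", "host": "wks01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user"},
    {"time": "2026-03-02T10:05:04", "host": "wks01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup administrators"},
    {"time": "2026-03-02T10:05:06", "host": "wks01", "image": r"C:\Windows\System32\ipconfig.exe",
     "command_line": "ipconfig /all"},
    {"time": "2026-03-02T10:05:08", "host": "wks01", "image": r"C:\Windows\System32\tasklist.exe",
     "command_line": "tasklist /v"},
    {"time": "2026-03-02T10:05:10", "host": "wks01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net use"},
    {"time": "2026-03-02T10:05:12", "host": "wks01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net start"},
    {"time": "2026-03-02T10:05:14", "host": "wks01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net view"},
    {"time": "2026-03-02T10:06:00", "host": "wks01", "image": r"C:\Users\Public\AcroRD32.exe",
     "command_line": r"C:\Users\Public\AcroRD32.exe"},
    # Benign activity on another host: one discovery command and the real Reader binary.
    {"time": "2026-03-02T11:00:00", "host": "wks02", "image": r"C:\Windows\System32\ipconfig.exe",
     "command_line": "ipconfig /all"},
    {"time": "2026-03-02T11:01:00", "host": "wks02",
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "command_line": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" doc.pdf'},
]

# Built-in utilities that enumerate accounts, services, shares, sessions, and network state.
NET_SUBCOMMANDS = {"user", "group", "localgroup", "use", "view", "start", "share", "session"}
STANDALONE = {"ipconfig", "tasklist", "netstat", "systeminfo", "whoami", "quser"}

# Where a binary with this name is expected to live (lower-case prefixes). An assumption
# for illustration; extend it from your own software inventory.
EXPECTED_LOCATIONS = {
    "acrord32.exe": ("c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\"),
}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_discovery(command_line):
    """Map a command line to a discovery label such as 'net user', or None if it is not one."""
    parts = command_line.split()
    if not parts:
        return None
    exe = _basename(parts[0]).removesuffix(".exe")
    if exe == "net" and len(parts) > 1 and parts[1].lower() in NET_SUBCOMMANDS:
        return f"net {parts[1].lower()}"
    if exe in STANDALONE:
        return exe
    return None


def discovery_bursts(events, window=timedelta(seconds=60), threshold=4):
    """Flag a host that runs `threshold` or more distinct discovery commands within `window`."""
    tagged = sorted(
        ((datetime.fromisoformat(e["time"]), e["host"], classify_discovery(e["command_line"]))
         for e in events),
        key=lambda t: (t[1], t[0]),
    )
    tagged = [t for t in tagged if t[2] is not None]
    alerts, i = [], 0
    while i < len(tagged):
        t0, host, _ = tagged[i]
        run = [t for t in tagged[i:] if t[1] == host and t[0] <= t0 + window]
        labels = sorted({t[2] for t in run})
        if len(labels) >= threshold:
            alerts.append({"host": host, "start": t0.isoformat(), "commands": labels})
            i += len(run)  # one alert per burst, not one per command
        else:
            i += 1
    return alerts


def masqueraded_names(events):
    """Flag a process whose file name matches a known binary but runs from an unexpected path."""
    hits = []
    for e in events:
        expected = EXPECTED_LOCATIONS.get(_basename(e["image"]))
        if expected is not None and not e["image"].lower().startswith(expected):
            hits.append({"host": e["host"], "image": e["image"]})
    return hits


if __name__ == "__main__":
    print(discovery_bursts(SAMPLE_PROCESSES))
    print(masqueraded_names(SAMPLE_PROCESSES))
```

The burst check deliberately counts distinct commands rather than raw volume, so a help-desk script that runs ipconfig on every host does not trip it, while a sequence that enumerates accounts, services, shares and connections inside a minute does. The single `cmd.exe /c ... .bat` parent in the sample is not itself scored; in production you would carry the parent image and command line into the alert so the batch file that drove the sequence is recoverable.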
Groups, software, and campaigns
S0345: Seasalt
S0100: ipconfig
S0017: BISCUIT
S0119: Cachedump
S0029: PsExec
S0026: GLOOXMAIL
S0121: Lslsass
S0012: PoisonIvy
S0109: WEBC2
S0002: Mimikatz
S0008: gsecdump
S0122: Pass-The-Hash Toolkit
Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page in the ATT&CK resources section of the MITRE site.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | e900813c68d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Aliases recorded on the ATT&CK object
- APT1 (Citation: Mandiant APT1)
- Comment Crew (Citation: Mandiant APT1)
- Comment Group (Citation: Mandiant APT1)
- Comment Panda (Citation: CrowdStrike Putter Panda)
References
[1] Mandiant APT1. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
[2] CrowdStrike Putter Panda. CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
[3] mitre-attack. External ID G0006 on the MITRE ATT&CK site.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.