G0006: APT1
Analyst context for executives and security teams
APT1 is an ATT&CK group entry for a Chinese threat group attributed in the cited reporting to PLA Unit 61398. The supplied relationships make this most useful as a defensive planning reference for credential theft, Windows administration-tool abuse, remote access malware, discovery, lateral movement, and local data collection. For leaders, the value is not in assuming current exposure to APT1, but in using the group’s mapped behaviors to test whether identity controls, endpoint visibility, and incident response processes can withstand a credential-driven intrusion.
Executive priority
Prioritize this object as a readiness and control-validation case study: can the organization detect and contain credential dumping, pass-the-hash-style authentication abuse, remote execution tooling, RDP use with valid accounts, and backdoor command-and-control patterns? The business risk is operational persistence after initial access: once credentials and remote execution paths are available, containment can become an enterprise-wide identity and endpoint response problem. Executives should ask whether privileged credential protections, Windows endpoint telemetry, lateral movement monitoring, and IR playbooks produce auditable evidence during an intrusion, not just whether named malware signatures exist.
Technical view
ATT&CK provides no group-specific detection text and no platforms on the intrusion-set itself. However, the relationship set is strongly Windows-oriented through tools such as Mimikatz, pwdump, gsecdump, Cachedump, Lslsass, PsExec, Net, ipconfig, PoisonIvy, BISCUIT, CALENDAR, GLOOXMAIL, WEBC2, and related credential-access and lateral-movement techniques including LSASS Memory, Remote Desktop Protocol, discovery commands, local data collection, and network connection/configuration discovery. SOC and IR teams should validate visibility across credential material access, LSASS-related activity, suspicious use of built-in admin utilities, remote service execution patterns, RDP logons, unusual process/file naming or placement, and outbound backdoor-like communications that may mimic legitimate web, Gmail Calendar, or Jabber/XMPP-style traffic as described in related software records.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for tools and utilities such as Net, Tasklist, ipconfig, PsExec-like execution, and credential dumpers
- Security event logs and authentication telemetry for privileged logons, RDP sessions, lateral authentication, and possible pass-the-hash-style use of account material
- Endpoint detection telemetry around LSASS access, memory dumping behavior, registry access for cached credentials, and execution from unusual paths or with misleading names
- Network telemetry for outbound connections, web traffic, and protocol patterns relevant to backdoors such as WEBC2, CALENDAR, and GLOOXMAIL as described in ATT&CK relationships
- File, registry, and service telemetry for backdoor persistence indicators, remote execution artifacts, and suspicious service or task enumeration
Detection direction
- Do not rely only on malware names. Several related items are legitimate or publicly available tools, so detection should focus on behavior: credential dumping, LSASS access, remote execution, discovery bursts, RDP use, and unusual administrative utility chains.
- Tune for context around legitimate administration. PsExec, Net, Tasklist, ipconfig, and RDP can be normal; higher-fidelity detections usually require baselines for admin hosts, service accounts, expected remote management paths, and change windows.
- Validate coverage for credential-access techniques first, especially LSASS Memory and tools that obtain password hashes or cached credentials, because the relationship set repeatedly references credential dumping and alternate authentication material.
- Correlate endpoint and identity evidence. A suspicious credential dump followed by RDP, PsExec-like execution, or remote command execution should be treated differently from isolated utility execution.
- Review network detections for backdoors that blend into expected traffic patterns, including web-based command retrieval and traffic mimicking legitimate services, while recognizing that ATT&CK does not provide detection logic for this group entry.
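The endpoint-plus-identity correlation described above, as an added example that is not part of the ATT&CK object or the Glexia analysis: credential access on a host is only escalated when the same account then moves laterally from that host within a time window, and chains originating from baselined admin workstations are downgraded rather than dropped. The event schema, host names and the approved-admin-host list are assumptions; the telemetry is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized event types; field names are assumptions, not a vendor schema.
CRED_ACCESS = {"lsass_access", "cached_cred_registry_read"}
LATERAL = {"rdp_logon", "remote_service_install"}
WINDOW = timedelta(minutes=30)
APPROVED_ADMIN_HOSTS = {"ADM01"}  # assumed baseline of sanctioned admin workstations

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"ts": "2024-05-01T09:05:00", "type": "lsass_access", "host": "WS01", "user": "jdoe"},
    {"ts": "2024-05-01T09:12:00", "type": "rdp_logon", "host": "SRV02", "src_host": "WS01", "user": "jdoe"},
    {"ts": "2024-05-01T09:14:00", "type": "remote_service_install", "host": "SRV02", "src_host": "WS01", "user": "jdoe"},
    {"ts": "2024-05-01T09:20:00", "type": "rdp_logon", "host": "SRV03", "src_host": "ADM01", "user": "ops"},
    {"ts": "2024-05-01T10:00:00", "type": "lsass_access", "host": "ADM01", "user": "ops"},
    {"ts": "2024-05-01T10:10:00", "type": "remote_service_install", "host": "SRV04", "src_host": "ADM01", "user": "ops"},
    {"ts": "2024-05-01T12:00:00", "type": "rdp_logon", "host": "SRV05", "src_host": "WS01", "user": "jdoe"},
]

def correlate(events, window=WINDOW, admin_hosts=APPROVED_ADMIN_HOSTS):
    """Return alerts for lateral-movement events preceded, within `window`,
    by credential access on the source host under the same account."""
    cred_seen = defaultdict(list)  # user -> [(time, host)]
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] in CRED_ACCESS:
            cred_seen[e["user"]].append((t, e["host"]))
            continue
        if e["type"] not in LATERAL:
            continue
        src = e.get("src_host", e["host"])
        chained = [ct for ct, h in cred_seen[e["user"]]
                   if h == src and timedelta(0) <= t - ct <= window]
        if not chained:
            continue  # isolated remote admin: left to baseline and other rules
        alerts.append({
            "user": e["user"], "src_host": src, "target": e["host"], "lateral": e["type"],
            "cred_access_at": max(chained).isoformat(),
            # sanctioned admin host: still recorded, but downgraded for change-window review
            "severity": "medium" if src in admin_hosts else "high",
        })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The isolated RDP logon from ADM01 and the RDP logon hours after the credential access produce nothing, which is the distinction the bullet above draws between chained and isolated activity.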
Mitigation priorities
- Start with identity hardening: reduce standing administrative privileges, protect privileged accounts, and limit where high-value credentials can log on.
- Harden credential exposure on Windows endpoints, including controls that reduce access to LSASS and cached credential material where applicable.
- Restrict and monitor remote administration paths such as RDP and PsExec-like execution; require strong authentication, approved admin workstations, and documented exceptions.
- Improve endpoint logging and retention before relying on detections; many relevant behaviors require process, command-line, authentication, and memory-access visibility.
- Segment systems and limit lateral movement paths so stolen credentials or remote execution tools do not provide broad enterprise reach.
Analyst notes and limits
This take is based on the official ATT&CK APT1 group object, its aliases, cited external references, and listed relationships to software and techniques. The relationship graph is the main source of defensive value because the group object itself has no official detection text, tactics, or platforms. The mapped software includes both malware and legitimate/public tools, so local baselining is essential to separate administration from suspicious use.
ATT&CK fields supplied here do not establish current activity, targeting, victim exposure, or guaranteed detection coverage. The intrusion-set platform and tactics fields are not specified, so platform references are derived only from related software and technique records. Local environment evidence is required to determine relevance, control gaps, and alert fidelity.
APT1
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | |
| Enterprise | T1583.001 | Domains Sub-technique | |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | |
| Enterprise | T1119 | Automated Collection | |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | |
| Enterprise | T1588.001 | Malware Sub-technique | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1585.002 | Email Accounts Sub-technique | |
| Enterprise | T1584.001 | Domains Sub-technique | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1087.001 | Local Account Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | The APT1 group is known to have used RDP during operations. (Citation: FireEye PLA) |
Groups, software, and campaigns
S0345: Seasalt
S0100: ipconfig
S0017: BISCUIT
S0119: Cachedump
S0029: PsExec
S0026: GLOOXMAIL
S0121: Lslsass
S0012: PoisonIvy
S0109: WEBC2
S0002: Mimikatz
S0008: gsecdump
S0122: Pass-The-Hash Toolkit
Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | e900813c68d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT1: Mandiant. (n.d.). APT1 Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
- [2] APT1 (Citation: Mandiant APT1)
- [3] Comment Crew (Citation: Mandiant APT1)
- [4] Comment Group (Citation: Mandiant APT1)
- [5] Comment Panda (Citation: CrowdStrike Putter Panda)
- [6] CrowdStrike Putter Panda: Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- [7] mitre-attack G0006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.