## APT17

**attack.mitre.org/groups/G0025/**

[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [[1]](https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf)

### ID: G0025

### Associated Groups: Deputy Dog

Version: 1.1
Created: 31 May 2017
Last Modified: 13 October 2020

[Version Permalink](https://attack.mitre.org/versions/v11/groups/G0025/) [Live Version](https://attack.mitre.org/versions/v11/groups/G0025/)

### Associated Group Descriptions

|Name|Description|
|---|---|
|Deputy Dog|[[1]](https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf)|

### Techniques Used

|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1583.006|Acquire Infrastructure: Web Services|APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.[1]|
|Enterprise|T1585|Establish Accounts|APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.[1]|

### Software

|ID|Name|References|Techniques|
|---|---|---|---|
|[S0069](https://attack.mitre.org/software/S0069)|[BLACKCOFFEE](https://attack.mitre.org/software/S0069)|[[1]](https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf)|[Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059): Windows Command Shell, [File and Directory Discovery](https://attack.mitre.org/techniques/T1083), [Indicator Removal on Host](https://attack.mitre.org/techniques/T1070): [File Deletion](https://attack.mitre.org/techniques/T1070/004), Multi-Stage Channels, [Process Discovery](https://attack.mitre.org/techniques/T1057), Web Service: [Bidirectional Communication](https://attack.mitre.org/techniques/T1102/002), Web Service: [Dead Drop Resolver](https://attack.mitre.org/techniques/T1102/001)|

### References

1. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf