{
	"id": "cfa74483-d5f4-421a-a9be-77143c8f7188",
	"created_at": "2026-04-06T01:31:51.858758Z",
	"updated_at": "2026-04-10T13:12:09.026571Z",
	"deleted_at": null,
	"sha1_hash": "db05552190ef7c4966c2b209bd33d59d53488037",
	"title": "Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 448384,
	"plain_text": "Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA\r\nPublished: 2021-08-20 · Archived: 2026-04-06 01:15:11 UTC\r\nSummary\r\nThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework,\r\nVersion 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT\u0026CK for Enterprise for all\r\nreferenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and\r\ntechniques.\r\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of\r\nInvestigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to\r\nU.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political,\r\neconomic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical\r\nand emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors\r\ninclude managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and\r\nmedical institutions. These cyber operations support China’s long-term economic and military development objectives.\r\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by\r\nChinese state-sponsored cyber actors. 
This advisory builds on previous NSA, CISA, and FBI reporting to inform federal,\r\nstate, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends\r\nand persistent TTPs through collaborative, proactive, and retrospective analysis.\r\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA,\r\nCISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the\r\nMitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures.\r\nNote: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber\r\nActivity: Threat Overview for Leaders for information on this threat to their organization.\r\nTechnical Details\r\nTrends in Chinese State-Sponsored Cyber Operations\r\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S.\r\npolitical, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the\r\nfollowing trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\r\nAcquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant\r\nof the information security community’s practices. These actors take effort to mask their activities by using a\r\nrevolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\r\nExploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for\r\ncritical and high vulnerabilities within days of the vulnerability’s public disclosure. 
In many cases, these cyber\r\nactors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 1 of 38\n\nproducts. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious\r\nChinese state-sponsored cyber actors, see:\r\nCISA-FBI Joint CSA AA20-133A: Top 10 Routinely Exploited Vulnerabilities,\r\nCISA Activity Alert: AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions,\r\nand\r\nNSA CSA U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.\r\nEncrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS\r\nas an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as\r\noperational nodes to evade detection.\r\nObserved Tactics and Techniques\r\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest\r\nworldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B:\r\nMITRE ATT\u0026CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. 
A\r\ndownloadable JSON file is also available on the NSA Cybersecurity GitHub page .\r\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures\r\naffiliated with these tactics and techniques as well as applicable mitigations.\r\nFigure 1: Example of tactics and techniques used in various cyber operations.\r\nMitigations\r\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the\r\nfollowing recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored\r\nto observed tactics and techniques:\r\nPatch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that\r\nallow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be\r\nexploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that\r\nenables a timely and thorough patching cycle.\r\nNote: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the\r\nresources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\r\nEnhance monitoring of network traffic, email, and endpoint systems. Review network signatures and\r\nindicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the\r\nbest practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure\r\nthat log information is aggregated and correlated to enable maximum detection capabilities, with a focus on\r\nmonitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity.\r\nSSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of\r\nmalware communication protocols. 
Implement and enhance network and endpoint event analysis and detection\r\ncapabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and\r\nfiles.\r\nUse protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint\r\nprotection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion\r\ndetection and prevention system to identify and prevent commonly employed adversarial malware and limit\r\nnefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong\r\ncredentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's\r\nability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA\r\nimplementations.\r\nResources\r\nRefer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber\r\nactivity.\r\nDisclaimer of Endorsement\r\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees.\r\nReference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or\r\notherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government,\r\nand this guidance shall not be used for advertising or product endorsement purposes.\r\nPurpose\r\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions,\r\nincluding their responsibilities to develop and issue cybersecurity specifications and mitigations. 
This information may be\r\nshared broadly to reach all appropriate stakeholders.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information\r\ncarries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.\r\nSubject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more\r\ninformation on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.\r\nTrademark Recognition\r\nMITRE and ATT\u0026CK are registered trademarks of The MITRE Corporation. • D3FEND is a trademark of The MITRE\r\nCorporation. • Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell,\r\nWindows Defender, and Windows are registered trademarks of Microsoft Corporation. • Pulse Secure is a registered\r\ntrademark of Pulse Secure, LLC. • Apache is a registered trademark of Apache Software Foundation. • F5 and BIG-IP are\r\nregistered trademarks of F5 Networks. • Cobalt Strike is a registered trademark of Strategic Cyber LLC. • GitHub is a\r\nregistered trademark of GitHub, Inc. • JavaScript is a registered trademark of Oracle Corporation. • Python is a registered\r\ntrademark of Python Software Foundation. • Unix is a registered trademark of The Open Group. • Linux is a registered\r\ntrademark of Linus Torvalds. 
• Dropbox is a registered trademark of Dropbox, Inc.\r\nAPPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures\r\nNote: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to\r\nATT\u0026CK techniques and sub-techniques.\r\nTactics: Reconnaissance [TA0043 ]    \r\nTable 1: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 3 of 38\n\nThreat\r\nActor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor Procedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDefensive Tactics and\r\nTechniques\r\nActive\r\nScanning\r\n[T1595 ] \r\nChinese state-sponsored cyber actors\r\nhave been assessed to perform\r\nreconnaissance on Microsoft® 365\r\n(M365), formerly Office® 365,\r\nresources with the intent of further\r\ngaining information about the\r\nnetworks. These scans can be\r\nautomated, through Python® scripts,\r\nto locate certain files, paths, or\r\nvulnerabilities. The cyber actors can\r\ngain valuable information on the\r\nvictim network, such as the allocated\r\nresources, an organization’s fully\r\nqualified domain name, IP address\r\nspace, and open ports to target or\r\nexploit.\r\nMinimize the amount and\r\nsensitivity of data\r\navailable to external\r\nparties, for example: \r\nScrub user email\r\naddresses and\r\ncontact lists from\r\npublic websites,\r\nwhich can be used\r\nfor social\r\nengineering,\r\nShare only\r\nnecessary data and\r\ninformation with\r\nthird parties, and\r\nMonitor and limit\r\nthird-party access\r\nto the network. 
\r\nActive scanning from\r\ncyber actors may be\r\nidentified by monitoring\r\nnetwork traffic for sources\r\nassociated with botnets,\r\nadversaries, and known\r\nbad IPs based on threat\r\nintelligence.\r\nDetect: \r\nNetwork Traffic\r\nAnalysis\r\nConnection\r\nAttempt\r\nAnalysis\r\n[D3-CAA\r\n]\r\nIsolate: \r\nNetwork Isolation\r\nInbound\r\nTraffic\r\nFiltering\r\n[D3-ITF ]\r\nGather\r\nVictim\r\nNetwork\r\nInformation\r\n[T1590 ]\r\nTactics: Resource Development [TA0042 ]\r\nTable II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation\r\nrecommendations\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 4 of 38\n\nThreat Actor\r\nTechnique / Sub-TechniquesThreat Actor Procedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDefensive\r\nTactics and\r\nTechniques\r\nAcquire\r\nInfrastructure\r\n[T1583 ]\r\nChinese state-sponsored\r\ncyber actors have been\r\nobserved using VPSs from\r\ncloud service providers that\r\nare physically distributed\r\naround the world to host\r\nmalware and function as C2\r\nnodes.\r\nAdversary activities occurring outside the\r\norganization’s boundary of control and\r\nview makes mitigation difficult.\r\nOrganizations can monitor for unexpected\r\nnetwork traffic and data flows to and from\r\nVPSs and correlate other suspicious\r\nactivity that may indicate an active threat.\r\nN/A\r\nStage Capabilities\r\n[T1608 ]\r\nObtain Capabilities\r\n[T1588 ]: \r\nTools\r\n[T1588.002\r\n]\r\nChinese state-sponsored\r\ncyber actors have been\r\nobserved using Cobalt\r\nStrike® and tools from\r\nGitHub® on victim\r\nnetworks. 
\r\nOrganizations may be able to identify\r\nmalicious use of Cobalt Strike by:\r\nExamining network traffic using\r\nTransport Layer Security (TLS)\r\ninspection to identify Cobalt Strike.\r\nLook for human generated vice\r\nmachine-generated traffic, which\r\nwill be more uniformly distributed.\r\nLooking for the default Cobalt\r\nStrike TLS certificate.\r\nLook at the user agent that\r\ngenerates the TLS traffic for\r\ndiscrepancies that may indicate\r\nfaked and malicious traffic.\r\nReview the traffic destination\r\ndomain, which may be malicious\r\nand an indicator of compromise.\r\nLook at the packet's HTTP host\r\nheader. If it does not match with the\r\ndestination domain, it may indicate\r\na fake Cobalt Strike header and\r\nprofile.\r\nCheck the Uniform Resource\r\nIdentifier (URI) of the flow to see if\r\nit matches one associated with\r\nCobalt Strike's malleable C2\r\nlanguage. If discovered, additional\r\nrecovery and investigation will be\r\nrequired.\r\nN/A\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 5 of 38\n\nTactics: Initial Access [TA0001 ]\r\nTable III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations\r\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\nDrive By\r\nCompromise [T1189\r\n]\r\nChinese state-sponsored cyber actors\r\nhave been observed\r\ngaining access to\r\nvictim networks\r\nthrough watering hole\r\ncampaigns of typo-squatted domains.\r\nEnsure all browsers and\r\nplugins are kept up to\r\ndate.\r\nUse modern browsers\r\nwith security features\r\nturned on.\r\nRestrict the use of\r\nunneeded websites,\r\nblock unneeded\r\ndownloads/attachments,\r\nblock unneeded\r\nJavaScript®, restrict\r\nbrowser extensions, etc.\r\nUse adblockers to help\r\nprevent malicious code\r\nserved through\r\nadvertisements from\r\nexecuting.\r\nUse script 
blocking\r\nextensions to help\r\nprevent the execution of\r\nunneeded JavaScript,\r\nwhich may be used\r\nduring exploitation\r\nprocesses.\r\nUse browser sandboxes\r\nor remote virtual\r\nenvironments to mitigate\r\nbrowser exploitation.\r\nUse security applications\r\nthat look for behavior\r\nused during exploitation,\r\nsuch as Windows\r\nDefender® Exploit\r\nGuard (WDEG).\r\nDetect: \r\nIdentifier Analysis\r\nHomoglyph\r\nDetection [D3-\r\nHD ]\r\nURL Analysis\r\n[D3-UA ]\r\nFile Analysis\r\nDynamic\r\nAnalysis [D3-\r\nDA ]\r\nIsolate: \r\nExecution Isolation\r\nHardware-based Process\r\nIsolation [D3-\r\nHBPI ]\r\nExecutable\r\nAllowlisting\r\n[D3-EAL ]\r\nNetwork Isolation\r\nDNS\r\nDenylisting\r\n[D3-DNSDL\r\n]\r\nOutbound\r\nTraffic\r\nFiltering [D3-\r\nOTF ]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 6 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\nExploit Public-Facing Application\r\n[T1190 ]\r\nChinese state-sponsored cyber actors\r\nhave exploited known\r\nvulnerabilities in\r\nInternet-facing\r\nsystems.[1] For\r\ninformation on\r\nvulnerabilities known\r\nto be exploited by\r\nChinese state-sponsored cyber\r\nactors, refer to the\r\nTrends in Chinese\r\nState-Sponsored\r\nCyber Operations\r\nsection for a list of\r\nresources.\r\nChinese state-sponsored cyber actors\r\nhave also been\r\nobserved:\r\nUsing short-term VPS\r\ndevices to scan\r\nand exploit\r\nvulnerable\r\nMicrosoft\r\nExchange®\r\nOutlook Web\r\nAccess\r\n(OWA®) and\r\nplant\r\nwebshells.\r\nTargeting on-premises\r\nIdentity and\r\nAccess\r\nManagement\r\n(IdAM) and\r\nfederation\r\nReview previously published\r\nalerts and advisories from NSA,\r\nCISA, and FBI, and diligently\r\npatch vulnerable applications\r\nknown to be exploited by cyber\r\nactors. 
Refer to the Trends in\r\nChinese State-Sponsored Cyber\r\nOperations section for a non-inclusive list of resources.\r\nAdditional mitigations include:\r\nConsider implementing\r\nWeb Application\r\nFirewalls (WAF), which\r\ncan prevent exploit\r\ntraffic from reaching an\r\napplication.\r\nSegment externally\r\nfacing servers and\r\nservices from the rest of\r\nthe network with a\r\ndemilitarized zone\r\n(DMZ).\r\nUse multi-factor\r\nauthentication (MFA)\r\nwith strong factors and\r\nrequire regular re-authentication.\r\nDisable protocols using\r\nweak authentication.\r\nLimit access to and\r\nbetween cloud resources\r\nwith the desired state\r\nbeing a Zero Trust\r\nmodel. For more\r\ninformation refer to NSA\r\nCybersecurity\r\nInformation Sheet:\r\n[Embracing a Zero Trust\r\nSecurity Model].\r\nHarden:\r\nApplication Hardening\r\n[D3-AH ]\r\nPlatform Hardening\r\nSoftware\r\nUpdate [D3-SU\r\n]\r\nDetect:\r\nFile Analysis [D3-FA\r\n]\r\nNetwork Traffic\r\nAnalysis\r\nClient-server\r\nPayload\r\nProfiling [D3-\r\nCSPP ]\r\nProcess Analysis\r\nProcess Spawn\r\nAnalysis\r\nProcess\r\nLineage\r\nAnalysis [D3-\r\nPLA ]\r\nIsolate: \r\nNetwork Isolation\r\nInbound Traffic\r\nFiltering [D3-\r\nITF ]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 7 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\nservices in\r\nhybrid cloud\r\nenvironments\r\nto gain access\r\nto cloud\r\nresources.\r\nDeploying a\r\npublic proof of\r\nconcept (POC)\r\nexploit\r\ntargeting a\r\npublic-facing\r\nappliance\r\nvulnerability.\r\nWhen possible, use\r\ncloud-based access\r\ncontrols on cloud\r\nresources (e.g., cloud\r\nservice provider (CSP)-\r\nmanaged authentication\r\nbetween virtual\r\nmachines).\r\nUse automated tools to\r\naudit access logs for\r\nsecurity concerns.\r\nWhere possible, enforce\r\nMFA for password\r\nresets.\r\nDo not 
include\r\nApplication Programing\r\nInterface (API) keys in\r\nsoftware version control\r\nsystems where they can\r\nbe unintentionally\r\nleaked.\r\nPhishing [T1566 ]: \r\nSpearphishing\r\nAttachment\r\n[T1566.001\r\n]\r\nSpearphishing\r\nLink\r\n[T1566.002\r\n]\r\nChinese state-sponsored cyber actors\r\nhave been observed\r\nconducting\r\nspearphishing\r\ncampaigns. These\r\nemail compromise\r\nattempts range from\r\ngeneric emails with\r\nmass targeted phishing\r\nattempts to\r\nspecifically crafted\r\nemails in targeted\r\nsocial engineering\r\nlures. \r\nThese compromise\r\nattempts use the cyber\r\nactors’ dynamic\r\ncollection of VPSs,\r\nImplement a user\r\ntraining program and\r\nsimulated spearphishing\r\nemails to discourage\r\nusers from visiting\r\nmalicious websites or\r\nopening malicious\r\nattachments and re-enforce the appropriate\r\nuser responses to\r\nspearphishing emails.\r\nQuarantine suspicious\r\nfiles with antivirus\r\nsolutions.\r\nUse a network intrusion\r\nprevention system (IPS)\r\nto scan and remove\r\nHarden: \r\nMessage Hardening\r\nMessage\r\nAuthentication\r\n[D3-MAN ]\r\nTransfer Agent\r\nAuthentication\r\n[D3-TAAN ]\r\nDetect: \r\nFile Analysis\r\nDynamic\r\nAnalysis [D3-\r\nDA ]\r\nIdentifier Analysis\r\nHomoglyph\r\nDetection [D3-\r\nHD ]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 8 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\npreviously\r\ncompromised\r\naccounts, or other\r\ninfrastructure in order\r\nto encourage\r\nengagement from the\r\ntarget audience\r\nthrough domain typo-squatting and\r\nmasquerading. These\r\nemails may contain a\r\nmalicious link or files\r\nthat will provide the\r\ncyber actor access to\r\nthe victim’s device\r\nafter the user clicks on\r\nthe malicious link or\r\nopens the attachment. 
\r\nmalicious email\r\nattachments.\r\nBlock uncommon file\r\ntypes in emails that are\r\nnot needed by general\r\nusers ( .exe ,\r\n.jar , .vbs )\r\nUse anti-spoofing and\r\nemail authentication\r\nmechanisms to filter\r\nmessages based on\r\nvalidity checks of the\r\nsender domain (using\r\nSender Policy\r\nFramework [SPF]) and\r\nintegrity of messages\r\n(using Domain Keys\r\nIdentified Mail\r\n[DKIM]). Enabling these\r\nmechanisms within an\r\norganization (through\r\npolicies such as Domain-based Message\r\nAuthentication,\r\nReporting, and\r\nConformance\r\n[DMARC]) may enable\r\nrecipients (intra-org and\r\ncross domain) to\r\nperform similar message\r\nfiltering and validation.\r\nDetermine if certain\r\nwebsites that can be\r\nused for spearphishing\r\nare necessary for\r\nbusiness operations and\r\nconsider blocking access\r\nif activity cannot be\r\nmonitored well or if it\r\nposes a significant risk.\r\nURL Analysis\r\n[D3-UA ]\r\nMessage Analysis\r\nSender MTA\r\nReputation\r\nAnalysis [D3-\r\nSMRA ]\r\nSender\r\nReputation\r\nAnalysis [D3-\r\nSRA ]\r\n \r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 9 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\nPrevent users from\r\nclicking on malicious\r\nlinks by stripping\r\nhyperlinks or\r\nimplementing \"URL\r\ndefanging\" at the Email\r\nSecurity Gateway or\r\nother email security\r\ntools.\r\nAdd external sender\r\nbanners to emails to alert\r\nusers that the email\r\ncame from an external\r\nsender.\r\nExternal Remote\r\nServices [T1133 ]\r\nChinese state-sponsored cyber actors\r\nhave been observed:\r\nExploiting\r\nvulnerable\r\ndevices\r\nimmediately\r\nafter\r\nconducting\r\nscans for\r\ncritical zero-day or publicly\r\ndisclosed\r\nvulnerabilities.\r\nThe cyber\r\nactors used or\r\nmodified\r\npublic proof of\r\nconcept code in\r\norder to 
exploit\r\nvulnerable\r\nsystems.\r\nTargeting\r\nMicrosoft\r\nExchange\r\nMany exploits can be\r\nmitigated by applying\r\navailable patches for\r\nvulnerabilities (such as\r\nCVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting\r\nexternal remote services.\r\nReset credentials after\r\nvirtual private network\r\n(VPN) devices are\r\nupgraded and\r\nreconnected to the\r\nexternal network.\r\nRevoke and generate\r\nnew VPN server keys\r\nand certificates (this may\r\nrequire redistributing\r\nVPN connection\r\ninformation to users).\r\nDisable Remote Desktop\r\nProtocol (RDP) if not\r\nrequired for legitimate\r\nbusiness functions.\r\nHarden:\r\nSoftware Update [D3-\r\nSU ]\r\nDetect:\r\nNetwork Traffic\r\nAnalysis\r\nConnection\r\nAttempt\r\nAnalysis [D3-\r\nCAA ]\r\nPlatform Monitoring\r\n[D3-PM ]\r\nProcess Analysis\r\nProcess Spawn\r\nAnalysis [D3-\r\nSPA ]\r\nProcess\r\nLineage\r\nAnalysis\r\n[D3-\r\nPLA ]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 10 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\noffline address\r\nbook (OAB)\r\nvirtual\r\ndirectories\r\n(VDs).\r\nExploiting\r\nInternet\r\naccessible\r\nwebservers\r\nusing webshell\r\nsmall code\r\ninjections\r\nagainst\r\nmultiple code\r\nlanguages,\r\nincluding\r\nnet , asp ,\r\napsx , php ,\r\njapx , and\r\ncfm . 
\r\nNote: refer to the\r\nreferences listed above\r\nin Exploit Public-Facing Application\r\n[T1190 ] for\r\ninformation on CVEs\r\nknown to be exploited\r\nby malicious Chinese\r\ncyber actors.\r\nNote: this technique\r\nalso applies to\r\nPersistence [TA0003\r\n].\r\nRestrict VPN traffic to\r\nand from managed\r\nservice providers\r\n(MSPs) using a\r\ndedicated VPN\r\nconnection.\r\nReview and verify all\r\nconnections between\r\ncustomer systems,\r\nservice provider\r\nsystems, and other client\r\nenclaves.\r\nValid Accounts\r\n[T1078 ]:\r\nDefault\r\nAccounts\r\nChinese state-sponsored cyber actors\r\nhave been observed:\r\ngaining credential\r\nAdhere to best practices\r\nfor password and\r\npermission management.\r\nHarden: \r\nCredential Hardening\r\nMulti-factor\r\nAuthentication\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 11 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDetection and Mitigation\r\nRecommendations\r\n[T1078.001\r\n]\r\nDomain\r\nAccounts\r\n[T1078.002\r\n]\r\naccess into victim\r\nnetworks by using\r\nlegitimate, but\r\ncompromised\r\ncredentials to access\r\nOWA servers,\r\ncorporate login\r\nportals, and victim\r\nnetworks.\r\nNote: this technique\r\nalso applies to\r\nPersistence [TA0003\r\n], Privilege\r\nEscalation [TA0004\r\n], and Defense\r\nEvasion [TA0005 ].\r\nEnsure that MSP\r\naccounts are not\r\nassigned to administrator\r\ngroups and restrict those\r\naccounts to only systems\r\nthey manage\r\nDo not store credentials\r\nor sensitive data in\r\nplaintext.\r\nChange all default\r\nusernames and\r\npasswords.\r\nRoutinely update and\r\nsecure applications using\r\nSecure Shell (SSH).\r\nUpdate SSH keys\r\nregularly and keep\r\nprivate keys secure.\r\nRoutinely audit\r\nprivileged accounts to\r\nidentify malicious use.\r\n[D3-MFA ]\r\nDetect:\r\nUser Behavior\r\nAnalysis [D3-UBA 
]\r\nAuthentication\r\nEvent\r\nThresholding\r\n[D3-ANET ]\r\nJob Function\r\nAccess Pattern\r\nAnalysis [D3-\r\nJFAPA ]\r\nTactics: Execution [TA0002 ]\r\nTable IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations\r\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDefensive Tactics and\r\nTechniques\r\nCommand and\r\nScripting Interpreter\r\n[T1059 ]: \r\nPowerShell®\r\n[T1059.001\r\n]\r\nWindows®\r\nCommand\r\nShell\r\nChinese state-sponsored\r\ncyber actors have been\r\nobserved:\r\nUsing cmd.exe,\r\nJavaScript/Jscript\r\nInterpreter, and\r\nnetwork device\r\ncommand line\r\ninterpreters\r\n(CLI).\r\nPowerShell\r\nTurn on PowerShell\r\nlogging. (Note: this\r\nworks better in newer\r\nversions of PowerShell.\r\nNSA, CISA, and FBI\r\nrecommend using\r\nversion 5 or higher.)\r\nPush Powershell logs\r\ninto a security\r\nHarden: \r\nPlatform Hardening [D3-\r\nPH ]\r\nDetect: \r\nProcess Analysis\r\nScript Execution\r\nAnalysis [D3-\r\nSEA ]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 12 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\nThreat Actor\r\nProcedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDefensive Tactics and\r\nTechniques\r\n[T1059.003\r\n]\r\nUnix® Shell\r\n[T1059.004\r\n]\r\nPython\r\n[T1059.006\r\n]\r\nJavaScript\r\n[T1059.007\r\n]\r\nNetwork\r\nDevice CLI\r\n[T1059.008\r\n]\r\nUsing\r\nPowerShell to\r\nconduct\r\nreconnaissance,\r\nenumeration, and\r\ndiscovery of the\r\nvictim network.\r\nEmploying\r\nPython scripts to\r\nexploit\r\nvulnerable\r\nservers.\r\nUsing a UNIX\r\nshell in order to\r\nconduct\r\ndiscovery,\r\nenumeration, and\r\nlateral movement\r\non Linux®\r\nservers in the\r\nvictim network.\r\ninformation and event\r\nmanagement (SIEM)\r\ntool.\r\nMonitor for suspicious\r\nbehavior and commands.\r\nRegularly evaluate and\r\nupdate blocklists and\r\nallowlists.\r\nUse 
an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.
• Remove PowerShell if it is not necessary for operations.
• Restrict which commands can be used.
Windows Command Shell:
• Restrict use to administrator, developer, or power user systems.
• Consider its use suspicious and investigate, especially if average users run scripts.
• Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled.
• Monitor for and investigate other unusual or suspicious scripting behavior.
Unix:
• Use application controls to prevent execution.
• Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious.
• If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.
Python:
• Audit inventory systems for unauthorized Python installations.
• Blocklist Python where not required.
• Prevent users from installing Python where not required.
JavaScript:
• Turn off or restrict access to unneeded scripting components.
• Blocklist scripting where appropriate.
• For malicious code served up through ads, adblockers can help prevent that code from executing.
Network Device Command Line Interface (CLI):
• Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.
• Use an authentication, authorization, and accounting (AAA) system to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.
• Ensure least privilege principles are applied to user accounts and groups.
Defensive Tactics and Techniques (continued):
• Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Scheduled Task/Job [T1053]: Cron [T1053.003], Scheduled Task [T1053.005]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtasks or crontab, to create and schedule tasks that enumerate victim devices and networks. Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].
Detection and Mitigation Recommendations:
• Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
• Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in %systemroot%\System32\Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.
Defensive Tactics and Techniques:
• Detect: Platform Monitoring: Operating System Monitoring [D3-OSM]: Scheduled Job Analysis [D3-SJA], System Daemon Monitoring [D3-SDM], System File Analysis [D3-SFA]
• Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: User Execution [T1204]: Malicious Link [T1204.001], Malicious File [T1204.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.
Detection and Mitigation Recommendations:
• Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
• Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email.
• Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• Use a domain reputation service to detect and block suspicious or malicious domains.
• Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
• Ensure all browsers and plugins are kept up to date.
• Use modern browsers with security features turned on.
• Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.
Defensive Tactics and Techniques:
• Detect: File Analysis: Dynamic Analysis [D3-DA], File Content Rules [D3-FCR]; Identifier Analysis: Homoglyph Detection [D3-HD], URL Analysis [D3-UA]; Network Traffic Analysis: DNS Traffic Analysis [D3-DNSTA]
• Isolate: Execution Isolation: Hardware-based Process Isolation [D3-HBPI], Executable Allowlisting [D3-EAL]; Network Isolation: DNS Denylisting [D3-DNSDL], Outbound Traffic Filtering [D3-OTF]

Tactics: Persistence [TA0003]
Table V: Chinese state-sponsored
cyber actors’ Persistence TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Hijack Execution Flow [T1574]: DLL Search Order Hijacking [T1574.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Disallow loading of remote DLLs.
• Enable safe DLL search mode.
• Implement tools for detecting search order hijacking opportunities.
• Use application allowlisting to block unknown DLLs.
• Monitor the file system for created, moved, and renamed DLLs.
• Monitor for changes in system DLLs not associated with updates or patches.
• Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).
Defensive Tactics and Techniques:
• Detect: Platform Monitoring: Operating System Monitoring: Service Binary Verification [D3-SBV]; Process Analysis: File Access Pattern Analysis [D3-FAPA]
• Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Modify Authentication Process [T1556]: Domain Controller Authentication [T1556.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. Note: this technique also applies to Defense Evasion [TA0005] and Credential Access [TA0006].
Detection and Mitigation Recommendations:
• Monitor for policy changes to authentication mechanisms used by the domain controller.
• Monitor for modifications to functions exported from authentication DLLs (such as cryptdll.dll and samsrv.dll).
• Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
• Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
• Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
• Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer.
Defensive Tactics and Techniques:
• Detect: Process Analysis [D3-PA]; User Behavior Analysis: Authentication Event Thresholding [D3-ANET], User Geolocation Logon Pattern Analysis [D3-UGLPA]
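The account-behavior checks recommended above (one account on several systems at once, several accounts on one machine at once, logons at odd hours) can each be reduced to a short pass over exported logon sessions. The following is an added example written for this page, not code from the advisory or from NSA, CISA, or FBI; the session layout, host and account names, business hours, and the off-hours allowlist are all assumed, and the sample data is constructed so that each check fires exactly once.

```python
"""Logon-pattern checks for the account-behavior recommendations above.
Added example, not from the advisory. Input layout, host/account names,
business hours and the off-hours allowlist are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed interactive-logon sessions: (account, host, start, end), local time.
SAMPLE_SESSIONS = [
    ("alice",   "WS-01", datetime(2021, 8, 16, 9, 2),   datetime(2021, 8, 16, 17, 30)),
    ("alice",   "WS-07", datetime(2021, 8, 16, 9, 10),  datetime(2021, 8, 16, 9, 40)),   # overlaps WS-01
    ("bob",     "WS-02", datetime(2021, 8, 16, 8, 55),  datetime(2021, 8, 16, 16, 0)),
    ("svc-bkp", "FS-01", datetime(2021, 8, 16, 2, 0),   datetime(2021, 8, 16, 2, 45)),   # expected at night
    ("carol",   "DC-01", datetime(2021, 8, 16, 23, 15), datetime(2021, 8, 16, 23, 50)),  # off-hours on a DC
    ("dave",    "DC-01", datetime(2021, 8, 16, 23, 20), datetime(2021, 8, 16, 23, 45)),  # second account, same DC
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local business hours
OFF_HOURS_ALLOWED = {"svc-bkp"}              # assumed allowlist of nightly service accounts


def _overlap(a, b):
    """True when two sessions (account, host, start, end) share any time."""
    return a[2] < b[3] and b[2] < a[3]


def account_on_multiple_hosts(sessions):
    """Accounts with overlapping sessions on more than one host."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s[0]].append(s)
    flagged = {}
    for account, group in by_account.items():
        hosts = set()
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a[1] != b[1] and _overlap(a, b):
                    hosts.update((a[1], b[1]))
        if hosts:
            flagged[account] = sorted(hosts)
    return flagged


def multiple_accounts_on_host(sessions, threshold=2):
    """Hosts where at least `threshold` distinct accounts were logged on at once."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s[1]].append(s)
    flagged = {}
    for host, group in by_host.items():
        for i, a in enumerate(group):
            concurrent = {a[0]} | {b[0] for b in group[i + 1:] if _overlap(a, b)}
            if len(concurrent) >= threshold:
                flagged[host] = sorted(concurrent)
                break
    return flagged


def off_hours_logons(sessions):
    """Logons starting outside business hours by accounts not expected to do so."""
    start_h, end_h = BUSINESS_HOURS
    return [(acct, host, start.isoformat())
            for acct, host, start, _ in sessions
            if acct not in OFF_HOURS_ALLOWED and not (start_h <= start.time() <= end_h)]


def analyze(sessions=SAMPLE_SESSIONS):
    """Run all three checks; each returns an empty container when nothing is found."""
    return {
        "account_on_multiple_hosts": account_on_multiple_hosts(sessions),
        "multiple_accounts_on_host": multiple_accounts_on_host(sessions),
        "off_hours_logons": off_hours_logons(sessions),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

In production the sessions would come from a SIEM export of logon and logoff events rather than a literal list, and every hit still needs the correlation the advisory describes (badge records, VPN state) before it is treated as more than a lead.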
Detection and Mitigation Recommendations (Modify Authentication Process [T1556], continued):
• Monitor for and correlate changes to Registry entries.

Threat Actor Technique / Sub-Techniques: Server Software Component [T1505]: Web Shell [T1505.003]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.
Detection and Mitigation Recommendations:
• Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
• Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
• Perform integrity checks on critical servers to identify and investigate unexpected changes.
• Have application developers sign their code using digital signatures to verify their identity.
• Identify and remediate web application vulnerabilities or configuration weaknesses.
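The integrity-check recommendation above is most useful when the server's content is compared against a stored known-good manifest rather than inspected by hand, because a dropped web shell is usually one new file among thousands of unchanged ones. The following is an added example, not code from the advisory or from any project it names: it hashes every file under a web root into a manifest, then compares a later snapshot and reports added, removed, and modified paths. The directory layout and file names are constructed in a temporary folder.

```python
"""Known-good baseline check for a web root. Added example, not from the
advisory; the web root contents are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    """Persist the baseline; in practice keep this copy offline or read-only."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return added, removed and modified relative paths as sorted lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny web root, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "htdocs"
        (web / "app").mkdir(parents=True)
        (web / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (web / "app" / "util.php").write_text("<?php function f() {} ?>\n")
        baseline_file = Path(tmp) / "baseline.json"   # outside the web root
        save_manifest(build_manifest(web), baseline_file)

        # Changes after the baseline: one new file in the web root, one edited file.
        (web / "app" / "cache.php").write_text("<?php /* new file */ ?>\n")
        (web / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>\n")

        return compare(load_manifest(baseline_file), build_manifest(web))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison on a schedule and after every deployment; the change-management record should explain every path it reports, and anything it cannot explain is the unexpected change the advisory says to investigate.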
Detection and Mitigation Recommendations (Web Shell [T1505.003], continued):
• Employ regular updates to applications and host operating systems.
• Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts, and control creation and execution of files in particular directories.
• If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
• Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
• Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
• Establish, and back up offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
• Employ user input validation to restrict exploitation of vulnerabilities.
• Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
• Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Client-server Payload Profiling [D3-CSPP], Per Host Download-Upload Ratio Analysis [D3-PHDURA]; Process Analysis: Process Spawn Analysis: Process Lineage Analysis [D3-PLA]
• Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF]

Threat Actor Technique / Sub-Techniques: Create or Modify System Process [T1543]: Windows Service [T1543.003]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence. Note: this technique also applies to Privilege Escalation [TA0004].
Detection and Mitigation Recommendations:
• Only allow authorized administrators to make service changes and modify service configurations.
• Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
• Monitor WMI and PowerShell for service modifications.
Defensive Tactics and Techniques:
• Detect: Process Analysis: Process Spawn Analysis [D3-PSA]

Tactics: Privilege Escalation [TA0004]
Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Domain Policy Modification [T1484]: Group Policy Modification [T1484.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation. Note: this technique also applies to Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
• Monitor directory service changes using Windows event logs to detect GPO modifications.
Detection and Mitigation Recommendations (Group Policy Modification [T1484.001], continued): Several events may be logged for such GPO modifications.
• Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Administrative Network Activity Analysis [D3-ANAA]; Platform Monitoring: Operating System Monitoring: System File Analysis [D3-SFA]

Threat Actor Technique / Sub-Techniques: Process Injection [T1055]: Dynamic Link Library Injection [T1055.001], Portable Executable Injection [T1055.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:
• Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement.
• Using shellcode that injects implants into newly created instances of the Service Host process (svchost).
Note: this technique also applies to Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Use endpoint protection software to block process injection based on behavior of the injection process.
• Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes.
Defensive Tactics and Techniques:
• Isolate: Execution Isolation: Hardware-based Process Isolation [D3-HBPI], Mandatory Access Control [D3-MAC]
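Blocking injection "based on behavior of the injection process", as recommended above, in practice means watching the order of cross-process API calls in endpoint telemetry rather than any single call, since each call on its own is common in debuggers and legitimate tooling. The following is an added example written for this page, not code from the advisory or from any endpoint product: it runs a small per-process state machine over a trace and reports a source process that calls VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread against the same target within a few seconds, while ignoring the same calls when they arrive out of order or too far apart. The trace layout, PIDs, and image names are constructed.

```python
"""Remote-injection call-sequence detection over an API-call trace.
Added example, not from the advisory; telemetry layout, process names and
PIDs are constructed, and a real EDR would supply equivalent fields."""
from collections import defaultdict

# The remote-injection order: allocate in the target, write into it, start a thread there.
SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
WINDOW_SECONDS = 5.0

# Constructed trace: (timestamp, source_pid, source_image, api, target_pid)
SAMPLE_TRACE = [
    (100.0, 4120, "updater.exe",  "OpenProcess",        1337),
    (100.1, 4120, "updater.exe",  "VirtualAllocEx",     1337),
    (100.2, 4120, "updater.exe",  "WriteProcessMemory", 1337),
    (100.3, 4120, "updater.exe",  "CreateRemoteThread", 1337),  # full sequence: alert
    (101.0, 2200, "debugger.exe", "VirtualAllocEx",     3001),
    (101.5, 2200, "debugger.exe", "WriteProcessMemory", 3001),
    (130.0, 2200, "debugger.exe", "CreateRemoteThread", 3001),  # outside the window: no alert
    (140.0, 5555, "svc.exe",      "WriteProcessMemory", 3001),  # out of order: no alert
    (140.1, 5555, "svc.exe",      "VirtualAllocEx",     3001),
    (140.2, 5555, "svc.exe",      "CreateRemoteThread", 3001),
]


def find_injection_sequences(trace, window=WINDOW_SECONDS):
    """Return (source_pid, source_image, target_pid, first_ts) for every
    completed sequence. One state machine per (source, target) pair:
    unrelated calls in between are ignored, and a partial match is dropped
    once more than `window` seconds have passed since its first call."""
    state = defaultdict(lambda: (0, None))   # (source, target) -> (next_index, first_ts)
    hits = []
    for ts, spid, image, api, tpid in sorted(trace, key=lambda e: e[0]):
        key = (spid, tpid)
        idx, first = state[key]
        if first is not None and ts - first > window:
            idx, first = 0, None
        if api == SEQUENCE[idx]:
            if idx == 0:
                first = ts
            idx += 1
            if idx == len(SEQUENCE):
                hits.append((spid, image, tpid, first))
                idx, first = 0, None
        state[key] = (idx, first)
    return hits


if __name__ == "__main__":
    for spid, image, tpid, ts in find_injection_sequences(SAMPLE_TRACE):
        print(f"t={ts}: {image} (pid {spid}) completed the injection sequence against pid {tpid}")
```

The window and the strict ordering are the tuning knobs: widen the window and alerts from legitimate debuggers rise, drop the ordering requirement and any process that touches another's memory will trip it. Keying the state on the (source, target) pair is what keeps a busy source process from blending its calls against several targets into one false sequence.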
Detection and Mitigation Recommendations (Process Injection [T1055], continued):
• Look for DLLs that are not recognized or not normally loaded into a process.
• Monitor for suspicious sequences of Windows API calls such as CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory, and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
• To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.

Tactics: Defense Evasion [TA0005]
Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Deobfuscate/Decode Files or Information [T1140]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.
Detection and Mitigation Recommendations:
• Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
• Consider blocking, disabling, or monitoring use of 7-Zip.
Defensive Tactics and Techniques:
• Detect: Process Analysis: Process Spawn Analysis [D3-PSA]
• Isolate: Execution Isolation: Executable Denylisting [D3-EDL]

Threat Actor Technique / Sub-Techniques: Hide Artifacts [T1564]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.
Detection and Mitigation Recommendations:
• Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
• Monitor event and authentication logs for records of hidden artifacts being used.
• Monitor the file system and shell commands for hidden attribute usage.
Defensive Tactics and Techniques:
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]
• Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Indicator Removal from Host [T1070]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands. Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.
Detection and Mitigation Recommendations:
• Make the environment variables associated with command history read only to ensure that the history is preserved.
• Recognize timestomping by monitoring the contents of important directories and the attributes of the files.
• Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.
• Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove.
Defensive Tactics and Techniques:
• Detect: Platform Monitoring: Operating System Monitoring: System File Analysis [D3-SFA]
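Recognizing timestomping by monitoring file attributes, as recommended above, can begin with one cheap comparison per file: the modification time an adversary can rewrite against a timestamp they cannot. The following is an added example written for this page, not code from the advisory: on POSIX it compares mtime with st_ctime (the inode change time, which a utime()-style back-date moves forward, not backward); on Windows st_ctime is the creation time, and a file "modified" long before it was created is the same kind of anomaly. The threshold and the sample files are assumed and constructed.

```python
"""Timestomp heuristic for a monitored directory. Added example, not from
the advisory; the threshold is an assumption and the sample files are
constructed in a temporary directory."""
import os
import tempfile
import time
from pathlib import Path


def suspicious_mtimes(directory, min_gap_seconds=86400):
    """Return [(relative_path, mtime, ctime)] for files whose mtime is more
    than min_gap_seconds older than st_ctime. Files copied with attributes
    preserved (e.g. cp -p, archive extraction) show the same gap, so treat a
    hit as something to correlate with other evidence, not as proof."""
    root = Path(directory)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            hits.append((str(p.relative_to(root)).replace(os.sep, "/"), st.st_mtime, st.st_ctime))
    return hits


def demo():
    """Constructed scenario: two files written now; one has its mtime pushed
    back a year the way a timestomping tool would. Returns the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc_helper").write_bytes(b"\x00" * 16)
        stomped = root / "bin" / "old_looking"
        stomped.write_bytes(b"\x00" * 16)
        year_ago = time.time() - 365 * 86400
        os.utime(stomped, (year_ago, year_ago))   # back-dates atime/mtime only; ctime moves to now
        return [path for path, _, _ in suspicious_mtimes(root)]


if __name__ == "__main__":
    print("flagged:", demo())
```

The check pairs naturally with the file-handle correlation the advisory describes: a file whose last recorded open for writing is newer than its claimed mtime is the same inconsistency seen from the audit log side.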
Detection and Mitigation Recommendations (Indicator Removal from Host [T1070], continued):
• Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.
• Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise, and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.
Defensive Tactics and Techniques (continued):
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]
• Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Obfuscated Files or Information [T1027]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.
Detection and Mitigation Recommendations:
• Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.
Defensive Tactics and Techniques:
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]

Threat Actor Technique / Sub-Techniques: Signed Binary Proxy Execution [T1218]: Mshta [T1218.005], Rundll32 [T1218.011]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as Rundll32, as a proxy to execute malicious payloads.
Detection and Mitigation Recommendations:
• Monitor processes for the execution of known proxy binaries (e.g., rundll32.exe) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.
Defensive Tactics and Techniques:
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]

Tactics: Credential Access [TA0006]
Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Exploitation for Credential Access [T1212]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.
Detection and Mitigation Recommendations:
• Update and patch software regularly.
• Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.
Defensive Tactics and Techniques:
• Harden: Platform Hardening: Software Update [D3-SU]; Credential Hardening: Multi-factor Authentication [D3-MFA]

Threat Actor Technique / Sub-Techniques: OS Credential Dumping [T1003]: LSASS Memory [T1003.001], NTDS [T1003.003]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active Directory (NTDS.DIT) for credential dumping.
Detection and Mitigation Recommendations:
• Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.DIT.
• Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
• Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.
• Consider disabling or restricting NTLM.
• Consider disabling WDigest authentication.
• Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).
• Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware system requirements.
• Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.
Defensive Tactics and Techniques:
• Harden: Credential Hardening [D3-CH]
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], System Call Analysis [D3-SCA]
• Isolate: Execution Isolation: Hardware-based Process Isolation [D3-HBPI], Mandatory Access Control [D3-MAC]

Tactics: Discovery [TA0007]
Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: File and Directory Discovery [T1083]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.
Detection and Mitigation Recommendations:
• Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.
Defensive Tactics and Techniques:
• Detect: User Behavior Analysis: Job Function Access Pattern Analysis [D3-JFAPA]; Process Analysis: Database Query String Analysis [D3-DQSA], File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]

Threat Actor Technique / Sub-Techniques: Permission Group Discovery [T1069]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network.
Detection and Mitigation Recommendations:
• Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Defensive Tactics and Techniques:
• Detect: Process Analysis: Process Spawn Analysis [D3-PSA], System Call Analysis [D3-SCA]; User Behavior Analysis [D3-UBA]

Threat Actor Technique / Sub-Techniques: Process Discovery [T1057]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices.
Detection and Mitigation Recommendations:
• Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
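The Permission Group Discovery and Process Discovery rows above both ask for process and command-line monitoring, and both note that the individual commands are common. What separates reconnaissance from routine administration is the burst: several different enumeration commands from one user on one host within a minute or two. The following is an added example written for this page, not code from the advisory: it classifies process-creation command lines against the commands the rows name (net group, net localgroup, net user, tasklist, ps, jobs) and raises one alert per cluster of distinct commands inside a time window, at lower severity for accounts known to administer systems. The event layout, host and user names, and thresholds are assumed; the sample events are constructed.

```python
"""Discovery-command burst detection over process-creation events.
Added example, not from the advisory; event layout, host/user names and
the window/threshold values are assumptions, and the events are constructed."""
import re
from collections import defaultdict

# Enumeration commands named in the advisory, matched against the full command line.
DISCOVERY_PATTERNS = [
    ("net group",      re.compile(r"\bnet(?:\.exe)?\s+group\b", re.I)),
    ("net localgroup", re.compile(r"\bnet(?:\.exe)?\s+localgroup\b", re.I)),
    ("net user",       re.compile(r"\bnet(?:\.exe)?\s+user\b", re.I)),
    ("tasklist",       re.compile(r"\btasklist(?:\.exe)?\b", re.I)),
    ("ps",             re.compile(r"(?:^|[/\s])ps\b")),
    ("jobs",           re.compile(r"^\s*jobs\b")),
]

# Constructed process-creation events: (timestamp_seconds, host, user, command_line)
SAMPLE_EVENTS = [
    (0,   "WS-11", "jdoe",    r"C:\Windows\System32\net.exe group"),
    (4,   "WS-11", "jdoe",    r"net localgroup"),
    (9,   "WS-11", "jdoe",    r"tasklist /v"),
    (12,  "WS-11", "jdoe",    r"net user"),
    (30,  "WS-11", "jdoe",    r"notepad.exe notes.txt"),   # not a discovery command
    (100, "WS-11", "itadmin", r"tasklist"),                # one command, no burst
    (500, "SRV-3", "webapp",  r"ps aux"),
    (505, "SRV-3", "webapp",  r"jobs"),                    # two commands, below threshold
]


def classify(cmdline):
    """Label a command line as a known discovery command, or None."""
    for label, rx in DISCOVERY_PATTERNS:
        if rx.search(cmdline):
            return label
    return None


def discovery_bursts(events, window=60, min_distinct=3, admin_users=frozenset()):
    """Group each (host, user)'s discovery commands into clusters that start
    within `window` seconds of the cluster's first command, and report the
    clusters with at least `min_distinct` different commands. Bursts from
    accounts in admin_users are reported with severity 'low'."""
    per_key = defaultdict(list)
    for ts, host, user, cmd in sorted(events, key=lambda e: e[0]):
        label = classify(cmd)
        if label:
            per_key[(host, user)].append((ts, label))
    alerts = []
    for (host, user), seq in per_key.items():
        cluster = []
        for item in seq + [None]:              # the trailing None flushes the last cluster
            if item is not None and (not cluster or item[0] - cluster[0][0] <= window):
                cluster.append(item)
                continue
            labels = sorted({label for _, label in cluster})
            if len(labels) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "first_ts": cluster[0][0], "last_ts": cluster[-1][0],
                               "commands": labels,
                               "severity": "low" if user in admin_users else "high"})
            cluster = [item] if item is not None else []
    return alerts


if __name__ == "__main__":
    for alert in discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The pattern list is deliberately short and literal; in a real deployment it would also cover the WMI and PowerShell equivalents the advisory mentions, and the admin allowlist would come from the directory rather than a constant.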
Defensive Tactics and Techniques (Process Discovery [T1057]):
• Detect: Process Analysis: Process Spawn Analysis [D3-PSA], System Call Analysis [D3-SCA]; User Behavior Analysis [D3-UBA]

Threat Actor Technique / Sub-Techniques: Network Service Scanning [T1046]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information.
Detection and Mitigation Recommendations:
• Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
• Use network intrusion detection and prevention systems to detect and prevent remote service scans such as Nbtscan or nmap.
• Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Connection Attempt Analysis [D3-CAA]
• Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF]

Threat Actor Technique / Sub-Techniques: Remote System Discovery [T1018]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Base64-encoded commands, including ping, net group, and net user, to enumerate target network information.
Detection and Mitigation Recommendations:
• Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.
Defensive Tactics and Techniques:
• Detect: Process Analysis: Process Spawn Analysis [D3-PSA]; User Behavior Analysis: Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Lateral Movement [TA0008]
Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Exploitation of Remote Services [T1210]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.
Detection and Mitigation Recommendations:
• Disable or remove unnecessary services.
• Minimize permissions and access for service accounts.
• Perform vulnerability scanning and update software regularly.
• Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Remote Terminal Session Detection [D3-RTSD]; User Behavior Analysis [D3-UBA]
• Isolate: Execution Isolation: Mandatory Access Control [D3-MAC]

Tactics: Collection [TA0009]
Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Archive Collected Data [T1560]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilized cloud storage services for storage.
Detection and Mitigation Recommendations:
• Scan systems to identify unauthorized archival utilities or methods unusual for the environment.
• Monitor command-line arguments for known archival utilities that are not common in the organization's environment.
Defensive Tactics and Techniques:
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]
• Isolate: Execution Isolation: Executable Denylisting [D3-EDL]

Threat Actor Technique / Sub-Techniques: Clipboard Data [T1115]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors used RDP and executed rdpclip.exe to exfiltrate information from the clipboard.
Detection and Mitigation Recommendations:
• Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g., excessive use of pbcopy/pbpaste (Linux) or clip.exe (Windows) run by general users through command line).
• If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Remote Terminal Session Detection [D3-RTSD]
• Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF], Outbound Traffic Filtering [D3-OTF]

Threat Actor Technique / Sub-Techniques: Data Staged [T1074]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using the mv command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell, prior to compressing and exfiltrating the data from the target network.
Detection and Mitigation Recommendations:
• Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib.
• Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Defensive Tactics and Techniques:
• Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]

Threat Actor Technique / Sub-Techniques: Email Collection [T1114]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes.
Detection and Mitigation Recommendations:
• Audit email auto-forwarding rules for suspicious or unrecognized rulesets.
• Encrypt email using public key cryptography, where feasible.
• Use MFA on public-facing mail servers.
Defensive Tactics and Techniques:
• Harden: Credential Hardening: Multi-factor Authentication [D3-MFA]; Message Hardening: Message Encryption [D3-MENCR]
• Detect: Process Analysis [D3-PA]

Tactics: Command and Control [TA0011]
Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques: Application Layer Protocol [T1071]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:
• Using commercial cloud storage services for command and control.
• Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.
Detection and Mitigation Recommendations:
• Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis: Client-server Payload Profiling [D3-CSPP], File Carving [D3-FC]
• Isolate: Network Isolation: DNS Denylisting [D3-DNSDL]

Threat Actor Technique / Sub-Techniques: Ingress Tool Transfer [T1105]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.
Detection and Mitigation Recommendations:
• Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior.
• Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.
• Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.
Defensive Tactics and Techniques:
• Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF]

Threat Actor Technique / Sub-Techniques: Non-Standard Port [T1571]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis
Detection and Mitigation Recommendations:
• Use signature-based network intrusion detection and prevention
\r\nsystems to identify\r\nadversary malware\r\ncalling back to C2.\r\nConfigure firewalls to\r\nlimit outgoing traffic to\r\nonly required ports\r\nbased on the functions\r\nof that network segment.\r\nAnalyze packet contents\r\nto detect\r\ncommunications that do\r\nnot follow the expected\r\nprotocol behavior for\r\nthe port.\r\nClient-server\r\nPayload\r\nProfiling\r\n[D3-CSPP\r\n]\r\nProtocol\r\nMetadata\r\nAnomaly\r\nDetection\r\n[D3-PMAD\r\n]\r\nIsolate:\r\nNetwork Isolation\r\nInbound\r\nTraffic\r\nFiltering\r\n[D3-ITF ]\r\nOutbound\r\nTraffic\r\nFiltering\r\n[D3-OTF ]\r\nProtocol Tunneling\r\n[T1572 ]\r\nChinese state-sponsored\r\ncyber actors have been\r\nobserved using tools like\r\ndog-tunnel and\r\ndns2tcp.exe to conceal\r\nC2 traffic with existing\r\nnetwork activity. \r\nMonitor systems for\r\nconnections using\r\nports/protocols\r\ncommonly associated\r\nwith tunneling, such as\r\nSSH (port 22). Also\r\nmonitor for processes\r\ncommonly associated\r\nwith tunneling, such as\r\nPlink and the OpenSSH\r\nclient.\r\nAnalyze packet contents\r\nto detect application\r\nlayer protocols that do\r\nDetect: \r\nNetwork Traffic\r\nAnalysis\r\nProtocol\r\nMetadata\r\nAnomaly\r\nDetection\r\n[D3-PMAD\r\n]\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 36 of 38\n\nThreat Actor\r\nTechnique /\r\nSub-Techniques\r\n \r\nThreat Actor Procedure(s)\r\nDetection and Mitigation\r\nRecommendations\r\nDefensive Tactics and\r\nTechniques\r\nnot follow the expected\r\nprotocol standards.\r\nAnalyze network data\r\nfor uncommon data\r\nflows (e.g., a client\r\nsending significantly\r\nmore data than it\r\nreceives from a server) \r\nProxy [T1090 ]: \r\nMulti-Hop\r\nProxy\r\n[T1090.003\r\n]\r\nChinese state-sponsored\r\ncyber actors have been\r\nobserved using a network of\r\nVPSs and small office and\r\nhome office (SOHO)\r\nrouters as part of their\r\noperational infrastructure to\r\nevade detection and host C2\r\nactivity. 
Some of these\r\nnodes operate as part of an\r\nencrypted proxy service to\r\nprevent attribution by\r\nconcealing their country of\r\norigin and TTPs.\r\nMonitor traffic for encrypted\r\ncommunications originating\r\nfrom potentially breached\r\nrouters to other routers within\r\nthe organization. Compare the\r\nsource and destination with the\r\nconfiguration of the device to\r\ndetermine if these channels are\r\nauthorized VPN connections or\r\nother encrypted modes of\r\ncommunication.\r\nAlert on traffic to\r\nknown anonymity\r\nnetworks (such as Tor)\r\nor known adversary\r\ninfrastructure that uses\r\nthis technique.\r\nUse network allow and\r\nblocklists to block\r\ntraffic to known\r\nanonymity networks and\r\nC2 infrastructure.\r\nDetect: \r\nNetwork Traffic\r\nAnalysis\r\nProtocol\r\nMetadata\r\nAnomaly\r\nDetection\r\n[D3-PMAD\r\n]\r\nRelay\r\nPattern\r\nAnalysis\r\n[D3-RPA ]\r\nIsolate: \r\nNetwork Isolation\r\nOutbound\r\nTraffic\r\nFiltering\r\n[D3-OTF ]\r\nAppendix B: MITRE ATT\u0026CK Framework \r\nFigure 2: MITRE ATT\u0026CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors (Click here\r\nfor the downloadable JSON file .) \r\nContact Information\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 37 of 38\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your\r\nlocal FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by\r\ne-mail at CyWatch@fbi.gov . 
When available, please include the following information regarding the incident: date,\r\ntime, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the\r\nname of the submitting company or organization; and a designated point of contact.\r\nTo request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov .\r\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at\r\n410-854-4200 or Cybersecurity_Requests@nsa.gov.\r\nMedia Inquiries / Press Desk:\r\n•    NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov\r\n•    CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov\r\n•    FBI National Press Office, 202-324-3691, npo@fbi.gov\r\nReferences\r\n[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\r\nRevisions\r\nJuly 19, 2021: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-200b\r\nPage 38 of 38",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa21-200b"
	],
	"report_names": [
		"aa21-200b"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439111,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db05552190ef7c4966c2b209bd33d59d53488037.pdf",
		"text": "https://archive.orkl.eu/db05552190ef7c4966c2b209bd33d59d53488037.txt",
		"img": "https://archive.orkl.eu/db05552190ef7c4966c2b209bd33d59d53488037.jpg"
	}
}
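The Collection table in the advisory text above recommends monitoring archival-utility command lines (T1560), correlating clipboard-utility use with other shell activity (T1115), looking for a process that reads from disparate locations and writes everything to one directory (T1074, the File Access Pattern Analysis the D3FEND column names) and watching for mailbox exports (T1114). The following is an added worked example of that host-side logic, not code from the advisory or from CISA: it runs over process-creation and file-access events constructed here in a Sysmon-like shape, and the allowlists, web-root paths and thresholds are assumptions that a real deployment would replace with its own baseline.

```python
"""Detection logic for the host-side Collection TTPs in the tables above:
T1560 (archival utilities and password-protected archives), T1115 (excessive
clipboard-utility use from a shell), T1074 (a process reading from disparate
directories and writing everything to one, web-served, directory) and T1114
(New-MailboxExportRequest run by an unexpected account). Added example; all
events, paths, allowlists and thresholds below are constructed assumptions."""
from collections import Counter, defaultdict
import re

# Constructed process-creation events (Sysmon Event ID 1 shape). Not real telemetry.
PROCESS_EVENTS = [
    {"host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "C:\\Tools\\rar.exe",
     "cmdline": "rar.exe a -r -hpS3cret! C:\\Users\\Public\\q3.rar C:\\Finance\\Q3"},
    {"host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\clip.exe", "cmdline": "clip"},
    {"host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\clip.exe", "cmdline": "clip"},
    {"host": "ws-17", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\clip.exe", "cmdline": "clip"},
    {"host": "exch-01", "user": "CORP\\svc-web", "parent": "w3wp.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c New-MailboxExportRequest -Mailbox ceo "
                "-FilePath \\\\exch-01\\c$\\inetpub\\wwwroot\\aspnet_client\\ceo.pst"},
    {"host": "backup-02", "user": "CORP\\svc-backup", "parent": "services.exe",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a -t7z nightly.7z D:\\Backups"},
]
# Constructed file-access events: (host, pid, operation, path).
FILE_EVENTS = [
    ("exch-01", 4242, "read", "C:\\Finance\\Q3\\forecast.xlsx"),
    ("exch-01", 4242, "read", "C:\\HR\\payroll\\2021.csv"),
    ("exch-01", 4242, "read", "C:\\Engineering\\designs\\asic.pdf"),
    ("exch-01", 4242, "write", "C:\\inetpub\\wwwroot\\aspnet_client\\stage\\forecast.xlsx"),
    ("exch-01", 4242, "write", "C:\\inetpub\\wwwroot\\aspnet_client\\stage\\2021.csv"),
    ("exch-01", 4242, "write", "C:\\inetpub\\wwwroot\\aspnet_client\\stage\\asic.pdf"),
    ("backup-02", 880, "read", "D:\\Backups\\db.bak"),
    ("backup-02", 880, "write", "D:\\Backups\\nightly.7z"),
]

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "zip.exe", "tar.exe", "makecab.exe"}
PASSWORD_SWITCH = re.compile(r"\s-h?p\S+")      # rar -p/-hp and 7z -p produce encrypted archives
CLIPBOARD_TOOLS = {"clip.exe", "pbcopy", "pbpaste", "xclip", "xsel"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
WEB_ROOTS = ("/inetpub/wwwroot", "/frontend/httpproxy/owa/auth")  # assumed web-served directories
ARCHIVE_ALLOWED_USERS = {"CORP\\svc-backup"}   # assumed baseline: archiving is routine for this account
EXCHANGE_ADMINS = {"CORP\\exch-admin"}         # assumed holders of the Mailbox Import Export role
CLIPBOARD_THRESHOLD, STAGING_MIN_SOURCES = 3, 3


def norm(path):
    """Case-fold and use forward slashes so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def analyze_processes(events):
    findings, clip_counts = [], Counter()
    for ev in events:
        exe, user, cmd = norm(ev["image"]).rsplit("/", 1)[-1], ev["user"], ev["cmdline"]
        if exe in ARCHIVERS and user not in ARCHIVE_ALLOWED_USERS:
            pw = " (password-protected archive)" if PASSWORD_SWITCH.search(cmd) else ""
            findings.append(("T1560", ev["host"], f"{exe} run by {user}{pw}"))
        if exe in CLIPBOARD_TOOLS and ev["parent"].lower() in SHELLS:
            clip_counts[(ev["host"], user)] += 1      # only command-line use counts, not GUI apps
        if "new-mailboxexportrequest" in cmd.lower() and user not in EXCHANGE_ADMINS:
            where = " to a web-served path" if any(w in norm(cmd) for w in WEB_ROOTS) else ""
            findings.append(("T1114", ev["host"], f"mailbox export by {user} from {ev['parent']}{where}"))
    for (host, user), n in clip_counts.items():
        if n >= CLIPBOARD_THRESHOLD:
            findings.append(("T1115", host, f"{n} clipboard-utility launches from a shell by {user}"))
    return findings


def analyze_file_access(events):
    """File Access Pattern Analysis: many distinct source trees read, one destination written."""
    reads, writes = defaultdict(set), defaultdict(set)
    for host, pid, op, path in events:
        p = norm(path)
        if op == "read":
            reads[(host, pid)].add("/".join(p.split("/")[:2]))   # drive + top-level directory
        else:
            writes[(host, pid)].add(p.rsplit("/", 1)[0])          # destination directory
    findings = []
    for key, srcs in reads.items():
        dsts = writes.get(key, set())
        if len(srcs) >= STAGING_MIN_SOURCES and len(dsts) == 1:
            dst = next(iter(dsts))
            web = " (web-served)" if any(w in dst for w in WEB_ROOTS) else ""
            findings.append(("T1074", key[0], f"pid {key[1]} read {len(srcs)} source trees, wrote all to {dst}{web}"))
    return findings


def detect(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    return analyze_processes(process_events) + analyze_file_access(file_events)


if __name__ == "__main__":
    for technique, host, detail in detect():
        print(f"{technique:<6} {host:<10} {detail}")
```

The 7z run by the backup service account produces no finding because that account is in the assumed baseline, which is the point of the advisory's "not common in the organization's environment" wording: the same command line is benign or suspicious depending on who runs it and where the output lands. The staging check deliberately keys on the shape of the access pattern (three source trees, one destination) rather than on any particular tool, so a rename of mv or a custom copier is still caught.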
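Table XII's Command and Control rows ask for the same kind of logic on the network side: flag a protocol running on a port where it is not expected (T1571), report egress a segment's firewall policy should not need, find long-lived flows where the client sends far more than it receives and DNS tunnels of the dns2tcp kind (T1572), and alert on traffic to known relay or anonymity-network nodes (T1090.003). The block below is an added worked example of those checks over connection and DNS records constructed here in a Zeek conn.log shape; it is not code from the advisory, and the segment policy, the relay-node list and every threshold are assumptions.

```python
"""Network-side detection logic for the Command and Control TTPs in Table XII:
T1571 (a service identified from payload running on an unexpected port, and
egress that the segment's firewall policy should not allow), T1572 (long-lived
flows where the client sends far more than it receives, and DNS tunnels such
as dns2tcp with long high-entropy labels) and T1090.003 (traffic to known
relay or anonymity-network nodes). Added example over constructed Zeek-style
conn.log and DNS records; the policy, node list and thresholds are assumptions."""
from collections import Counter, defaultdict
import ipaddress
import math

# Constructed connection records (Zeek conn.log fields). Not real traffic.
CONNS = [
    {"src": "10.10.4.21", "dst": "203.0.113.40", "dport": 8443, "service": "ssh",
     "orig_bytes": 120_000, "resp_bytes": 9_000, "duration": 3600},
    {"src": "10.10.4.21", "dst": "198.51.100.7", "dport": 443, "service": "ssl",
     "orig_bytes": 2_000, "resp_bytes": 250_000, "duration": 12},
    {"src": "10.10.9.5", "dst": "192.0.2.10", "dport": 53, "service": "dns",
     "orig_bytes": 900_000, "resp_bytes": 40_000, "duration": 7200},
    {"src": "10.10.4.30", "dst": "198.51.100.99", "dport": 9001, "service": "ssl",
     "orig_bytes": 30_000, "resp_bytes": 28_000, "duration": 600},
]
# Constructed DNS queries: (src, qtype, qname). The tunnel labels are made-up hex strings.
DNS_QUERIES = [("10.10.4.21", "A", "www.example.com"), ("10.10.9.5", "A", "wpad.corp.example")] + [
    ("10.10.9.5", "TXT", f"{label}.t.tunnel-example.net") for label in (
        "7f3a9c2e5b8d1046a2f9c3e7b5d8a1c4", "0b6e4d9a7c2f1e8b3a5d6c4f9e2b7a1d",
        "c8d2f6a1e4b9c3d7a0f5e8b2c6d1a4f9", "3e7b1c9f5a2d8e4c6b0a9f3d7e1c5b8a",
        "a1f4c7e0b3d6a9f2c5e8b1d4a7f0c3e6")]

EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "ssl": {443, 8443}, "dns": {53}}
SEGMENT_EGRESS = {                      # assumed ports each segment needs to reach the Internet
    ipaddress.ip_network("10.10.4.0/24"): {80, 443},   # workstations
    ipaddress.ip_network("10.10.9.0/24"): {443},       # app servers; DNS only via the internal resolver
}
KNOWN_PROXY_NODES = {"198.51.100.99"}   # assumed feed of Tor relays / known multi-hop proxy nodes
ASYM_RATIO, ASYM_MIN_BYTES, ASYM_MIN_SEC = 5.0, 100_000, 300
DNS_MIN_QUERIES, DNS_MIN_LABEL, DNS_MIN_ENTROPY = 5, 20, 3.0


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def analyze_conns(conns):
    out = []
    for c in conns:
        src, dst, port, svc = ipaddress.ip_address(c["src"]), c["dst"], c["dport"], c["service"]
        # T1571: payload-identified protocol does not match the port's expected behaviour
        if svc in EXPECTED_PORTS and port not in EXPECTED_PORTS[svc]:
            out.append(("T1571", c["src"], f"{svc} on non-standard port {port} to {dst}"))
        # Egress policy: the segment's function does not require this port
        for net, ports in SEGMENT_EGRESS.items():
            if src in net and port not in ports:
                out.append(("egress-policy", c["src"], f"port {port} to {dst} not required for {net}"))
        # T1572: long-lived flow where the client sends far more than it receives
        if (c["duration"] >= ASYM_MIN_SEC and c["orig_bytes"] >= ASYM_MIN_BYTES
                and c["orig_bytes"] >= ASYM_RATIO * max(c["resp_bytes"], 1)):
            out.append(("T1572", c["src"], f"asymmetric {svc} flow to {dst}: "
                        f"{c['orig_bytes']} B out, {c['resp_bytes']} B in"))
        # T1090.003: destination is on the relay / anonymity-network node list
        if dst in KNOWN_PROXY_NODES:
            out.append(("T1090.003", c["src"], f"traffic to known relay node {dst}:{port}"))
    return out


def analyze_dns(queries):
    """Group queries by (client, registered domain) and score the leftmost labels."""
    groups = defaultdict(list)
    for src, qtype, qname in queries:
        labels = qname.lower().strip(".").split(".")
        if len(labels) >= 3:
            groups[(src, ".".join(labels[-2:]))].append((qtype, labels[0]))
    out = []
    for (src, domain), recs in groups.items():
        if len(recs) < DNS_MIN_QUERIES:
            continue
        mean_len = sum(len(l) for _, l in recs) / len(recs)
        mean_ent = sum(entropy(l) for _, l in recs) / len(recs)
        if mean_len >= DNS_MIN_LABEL and mean_ent >= DNS_MIN_ENTROPY:
            out.append(("T1572", src, f"possible DNS tunnel to {domain}: {len(recs)} queries, "
                        f"mean label length {mean_len:.0f}, entropy {mean_ent:.1f} bits/char, "
                        f"types {sorted({t for t, _ in recs})}"))
    return out


def detect(conns=CONNS, queries=DNS_QUERIES):
    return analyze_conns(conns) + analyze_dns(queries)


if __name__ == "__main__":
    for technique, src, detail in detect():
        print(f"{technique:<13} {src:<12} {detail}")
```

Several rules firing on one flow is the expected outcome rather than noise: the SSH session on 8443 is flagged once for the port/protocol mismatch, once because the workstation segment has no business reaching 8443, and once for its upload-heavy byte ratio, which is the kind of corroboration the table's Protocol Metadata Anomaly Detection and Outbound Traffic Filtering entries are meant to provide together. The byte-ratio check only looks at flows that last a few minutes and carry a meaningful volume, so ordinary short uploads do not trip it.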