APT20, associated with Operation Wocao, is a suspected China-based cyber-espionage group that targets government entities, managed service providers and a wide variety of industries, including construction and engineering, non-profit organizations, defense, energy, health care and high-tech, in ten countries, including Thailand, the USA and countries in East Asia.
To evade defenses, the group is known to install a root certificate in the local Windows certificate store.
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | VT0020 | .001 | Remote Services: SSH | APT20 uses SSH to move laterally within the victim's network. |
| Enterprise | VT0016 | .001 | Subvert Trust Controls: Install Root Certificate | APT20 installs a root certificate on the victim's machine to evade defenses. |
| Enterprise | VT0017 | .004 | Unsecured Credentials: Private Keys | APT20 uses tools such as Mimikatz to dump credentials and private keys from the victim's machine, then uses those valid credentials and keys to log in to remote services such as SSH and move laterally among its victims. |

| ID | Name | Use | Techniques |
|---|---|---|---|
| VS0004 | Mimikatz | APT20 uses Mimikatz to extract keys and credentials from victim machines in order to perform lateral movement. | Account Manipulation, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Unsecured Credentials: Private Keys |
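As an added example (not part of the original page or of any reporting on APT20), the Python below hunts constructed Sysmon-style events for the two artifacts a machine-wide root certificate install leaves on Windows: a new `Blob` value written under `HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>` (Sysmon Event ID 13, registry value set) and `certutil -addstore` against the `Root` store (Sysmon Event ID 1, process creation). The baseline of processes allowed to write the store, and every event in `SAMPLE_EVENTS`, are assumptions constructed for this example and should be tuned to the environment.

```python
"""Hunt constructed Sysmon-style events for root certificate installation.

Observables (machine-wide trusted root store, LocalMachine\\Root):
  * Sysmon EID 13: value set on ...\\SystemCertificates\\Root\\Certificates\\<sha1>\\Blob
  * Sysmon EID 1 : certutil.exe [-f] -addstore Root <file>
"""
import re
from dataclasses import dataclass

# Registry path of the LocalMachine trusted root store; the key name is the
# SHA-1 thumbprint (40 hex chars) of the certificate being written.
ROOT_STORE_RE = re.compile(
    r"\\SystemCertificates\\Root\\Certificates\\([0-9A-F]{40})\\Blob$", re.IGNORECASE
)

# certutil adding to the Root store, with or without -f / quotes around the store name.
CERTUTIL_ADDSTORE_RE = re.compile(r"-addstore\s+(?:-f\s+)?\"?root\b", re.IGNORECASE)

# Assumption for this example: processes Windows itself uses to maintain the
# root store (automatic root update runs inside svchost). Tune per environment.
BENIGN_ROOT_WRITERS = {r"c:\windows\system32\svchost.exe"}


@dataclass
class Finding:
    event_id: int
    host: str
    reason: str
    thumbprint: str = ""


def check_registry_event(ev):
    """EID 13: flag Blob writes into the Root store by non-baseline processes."""
    m = ROOT_STORE_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None  # some other key, e.g. the personal (My) store
    if ev.get("Image", "").lower() in BENIGN_ROOT_WRITERS:
        return None
    return Finding(13, ev["Computer"],
                   f"root store written by {ev['Image']}", m.group(1).upper())


def check_process_event(ev):
    """EID 1: flag certutil invocations that add a certificate to the Root store."""
    if not ev.get("Image", "").lower().endswith("certutil.exe"):
        return None
    if CERTUTIL_ADDSTORE_RE.search(ev.get("CommandLine", "")):
        return Finding(1, ev["Computer"], f"certutil root store add: {ev['CommandLine']}")
    return None


def hunt(events):
    """Run both checks over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        f = None
        if ev["EventID"] == 13:
            f = check_registry_event(ev)
        elif ev["EventID"] == 1:
            f = check_process_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real events); thumbprints are made up.
BENIGN_TP = "0123456789ABCDEF0123456789ABCDEF01234567"
ROGUE_TP = "DEADBEEF" * 5
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\%s\Blob" % BENIGN_TP},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\%s\Blob" % ROGUE_TP},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil.exe -addstore -f Root C:\Users\Public\ca.cer'},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -encode in.bin out.txt"},
    {"EventID": 13, "Computer": "WS03", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\%s\Blob" % ROGUE_TP},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[EID {f.event_id}] {f.host}: {f.reason} {f.thumbprint}".rstrip())
```

The registry check is the one worth keeping even if the command-line check is noisy: the store can be written through the CryptoAPI directly (or via PowerShell's `Import-Certificate`) without `certutil` ever appearing, but every machine-wide root install still lands under that `Root\Certificates\<thumbprint>\Blob` path. A surviving thumbprint can then be pulled from the store and compared against the expected vendor and enterprise CAs.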
Created: 02 May 2021
Last Modified: 03 May 2021