
Active and Passive Mandiant APT1 Detection

The Mandiant® Intelligence Center™ recently released a report exposing APT1's multi-year, enterprise-scale computer espionage campaign. Mandiant considers APT1, one of China's most persistent cyber espionage groups, to be one of the most prolific in terms of sheer quantity of information stolen.

I read the Mandiant APT1 report with a great deal of interest. There was a tremendous amount of detail in the report about attacker techniques, indicators of compromise, and who the adversaries could possibly be. What I found most interesting, though, was the large amount of technical detail provided about the indicators of compromise – domain names, SSL certificates, file hashes, and more. Yesterday, Tenable's research team turned this information into a wide variety of reporting and detection tools, which are now available in Nessus and SecurityCenter.

Malicious Process Detection: APT1 Software Running

This new Nessus plugin extends the hash lookup process for malware introduced last year to also include the APT1 hashes reported by Mandiant. This plugin requires credentials and tests Windows systems.

APT1-related SSL Certificate Detected

This new Nessus plugin extends the extensive SSL certificate testing performed by Nessus to also include those reported by Mandiant. The SSL certificates in the APT1 report were for command and control.

APT1 Configuration Audit File

This audit file detects possible infections by several of the malware items identified by Mandiant. It includes checks for 32 of the malware variants identified in Appendix C: The Malware Arsenal. The audit file uses a combination of registry checks and file system checks to find hosts that are likely at risk or already infected.
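The hash lookup plugin and the audit file above both reduce to the same host-side logic: walk the file system, hash what you find, and compare against a published indicator list, with a second pass for known filenames. The script below is an added example of that logic and is not Tenable's plugin or audit-file code. The indicator set it uses is constructed (the hash is derived from a sample byte string, the filename is invented) because the real APT1 hashes live in Mandiant's Appendix C and are not reproduced here; a real deployment would load that list instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed indicator set. These are NOT the APT1 hashes or filenames from
# Mandiant's Appendix C; they are stand-ins derived from the sample bytes
# below so the example runs offline. A real deployment loads the published list.
SAMPLE_MALICIOUS = b"constructed stand-in for an APT1-family executable"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used to build the constructed IOC set)."""
    return hashlib.sha256(data).hexdigest()


IOC_HASHES = {sha256_bytes(SAMPLE_MALICIOUS): "CONSTRUCTED-FAMILY-A"}
IOC_FILENAMES = {"constructed_dropper.exe": "CONSTRUCTED-FAMILY-B"}


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path) -> list:
    """Walk root and report every file matching a known hash or a known filename.

    Filename matching is case-insensitive because the targets are Windows hosts,
    whose file systems do not distinguish case.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = hash_file(path)
        if digest in IOC_HASHES:
            findings.append({"path": rel, "match": "hash", "family": IOC_HASHES[digest]})
        name = path.name.lower()
        if name in IOC_FILENAMES:
            findings.append({"path": rel, "match": "filename", "family": IOC_FILENAMES[name]})
    return findings


def demo() -> list:
    """Build a throwaway tree with one clean file and two indicator hits, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.txt").write_bytes(b"benign content")
        (root / "sub").mkdir()
        (root / "sub" / "payload.bin").write_bytes(SAMPLE_MALICIOUS)   # hash hit
        (root / "Constructed_Dropper.exe").write_bytes(b"unrelated")   # filename hit
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Hash matches are the high-confidence signal; a filename match on its own only says the host deserves a closer look, which is why the two match types are reported separately rather than merged into one verdict.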

Mandiant APT1 SSL Connection Activity Report

The SecurityCenter report leverages the Tenable Passive Vulnerability Scanner's ability to identify the certificate name used in SSL network connections. These real-time logs are sent to the Tenable Log Correlation Engine, where they are summarized in an "SSL_Cert_Summary" event. Searching these events provides an efficient way to find historical APT1 SSL activity.
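The passive side of this is a search over certificate-summary events for names on a watchlist. The script below is an added example of that search, not Tenable's report or LCE code. The log lines are constructed and their key=value layout is an assumption for the example, not the real "SSL_Cert_Summary" format; the watchlist entry is likewise a placeholder standing in for the certificate names in the Mandiant report. It goes slightly beyond the exact-name lookup in the text by also matching subdomains of a listed name and by supporting a "since" cut-off for historical searches.

```python
import re
from datetime import datetime

# Constructed events. The key=value shape and field names are assumptions for
# this example and are NOT the real LCE SSL_Cert_Summary format.
SAMPLE_EVENTS = [
    '2013-02-19T08:12:44Z event=SSL_Cert_Summary src=10.1.2.30 dst=198.51.100.14 dport=443 cn="www.example.com" issuer="Example CA"',
    '2013-02-19T09:01:10Z event=SSL_Cert_Summary src=10.1.2.57 dst=203.0.113.88 dport=443 cn="constructed-c2.test" issuer="constructed-c2.test"',
    '2013-02-20T14:22:05Z event=SSL_Cert_Summary src=10.1.2.30 dst=203.0.113.91 dport=8443 cn="mail.constructed-c2.test" issuer="constructed-c2.test"',
    '2013-02-20T15:00:00Z event=DNS_Query src=10.1.2.57 name=update.example.com',
]

# Constructed watchlist; a placeholder for the certificate names in the APT1 report.
WATCHLIST_CN = {"constructed-c2.test"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# key=value where value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one log line into a dict of fields; returns {} for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = {"ts": m.group("ts")}
    for key, _whole, quoted, bare in KV_RE.findall(m.group("kv")):
        fields[key] = quoted if quoted else bare
    return fields


def cn_matches(cn: str, watchlist: set) -> bool:
    """True when cn, or any parent domain of cn, is on the watchlist."""
    labels = cn.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def find_apt_ssl_activity(lines, watchlist=WATCHLIST_CN, since=None) -> list:
    """Return the SSL_Cert_Summary events whose certificate name is on the watchlist.

    Non-SSL events are skipped, and an optional datetime lower bound supports
    the kind of historical search the report describes.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "SSL_Cert_Summary":
            continue
        if since is not None:
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            if ts < since:
                continue
        if cn_matches(ev.get("cn", ""), watchlist):
            hits.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"], "cn": ev["cn"]})
    return hits


if __name__ == "__main__":
    for hit in find_apt_ssl_activity(SAMPLE_EVENTS):
        print(hit)
```

The value of the output is the src column: each hit names an internal host that completed a TLS handshake with a certificate the report ties to command and control, which is the list an incident responder wants first.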

I'd like to thank Mandiant for sharing this sort of information and encourage this type of reporting and research.
