Mapping To Axiom

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0001
Associated Groups:  Axiom, Group 72
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1001 - Data Obfuscation There is an opportunity to detect adversary activity that uses obfuscated communication. DTE0028 - PCAP Collection A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation.
T1001 - Data Obfuscation There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.
T1003 - OS Credential Dumping There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1021 - Remote Services There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1021 - Remote Services In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service.
T1190 - Exploit Public-Facing Application There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0017 - Decoy System A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.
T1190 - Exploit Public-Facing Application There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. DTE0013 - Decoy Diversity A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.
T1546 - Event Triggered Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
T1546 - Event Triggered Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.