Mapping To Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0004
Associated Groups:  Ke3chang, APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1003 - OS Credential Dumping There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1007 - System Service Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1007 - System Service Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could manipulate the command to display services an adversary would expect to see on a system, or to shown them unexpected services.
T1016 - System Network Configuration Discovery There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
T1018 - Remote System Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can change the output of a recon commands to hide simulation elements you don’t want attacked and present simulation elements you want the adversary to engage with.
T1018 - Remote System Discovery In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process. DTE0011 - Decoy Content A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device.
T1021 - Remote Services There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1021 - Remote Services In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service.
T1036 - Masquerading There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
T1041 - Exfiltration Over C2 Channel There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. DTE0026 - Network Manipulation A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols.
T1041 - Exfiltration Over C2 Channel There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. DTE0026 - Network Manipulation A defender can restrict network traffic making adversary exfiltration slow or unreliable.
T1049 - System Network Connections Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.
T1056 - Input Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1069 - Permission Groups Discovery In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. DTE0036 - Software Manipulation A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1083 - File and Directory Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can utilize decoy files and directories to provide content that could be used by the adversary.
T1087 - Account Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.
T1087 - Account Discovery In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. DTE0010 - Decoy Account During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.
T1087 - Account Discovery There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. DTE0013 - Decoy Diversity A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.
T1114 - Email Collection There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
T1133 - External Remote Services There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them access your network via remote services. DTE0017 - Decoy System A defender can setup a decoy VPN server and see if an adversary attempts to use valid account to authenticate to it.
T1213 - Data from Information Repositories In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1213 - Data from Information Repositories In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1558 - Steal or Forge Kerberos Tickets There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0025 - Network Diversity A defender can setup networks that use Kerberos authentication and systems that authenticate using it. This gives you a chance to see if an adversary has the capacity to steal or forge Kerberos tickets for lateral movement.
T1558 - Steal or Forge Kerberos Tickets In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets. DTE0032 - Security Controls A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs.
T1560 - Archive Collected Data There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.
T1569 - System Services There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1569 - System Services There is an opportunity to create a detection with a moderately high probability of success. DTE0033 - Standard Operating Procedure A defender can define operating procedures for adding services and alert when they are not followed.