APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1102 - Web Service||There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.||DTE0007 - Behavioral Analytics||A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic.|
|T1203 - Exploitation for Client Execution||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0017 - Decoy System||A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.|
|T1203 - Exploitation for Client Execution||There is an opportunity to discover who or what is being targeting by an adversary.||DTE0004 - Application Diversity||A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications.|
|T1204 - User Execution||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0018 - Detonate Malware||A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.|
|T1566 - Phishing||A phishing email can be detected and blocked from arriving at the intended recipient.||DTE0019 - Email Manipulation||A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.|
|T1566 - Phishing||A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.||DTE0023 - Migrate Attack Vector||A defender can move suspicious emails to a decoy system prior to opening and examining the email.|
|T1566 - Phishing||Users trained and encouraged to report phishing can detect attacks that other defenses do not.||DTE0035 - User Training||A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.|
|T1566 - Phishing||There is an opportunity to discover who or what is being targeting by an adversary.||DTE0015 - Decoy Persona||A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.|
|T1568 - Dynamic Resolution||If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools.||DTE0021 - Hunting||A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.|
|T1568 - Dynamic Resolution||An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure.||DTE0026 - Network Manipulation||A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.|