Mapping To APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0005
Associated Groups:  APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1102 - Web Service There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic.
T1203 - Exploitation for Client Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.
T1203 - Exploitation for Client Execution There is an opportunity to discover who or what is being targeting by an adversary. DTE0004 - Application Diversity A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
T1568 - Dynamic Resolution If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. DTE0021 - Hunting A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.
T1568 - Dynamic Resolution An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. DTE0026 - Network Manipulation A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.