MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Mapping To APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
Details
ATT&CK ID:
G0007
Associated Groups:
APT28, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
Note:
This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique |
Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1001 - Data Obfuscation | There is an opportunity to detect adversary activity that uses obfuscated communication. | DTE0028 - PCAP Collection | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
| T1001 - Data Obfuscation | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
| T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1014 - Rootkit | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0001 - Admin Access | A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit. |
| T1014 - Rootkit | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
| T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
| T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
| T1037 - Boot or Logon Initialization Scripts | There is an opportunity to utilize confirmed good copies of login scripts and restoring on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis. | DTE0006 - Baseline | A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| T1040 - Network Sniffing | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all. |
| T1040 - Network Sniffing | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks. |
| T1040 - Network Sniffing | There is an opportunity to entice the adversary to expose additional TTPs. | DTE0025 - Network Diversity | The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities. |
| T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
| T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
| T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1068 - Exploitation for Privilege Escalation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation. |
| T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
| T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
| T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1074 - Data Staged | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
| T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
| T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
| T1083 - File and Directory Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
| T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
| T1091 - Replication Through Removable Media | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender can monitor systems for the use of removeable media. |
| T1091 - Replication Through Removable Media | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can disable Autorun to prevent malware from automatically executing when removeable media is plugged into a system. |
| T1091 - Replication Through Removable Media | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. | DTE0023 - Migrate Attack Vector | A defender can connect a suspect removeable media device to a decoy system and see what happens when autorun is enabled. |
| T1091 - Replication Through Removable Media | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. | DTE0022 - Isolation | A defender can setup protections so removeable media cannot be mounted until an isolated review process has cleared the drive. |
| T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removal media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
| T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0023 - Migrate Attack Vector | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removal media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
| T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
| T1113 - Screen Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
| T1114 - Email Collection | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
| T1119 - Automated Collection | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner. |
| T1120 - Peripheral Device Discovery | There is an opportunity to gauge an adversary's interest in connected peripheral devices. | DTE0029 - Peripheral Management | A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them. |
| T1120 - Peripheral Device Discovery | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender can plug in a USB drive and see how quickly the adversary notices and inspects it. |
| T1134 - Access Token Manipulation | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system. |
| T1134 - Access Token Manipulation | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions. |
| T1137 - Office Application Startup | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can collect system process information and look for abnormal activity tied to Office processes. |
| T1140 - Deobfuscate/Decode Files or Information | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
| T1190 - Exploit Public-Facing Application | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0017 - Decoy System | A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
| T1190 - Exploit Public-Facing Application | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. | DTE0013 - Decoy Diversity | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
| T1199 - Trusted Relationship | When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect. | DTE0034 - System Activity Monitoring | Defenders can monitor trusted partner access, detecting unauthorized activity. |
| T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
| T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1210 - Exploitation of Remote Services | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
| T1211 - Exploitation for Defense Evasion | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
| T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
| T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system functions calls to look for adversary use and/or abuse. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
| T1221 - Template Injection | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
| T1498 - Network Denial of Service | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. | DTE0026 - Network Manipulation | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
| T1528 - Steal Application Access Token | Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train users on how to recognize and report third-party applications requesting authorization can create "Human Sensors" that help detect application token theft. |
| T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
| T1546 - Event Triggered Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| T1546 - Event Triggered Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution. |
| T1550 - Use Alternate Authentication Material | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
| T1559 - Inter-Process Communication | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc. |
| T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
| T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would. |
| T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
| T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
| T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
| T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
| T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications |
| T1583 - Acquire Infrastructure | There is an opportunity to gain visibility into newly created or previously unknown adversary infrastructure | DTE0021 - Hunting | A defender could use information about an adversary's TTPs in order to monitor for new adversary infrastructure and files. |