Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1120 - Peripheral Device Discovery | There is an opportunity to gauge an adversary's interest in connected peripheral devices. | DTE0029 - Peripheral Management | A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them. |
T1120 - Peripheral Device Discovery | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender can plug in a USB drive and see how quickly the adversary notices and inspects it. |
T1480 - Execution Guardrails | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
T1480 - Execution Guardrails | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in ways they normally would. |
T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
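As an added example (not part of the MITRE Shield mapping and not code from any Equation tooling), the following Python sketches the DTE0007 behavioral analytic from the T1480 row together with the DTE0034 monitoring from the T1564 row: it scans process-creation events for several guardrail-check categories (VM artifacts, connected storage, domain information) occurring on one host within a short window, and separately flags known artifact-hiding commands. The command patterns, window size and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the page): (host, timestamp_sec, command line)
SAMPLE_EVENTS = [
    ("ws01", 100, "systeminfo"),
    ("ws01", 104, "wmic computersystem get manufacturer,model"),
    ("ws01", 109, 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"'),
    ("ws01", 115, "nltest /domain_trusts"),
    ("ws01", 130, "attrib +s +h C:\\Users\\Public\\svc.dll"),
    ("ws02", 200, "systeminfo"),
    ("ws02", 5000, "notepad.exe C:\\notes.txt"),
]

# T1480 guardrail-check categories mapped to command-line patterns (assumed set, not exhaustive).
GUARDRAIL_PATTERNS = {
    "vm_artifacts": re.compile(r"systeminfo|wmic\s+computersystem|wmic\s+bios", re.I),
    "storage_devices": re.compile(r"USBSTOR|wmic\s+(diskdrive|logicaldisk)|Get-PSDrive", re.I),
    "domain_info": re.compile(r"nltest|net\s+group\s+\W?domain|dsquery|whoami\s+/groups", re.I),
}
# T1564: commands commonly used to hide files by setting hidden/system attributes.
HIDE_ARTIFACT_PATTERN = re.compile(r"\battrib\b.*\+[hs]", re.I)


def analyze(events, window=60, min_categories=2):
    """Return {host: finding} where a finding lists guardrail-check categories seen within
    `window` seconds (at least `min_categories` distinct ones) and any hide-artifact commands."""
    by_host = defaultdict(list)
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        by_host[host].append((ts, cmd))
    findings = {}
    for host, evs in by_host.items():
        hide_cmds = [cmd for _, cmd in evs if HIDE_ARTIFACT_PATTERN.search(cmd)]
        guardrail_cats = []
        # Slide a window over the host's timeline; alert on the first window that
        # covers several distinct guardrail-check categories (one category alone is noisy).
        for i, (t0, _) in enumerate(evs):
            cats = set()
            for ts, cmd in evs[i:]:
                if ts - t0 > window:
                    break
                cats.update(name for name, pat in GUARDRAIL_PATTERNS.items() if pat.search(cmd))
            if len(cats) >= min_categories:
                guardrail_cats = sorted(cats)
                break
        if guardrail_cats or hide_cmds:
            findings[host] = {"guardrail_categories": guardrail_cats, "hide_artifact_cmds": hide_cmds}
    return findings
```

On a decoy system where the defender controls which peripherals and domain artifacts exist, the same analytic also records which guardrail the adversary examined first.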