Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1027 - Obfuscated Files or Information||In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task.||DTE0017 - Decoy System||A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.|
|T1055 - Process Injection||In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement.||DTE0032 - Security Controls||A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.|
|T1547 - Boot or Logon Autostart Execution||There is an opportunity to use tools and controls to stop an adversary's activity.||DTE0006 - Baseline||A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.|
|T1562 - Impair Defenses||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0004 - Application Diversity||A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system.|
|T1562 - Impair Defenses||There is an opportunity to create a detection with a moderately high probability of success.||DTE0034 - System Activity Monitoring||A defender can monitor for signs that security tools and other controls are being tampered with by an adversary.|
|T1562 - Impair Defenses||There is an opportunity to create a detection with a moderately high probability of success.||DTE0033 - Standard Operating Procedure||A defender can define operating procedures for modifying GPOs and alert when they are not followed.|