APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1583 - Acquire Infrastructure||There is an opportunity to gain visibility into newly created or previously unknown adversary infrastructure||DTE0021 - Hunting||A defender could use information about an adversary's TTPs in order to monitor for new adversary infrastructure and files.|
|T1585 - Establish Accounts||Users trained and encouraged to report phishing can detect attacks that other defenses do not.||DTE0035 - User Training||A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.|