APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1027 - Obfuscated Files or Information||In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task.||DTE0017 - Decoy System||A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.|
|T1053 - Scheduled Task/Job||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0001 - Admin Access||A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.|
|T1053 - Scheduled Task/Job||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0017 - Decoy System||A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.|
|T1053 - Scheduled Task/Job||There is an opportunity to create a detection with a moderately high probability of success.||DTE0034 - System Activity Monitoring||A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0034 - System Activity Monitoring||A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.|
|T1070 - Indicator Removal on Host||In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives.||DTE0001 - Admin Access||A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.|
|T1070 - Indicator Removal on Host||There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.||DTE0007 - Behavioral Analytics||A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.|
|T1071 - Application Layer Protocol||There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.||DTE0027 - Network Monitoring||The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.|
|T1078 - Valid Accounts||There is an opportunity to introduce user accounts that are used to make a system look more realistic.||DTE0010 - Decoy Account||A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.|
|T1078 - Valid Accounts||There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.||DTE0012 - Decoy Credentials||A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.|
|T1078 - Valid Accounts||There is an opportunity to prepare user accounts so they look used and authentic.||DTE0008 - Burn-In||A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.|
|T1082 - System Information Discovery||There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.||DTE0011 - Decoy Content||A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.|
|T1083 - File and Directory Discovery||There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.||DTE0011 - Decoy Content||A defender can utilize decoy files and directories to provide content that could be used by the adversary.|
|T1105 - Ingress Tool Transfer||There is an opportunity to collect network data and analyze the adversary activity it contains.||DTE0028 - PCAP Collection||Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.|
|T1133 - External Remote Services||There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them access your network via remote services.||DTE0017 - Decoy System||A defender can setup a decoy VPN server and see if an adversary attempts to use valid account to authenticate to it.|
|T1547 - Boot or Logon Autostart Execution||There is an opportunity to use tools and controls to stop an adversary's activity.||DTE0006 - Baseline||A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.|