MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Mapping To Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0031
Associated Groups:  Dust Storm
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1083 - File and Directory Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can utilize decoy files and directories to provide content that could be used by the adversary.