MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Mapping To Lazarus Group
Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
Details
ATT&CK ID:
G0032
Associated Groups:
Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY
Note:
This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique |
Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1001 - Data Obfuscation | There is an opportunity to detect adversary activity that uses obfuscated communication. | DTE0028 - PCAP Collection | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
| T1001 - Data Obfuscation | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
| T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1008 - Fallback Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
| T1010 - Application Window Discovery | There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks. | DTE0004 - Application Diversity | During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time. |
| T1012 - Query Registry | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0011 - Decoy Content | A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing. |
| T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
| T1021 - Remote Services | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1021 - Remote Services | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
| T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
| T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can restrict network traffic making adversary exfiltration slow or unreliable. |
| T1047 - Windows Management Instrumentation | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
| T1047 - Windows Management Instrumentation | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. | DTE0032 - Security Controls | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
| T1048 - Exfiltration Over Alternative Protocol | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
| T1055 - Process Injection | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events. |
| T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
| T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
| T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
| T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
| T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1074 - Data Staged | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
| T1082 - System Information Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
| T1083 - File and Directory Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
| T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
| T1098 - Account Manipulation | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
| T1098 - Account Manipulation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
| T1098 - Account Manipulation | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary's activity. |
| T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
| T1112 - Modify Registry | There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. | DTE0006 - Baseline | A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline. |
| T1112 - Modify Registry | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0034 - System Activity Monitoring | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
| T1124 - System Time Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | If the defender knows the specific regions an adversary is targeting, they can alter the output of commands which return systems times to return data consistent with what an adversary would want to see. |
| T1132 - Data Encoding | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
| T1134 - Access Token Manipulation | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system. |
| T1134 - Access Token Manipulation | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions. |
| T1189 - Drive-by Compromise | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
| T1189 - Drive-by Compromise | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0013 - Decoy Diversity | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
| T1189 - Drive-by Compromise | There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. | DTE0014 - Decoy Network | A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
| T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
| T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system functions calls to look for adversary use and/or abuse. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
| T1485 - Data Destruction | There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
| T1485 - Data Destruction | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on systems so an adversary is unable delete data in ways they normally would. |
| T1485 - Data Destruction | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete. |
| T1489 - Service Stop | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped. |
| T1491 - Defacement | There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites. | DTE0034 - System Activity Monitoring | A defender can monitor websites for unplanned content changes and generate alerts when activity is detected. |
| T1491 - Defacement | There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
| T1496 - Resource Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
| T1529 - System Shutdown/Reboot | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can deploy a decoy system to see if an adversary attempts to shutdown or reboot the device. |
| T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
| T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes. |
| T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
| T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
| T1561 - Disk Wipe | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands that are used to delete files or format drives so they fail when used in a specific manner. |
| T1562 - Impair Defenses | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0004 - Application Diversity | A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system. |
| T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for signs that security tools and other controls are being tampered with by an adversary. |
| T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for modifying GPOs and alert when they are not followed. |
| T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would. |
| T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
| T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
| T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
| T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
| T1571 - Non-Standard Port | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications |