Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1003 - OS Credential Dumping||There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.||DTE0012 - Decoy Credentials||A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.|
|T1007 - System Service Discovery||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0003 - API Monitoring||A defender can monitor and analyze operating system functions calls for detection and alerting.|
|T1007 - System Service Discovery||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender could manipulate the command to display services an adversary would expect to see on a system, or to shown them unexpected services.|
|T1036 - Masquerading||There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.||DTE0007 - Behavioral Analytics||A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.|
|T1049 - System Network Connections Discovery||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.|
|T1057 - Process Discovery||DTE0036 - Software Manipulation||A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.|
|T1057 - Process Discovery||There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment.||DTE0016 - Decoy Process||A defender can run decoy processes on a system to entice an adversary.|
|T1059 - Command and Scripting Interpreter||DTE0036 - Software Manipulation||A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.|
|T1059 - Command and Scripting Interpreter||DTE0036 - Software Manipulation||A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.|
|T1059 - Command and Scripting Interpreter||DTE0034 - System Activity Monitoring||A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.|
|T1087 - Account Discovery||DTE0036 - Software Manipulation||A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.|
|T1087 - Account Discovery||In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process.||DTE0010 - Decoy Account||During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.|
|T1087 - Account Discovery||There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in.||DTE0013 - Decoy Diversity||A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.|