MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Mapping To Stealth Falcon
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
Details
ATT&CK ID:
G0038
Associated Groups:
Stealth Falcon
Note:
This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique |
Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1012 - Query Registry | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0011 - Decoy Content | A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing. |
| T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
| T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can restrict network traffic making adversary exfiltration slow or unreliable. |
| T1047 - Windows Management Instrumentation | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
| T1047 - Windows Management Instrumentation | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. | DTE0032 - Security Controls | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
| T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
| T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
| T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1082 - System Information Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
| T1555 - Credentials from Password Stores | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
| T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications |