Mapping To Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0044
Associated Groups:  Winnti Group, Blackfly
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1014 - Rootkit There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0001 - Admin Access A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.
T1014 - Rootkit In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. DTE0032 - Security Controls In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1553 - Subvert Trust Controls There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0032 - Security Controls In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.
T1553 - Subvert Trust Controls There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.