Mapping To CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0052
Associated Groups: CopyKittens
Note: This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system function calls to look for adversary use and/or abuse.
T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code that leverages a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.
T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting.
T1553 - Subvert Trust Controls | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.
T1553 - Subvert Trust Controls | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting.
T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.
T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in the ways they normally would.
T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.
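The System Activity Monitoring use cases above (processes spawned by scripts for T1059, signed proxy binaries for T1218, and commands that hide artifacts for T1564) say what to watch for but not how. The following is an added example, not part of the MITRE Shield page and not CopyKittens tooling: a small Python monitor that applies those three checks to process-creation events. The interpreter and proxy-binary lists, the hide-artifact patterns, the severity rule, and the Sysmon-style event records are all assumptions constructed for illustration.

```python
"""Added example (not from MITRE Shield or the CopyKittens page): a small
process-creation monitor implementing the System Activity Monitoring use
cases mapped above for T1059, T1218 and T1564. The events below are
constructed Sysmon-style records embedded inline so the script runs offline."""
import json
import re

# Command and script interpreters (T1059). Assumption: illustrative list only.
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Signed Windows binaries commonly abused as execution proxies (T1218). Illustrative.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}
# Command-line markers for hiding artifacts (T1564). Illustrative.
HIDE_PATTERNS = [
    re.compile(r"\battrib\b.*\+[hs]", re.IGNORECASE),          # hidden/system file attribute
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),  # hidden PowerShell window
]


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return a list of (technique, reason) findings for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if parent in SCRIPT_INTERPRETERS:
        findings.append(("T1059", f"{parent} spawned {image}"))
    if image in PROXY_BINARIES:
        findings.append(("T1218", f"signed proxy binary {image} executed"))
    for pat in HIDE_PATTERNS:
        if pat.search(cmdline):
            findings.append(("T1564", "hide-artifact marker in command line"))
            break
    return findings


def severity(findings):
    """Assumed triage rule: a proxy binary launched from a script, or any hide-artifact
    command, is worth an alert; a proxy binary on its own (e.g. msiexec under the
    Installer service) is routine on most hosts and only worth recording."""
    techniques = {t for t, _ in findings}
    if {"T1059", "T1218"} <= techniques or "T1564" in techniques:
        return "high"
    return "low"


def scan(lines):
    """Parse JSON-lines events; return {ProcessId: findings} for events that match."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the monitor
        found = classify(ev)
        if found:
            hits[ev["ProcessId"]] = found
    return hits


# Constructed sample events (not real telemetry). Paths use JSON-escaped backslashes.
SAMPLE_EVENTS = [
    r'{"ProcessId": 101, "Image": "C:\\Program Files\\Office\\winword.exe", '
    r'"ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "winword.exe report.docx"}',
    r'{"ProcessId": 102, "Image": "C:\\Windows\\System32\\rundll32.exe", '
    r'"ParentImage": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "rundll32.exe C:\\Users\\Public\\a.dll,Start"}',
    r'{"ProcessId": 103, "Image": "C:\\Windows\\System32\\attrib.exe", '
    r'"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "attrib +s +h C:\\Users\\Public\\a.dll"}',
    r'{"ProcessId": 104, "Image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "msiexec.exe /V"}',
    "not json at all",
]

if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        print(pid, severity(found), found)
```

The T1218 check on its own is deliberately noisy, which is why the severity rule only raises it when the proxy binary is launched from an interpreter; in production the parent-process context and the command line (for example a DLL loaded from a user-writable path, as in event 102) are what separate adversary use from routine installer activity.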