PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
| T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
| T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
| T1189 - Drive-by Compromise | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
| T1189 - Drive-by Compromise | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0013 - Decoy Diversity | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, etc. to determine whether every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
| T1189 - Drive-by Compromise | There is an opportunity to use a compromised drive-by site to start long-term engagement with the adversary and observe the adversary's post-exploit TTPs. | DTE0014 - Decoy Network | A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1205 - Traffic Signaling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for, and alert on, anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes. |
| T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
| T1553 - Subvert Trust Controls | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
| T1553 - Subvert Trust Controls | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
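The DTE0007 use case for T1036 (Masquerading) above describes two checks: known files running from non-standard locations, and known files creating anomalous processes. The following is an added example, not code from MITRE Shield or from any PROMETHIUM reporting. It applies both checks to a handful of constructed process-creation events; the expected directories and expected parent processes are assumptions based on a default Windows layout and would be tuned per environment.

```python
"""Behavioral check for masqueraded binaries over process-creation events.

Added example (not from the MITRE Shield page). Input is a list of
constructed events; on a real host these would come from Sysmon Event ID 1
or Windows Security Event 4688.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: where these well-known binaries live on a default install.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumption: system processes that are only ever started by one parent.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of the process that created it


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def analyze(event: ProcessEvent) -> list:
    """Return a list of finding strings; empty when nothing looks anomalous."""
    findings = []
    name = _name(event.image)
    directory = _dir(event.image)
    parent = _name(event.parent_image)
    # Check 1: a well-known file name executed from a non-standard directory.
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(f"{name} executed from non-standard location {directory}")
    # Check 2: a well-known system process started by an unexpected parent.
    if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
        findings.append(f"{name} spawned by unexpected parent {parent}")
    return findings


def scan(events) -> dict:
    """Map each anomalous image path to its findings (benign events omitted)."""
    return {e.image: analyze(e) for e in events if analyze(e)}


# Constructed sample events: one benign, one benign LOLBin use, two masquerades.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\ProgramData\lsass.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Both checks are allow-list style, so they produce no alert for the benign `svchost.exe` and `rundll32.exe` events and two findings each for the copies planted under `C:\Users\Public` and `C:\ProgramData`. Path comparison is done case-insensitively because NTFS paths are.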
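The DTE0006 use case for T1547 (Boot or Logon Autostart Execution) above relies on keeping a known-good copy of registry startup entries and restoring it regularly. The following is an added example, not code from MITRE Shield. It compares a stored baseline of `Run` key values against a current snapshot, reports what was added or changed, and produces the set of deletes and writes needed to return to the baseline. The snapshots here are constructed dictionaries so the example runs on any platform; the `snapshot_run_key` helper that reads a live key with `winreg` is included for Windows hosts but is not exercised by the sample data.

```python
"""Baseline-and-restore for registry autostart (Run key) entries.

Added example (not from the MITRE Shield page). Snapshots are plain dicts of
value name -> command line, which is all a Run key holds.
"""

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def snapshot_run_key(hive_name: str = "HKLM") -> dict:
    """Read the live Run key on Windows. Not used by the sample data below."""
    import winreg  # Windows-only; imported lazily so the rest runs anywhere
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(hive, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values[name] = data
            index += 1
    return values


def diff_autostart(baseline: dict, current: dict) -> dict:
    """Compare a current snapshot to the known-good baseline."""
    added = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and v != baseline[k]}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return {"added": added, "changed": changed, "removed": removed}


def restore_plan(baseline: dict, current: dict):
    """Return (values to delete, values to write) that restore the baseline."""
    d = diff_autostart(baseline, current)
    delete = sorted(d["added"])
    write = {k: baseline[k] for k in list(d["changed"]) + list(d["removed"])}
    return delete, write


# Constructed baseline captured from a clean host.
BASELINE = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Constructed current snapshot: one entry repointed, one entry newly added.
CURRENT = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\Public\update.exe",
    "Updater": r"C:\ProgramData\svc\run.exe",
}

if __name__ == "__main__":
    report = diff_autostart(BASELINE, CURRENT)
    for kind, entries in report.items():
        for name, value in entries.items():
            print(f"{kind}: {name} -> {value}")
    delete, write = restore_plan(BASELINE, CURRENT)
    print("delete:", delete)
    print("rewrite:", write)
```

The diff is what gets alerted on; the restore plan is what a scheduled task would apply. Alert before restoring, since silently reverting the value destroys the evidence of which command the adversary tried to persist.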