PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
| --- | --- | --- | --- |
| T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations, or for files that are creating anomalous processes or connections. |
| T1055 - Process Injection | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender could implement security controls that affect process injection techniques, such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events. |
| T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
| T1068 - Exploitation for Privilege Escalation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation. |
| T1095 - Non-Application Layer Protocol | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of non-standard protocols. By implementing behavioral analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary. |
| T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1189 - Drive-by Compromise | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
| T1189 - Drive-by Compromise | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0013 - Decoy Diversity | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, etc. to determine whether every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
| T1189 - Drive-by Compromise | There is an opportunity to use a compromised drive-by site to start a long-term engagement with the adversary and observe the adversary's post-exploit TTPs. | DTE0014 - Decoy Network | A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors, or potentially engage with the adversary to obtain further intelligence. |
| T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent delivery to the intended target. |
| T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
| T1566 - Phishing | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
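The T1003 / DTE0012 row above describes seeding decoy credentials and alerting when they are used. The following is an added example of the alerting half, written for this page and not taken from MITRE Shield or any PLATINUM reporting: it scans simplified authentication log lines for any event that names a decoy account, since such accounts have no legitimate use and every attempt with them is worth an alert. The decoy account names, the log format and the log lines are all constructed for illustration; a real deployment would read Windows Security events (4624, 4625, 4768 and similar) from the SIEM rather than from a string.

```python
"""Decoy-credential (honeytoken) use alerting in the style of DTE0012.

Added example for this mapping page; not MITRE Shield code. The account
names, log line format and log contents below are constructed.
"""
import re
from dataclasses import dataclass

# Accounts seeded as decoys (constructed names). They are never used by a
# legitimate process, so any authentication attempt naming them is an alert.
DECOY_ACCOUNTS = {"svc_backup_old", "finance_share_admin"}

# Constructed log lines in a simplified Windows security-event style.
# One source address (10.0.1.77) tries two different decoy accounts.
SAMPLE_LOG = """\
2021-03-02T10:15:01Z host=FS01 event=4624 user=alice src=10.0.1.20 logon_type=3
2021-03-02T10:16:44Z host=FS01 event=4625 user=svc_backup_old src=10.0.1.77 logon_type=3
2021-03-02T10:16:45Z host=FS01 event=4624 user=svc_backup_old src=10.0.1.77 logon_type=3
2021-03-02T10:17:10Z host=DC01 event=4768 user=finance_share_admin src=10.0.1.77 logon_type=-
2021-03-02T10:20:00Z host=WS05 event=4624 user=bob src=10.0.1.31 logon_type=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Human-readable labels for the Windows event IDs used in the sample.
OUTCOME = {4624: "logon-success", 4625: "logon-failure", 4768: "kerberos-tgt-request"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    event_id: int
    user: str
    source: str
    outcome: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one Alert per event that names a decoy account.

    Failed and successful attempts both alert: a failure still means the
    adversary harvested the credential from wherever it was seeded.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in decoys:
            continue
        eid = int(rec["event"])
        alerts.append(Alert(rec["ts"], rec["host"], eid, rec["user"],
                            rec["src"], OUTCOME.get(eid, "other")))
    return alerts


def sources_touching_decoys(alerts):
    """Group decoy accounts by source address so a single pivoting host stands out."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source, set()).add(a.user)
    return by_src


if __name__ == "__main__":
    found = find_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.host} {a.outcome}: decoy {a.user} from {a.source}")
    print("sources:", sources_touching_decoys(found))
```

Grouping by source address is the useful part: one host trying several unrelated decoy accounts in quick succession is a strong sign the credentials were harvested together, which is the behavior the T1003 row anticipates.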
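The T1036 / DTE0007 row above suggests looking for known files in non-standard locations and for files creating anomalous processes. As an added example, not part of the original page, the script below applies two such checks to constructed process-creation events: whether a well-known Windows binary name is running from its usual directory, and whether it was started by the parent it normally has (svchost.exe by services.exe, lsass.exe by wininit.exe). The expected-directory and expected-parent tables are deliberately small and are the author's assumptions for this illustration; the events are constructed.

```python
"""Masquerading (T1036) checks of the kind DTE0007 describes.

Added example for this mapping page; not MITRE Shield code. The
allow-list tables are small illustrative assumptions and the events
are constructed.
"""
import ntpath
from dataclasses import dataclass

# Canonical directories for a few Windows binaries that are often imitated.
# Keys and values are lower-case; comparison is case-insensitive.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Parents these binaries are normally started by on a standard system.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}

# Constructed process-creation events (image path and parent image path).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\Public\svchost.exe", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\lsass.exe", "parent": r"C:\Windows\System32\wininit.exe"},
    {"image": r"C:\Windows\Temp\lsass.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    image: str
    reason: str


def split_image(image):
    """Split a Windows path into (lower-case directory, lower-case file name)."""
    directory, name = ntpath.split(image)
    return directory.lower().rstrip("\\"), name.lower()


def check_event(ev):
    """Return findings for one event: wrong directory and/or wrong parent."""
    findings = []
    directory, name = split_image(ev["image"])
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(Finding(ev["image"], f"{name} running from non-standard directory {directory}"))
    if name in EXPECTED_PARENT:
        _, parent = split_image(ev["parent"])
        if parent not in EXPECTED_PARENT[name]:
            findings.append(Finding(ev["image"], f"{name} spawned by unexpected parent {parent}"))
    return findings


def scan(events):
    """Run check_event over every event and collect all findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"FINDING {f.image}: {f.reason}")
```

The path check alone misses a copy placed in the right directory under a different name, and the parent check alone misses a renamed binary; running both on each event catches either form of masquerading the row describes, while a genuine svchost.exe started by services.exe from System32 produces nothing.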