Mapping To Honeybee

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0072
Associated Groups:  Honeybee
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1020 - Automated Exfiltration There is an opportunity to collect network data and analyze the adversary activity it contains. DTE0028 - PCAP Collection Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.
T1020 - Automated Exfiltration There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1055 - Process Injection In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. DTE0032 - Security Controls A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1070 - Indicator Removal on Host In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. DTE0001 - Admin Access A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.
T1070 - Indicator Removal on Host There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1074 - Data Staged In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1083 - File and Directory Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can utilize decoy files and directories to provide content that could be used by the adversary.
T1112 - Modify Registry There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. DTE0006 - Baseline A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.
T1112 - Modify Registry There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0034 - System Activity Monitoring A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
T1140 - Deobfuscate/Decode Files or Information There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1546 - Event Triggered Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
T1546 - Event Triggered Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1548 - Abuse Elevation Control Mechanism There is an opportunity to use security controls on systems in order to affect the success of an adversary. DTE0032 - Security Controls A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms.
T1553 - Subvert Trust Controls There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0032 - Security Controls In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.
T1553 - Subvert Trust Controls There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1560 - Archive Collected Data There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.
T1569 - System Services There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1569 - System Services There is an opportunity to create a detection with a moderately high probability of success. DTE0033 - Standard Operating Procedure A defender can define operating procedures for adding services and alert when they are not followed.