Mapping To APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0073
Associated Groups:  APT19, Codoso, C0d0so0, Codoso Team, Sunshop Group
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1016 - System Network Configuration Discovery There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1033 - System Owner/User Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1112 - Modify Registry There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. DTE0006 - Baseline A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.
T1112 - Modify Registry There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0034 - System Activity Monitoring A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
T1132 - Data Encoding There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.
T1140 - Deobfuscate/Decode Files or Information There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1189 - Drive-by Compromise There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.).
T1189 - Drive-by Compromise There is an opportunity to discover who or what is being targeting by an adversary. DTE0013 - Decoy Diversity A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.
T1189 - Drive-by Compromise There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. DTE0014 - Decoy Network A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1218 - Signed Binary Proxy Execution There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can monitor operating system functions calls to look for adversary use and/or abuse.
T1218 - Signed Binary Proxy Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.
T1218 - Signed Binary Proxy Execution There is an opportunity to create a detection with a moderately high probability of success. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1564 - Hide Artifacts There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would.
T1564 - Hide Artifacts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0034 - System Activity Monitoring A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
T1574 - Hijack Execution Flow There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can block execution of untrusted software.