Mapping To Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0081
Associated Groups:  Tropic Trooper, Pirate Panda, KeyBoy
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1016 - System Network Configuration Discovery There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
T1020 - Automated Exfiltration There is an opportunity to collect network data and analyze the adversary activity it contains. DTE0028 - PCAP Collection Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.
T1020 - Automated Exfiltration There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1033 - System Owner/User Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system.
T1036 - Masquerading There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
T1046 - Network Service Scanning There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can change the output of a recon commands to hide simulation elements you don’t want attacked and present simulation elements you want the adversary to engage with.
T1046 - Network Service Scanning There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use.
T1049 - System Network Connections Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.
T1052 - Exfiltration Over Physical Medium There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0029 - Peripheral Management A defender could use decoy peripherals, such as external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes.
T1055 - Process Injection In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. DTE0032 - Security Controls A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.
T1057 - Process Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
T1057 - Process Discovery There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. DTE0016 - Decoy Process A defender can run decoy processes on a system to entice an adversary.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1070 - Indicator Removal on Host In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. DTE0001 - Admin Access A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.
T1070 - Indicator Removal on Host There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1078 - Valid Accounts There is an opportunity to introduce user accounts that are used to make a system look more realistic. DTE0010 - Decoy Account A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
T1078 - Valid Accounts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1078 - Valid Accounts There is an opportunity to prepare user accounts so they look used and authentic. DTE0008 - Burn-In A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1083 - File and Directory Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can utilize decoy files and directories to provide content that could be used by the adversary.
T1091 - Replication Through Removable Media There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0034 - System Activity Monitoring A defender can monitor systems for the use of removeable media.
T1091 - Replication Through Removable Media There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can disable Autorun to prevent malware from automatically executing when removeable media is plugged into a system.
T1091 - Replication Through Removable Media There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. DTE0023 - Migrate Attack Vector A defender can connect a suspect removeable media device to a decoy system and see what happens when autorun is enabled.
T1091 - Replication Through Removable Media There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. DTE0022 - Isolation A defender can setup protections so removeable media cannot be mounted until an isolated review process has cleared the drive.
T1105 - Ingress Tool Transfer There is an opportunity to collect network data and analyze the adversary activity it contains. DTE0028 - PCAP Collection Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.
T1106 - Native API There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.
T1106 - Native API There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor operating system functions calls to look for adversary use and/or abuse.
T1119 - Automated Collection In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner.
T1132 - Data Encoding There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.
T1135 - Network Share Discovery In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. DTE0011 - Decoy Content A defender can utilize decoy network shares to provide content that could be used by the adversary.
T1135 - Network Share Discovery There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. DTE0013 - Decoy Diversity A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc.
T1140 - Deobfuscate/Decode Files or Information There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1203 - Exploitation for Client Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.
T1203 - Exploitation for Client Execution There is an opportunity to discover who or what is being targeting by an adversary. DTE0004 - Application Diversity A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1221 - Template Injection There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates.
T1505 - Server Software Component There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0004 - Application Diversity A defender can install decoy services that have extensible capabilities.
T1518 - Software Discovery There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. DTE0004 - Application Diversity A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1564 - Hide Artifacts There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would.
T1564 - Hide Artifacts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0034 - System Activity Monitoring A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
T1573 - Encrypted Channel There is an opportunity to reveal data that the adversary has tried to protect from defenders DTE0031 - Protocol Decoder Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications
T1574 - Hijack Execution Flow There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can block execution of untrusted software.