Mapping To TA505

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0092
Associated Groups:  TA505, Hive0065
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1055 - Process Injection In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. DTE0032 - Security Controls A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1069 - Permission Groups Discovery In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. DTE0036 - Software Manipulation A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1078 - Valid Accounts There is an opportunity to introduce user accounts that are used to make a system look more realistic. DTE0010 - Decoy Account A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
T1078 - Valid Accounts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1078 - Valid Accounts There is an opportunity to prepare user accounts so they look used and authentic. DTE0008 - Burn-In A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.
T1087 - Account Discovery There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.
T1087 - Account Discovery In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. DTE0010 - Decoy Account During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.
T1087 - Account Discovery There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. DTE0013 - Decoy Diversity A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.
T1105 - Ingress Tool Transfer There is an opportunity to collect network data and analyze the adversary activity it contains. DTE0028 - PCAP Collection Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1218 - Signed Binary Proxy Execution There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can monitor operating system functions calls to look for adversary use and/or abuse.
T1218 - Signed Binary Proxy Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.
T1218 - Signed Binary Proxy Execution There is an opportunity to create a detection with a moderately high probability of success. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1486 - Data Encrypted for Impact There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption.
T1486 - Data Encrypted for Impact There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. DTE0005 - Backup and Recovery A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.
T1552 - Unsecured Credentials In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. DTE0012 - Decoy Credentials A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
T1553 - Subvert Trust Controls There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. DTE0032 - Security Controls In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.
T1553 - Subvert Trust Controls There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1555 - Credentials from Password Stores In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. DTE0012 - Decoy Credentials A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
T1559 - Inter-Process Communication There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.
T1568 - Dynamic Resolution If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. DTE0021 - Hunting A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.
T1568 - Dynamic Resolution An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. DTE0026 - Network Manipulation A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.