APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1008 - Fallback Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
T1014 - Rootkit | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0001 - Admin Access | A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit. |
T1014 - Rootkit | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
T1021 - Remote Services | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1021 - Remote Services | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service. |
T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
T1046 - Network Service Scanning | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can change the output of a recon commands to hide simulation elements you don’t want attacked and present simulation elements you want the adversary to engage with. |
T1046 - Network Service Scanning | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
T1047 - Windows Management Instrumentation | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
T1047 - Windows Management Instrumentation | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. | DTE0032 - Security Controls | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
T1049 - System Network Connections Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems. |
T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
T1055 - Process Injection | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events. |
T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
T1083 - File and Directory Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
T1102 - Web Service | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
T1104 - Multi-Stage Channels | There is an opportunity to detect an unknown process that is being used for command and control and disrupt it. | DTE0022 - Isolation | A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet. |
T1104 - Multi-Stage Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender could implement a protocol aware IPS to limit systems communicating to unknown locations on the internet. |
T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
T1112 - Modify Registry | There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. | DTE0006 - Baseline | A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline. |
T1112 - Modify Registry | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0034 - System Activity Monitoring | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
T1133 - External Remote Services | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them access your network via remote services. | DTE0017 - Decoy System | A defender can setup a decoy VPN server and see if an adversary attempts to use valid account to authenticate to it. |
T1135 - Network Share Discovery | In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. | DTE0011 - Decoy Content | A defender can utilize decoy network shares to provide content that could be used by the adversary. |
T1135 - Network Share Discovery | There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. | DTE0013 - Decoy Diversity | A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc. |
T1136 - Create Account | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can detect user accounts created outside the acceptable process. |
T1190 - Exploit Public-Facing Application | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0017 - Decoy System | A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
T1190 - Exploit Public-Facing Application | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. | DTE0013 - Decoy Diversity | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
T1195 - Supply Chain Compromise | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. | DTE0014 - Decoy Network | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
T1197 - BITS Jobs | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
T1197 - BITS Jobs | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system functions calls to look for adversary use and/or abuse. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
T1480 - Execution Guardrails | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
T1480 - Execution Guardrails | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1486 - Data Encrypted for Impact | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. |
T1486 - Data Encrypted for Impact | There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
T1496 - Resource Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes. |
T1546 - Event Triggered Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms. |
T1546 - Event Triggered Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution. |
T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
T1553 - Subvert Trust Controls | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
T1553 - Subvert Trust Controls | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1568 - Dynamic Resolution | If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. | DTE0021 - Hunting | A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner. |
T1568 - Dynamic Resolution | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. | DTE0026 - Network Manipulation | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |
T1569 - System Services | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
T1569 - System Services | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for adding services and alert when they are not followed. |
T1574 - Hijack Execution Flow | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |