MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Mapping To Frankenstein
Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
Details
ATT&CK ID:
G0101
Associated Groups:
Frankenstein
Note:
This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique |
Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
| T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
| T1020 - Automated Exfiltration | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1020 - Automated Exfiltration | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information. |
| T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
| T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can restrict network traffic making adversary exfiltration slow or unreliable. |
| T1047 - Windows Management Instrumentation | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
| T1047 - Windows Management Instrumentation | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. | DTE0032 - Security Controls | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
| T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
| T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
| T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1082 - System Information Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
| T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1119 - Automated Collection | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner. |
| T1127 - Trusted Developer Utilities Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1140 - Deobfuscate/Decode Files or Information | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system functions calls for detection and alerting. |
| T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
| T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
| T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1221 - Template Injection | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
| T1497 - Virtualization/Sandbox Evasion | There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. | DTE0017 - Decoy System | A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts. |
| T1497 - Virtualization/Sandbox Evasion | There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. | DTE0011 - Decoy Content | A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not. |
| T1518 - Software Discovery | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques. |
| T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
| T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
| T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
| T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications |