Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1055 - Process Injection||In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement.||DTE0032 - Security Controls||A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0036 - Software Manipulation||A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.|
|T1059 - Command and Scripting Interpreter||There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.||DTE0034 - System Activity Monitoring||A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.|
|T1105 - Ingress Tool Transfer||There is an opportunity to collect network data and analyze the adversary activity it contains.||DTE0028 - PCAP Collection||Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.|
|T1106 - Native API||DTE0036 - Software Manipulation||A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.|
|T1106 - Native API||DTE0003 - API Monitoring||A defender can monitor operating system functions calls to look for adversary use and/or abuse.|
|T1204 - User Execution||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0018 - Detonate Malware||A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.|
|T1547 - Boot or Logon Autostart Execution||There is an opportunity to use tools and controls to stop an adversary's activity.||DTE0006 - Baseline||A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.|
|T1559 - Inter-Process Communication||DTE0036 - Software Manipulation||A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.|
|T1566 - Phishing||A phishing email can be detected and blocked from arriving at the intended recipient.||DTE0019 - Email Manipulation||A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.|
|T1566 - Phishing||A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.||DTE0023 - Migrate Attack Vector||A defender can move suspicious emails to a decoy system prior to opening and examining the email.|
|T1566 - Phishing||Users trained and encouraged to report phishing can detect attacks that other defenses do not.||DTE0035 - User Training||A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.|
|T1566 - Phishing||There is an opportunity to discover who or what is being targeting by an adversary.||DTE0015 - Decoy Persona||A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.|