DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1040 - Network Sniffing | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all. |
| T1040 - Network Sniffing | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks. |
| T1040 - Network Sniffing | There is an opportunity to entice the adversary to expose additional TTPs. | DTE0025 - Network Diversity | The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities. |
| T1046 - Network Service Scanning | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can change the output of recon commands to hide simulation elements they do not want attacked and present the simulation elements they want the adversary to engage with. |
| T1046 - Network Service Scanning | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can add decoy systems to the network so an adversary has a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
| T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
| T1135 - Network Share Discovery | In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. | DTE0011 - Decoy Content | A defender can utilize decoy network shares to provide content that could be used by the adversary. |
| T1135 - Network Share Discovery | There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. | DTE0013 - Decoy Diversity | A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc. |
| T1200 - Hardware Additions | There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary. | DTE0022 - Isolation | A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors. |
| T1219 - Remote Access Software | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control. |
| T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes. |
| T1571 - Non-Standard Port | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for, and alert on, anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |