Mapping To Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0108
Associated Groups:  Blue Mockingbird
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1003 - OS Credential Dumping There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1021 - Remote Services There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1021 - Remote Services In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service.
T1027 - Obfuscated Files or Information In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. DTE0017 - Decoy System A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.
T1036 - Masquerading There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
T1047 - Windows Management Instrumentation In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. DTE0001 - Admin Access A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI.
T1047 - Windows Management Instrumentation There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. DTE0032 - Security Controls A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.
T1053 - Scheduled Task/Job There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1082 - System Information Discovery There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
T1090 - Proxy There is an opportunity to block an adversary that is seeking to use a proxied connection. DTE0026 - Network Manipulation A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists.
T1112 - Modify Registry There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. DTE0006 - Baseline A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.
T1112 - Modify Registry There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0034 - System Activity Monitoring A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
T1134 - Access Token Manipulation There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system.
T1134 - Access Token Manipulation There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions.
T1190 - Exploit Public-Facing Application There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0017 - Decoy System A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.
T1190 - Exploit Public-Facing Application There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. DTE0013 - Decoy Diversity A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.
T1218 - Signed Binary Proxy Execution There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. DTE0036 - Software Manipulation A defender can monitor operating system functions calls to look for adversary use and/or abuse.
T1218 - Signed Binary Proxy Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.
T1218 - Signed Binary Proxy Execution There is an opportunity to create a detection with a moderately high probability of success. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1496 - Resource Hijacking There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1546 - Event Triggered Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
T1546 - Event Triggered Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.
T1569 - System Services There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0003 - API Monitoring A defender can monitor and analyze operating system functions calls for detection and alerting.
T1569 - System Services There is an opportunity to create a detection with a moderately high probability of success. DTE0033 - Standard Operating Procedure A defender can define operating procedures for adding services and alert when they are not followed.
T1574 - Hijack Execution Flow There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can block execution of untrusted software.