Mapping To Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0112
Associated Groups:  Windshift, Bahamut
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1036 - Masquerading There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
T1189 - Drive-by Compromise There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.).
T1189 - Drive-by Compromise There is an opportunity to discover who or what is being targeting by an adversary. DTE0013 - Decoy Diversity A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.
T1189 - Drive-by Compromise There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. DTE0014 - Decoy Network A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.