We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Mapping To Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0020
Associated Groups:  Equation
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Peripheral Device Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Peripheral Device Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Peripheral Device Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Peripheral Device Discovery When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Peripheral Device Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Peripheral Device Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Artifact Diversity Present the adversary with a variety of network and system artifacts.
Execution Guardrails When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Execution Guardrails When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Execution Guardrails When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Pre-OS Boot When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Hide Artifacts When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Hide Artifacts When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Hide Artifacts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Artifact Diversity Present the adversary with a variety of network and system artifacts.