We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Mapping To Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0024
Associated Groups:  Putter Panda, APT2, MSUpdater
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Boot or Logon Autostart Execution When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Impair Defenses When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Impair Defenses When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Impair Defenses When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Impair Defenses When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Obfuscated Files or Information When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Obfuscated Files or Information When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Process Injection When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.