GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. Disclaimer: We present this mapping to stimulate thinking about engagement activities that take advantage of the historically observed behavior of the adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.
Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.
| ATT&CK® Technique | Adversary Vulnerability | Engagement Activity | Engagement Activity Description |
|---|---|---|---|
| Remote Services | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Remote Services | When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Remote Services | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Remote Services | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Application Diversity | Present the adversary with a variety of installed applications and services. |
| Remote Services | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
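The Decoy Artifacts and Network Monitoring rows above rest on one property: a planted decoy host or decoy credential has no legitimate user, so any Remote Services login that touches it is a high-confidence tripwire, and the source of that login is the adversary's pivot point. The script below is an added example, not code from MITRE Engage or from GCMAN reporting. It assumes a hypothetical set of decoy hosts and decoy accounts and a constructed, syslog-like authentication log in a simplified `user=... src=... result=...` format; it flags every event that involves a decoy (successful or failed, since both reveal that stolen or discovered material is being used) and groups the alerts by source address to show which internal host is being used for lateral movement.

```python
"""Tripwire detector for decoy hosts and decoy accounts reached over remote
services (SSH, RDP, ...).  Added example; the decoys, the log format and the
log lines are all assumptions constructed for illustration."""
import re
from dataclasses import dataclass

# Hypothetical decoys planted as part of the engagement story.  Assumption:
# no legitimate user ever logs in to these hosts or with these accounts.
DECOY_HOSTS = {"10.10.5.77", "10.10.5.78"}
DECOY_ACCOUNTS = {"svc_backup_old", "finance_admin"}

# Constructed log lines in a simplified sshd / Windows-logon-like format:
# "<timestamp> <destination_host> <service> user=<u> src=<ip> result=<ok|fail>"
LOG_LINES = """\
2021-03-02T08:12:01Z 10.10.5.20 sshd user=ops src=10.10.2.5 result=ok
2021-03-02T08:13:44Z 10.10.5.77 sshd user=ops src=10.10.2.5 result=ok
2021-03-02T08:14:02Z 10.10.5.20 rdp user=finance_admin src=10.10.2.5 result=ok
2021-03-02T08:20:19Z 10.10.5.21 sshd user=ops src=10.10.2.9 result=fail
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>\S+) (?P<svc>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    user: str
    service: str
    reason: str


def parse(line):
    """Return the event fields as a dict, or None for a line in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tripwire_alerts(lines, decoy_hosts=DECOY_HOSTS, decoy_accounts=DECOY_ACCOUNTS):
    """Alert on every login event that touches a decoy host or decoy account.

    The login result is deliberately ignored: a failed attempt with a decoy
    credential still proves that the credential was collected earlier."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["dst"] in decoy_hosts:
            reasons.append("decoy host")
        if ev["user"] in decoy_accounts:
            reasons.append("decoy account")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["src"], ev["dst"], ev["user"],
                                ev["svc"], " + ".join(reasons)))
    return alerts


def pivot_sources(alerts):
    """Group alerted destinations by source IP: one internal host reaching
    several decoys is the foothold the adversary is moving laterally from."""
    out = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.dst)
    return out


if __name__ == "__main__":
    found = tripwire_alerts(LOG_LINES)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst} ({a.service}, {a.user}): {a.reason}")
    print("pivot sources:", pivot_sources(found))
```

On the constructed log the ordinary `ops` logins to real hosts produce nothing, while the SSH session to the decoy host and the RDP logon with the decoy `finance_admin` account both alert, and both trace back to `10.10.2.5`, which is the machine to isolate and image first. In a real deployment the same matching can run over Zeek `ssh`/`rdp` logs or Windows 4624/4625 events; the only requirement is that the decoy lists stay out of any legitimate workflow so the detector keeps its near-zero false-positive rate.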