We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Mapping To Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0086
Associated Groups:  Stolen Pencil
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Browser Extensions When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Browser Extensions When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Credentials from Password Stores When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Credentials from Password Stores When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Credentials from Password Stores When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Credentials from Password Stores When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Input Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Input Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Input Capture When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Input Capture When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Phishing When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Phishing When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Network Sniffing When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Sniffing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Network Sniffing When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Network Sniffing When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
OS Credential Dumping When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
OS Credential Dumping When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Remote Services When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Remote Services When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Unsecured Credentials When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Unsecured Credentials When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Valid Accounts When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Valid Accounts When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.