We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Mapping To GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments.

Disclaimer: We present this mapping to stimulate thinking about engagement activities that take advantage of the historically observed behavior of the adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0115
Associated Groups:  GOLD SOUTHFIELD
Note:  This page uses Adversary Group data from MITRE ATT&CK.

| ATT&CK® Technique | Adversary Vulnerability | Engagement Activity | Engagement Activity Description |
| --- | --- | --- | --- |
| Exploit Public-Facing Application | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Exploit Public-Facing Application | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Exploit Public-Facing Application | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Application Diversity | Present the adversary with a variety of installed applications and services. |
| External Remote Services | When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| External Remote Services | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| External Remote Services | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| External Remote Services | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Network Diversity | Use a diverse set of devices on the network to help establish the legitimacy of a decoy network. |
| External Remote Services | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
| External Remote Services | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| External Remote Services | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | System Activity Monitoring | Collect system activity logs that can reveal adversary activity. |
| External Remote Services | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Phishing | When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| Phishing | When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. | Email Manipulation | Modify the flow of email in the environment. |
| Phishing | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. | Email Manipulation | Modify the flow of email in the environment. |
| Phishing | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| Phishing | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. | Email Manipulation | Modify the flow of email in the environment. |
| Phishing | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | System Activity Monitoring | Collect system activity logs that can reveal adversary activity. |
| Phishing | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. | Personas | Create fictitious human user(s) through a combination of planted data and revealed behavior patterns. |
| Supply Chain Compromise | When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| Supply Chain Compromise | When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. | Isolation | Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits. |
| Trusted Relationship | When adversaries exploit a trusted relationship, they are vulnerable to collecting and acting on manipulated data provided by the trusted party. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Trusted Relationship | When adversaries exploit a trusted relationship, such as using an account to access or move in the environment, they are vulnerable to triggering tripwires or engaging in anomalous behavior. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Trusted Relationship | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. | Personas | Create fictitious human user(s) through a combination of planted data and revealed behavior patterns. |
| Trusted Relationship | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |