Characterize Adversary TTPs and Assess Attribution
Turn observed behavior into a TTP profile and compare against tracked threat-group tradecraft. Attribution itself rarely changes containment, but the associated TTP intelligence sharply improves hunting, detection, and downstream predictions of what the adversary will do next.
Actions
1. Enumerate confirmed techniques so far against MITRE ATT&CK (Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration).
2. Pull threat-intel reports for groups matching the observed TTP set (MITRE ATT&CK Groups, vendor-tracked groups, Mandiant/CrowdStrike/Microsoft profiles). Track 3-5 candidate groups, not one "most likely".
3. For each candidate group, build a hunt list: additional tools they typically bring, additional persistence they typically install, C2 infrastructure patterns.
4. Pivot from one known IoC to others: IP -> passive DNS -> domains -> registrar/WHOIS -> TLS certs (Censys, Shodan) -> infrastructure clusters. Record every pivot and its confidence level.
5. Request TI team engagement with ISAC and vendor contacts for private IoC sharing under NDA.
6. Document attribution confidence explicitly (Low / Moderate / High) and the specific evidence underlying each level; avoid cargo-cult attribution from a single shared tool.
Queries
// Sign-in history for the suspected targets, one row per source IP / country / client.
// The summarize keeps first/last-seen columns so there is still a time column to sort on
// (TimeGenerated does not survive the summarize); Location is the SigninLogs country column.
SigninLogs
| where TimeGenerated > ago(90d)
| where UserPrincipalName in~ (<suspected-targets>)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SignIns = count()
    by IPAddress, Location, UserAgent, ClientAppUsed
| order by FirstSeen asc

// Proxy-execution binaries (rundll32 / regsvr32, ATT&CK T1218.011 / T1218.010) spawned by an
// IIS worker (web-shell follow-on) or by svchost.exe; include the parent command line for triage.
DeviceProcessEvents
| where Timestamp > ago(90d)
| where InitiatingProcessFileName in~ ("w3wp.exe", "svchost.exe")
| where FileName in~ ("rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

// Devices that reached candidate-group C2 infrastructure from the hunt list.
DeviceNetworkEvents
| where RemoteIP in (<apt-c2-infra>) or RemoteUrl has_any (<apt-c2-domains>)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, RemoteUrl
Notes
Attribution is a hunting input, not an incident-response output. Use it to predict what to look for; do not let it drive tone of communication.
High-confidence attribution usually needs multiple independent signals: TTP match + infrastructure overlap + tooling overlap + targeting rationale.
If attribution points to a nation-state, expect legal/intel equities and plan for LEA coordination before engaging externally.
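Steps 1-3 and 6 of the Actions, together with the note on independent signals, describe a procedure that can be made concrete. The following is an added example (not the playbook's own tooling, and not ATT&CK or vendor data): the observed technique set is scored against candidate group profiles by Jaccard overlap, the top 3-5 candidates are kept, each candidate's hunt list is the part of its profile not yet seen in the incident, and attribution confidence is graded by how many independent signal categories are present. The group names and profiles are constructed stand-ins; the technique IDs are real ATT&CK IDs used only for illustration, and the function names are this example's own.

```python
# Observed techniques from the incident so far (constructed set; IDs are ATT&CK technique IDs).
OBSERVED_TTPS = {
    "T1190",      # Exploit Public-Facing Application
    "T1505.003",  # Server Software Component: Web Shell
    "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "T1003.001",  # OS Credential Dumping: LSASS Memory
    "T1021.002",  # Remote Services: SMB/Windows Admin Shares
    "T1071.001",  # Application Layer Protocol: Web Protocols
}

# Constructed group profiles standing in for ATT&CK Groups / vendor-tracked profiles.
GROUP_PROFILES = {
    "GROUP-A": {"techniques": {"T1190", "T1505.003", "T1059.001", "T1003.001",
                               "T1021.002", "T1071.001", "T1053.005", "T1570"},
                "tools": {"Mimikatz", "CustomLoader-A"}},
    "GROUP-B": {"techniques": {"T1566.001", "T1059.001", "T1003.001", "T1547.001",
                               "T1071.001", "T1486"},
                "tools": {"Mimikatz", "Cobalt Strike"}},
    "GROUP-C": {"techniques": {"T1190", "T1505.003", "T1078", "T1021.002",
                               "T1048.003", "T1027"},
                "tools": {"WebShell-C"}},
    "GROUP-D": {"techniques": {"T1566.001", "T1027", "T1567.002", "T1486"},
                "tools": {"Cobalt Strike"}},
}

SIGNAL_CATEGORIES = ("ttp_match", "infra_overlap", "tooling_overlap", "targeting_rationale")


def jaccard(a, b):
    """Overlap of two technique sets, 0.0 when either side is empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_candidates(observed, profiles, keep=5):
    """Rank groups by technique overlap and keep the top `keep` with any overlap
    at all (the playbook tracks 3-5 candidates rather than one 'most likely')."""
    scored = []
    for name, profile in profiles.items():
        score = jaccard(observed, profile["techniques"])
        if score > 0:
            matched = sorted(observed & profile["techniques"])
            scored.append((name, score, matched))
    scored.sort(key=lambda row: (-row[1], row[0]))  # ties broken by name, deterministically
    return scored[:keep]


def hunt_list(observed, profile):
    """Techniques this group is known for that have not been observed yet:
    what to hunt for next (additional tools, persistence, C2 patterns)."""
    return sorted(profile["techniques"] - observed)


def attribution_confidence(signals):
    """Grade Low / Moderate / High by the number of independent signal categories
    present, and return the categories counted as the evidence record step 6 asks for.
    A tool that many groups share does not count as a tooling signal on its own;
    that is the single-shared-tool case the playbook warns against."""
    present = set()
    for category in SIGNAL_CATEGORIES:
        if not signals.get(category):
            continue
        if category == "tooling_overlap" and signals.get("tool_is_widely_shared"):
            continue
        present.add(category)
    if len(present) >= 3:
        label = "High"
    elif len(present) == 2:
        label = "Moderate"
    else:
        label = "Low"
    return label, sorted(present)


if __name__ == "__main__":
    for name, score, matched in rank_candidates(OBSERVED_TTPS, GROUP_PROFILES):
        print(f"{name}: overlap {score:.2f}, matched {matched}")
        print(f"  hunt next: {hunt_list(OBSERVED_TTPS, GROUP_PROFILES[name])}")
    # Constructed signal states for the leading candidate.
    print(attribution_confidence({"ttp_match": True, "tooling_overlap": True,
                                  "tool_is_widely_shared": True}))
    print(attribution_confidence({"ttp_match": True, "infra_overlap": True,
                                  "targeting_rationale": True}))
```

The overlap score only orders the candidate list; it is the hunt list per candidate that feeds the queries above, and the confidence label is driven by which categories of evidence exist, not by how high the score is.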