Full Report
Winter is coming – so it must be time for Sophos X-Ops’ report on this year’s MITRE ATT&CK Enterprise Evaluations
Analysis Summary
This summary is based on the provided article describing Sophos X-Ops' participation in the MITRE ATT&CK Enterprise 2025 Evaluations. Specific technical details such as malware hashes, exact first-seen dates, ATT&CK technique IDs (T-numbers), and mitigation steps beyond the general scope are not present in the provided text and therefore cannot be filled in under the required format. The summary focuses on the threat actors, evaluation scenarios, and frameworks mentioned.
# Tool/Technique: SCATTERED SPIDER Emulation (Scenario 1)
## Overview
An emulation based on the financially motivated cybercriminal threat actor group SCATTERED SPIDER (also linked to GOLD HARVEST). This scenario tested the entire attack chain, starting with initial access and pivoting from an on-premises environment to cloud infrastructure.
## Technical Details
- Type: Threat Actor Emulation / Scenario
- Platform: Enterprise Environments (On-premises and Cloud Infrastructure)
- Capabilities: Covered the full attack chain including initial access, persistence, lateral movement, and impact, specifically emphasizing cloud pivoting.
- First Seen: Not specified in the text (though the group is prominent in recent years).
## MITRE ATT&CK Mapping
*Specific mappings (T####) are not detailed in the article snippet, only the context of testing against ATT&CK TTPs.*
## Functionality
### Core Capabilities
- Initial access, followed by progression through the enterprise environment.
- Lateral movement.
- Pivoting from on-premises infrastructure to cloud services.
### Advanced Features
- Simulation of realistic TTPs used by a financially motivated group known for extortion and ransomware.
## Indicators of Compromise
- File Hashes: [Not detailed in the provided text]
- File Names: [Not detailed in the provided text]
- Registry Keys: [Not detailed in the provided text]
- Network Indicators: [Not detailed in the provided text]
- Behavioral Indicators: [Not detailed in the provided text]
## Associated Threat Actors
- SCATTERED SPIDER (G1015)
- GOLD HARVEST
## Detection Methods
- Sophos X-Ops detection capabilities were tested against the emulation. (Specific detection mechanisms like YARA rules are not detailed.)
## Mitigation Strategies
- General enterprise monitoring and defense against TTPs used by financially motivated groups are implied through the evaluation context. (Specific recommendations are not detailed.)
## Related Tools/Techniques
- Ransomware execution (contextual, based on actor profile).
- Extortion tactics (contextual, based on actor profile).
# Tool/Technique: MUSTANG PANDA Emulation (Scenarios ORPHEUS and PERSEUS)
## Overview
An emulation based on the China-based threat actor group MUSTANG PANDA (also linked to BRONZE PRESIDENT). This testing was divided into two sub-scenarios focused on espionage and information theft.
## Technical Details
- Type: Threat Actor Emulation / Scenario
- Platform: Enterprise Environments targeting government and non-government organizations.
- Capabilities: Tested malware families associated with the threat actor across two separate execution flows (ORPHEUS and PERSEUS).
- First Seen: Group activity noted since at least 2012.
## MITRE ATT&CK Mapping
*Specific mappings (T####) are not detailed in the article snippet, only the context of testing against ATT&CK TTPs.*
## Functionality
### Core Capabilities
- Full attack chain execution (ORPHEUS sub-scenario).
- Specific focus on Collection and Exfiltration phases (PERSEUS sub-scenario).
### Advanced Features
- Use of distinct, threat-actor-associated malware families for coverage testing.
## Indicators of Compromise
- File Hashes: [Not detailed in the provided text]
- File Names: [Not detailed in the provided text]
- Registry Keys: [Not detailed in the provided text]
- Network Indicators: [Not detailed in the provided text]
- Behavioral Indicators: [Not detailed in the provided text]
## Associated Threat Actors
- MUSTANG PANDA (G0129)
- BRONZE PRESIDENT
## Detection Methods
- Sophos X-Ops detection capabilities were tested. (Specific detection mechanisms are not detailed.)
## Mitigation Strategies
- General defense against espionage TTPs and information exfiltration techniques is implied. (Specific recommendations are not detailed.)
## Related Tools/Techniques
- Information Theft techniques.
- Espionage-focused malware use.
# Tool/Technique: MITRE ATT&CK Enterprise Evaluations (General)
## Overview
The annual full-scale cyber attack emulation framework in which Sophos X-Ops participates in order to transparently appraise security solutions' performance against real-world threat actor TTPs. The emulations span initial access, persistence, lateral movement, and impact in multi-device customer environments.
## Technical Details
- Type: Evaluation Framework / Testing Methodology
- Platform: Multi-device customer environments (Endpoints, Servers, Domain-joined devices, Active Directory).
- Capabilities: Provides end-to-end attack chain testing against established adversary TTPs.
- First Seen: [Context indicates 2025 is the fifth year of Sophos participation.]
## MITRE ATT&CK Mapping
- N/A (This is the framework that maps the tested TTPs)
## Functionality
### Core Capabilities
- Realistic assessment of security product detection and prevention abilities.
- Transparency through publicly available results.
### Advanced Features
- Incorporates complexity, such as pivoting between on-premises and cloud infrastructure.
- Uses TTPs derived from specific, current threat actors.
## Indicators of Compromise
- Not applicable to the framework itself.
## Associated Threat Actors
- SCATTERED SPIDER (Cybercriminal)
- MUSTANG PANDA (Espionage)
## Detection Methods
- Solutions are evaluated based on their ability to detect and prevent the emulated actions.
## Mitigation Strategies
- Participating in evaluations helps identify gaps in detection and protection capabilities against advanced adversarial behavior.
## Related Tools/Techniques
- Any tool or technique utilized by the emulated threat actors within the defined scenarios.