Santa Claus

Santa Claus and his associates, the elves, are a North Pole-based physical threat group. Specializations include advanced reconnaissance-at-scale, payload manufacturing and delivery, and initial access operations (IAO). Legends indicate this group began a series of worldwide campaigns as early as 280 AD and continues to this day.

ID: G1225
Associated Names: Sinterklaas, Der Weihnachtsmann, Kriss Kringle, Père Noël, Noel Baba, Babbo Natale, Shaka Santa
Version: 1.0
Created: 24 Dec 2022
Last Modified: 24 Dec 2022

Techniques Used

| Tactic | ID | Name | Use |
|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | He sees you when you’re sleeping, he knows when you’re awake… |
| Reconnaissance | T1592 | Gather Victim Host Information | Determines household ingress points |
| Reconnaissance | T1589.003 | Gather Victim Identity Information | He makes a list (and checks it twice) |
| Resource Development | T1587 | Develop Capabilities | Toy manufacturing |
| Initial Access | T1189 | Fly-by Compromise | Reindeer-based delivery system |
| Initial Access | T1190 | Exploit Public-Facing Chimney | Preferred initial access vector via chimney |
| Initial Access | T1195 | Supply Chain Compromise | Elves make the toys, but what do they embed? |
| Initial Access | T1199 | Trusted Relationship | He’s pretty much invited in yeah? |
| Execution | T1610 | Deploy Container | Lots of wrapped containers are delivered |
| Execution | T1053 | Scheduled Task/Job | Every year, same time. |
| Persistence | T1525 | Implant Internal Image | Quite an impression is made on the little ones. |
| Defense Evasion | T1562.004 | Impair Defenses | Disables or modifies system fireplace |
| Lateral Movement | T1210 | Exploitation of Remote Services | Moving from house to house |
| Exfiltration | T1052 | Exfiltration Over Physical Medium | He takes the cookies and back up the chimney he goes! |
| Impact | T1485 | Cookie Destruction | Nom nom nom (and drinks the milk!) |
| Impact | T1491 | Defacement | Well between the tree, the lights, the decorations and the gift wrap, my house is always a mess… |