[{"attack_id": "T1001", "attack_technique": {"id": "T1001", "name": "Data Obfuscation", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0116", "description": "There is an opportunity to detect adversary activity that uses obfuscated communication."}, "use_case": {"id": "DUC0116", "description": "A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation.", "": ""}, "technique": {"id": "DTE0028", "name": "PCAP Collection", "description": "Collect full network traffic for future research and analysis.", "long_description": "PCAP Collection allows defenders to use the data to examine an adversary\u2019s network traffic more closely, including studying if it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. These tools can also parse the traffic and send results to a SIEM for monitoring and alerting."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0049", "description": "Collect PCAP on a decoy network to improve visibility into an adversary's network activity."}]}, {"attack_id": "T1001", "attack_technique": {"id": "T1001", "name": "Data Obfuscation", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0249", "description": "There is an opportunity to reveal data that the adversary has tried to protect from defenders"}, "use_case": {"id": "DUC0249", "description": "Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.", "": ""}, "technique": {"id": "DTE0031", "name": "Protocol Decoder", "description": "Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.", "long_description": "Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0054", "description": "Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format."}]}, {"attack_id": "T1003", "attack_technique": {"id": "T1003", "name": "OS Credential Dumping", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0005", "description": "A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. 
Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. 
Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1005", "attack_technique": {"id": "T1005", "name": "Data from Local System", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0165", "description": "In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is fully populated with content."}, "use_case": {"id": "DUC0165", "description": "A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1005", "attack_technique": {"id": "T1005", "name": "Data from Local System", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0099", "description": "In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary."}, "use_case": {"id": "DUC0099", "description": "A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. 
This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1006", "attack_technique": {"id": "T1006", "name": "Direct Volume Access", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0192", "description": "A defender can use API calls associated with direct volume access to either see what activity and data is being passed through, or to influence how that API call functions.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other 
software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. 
This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1007", "attack_technique": {"id": "T1007", "name": "System Service Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0031", "description": "A defender can monitor and analyze operating system functions calls for detection and alerting.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. 
When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. 
This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1007", "attack_technique": {"id": "T1007", "name": "System Service Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0194", "description": "A defender could manipulate the command to display services an adversary would expect to see on a system, or to show them unexpected services.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1008", "attack_technique": {"id": "T1008", "name": "Fallback Channels", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0159", "description": "There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity."}, "use_case": {"id": "DUC0153", "description": "A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1010", "attack_technique": {"id": "T1010", "name": "Application Window Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0180", "description": "There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks."}, "use_case": {"id": "DUC0180", "description": "During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1011", "attack_technique": {"id": "T1011", "name": "Exfiltration Over Other Network Medium", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0146", "description": "In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement."}, "use_case": {"id": "DUC0179", "description": "A defender can prevent an adversary from enabling Wi-Fi or Bluetooth interfaces which could be connected to surrounding access points or devices and used for exfiltration.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, 
disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1012", "attack_technique": {"id": "T1012", "name": "Query Registry", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0073", "description": "A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1014", "attack_technique": {"id": "T1014", "name": "Rootkit", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0029", "description": "There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs."}, "use_case": {"id": "DUC0196", "description": "A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1014", "attack_technique": {"id": "T1014", "name": "Rootkit", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0148", "description": "In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement."}, "use_case": {"id": "DUC0197", "description": "In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system 
firewalls, etc."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1016", "attack_technique": {"id": "T1016", "name": "System Network Configuration Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0074", "description": "There is an opportunity to influence an adversary to move toward systems you want them to engage with."}, "use_case": {"id": "DUC0074", "description": "A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. 
Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1018", "attack_technique": {"id": "T1018", "name": "Remote System Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0075", "description": "A defender can change the output of recon commands to hide simulation elements you don\u2019t want attacked and present simulation elements you want the adversary to engage with.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of 
the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1018", "attack_technique": {"id": "T1018", "name": "Remote System Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0076", "description": "In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process."}, "use_case": {"id": "DUC0076", "description": "A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. 
This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1020", "attack_technique": {"id": "T1020", "name": "Automated Exfiltration", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0170", "description": "There is an opportunity to collect network data and analyze the adversary activity it contains."}, "use_case": {"id": "DUC0170", "description": "Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.", "": ""}, "technique": {"id": "DTE0028", "name": "PCAP Collection", "description": "Collect full network traffic for future research and analysis.", "long_description": "PCAP Collection allows defenders to use the data to examine an adversary\u2019s network traffic more closely, including studying if it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. These tools can also parse the traffic and send results to a SIEM for monitoring and alerting."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0049", "description": "Collect PCAP on a decoy network to improve visibility into an adversary's network activity."}]}, {"attack_id": "T1020", "attack_technique": {"id": "T1020", "name": "Automated Exfiltration", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0249", "description": "There is an opportunity to reveal data that the adversary has tried to protect from defenders"}, "use_case": {"id": "DUC0249", "description": "Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.", "": ""}, "technique": {"id": "DTE0031", "name": "Protocol Decoder", "description": "Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.", "long_description": "Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0054", "description": "Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format."}]}, {"attack_id": "T1021", "attack_technique": {"id": "T1021", "name": "Remote Services", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring to detect and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. 
A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1021", "attack_technique": {"id": "T1021", "name": "Remote Services", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0199", "description": "In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task."}, "use_case": {"id": "DUC0199", "description": "A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. 
The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1025", "attack_technique": {"id": "T1025", "name": "Data from Removable Media", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0098", "description": "A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. 
Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. 
"}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1025", "attack_technique": {"id": "T1025", "name": "Data from Removable Media", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0099", "description": "In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary."}, "use_case": {"id": "DUC0099", "description": "A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1027", "attack_technique": {"id": "T1027", "name": "Obfuscated Files or Information", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0199", "description": "In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task."}, "use_case": {"id": "DUC0200", "description": "A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1029", "attack_technique": {"id": "T1029", "name": "Scheduled Transfer", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring to detect and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. 
A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (routers, switches, proxies, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1030", "attack_technique": {"id": "T1030", "name": "Data Transfer Size Limits", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0170", "description": "There is an opportunity to collect network data and analyze the adversary activity it contains."}, "use_case": {"id": "DUC0170", "description": "Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.", "": ""}, "technique": {"id": "DTE0028", "name": "PCAP Collection", "description": "Collect full network traffic for future research and analysis.", "long_description": "PCAP Collection allows defenders to use the data to examine an adversary\u2019s network traffic more closely, including studying if it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. 
These tools can also parse the traffic and send results to a SIEM for monitoring and alerting."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0049", "description": "Collect PCAP on a decoy network to improve visibility into an adversary's network activity."}]}, {"attack_id": "T1030", "attack_technique": {"id": "T1030", "name": "Data Transfer Size Limits", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0015", "description": "There is an opportunity to use tools and controls to stop an adversary's activity."}, "use_case": {"id": "DUC0249", "description": "Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.", "": ""}, "technique": {"id": "DTE0031", "name": "Protocol Decoder", "description": "Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.", "long_description": "Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. 
These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0054", "description": "Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format."}]}, {"attack_id": "T1033", "attack_technique": {"id": "T1033", "name": "System Owner/User Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0203", "description": "A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, 
behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1036", "attack_technique": {"id": "T1036", "name": "Masquerading", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0220", "description": "A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1037", "attack_technique": {"id": "T1037", "name": "Boot or Logon Initialization Scripts", "attack_tactics": ["persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0051", "description": "There is an opportunity to utilize confirmed good copies of login scripts and restore them on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis."}, "use_case": {"id": "DUC0051", "description": "A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms.", "": ""}, "technique": {"id": "DTE0006", "name": "Baseline", "description": "Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.", "long_description": "Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state. "}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. 
This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0011", "description": "Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information."}, {"id": "DPR0012", "description": "Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline."}]}, {"attack_id": "T1039", "attack_technique": {"id": "T1039", "name": "Data from Network Shared Drive", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0098", "description": "A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. 
Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content; however, Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. 
"}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1039", "attack_technique": {"id": "T1039", "name": "Data from Network Shared Drive", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0099", "description": "In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary."}, "use_case": {"id": "DUC0099", "description": "A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1040", "attack_technique": {"id": "T1040", "name": "Network Sniffing", "attack_tactics": ["credential-access", "discovery"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0079", "description": "By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1040", "attack_technique": {"id": "T1040", "name": "Network Sniffing", "attack_tactics": ["credential-access", "discovery"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0182", "description": "There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0080", "description": "The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks.", "": ""}, "technique": {"id": "DTE0016", "name": "Decoy Process", "description": "Execute software on a target system for the purposes of the defender.", "long_description": "Executing software will create a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or action of an adversary. 
A decoy process could do things including give the impression of either a more or less secure system, the presence of attackable services or defensive infrastructure, or suggest the supposed purpose or use of the target machine."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0031", "description": "Create decoy processes on a system that mimic common antivirus process names. These processes when seen may prevent adversary malware from executing for fear of detection."}]}, {"attack_id": "T1040", "attack_technique": {"id": "T1040", "name": "Network Sniffing", "attack_tactics": ["credential-access", "discovery"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0081", "description": "There is an opportunity to entice the adversary to expose additional TTPs."}, "use_case": {"id": "DUC0081", "description": "The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. 
This can cause the adversary to expose additional capabilities.", "": ""}, "technique": {"id": "DTE0025", "name": "Network Diversity", "description": "Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.", "long_description": "Network diversity involves the use of a diverse collection of network items to make a decoy network look more realistic. It also ensures the network contains the appropriate amount and types of things that would normally be expected, perhaps including networking devices, firewalls, printers, phones, etc. "}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0043", "description": "Deploy a mix of network devices (systems, servers, printers, phones, etc.) to make a decoy network look realistic."}, {"id": "DPR0044", "description": "Deploy a variety of systems which reflect the use of multiple operating systems, hardware platforms, network services, etc."}]}, {"attack_id": "T1041", "attack_technique": {"id": "T1041", "name": "Exfiltration Over C2 Channel", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0174", "description": "There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location."}, "use_case": {"id": "DUC0174", "description": "A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", 
"name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1041", "attack_technique": {"id": "T1041", "name": "Exfiltration Over C2 Channel", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0174", "description": "There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location."}, "use_case": {"id": "DUC0175", "description": "A defender can restrict network traffic making adversary exfiltration slow or unreliable.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", 
"long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1046", "attack_technique": {"id": "T1046", "name": "Network Service Scanning", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0075", "description": "A defender can change the output of a recon commands to hide simulation elements you don\u2019t want attacked and present simulation elements you want the adversary to engage with.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", 
"name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1046", "attack_technique": {"id": "T1046", "name": "Network Service Scanning", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0078", "description": "A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1047", "attack_technique": {"id": "T1047", "name": "Windows Management Instrumentation", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0147", "description": "In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives."}, "use_case": {"id": "DUC0137", "description": "A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system to allow or disallow users to perform tasks requiring 
administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1047", "attack_technique": {"id": "T1047", "name": "Windows Management Instrumentation", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0137", "description": "There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs."}, "use_case": {"id": "DUC0138", "description": "A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, 
disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1048", "attack_technique": {"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0174", "description": "There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location."}, "use_case": {"id": "DUC0174", "description": "A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1049", "attack_technique": {"id": "T1049", "name": "System Network Connections Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0038", "description": "A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. 
This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1052", "attack_technique": {"id": "T1052", "name": "Exfiltration Over Physical Medium", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0205", "description": "A defender could use decoy peripherals, such as external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes.", "": ""}, "technique": {"id": "DTE0029", "name": "Peripheral Management", "description": "Manage peripheral devices used on systems within the network for active defense purposes. \n\n\n", "long_description": "Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. 
Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0050", "description": "Introduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness of its presence and if they attempt to leverage the device."}, {"id": "DPR0051", "description": "Configure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools."}]}, {"attack_id": "T1053", "attack_technique": {"id": "T1053", "name": "Scheduled Task/Job", "attack_tactics": ["execution", "persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0025", "description": "A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions 
gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1053", "attack_technique": {"id": "T1053", "name": "Scheduled Task/Job", "attack_tactics": ["execution", "persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0026", "description": "A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. 
This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. 
Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1053", "attack_technique": {"id": "T1053", "name": "Scheduled Task/Job", "attack_tactics": ["execution", "persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0027", "description": "A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1055", "attack_technique": {"id": "T1055", "name": "Process Injection", "attack_tactics": ["defense-evasion", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0146", "description": "In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement."}, "use_case": {"id": "DUC0144", "description": "A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": 
[{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1056", "attack_technique": {"id": "T1056", "name": "Input Capture", "attack_tactics": ["collection", "credential-access"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}, {"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0082", "description": "A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1057", "attack_technique": {"id": "T1057", "name": "Process Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0181", "description": "A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software 
installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1057", "attack_technique": {"id": "T1057", "name": "Process Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0182", "description": "There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0182", "description": "A defender can run decoy processes on a system to entice an adversary. 
", "": ""}, "technique": {"id": "DTE0016", "name": "Decoy Process", "description": "Execute software on a target system for the purposes of the defender.", "long_description": "Executing software will create a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or action of an adversary. A decoy process could do things including give the impression of either a more or less secure system, the presence of attackable services or defensive infrastructure, or suggest the supposed purpose or use of the target machine."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0031", "description": "Create decoy processes on a system that mimic common antivirus process names. 
These processes when seen may prevent adversary malware from executing for fear of detection."}]}, {"attack_id": "T1059", "attack_technique": {"id": "T1059", "name": "Command and Scripting Interpreter", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0028", "description": "A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1059", "attack_technique": {"id": "T1059", "name": "Command and Scripting Interpreter", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0029", "description": "A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1059", "attack_technique": {"id": "T1059", "name": "Command and Scripting Interpreter", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0033", "description": "A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1068", "attack_technique": {"id": "T1068", "name": "Exploitation for Privilege Escalation", "attack_tactics": ["privilege-escalation"]}, "attack_tactics": [{"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0055", "description": "A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and seeing if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service (within an adversary engagement environment) to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1069", "attack_technique": {"id": "T1069", "name": "Permission Groups Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0026", "description": "In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system."}, "use_case": {"id": "DUC0206", "description": "A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and 
executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and seeing if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. 
This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1070", "attack_technique": {"id": "T1070", "name": "Indicator Removal on Host", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0147", "description": "In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives."}, "use_case": {"id": "DUC0232", "description": "A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. 
The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service (within an adversary engagement environment) to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1070", "attack_technique": {"id": "T1070", "name": "Indicator Removal on Host", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0221", "description": "A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. 
This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1071", "attack_technique": {"id": "T1071", "name": "Application Layer Protocol", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring for, and alert on, anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. 
A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) 
logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1072", "attack_technique": {"id": "T1072", "name": "Software Deployment Tools", "attack_tactics": ["execution", "lateral-movement"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}, {"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0097", "description": "A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server that appears to be something commonly expected within a network, such as a web server."}]}, {"attack_id": "T1074", "attack_technique": {"id": "T1074", "name": "Data Staged", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0111", "description": "A defender can stage a variety of pocket litter files with known hashes around a system. 
Detections can be put in place if these hashes are seen moving around a system or out of the network.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1078", "attack_technique": {"id": "T1078", "name": "Valid Accounts", "attack_tactics": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0004", "description": "There is an opportunity to introduce user accounts that are used to make a system look more realistic."}, "use_case": {"id": "DUC0004", "description": "A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.", "": ""}, "technique": {"id": "DTE0010", "name": "Decoy Account", "description": "Create an account that is used for active defense purposes.", "long_description": "A decoy account is one that is created specifically for defensive or deceptive purposes. It can be in the form of user accounts, service accounts, software accounts, etc. The decoy account can be used to make a system, service, or software look more realistic or to entice an action."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. 
"}], "procedures": [{"id": "DPR0020", "description": "Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that\u00a0looks normal in the environment."}, {"id": "DPR0021", "description": "Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. This can be monitored to see if it is used in future attacks."}]}, {"attack_id": "T1078", "attack_technique": {"id": "T1078", "name": "Valid Accounts", "attack_tactics": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0005", "description": "A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1078", "attack_technique": {"id": "T1078", "name": "Valid Accounts", "attack_tactics": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0006", "description": "There is an opportunity to prepare user accounts so they look used and authentic."}, "use_case": {"id": "DUC0006", "description": "A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.", "": ""}, "technique": {"id": "DTE0008", "name": "Burn-In", "description": "Exercise a target system in a manner where it will generate desirable system artifacts.\n", "long_description": "Exercising the system to create desirable system artifacts including web browsing, filesystem usage, running user applications like office suites, etc. The burn-in process can be specific to a user or system, depending on your needs."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. 
This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0016", "description": "Configure a decoy system and allow it to be used in a manner such that it collects activity logs and appears to be a legitimate system."}, {"id": "DPR0017", "description": "Configure a system to generate internet browser traffic for a decoy user profile, creating artifacts such as cookies, history, temp files, etc."}]}, {"attack_id": "T1080", "attack_technique": {"id": "T1080", "name": "Taint Shared Content", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0208", "description": "A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. 
This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1082", "attack_technique": {"id": "T1082", "name": "System Information Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0207", "description": "A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. 
Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1083", "attack_technique": {"id": "T1083", "name": "File and Directory Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0184", "description": "A defender can utilize decoy files and directories to provide content that could be used by the adversary.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1087", "attack_technique": {"id": "T1087", "name": "Account Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0186", "description": "A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1087", "attack_technique": {"id": "T1087", "name": "Account Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0187", "description": "In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process."}, "use_case": {"id": "DUC0187", "description": "During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.", "": ""}, "technique": {"id": "DTE0010", "name": "Decoy Account", "description": "Create an account that is used for active defense purposes.", "long_description": "A decoy account is one that is created specifically for defensive or deceptive purposes. It can be in the form of user accounts, service accounts, software accounts, etc. The decoy account can be used to make a system, service, or software look more realistic or to entice an action."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0020", "description": "Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that\u00a0looks normal in the environment."}, {"id": "DPR0021", "description": "Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. 
This can be monitored to see if it is used in future attacks."}]}, {"attack_id": "T1087", "attack_technique": {"id": "T1087", "name": "Account Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0188", "description": "There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in."}, "use_case": {"id": "DUC0188", "description": "A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.", "": ""}, "technique": {"id": "DTE0013", "name": "Decoy Diversity", "description": "Deploy a set of decoy systems with different OS and software configurations.", "long_description": "Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. It also allows you to see if they use different TTPs on systems with different configurations."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0025", "description": "Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used."}, {"id": "DPR0026", "description": "Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets."}]}, {"attack_id": "T1090", "attack_technique": {"id": "T1090", "name": "Proxy", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0164", "description": "There is an opportunity to block an adversary that is seeking to use a proxied connection."}, "use_case": {"id": "DUC0164", "description": "A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. ", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1091", "attack_technique": {"id": "T1091", "name": "Replication Through Removable Media", "attack_tactics": ["lateral-movement", "initial-access"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0011", "description": "A defender can monitor systems for the use of removable media.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. 
Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1091", "attack_technique": {"id": "T1091", "name": "Replication Through Removable Media", "attack_tactics": ["lateral-movement", "initial-access"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0016", "description": "There is an opportunity to use security controls to stop or allow an adversary's activity."}, "use_case": {"id": "DUC0012", "description": "A defender can disable Autorun to prevent malware from automatically executing when removable media is plugged into a system.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", 
"description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a decoy system to allow decoy credentials to be leaked via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1091", "attack_technique": {"id": "T1091", "name": "Replication Through Removable Media", "attack_tactics": ["lateral-movement", "initial-access"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0013", "description": "There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network."}, "use_case": {"id": "DUC0013", "description": "A defender can connect a suspect removable media device to a decoy system and see what happens when autorun is enabled.", "": ""}, "technique": {"id": "DTE0023", "name": "Migrate Attack Vector", "description": "Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.", "long_description": "Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network."}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent 
an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0041", "description": "When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment."}]}, {"attack_id": "T1091", "attack_technique": {"id": "T1091", "name": "Replication Through Removable Media", "attack_tactics": ["lateral-movement", "initial-access"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0012", "description": "There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems."}, "use_case": {"id": "DUC0014", "description": "A defender can set up protections so removable media cannot be mounted until an isolated review process has cleared the drive.", "": ""}, "technique": {"id": "DTE0022", "name": "Isolation", "description": "Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.", "long_description": "Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets."}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. 
Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0040", "description": "Unplug an infected system from the network and disable any other means of communication."}, {"id": "DPR0066", "description": "Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries."}]}, {"attack_id": "T1092", "attack_technique": {"id": "T1092", "name": "Communication Through Removable Media", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0211", "description": "A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.", "": ""}, "technique": {"id": "DTE0029", "name": "Peripheral Management", "description": "Manage peripheral devices used on systems within the network for active defense purposes. \n\n\n", "long_description": "Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0050", "description": "Introduce external devices (e.g. 
a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness of its presence and if they attempt to leverage the device."}, {"id": "DPR0051", "description": "Configure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools."}]}, {"attack_id": "T1092", "attack_technique": {"id": "T1092", "name": "Communication Through Removable Media", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0211", "description": "A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.", "": ""}, "technique": {"id": "DTE0023", "name": "Migrate Attack Vector", "description": "Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.", "long_description": "Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0041", "description": "When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment."}]}, {"attack_id": "T1095", "attack_technique": {"id": "T1095", "name": "Non-Application Layer Protocol", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0212", "description": "A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1098", "attack_technique": {"id": "T1098", "name": "Account Manipulation", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0043", "description": "A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1098", "attack_technique": {"id": "T1098", "name": "Account Manipulation", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0044", "description": "A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation.", "": ""}, "technique": {"id": "DTE0010", "name": "Decoy Account", "description": "Create an account that is used for active defense purposes.", "long_description": "A decoy account is one that is created specifically for defensive or deceptive purposes. It can be in the form of user accounts, service accounts, software accounts, etc. The decoy account can be used to make a system, service, or software look more realistic or to entice an action."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0020", "description": "Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that\u00a0looks normal in the environment."}, {"id": "DPR0021", "description": "Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. 
This can be monitored to see if it is used in future attacks."}]}, {"attack_id": "T1098", "attack_technique": {"id": "T1098", "name": "Account Manipulation", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0016", "description": "There is an opportunity to use security controls to stop or allow an adversary's activity."}, "use_case": {"id": "DUC0045", "description": "A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary's activity.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1102", "attack_technique": {"id": "T1102", "name": "Web Service", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0213", "description": "A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1104", "attack_technique": {"id": "T1104", "name": "Multi-Stage Channels", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0160", "description": "There is an opportunity to detect an unknown process that is being used for command and control and disrupt it."}, "use_case": {"id": "DUC0160", "description": "A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet.", "": ""}, "technique": {"id": "DTE0022", "name": "Isolation", "description": "Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.", "long_description": "Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0040", "description": "Unplug an infected system from the network and disable any other means of communication."}, {"id": "DPR0066", "description": "Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries."}]}, {"attack_id": "T1104", "attack_technique": {"id": "T1104", "name": "Multi-Stage Channels", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0159", "description": "There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity."}, "use_case": {"id": "DUC0161", "description": "A defender could implement a protocol aware IPS to limit systems communicating to unknown locations on the internet.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1105", "attack_technique": {"id": "T1105", "name": "Ingress Tool Transfer", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0170", "description": "There is an opportunity to collect network data and analyze the adversary activity it contains."}, "use_case": {"id": "DUC0170", "description": "Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity.", "": ""}, "technique": {"id": "DTE0028", "name": "PCAP Collection", "description": "Collect full network traffic for future research and analysis.", "long_description": "PCAP Collection allows defenders to use the data to examine an adversary\u2019s network traffic more closely, including studying if it is encoded and/or encrypted. PCAP can be run through tools to replay the traffic to get a real-time view of what happened over the wire. These tools can also parse the traffic and send results to a SIEM for monitoring and alerting."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0049", "description": "Collect PCAP on a decoy network to improve visibility into an adversary's network activity."}]}, {"attack_id": "T1106", "attack_technique": {"id": "T1106", "name": "Native API", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0030", "description": "A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1106", "attack_technique": {"id": "T1106", "name": "Native API", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0032", "description": "A defender can monitor operating system function calls to look for adversary use and/or abuse.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1110", "attack_technique": {"id": "T1110", "name": "Brute Force", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0072", "description": "A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1111", "attack_technique": {"id": "T1111", "name": "Two-Factor Authentication Interception", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0094", "description": "In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1111", "attack_technique": {"id": "T1111", "name": "Two-Factor Authentication Interception", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0095", "description": "There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures."}, "use_case": {"id": "DUC0095", "description": "A defender can implement a standard operating procedure which restricts users from using 2FA or MFA more than once without another process being invoked.", "": ""}, "technique": {"id": "DTE0033", "name": "Standard Operating Procedure", "description": "Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.", "long_description": "Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0057", "description": "Require approvals and waivers for users to make changes to their system which requires administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity."}, {"id": "DPR0058", "description": "Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity."}]}, {"attack_id": "T1112", "attack_technique": {"id": "T1112", "name": "Modify Registry", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0069", "description": "There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes."}, "use_case": {"id": "DUC0069", "description": "A defender can enable Registry Auditing on specific keys to produce an alert whenever a value is changed and revert those keys to baseline.", "": ""}, "technique": {"id": "DTE0006", "name": "Baseline", "description": "Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.", "long_description": "Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state. "}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0011", "description": "Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information."}, {"id": "DPR0012", "description": "Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline."}]}, {"attack_id": "T1112", "attack_technique": {"id": "T1112", "name": "Modify Registry", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0070", "description": "A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1113", "attack_technique": {"id": "T1113", "name": "Screen Capture", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0113", "description": "A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. 
Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1114", "attack_technique": {"id": "T1114", "name": "Email Collection", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0074", "description": "There is an opportunity to influence an adversary to move toward systems you want them to engage with."}, "use_case": {"id": "DUC0102", "description": "A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1115", "attack_technique": {"id": "T1115", "name": "Clipboard Data", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0082", "description": "There is an opportunity to introduce data to an adversary to influence their future behaviors."}, "use_case": {"id": "DUC0103", "description": "A defender can insert into a system's clipboard decoy content for the adversary to find. ", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1119", "attack_technique": {"id": "T1119", "name": "Automated Collection", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0104", "description": "A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. 
This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1120", "attack_technique": {"id": "T1120", "name": "Peripheral Device Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0023", "description": "There is an opportunity to gauge an adversary's interest in connected peripheral devices."}, "use_case": {"id": "DUC0023", "description": "A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them.", "": ""}, "technique": {"id": "DTE0029", "name": "Peripheral Management", "description": "Manage peripheral devices used on systems within the network for active defense purposes. \n\n\n", "long_description": "Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0050", "description": "Introduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness to its presence and if they attempt to leverage the device."}, {"id": "DPR0051", "description": "Configure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools."}]}, {"attack_id": "T1120", "attack_technique": {"id": "T1120", "name": "Peripheral Device Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0024", "description": "A defender can plug in a USB drive and see how quickly the adversary notices and inspects it.", "": ""}, "technique": {"id": "DTE0029", "name": "Peripheral Management", "description": "Manage peripheral devices used on systems within the network for active defense purposes. \n\n\n", "long_description": "Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0050", "description": "Introduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness to its presence and if they attempt to leverage the device."}, {"id": "DPR0051", "description": "Configure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools."}]}, {"attack_id": "T1123", "attack_technique": {"id": "T1123", "name": "Audio Capture", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0105", "description": "A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. 
Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1123", "attack_technique": {"id": "T1123", "name": "Audio Capture", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0106", "description": "There is an opportunity to alter the system to prevent an adversary from capturing audio content."}, "use_case": {"id": "DUC0106", "description": "A defender can physically remove or disable a system's microphone and web camera so that audio capture is not possible.", "": ""}, "technique": {"id": "DTE0020", "name": "Hardware Manipulation", "description": "Alter the hardware configuration of a system to limit what an adversary can do with the device.", "long_description": "Hardware Manipulation\u00a0can be making physical or configuration changes, including physically removing a system's microphone, camera, on-board Wi-Fi adapter, etc. or using other controls to disable those devices."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0037", "description": "Remove the microphone from a laptop to prevent an adversary from capturing audio from the device."}, {"id": "DPR0038", "description": "Remove the Wi-Fi hardware from a device to prevent an adversary from enabling and using a Wi-Fi connection."}]}, {"attack_id": "T1124", "attack_technique": {"id": "T1124", "name": "System Time Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0189", "description": "If the defender knows the specific regions an adversary is targeting, they can alter the output of commands which return systems times to return data consistent with what an adversary would want to see.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or 
behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1125", "attack_technique": {"id": "T1125", "name": "Video Capture", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0114", "description": "A defender can introduce video content designed to make the adversary believe that their capture efforts are working.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1125", "attack_technique": {"id": "T1125", "name": "Video Capture", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0115", "description": "There is an opportunity to alter the system to prevent an adversary from capturing video content."}, "use_case": {"id": "DUC0115", "description": "A defender can physically remove or disable a system's web camera and remove any video capture applications so that video capture is not possible.", "": ""}, "technique": {"id": "DTE0020", "name": "Hardware Manipulation", "description": "Alter the hardware configuration of a system to limit what an adversary can do with the device.", "long_description": "Hardware Manipulation\u00a0can be making physical or configuration changes, including physically removing a system's microphone, camera, on-board Wi-Fi adapter, etc. 
or using other controls to disable those devices."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0037", "description": "Remove the microphone from a laptop to prevent an adversary from capturing audio from the device."}, {"id": "DPR0038", "description": "Remove the Wi-Fi hardware from a device to prevent an adversary from enabling and using a Wi-Fi connection."}]}, {"attack_id": "T1127", "attack_technique": {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0033", "description": "A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1129", "attack_technique": {"id": "T1129", "name": "Shared Modules", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0030", "description": "A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. 
This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1132", "attack_technique": {"id": "T1132", "name": "Data Encoding", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0249", "description": "There is an opportunity to reveal data that the adversary has tried to protect from defenders"}, "use_case": {"id": "DUC0249", "description": "Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity.", "": ""}, "technique": {"id": "DTE0031", "name": "Protocol Decoder", "description": "Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.", "long_description": "Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. 
These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0054", "description": "Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format."}]}, {"attack_id": "T1133", "attack_technique": {"id": "T1133", "name": "External Remote Services", "attack_tactics": ["persistence", "initial-access"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}, {"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0009", "description": "There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services."}, "use_case": {"id": "DUC0009", "description": "A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. 
The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. 
Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1134", "attack_technique": {"id": "T1134", "name": "Access Token Manipulation", "attack_tactics": ["defense-evasion", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0148", "description": "A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. 
This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1134", "attack_technique": {"id": "T1134", "name": "Access Token Manipulation", "attack_tactics": ["defense-evasion", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0149", "description": "A defender could implement behavioral analytics that detect common access token manipulation techniques and allow or deny these actions.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. 
This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1135", "attack_technique": {"id": "T1135", "name": "Network Share Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0190", "description": "In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity."}, "use_case": {"id": "DUC0190", "description": "A defender can utilize decoy network shares to provide content that could be used by the adversary. ", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. 
This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1135", "attack_technique": {"id": "T1135", "name": "Network Share Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0191", "description": " There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use."}, "use_case": {"id": "DUC0191", "description": "A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc.", "": ""}, "technique": {"id": "DTE0013", "name": "Decoy Diversity", "description": "Deploy a set of decoy systems with different OS and software configurations.", "long_description": "Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. 
It also allows you to see if they use different TTPs on systems with different configurations."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0025", "description": "Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used."}, {"id": "DPR0026", "description": "Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) 
in order to provide an adversary a wide range of targets."}]}, {"attack_id": "T1136", "attack_technique": {"id": "T1136", "name": "Create Account", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0047", "description": "A defender can detect user accounts created outside the acceptable process.", "": ""}, "technique": {"id": "DTE0033", "name": "Standard Operating Procedure", "description": "Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.", "long_description": "Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0057", "description": "Require approvals and waivers for users to make changes to their system which requires administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity."}, {"id": "DPR0058", "description": "Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. 
Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity."}]}, {"attack_id": "T1137", "attack_technique": {"id": "T1137", "name": "Office Application Startup", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0052", "description": "A defender can collect system process information and look for abnormal activity tied to Office processes.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1140", "attack_technique": {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0031", "description": "A defender can monitor and analyze operating system functions calls for detection and alerting.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. 
This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1176", "attack_technique": {"id": "T1176", "name": "Browser Extensions", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0015", "description": "There is an opportunity to use tools and controls to stop an adversary's activity."}, "use_case": {"id": "DUC0046", "description": "A defender can force the removal of browser extensions that are not allowed by a corporate policy.", "": ""}, "technique": {"id": "DTE0006", "name": "Baseline", "description": "Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.", "long_description": "Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state. "}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0011", "description": "Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information."}, {"id": "DPR0012", "description": "Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline."}]}, {"attack_id": "T1185", "attack_technique": {"id": "T1185", "name": "Man in the Browser", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0112", "description": "In an adversary engagement scenario, there is an opportunity to prepare a user's browser data (sessions, cookies, etc.) so it looks authentic and fully populated."}, "use_case": {"id": "DUC0112", "description": "A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement.", "": ""}, "technique": {"id": "DTE0008", "name": "Burn-In", "description": "Exercise a target system in a manner where it will generate desirable system artifacts.\n", "long_description": "Exercising the system to create desirable system artifacts including web browsing, filesystem usage, running user applications like office suites, etc. The burn-in process can be specific to a user or system, depending on your needs."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0016", "description": "Configure a decoy system and allow it to be used in a manner such that it collects activity logs and appears to be a legitimate system."}, {"id": "DPR0017", "description": "Configure a system to generate internet browser traffic for a decoy user profile, creating artifacts such as cookies, history, temp files, etc."}]}, {"attack_id": "T1187", "attack_technique": {"id": "T1187", "name": "Forced Authentication", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0084", "description": "In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use."}, "use_case": {"id": "DUC0151", "description": "A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. 
Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. 
Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1187", "attack_technique": {"id": "T1187", "name": "Forced Authentication", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0159", "description": "There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity."}, "use_case": {"id": "DUC0152", "description": "A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternatively, a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1189", "attack_technique": {"id": "T1189", "name": "Drive-by Compromise", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0001", "description": "A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.).", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. 
The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. 
Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1189", "attack_technique": {"id": "T1189", "name": "Drive-by Compromise", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0002", "description": "There is an opportunity to discover who or what is being targeted by an adversary."}, "use_case": {"id": "DUC0002", "description": "A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.", "": ""}, "technique": {"id": "DTE0013", "name": "Decoy Diversity", "description": "Deploy a set of decoy systems with different OS and software configurations.", "long_description": "Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. It also allows you to see if they use different TTPs on systems with different configurations."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0025", "description": "Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used."}, {"id": "DPR0026", "description": "Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets."}]}, {"attack_id": "T1189", "attack_technique": {"id": "T1189", "name": "Drive-by Compromise", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0003", "description": "There is an opportunity to use a compromised drive-by site to start long-term engagement with the adversary and observe the adversary's post-exploit TTPs."}, "use_case": {"id": "DUC0003", "description": "A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise.", "": ""}, "technique": {"id": "DTE0014", "name": "Decoy Network", "description": "Create a target network with a set of target systems, for the purpose of active defense.\n", "long_description": "Decoy networks are comprised of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement. "}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0027", "description": "Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs)."}, {"id": "DPR0028", "description": "Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system."}]}, {"attack_id": "T1190", "attack_technique": {"id": "T1190", "name": "Exploit Public-Facing Application", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0007", "description": "A defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. 
The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Setup a server which appears to be something that is commonly expected within a network, such as web server."}]}, {"attack_id": "T1190", "attack_technique": {"id": "T1190", "name": "Exploit Public-Facing Application", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0008", "description": "There is an opportunity to present several public-facing application options to see what application(s) the adversary targets."}, "use_case": {"id": "DUC0008", "description": "A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.", "": ""}, "technique": {"id": "DTE0013", "name": "Decoy Diversity", "description": "Deploy a set of decoy systems with different OS and software configurations.", "long_description": "Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. 
Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. It also allows you to see if they use different TTPs on systems with different configurations."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0025", "description": "Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used."}, {"id": "DPR0026", "description": "Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) 
in order to provide an adversary a wide range of targets."}]}, {"attack_id": "T1195", "attack_technique": {"id": "T1195", "name": "Supply Chain Compromise", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0020", "description": "Hardware and/or software additions can be tested and verified in controlled environments prior to deployment."}, "use_case": {"id": "DUC0020", "description": "A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors.", "": ""}, "technique": {"id": "DTE0014", "name": "Decoy Network", "description": "Create a target network with a set of target systems, for the purpose of active defense.\n", "long_description": "Decoy networks are comprised of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement. "}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0027", "description": "Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs)."}, {"id": "DPR0028", "description": "Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system."}]}, {"attack_id": "T1197", "attack_technique": {"id": "T1197", "name": "BITS Jobs", "attack_tactics": ["defense-evasion", "persistence"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0140", "description": "There is an opportunity to use security controls on systems in order to affect the success of an adversary."}, "use_case": {"id": "DUC0140", "description": "A defender could use host-based tool to detect common persistence mechanisms and prevent the process from executing successfully.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or 
relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1197", "attack_technique": {"id": "T1197", "name": "BITS Jobs", "attack_tactics": ["defense-evasion", "persistence"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0141", "description": "There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity."}, "use_case": {"id": "DUC0141", "description": "By collecting system logs, a defender can implement detections that identify abnormal BITS usage.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. 
Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1199", "attack_technique": {"id": "T1199", "name": "Trusted Relationship", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0021", "description": "When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect."}, "use_case": {"id": "DUC0021", "description": "Defenders can monitor trusted partner access, detecting unauthorized activity.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect 
system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1200", "attack_technique": {"id": "T1200", "name": "Hardware Additions", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0010", "description": "There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary."}, "use_case": {"id": "DUC0010", "description": "A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors.", "": ""}, "technique": {"id": "DTE0022", "name": "Isolation", "description": "Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.", "long_description": "Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. 
A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets."}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0040", "description": "Unplug an infected system from the network and disable any other means of communication."}, {"id": "DPR0066", "description": "Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries."}]}, {"attack_id": "T1201", "attack_technique": {"id": "T1201", "name": "Password Policy Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0026", "description": "In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system."}, "use_case": {"id": "DUC0216", "description": "A defender can alter the output of the password policy description so the adversary is unsure of exactly what the requirements are.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1202", "attack_technique": {"id": "T1202", "name": "Indirect Command Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0217", "description": "A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1203", "attack_technique": {"id": "T1203", "name": "Exploitation for Client Execution", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0034", "description": "A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. 
Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1203", "attack_technique": {"id": "T1203", "name": "Exploitation for Client Execution", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0002", "description": "There is an opportunity to discover who or what is being targeted by an adversary."}, "use_case": {"id": "DUC0035", "description": "A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1204", "attack_technique": {"id": "T1204", "name": "User Execution", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0040", "description": "A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.", "": ""}, "technique": {"id": "DTE0018", "name": "Detonate Malware", "description": "Execute malware under controlled conditions to analyze its functionality.", "long_description": "An execution environment can range from a somewhat sterile commercial malware execution appliance, to a bespoke system crafted to meet engagement goals. The execution environment will typically be highly instrumented and have special controls to ensure the experiment is contained and harmless to unrelated systems."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0034", "description": "Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts."}, {"id": "DPR0035", "description": "Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs."}]}, {"attack_id": "T1205", "attack_technique": {"id": "T1205", "name": "Traffic Signaling", "attack_tactics": ["defense-evasion", "persistence", "command-and-control"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}, {"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring to detect and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1207", "attack_technique": {"id": "T1207", "name": "Rogue Domain Controller", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0218", "description": "A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1210", "attack_technique": {"id": "T1210", "name": "Exploitation of Remote Services", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0219", "description": "There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations."}, "use_case": {"id": "DUC0219", "description": "A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. 
On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1211", "attack_technique": {"id": "T1211", "name": "Exploitation for Defense Evasion", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0219", "description": "There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations."}, "use_case": {"id": "DUC0219", "description": "A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1212", "attack_technique": {"id": "T1212", "name": "Exploitation for Credential Access", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0085", "description": "In an adversary engagement scenario, there is an opportunity to use a variety of applications on a system to see what an adversary tries to exploit in order to acquire credentials."}, "use_case": {"id": "DUC0085", "description": "A defender can use a variety of applications on a decoy system or in a decoy network to see what an adversary tries to exploit in order to acquire credentials.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1213", "attack_technique": {"id": "T1213", "name": "Data from Information Repositories", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0098", "description": "A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. 
This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. 
"}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1213", "attack_technique": {"id": "T1213", "name": "Data from Information Repositories", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0099", "description": "In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary."}, "use_case": {"id": "DUC0099", "description": "A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1216", "attack_technique": {"id": "T1216", "name": "Signed Script Proxy Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0221", "description": "A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1217", "attack_technique": {"id": "T1217", "name": "Browser Bookmark Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0210", "description": "There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0210", "description": "A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1218", "attack_technique": {"id": "T1218", "name": "Signed Binary Proxy Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0029", "description": "There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs."}, "use_case": {"id": "DUC0032", "description": "A defender can monitor operating system function calls to look for adversary use and/or abuse.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": 
"Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1218", "attack_technique": {"id": "T1218", "name": "Signed Binary Proxy Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0037", "description": "A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.", "": ""}, "technique": {"id": "DTE0018", "name": "Detonate Malware", "description": "Execute malware under controlled conditions to analyze its functionality.", "long_description": "An execution environment can range from a somewhat sterile commercial malware execution appliance, to a bespoke system crafted to meet engagement goals. The execution environment will typically be highly instrumented and have special controls to ensure the experiment is contained and harmless to unrelated systems."}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. 
Defenders can also harden systems to prevent them from moving laterally. "}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0034", "description": "Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts."}, {"id": "DPR0035", "description": "Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs."}]}, {"attack_id": "T1218", "attack_technique": {"id": "T1218", "name": "Signed Binary Proxy Execution", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0031", "description": "A defender can monitor and analyze operating system functions calls for detection and alerting.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1219", "attack_technique": {"id": "T1219", "name": "Remote Access Software", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0223", "description": "A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. 
This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1220", "attack_technique": {"id": "T1220", "name": "XSL Script Processing", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0131", "description": "The defender can use behavioral analytics to detect a process performing XSL script processing that is doing something abnormal.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. 
This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1221", "attack_technique": {"id": "T1221", "name": "Template Injection", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0225", "description": "A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. 
The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. 
Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1222", "attack_technique": {"id": "T1222", "name": "File and Directory Permissions Modification", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0226", "description": "A defender can seed files that are interesting to an adversary, but lock their permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1480", "attack_technique": {"id": "T1480", "name": "Execution Guardrails", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0136", "description": "A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. 
This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1480", "attack_technique": {"id": "T1480", "name": "Execution Guardrails", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0219", "description": "There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations."}, "use_case": {"id": "DUC0219", "description": "A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. 
On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1482", "attack_technique": {"id": "T1482", "name": "Domain Trust Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0231", "description": "There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery."}, "use_case": {"id": "DUC0231", "description": "A defender can create a decoy network that contains systems\u00a0which are easily discoverable and appealing to an adversary.", "": ""}, "technique": {"id": "DTE0014", "name": "Decoy Network", "description": "Create a target network with a set of target systems, for the purpose of active defense.\n", "long_description": "Decoy networks are comprised of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement. "}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0027", "description": "Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs)."}, {"id": "DPR0028", "description": "Use a segregated network to visit a compromised site. 
If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system."}]}, {"attack_id": "T1482", "attack_technique": {"id": "T1482", "name": "Domain Trust Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0084", "description": "In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use."}, "use_case": {"id": "DUC0084", "description": "A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. 
They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1484", "attack_technique": {"id": "T1484", "name": "Group Policy Modification", "attack_tactics": ["defense-evasion", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0065", "description": "A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. 
Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1485", "attack_technique": {"id": "T1485", "name": "Data Destruction", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0118", "description": "There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender."}, "use_case": {"id": "DUC0118", "description": "A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.", "": ""}, "technique": {"id": "DTE0005", "name": "Backup and Recovery", "description": "Make copies of key system software, configuration, and data to enable rapid system restoration.", "long_description": "Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. 
This is typically done to capture/restore an entire system or major subsystems."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0009", "description": "Back up data on public-facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup."}, {"id": "DPR0010", "description": "Back up data on an end-user system and store it offline. If an adversary alters or deletes data on the system, restore the data using the backup copy."}, {"id": "DPR0063", "description": "In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts."}]}, {"attack_id": "T1485", "attack_technique": {"id": "T1485", "name": "Data Destruction", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0029", "description": "There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs."}, "use_case": {"id": "DUC0057", "description": "A defender can manipulate commands on systems so an adversary is unable to delete data in the ways they normally would.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the 
operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1485", "attack_technique": {"id": "T1485", "name": "Data Destruction", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0120", "description": "A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as 
SDelete.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1486", "attack_technique": {"id": "T1486", "name": "Data Encrypted for Impact", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0121", "description": "A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. 
Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1486", "attack_technique": {"id": "T1486", "name": "Data Encrypted for Impact", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0122", "description": "There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender."}, "use_case": {"id": "DUC0118", "description": "A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.", "": ""}, "technique": {"id": "DTE0005", "name": "Backup and Recovery", "description": "Make copies of key system software, configuration, and data to enable rapid system restoration.", "long_description": "Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. 
This is typically done to capture/restore an entire system or major subsystems."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0009", "description": "Back up data on public facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup."}, {"id": "DPR0010", "description": "Back up data on an end-user system and store offline. 
If an adversary alters or deletes data on the system, restore the data using the backup copy."}, {"id": "DPR0063", "description": "In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts."}]}, {"attack_id": "T1489", "attack_technique": {"id": "T1489", "name": "Service Stop", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0130", "description": "By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1490", "attack_technique": {"id": "T1490", "name": "Inhibit System Recovery", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0039", "description": "A defender can use process monitoring to look for command execution and command line parameters commonly used to inhibit system recovery.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1491", "attack_technique": {"id": "T1491", "name": "Defacement", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0123", "description": "There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites."}, "use_case": {"id": "DUC0123", "description": "A defender can monitor websites for unplanned content changes and generate alerts when activity is detected.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. 
It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1491", "attack_technique": {"id": "T1491", "name": "Defacement", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0124", "description": "There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content."}, "use_case": {"id": "DUC0118", "description": "A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.", "": ""}, "technique": {"id": "DTE0005", "name": "Backup and Recovery", "description": "Make copies of key system software, configuration, and data to enable rapid system restoration.", "long_description": "Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. 
This is typically done to capture/restore an entire system or major subsystems."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0009", "description": "Back up data on public facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup."}, {"id": "DPR0010", "description": "Back up data on an end-user system and store offline. 
If an adversary alters or deletes data on the system, restore the data using the backup copy."}, {"id": "DPR0063", "description": "In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts."}]}, {"attack_id": "T1495", "attack_technique": {"id": "T1495", "name": "Firmware Corruption", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0128", "description": "A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. 
This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1496", "attack_technique": {"id": "T1496", "name": "Resource Hijacking", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0129", "description": "By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1497", "attack_technique": {"id": "T1497", "name": "Virtualization/Sandbox Evasion", "attack_tactics": ["defense-evasion", "discovery"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0169", "description": "There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization."}, "use_case": {"id": "DUC0169", "description": "A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1497", "attack_technique": {"id": "T1497", "name": "Virtualization/Sandbox Evasion", "attack_tactics": ["defense-evasion", "discovery"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0234", "description": "There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts."}, "use_case": {"id": "DUC0234", "description": "A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1498", "attack_technique": {"id": "T1498", "name": "Network Denial of Service", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0130", "description": "There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service."}, "use_case": {"id": "DUC0126", "description": "A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1499", "attack_technique": {"id": "T1499", "name": "Endpoint Denial of Service", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0130", "description": "There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service."}, "use_case": {"id": "DUC0126", "description": "A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. "}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1499", "attack_technique": {"id": "T1499", "name": "Endpoint Denial of Service", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0029", "description": "There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs."}, "use_case": {"id": "DUC0127", "description": "A defender can configure systems to block any system with a number of authentication failures in a certain window of time.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or 
all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1505", "attack_technique": {"id": "T1505", "name": "Server Software Component", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0056", "description": "A defender can install decoy services that have extensible capabilities.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1518", "attack_technique": {"id": "T1518", "name": "Software Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0219", "description": "There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations."}, "use_case": {"id": "DUC0235", "description": "A defender can install an array of various software packages on a system to make it look used and populated. 
This will give an adversary a collection of software to interact with and possibly expose additional techniques.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1525", "attack_technique": {"id": "T1525", "name": "Implant Container Image", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0168", "description": "A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1526", "attack_technique": {"id": "T1526", "name": "Cloud Service Discovery", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0251", "description": "There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them."}, "use_case": {"id": "DUC0251", "description": "A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources.", "": ""}, "technique": {"id": "DTE0014", "name": "Decoy Network", "description": "Create a target network with a set of target systems, for the purpose of active defense.\n", "long_description": "Decoy networks are comprised of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement. "}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0027", "description": "Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs)."}, {"id": "DPR0028", "description": "Use a segregated network to visit a compromised site. 
If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system."}]}, {"attack_id": "T1528", "attack_technique": {"id": "T1528", "name": "Steal Application Access Token", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0091", "description": "Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not."}, "use_case": {"id": "DUC0091", "description": "A program to train users on how to recognize and report third-party applications requesting authorization can create \"Human Sensors\" that help detect application token theft.", "": ""}, "technique": {"id": "DTE0035", "name": "User Training", "description": "Train users to detect malicious intent or activity, how to report it, etc.", "long_description": "User training involves teaching end users to be human sensors who know how to recognize cyber threats and the procedures for reporting them. Users can be effective sensors for social engineering attempts, phishing email detection, as well as other cyber threats."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0061", "description": "Train users to immediately report suspicious emails. Those emails could then be used for malware detonation or adversary engagement purposes."}, {"id": "DPR0062", "description": "Train users to report potentially compromised devices so they can be isolated or migrated into deception networks."}]}, {"attack_id": "T1529", "attack_technique": {"id": "T1529", "name": "System Shutdown/Reboot", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0134", "description": "A defender can deploy a decoy system to see if an adversary attempts to shutdown or reboot the device.", "": ""}, "technique": {"id": "DTE0017", "name": "Decoy System", "description": "Configure a computing system to serve as an attack target or experimental environment. ", "long_description": "A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0032", "description": "Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system."}, {"id": "DPR0033", "description": "Set up a server which appears to be something that is commonly expected within a network, such as a web server."}]}, {"attack_id": "T1530", "attack_technique": {"id": "T1530", "name": "Data from Cloud Storage Object", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0098", "description": "In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment."}, "use_case": {"id": "DUC0098", "description": "A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. 
Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content; however, Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. 
"}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1530", "attack_technique": {"id": "T1530", "name": "Data from Cloud Storage Object", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0099", "description": "In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary."}, "use_case": {"id": "DUC0099", "description": "A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.", "": ""}, "technique": {"id": "DTE0030", "name": "Pocket Litter", "description": "Place data on a system to reinforce the legitimacy of the system or user.", "long_description": "Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.)."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0052", "description": "When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary."}, {"id": "DPR0053", "description": "Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."}]}, {"attack_id": "T1531", "attack_technique": {"id": "T1531", "name": "Account Access Removal", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0043", "description": "A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1534", "attack_technique": {"id": "T1534", "name": "Internal Spearphishing", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0236", "description": "A program to train users to report emails that they did not send but appear in their sent folder.", "": ""}, "technique": {"id": "DTE0035", "name": "User Training", "description": "Train users to detect malicious intent or activity, how to report it, etc.", "long_description": "User training involves teaching end users to be human sensors who know how to recognize cyber threats and the procedures for reporting them. Users can be effective sensors for social engineering attempts, phishing email detection, as well as other cyber threats."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0061", "description": "Train users to immediately report suspicious emails. 
Those emails could then be used for malware detonation or adversary engagement purposes."}, {"id": "DPR0062", "description": "Train users to report potentially compromised devices so they can be isolated or migrated into deception networks."}]}, {"attack_id": "T1535", "attack_technique": {"id": "T1535", "name": "Unused/Unsupported Cloud Regions", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0237", "description": "A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1536", "attack_technique": {"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0141", "description": "There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity."}, "use_case": {"id": "DUC0238", "description": "A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1537", "attack_technique": {"id": "T1537", "name": "Transfer Data to Cloud Account", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0239", "description": "Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn't do so.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1538", "attack_technique": {"id": "T1538", "name": "Cloud Service Dashboard", "attack_tactics": ["discovery"]}, "attack_tactics": [{"id": "TA0007", "name": "Discovery"}], "opportunity": {"id": "DOS0084", "description": "In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use."}, "use_case": {"id": "DUC0084", "description": "A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. 
Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1539", "attack_technique": {"id": "T1539", "name": "Steal Web Session Cookie", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0016", "description": "There is an opportunity to use security controls to stop or allow an adversary's activity."}, "use_case": {"id": "DUC0092", "description": "A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally. 
"}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1539", "attack_technique": {"id": "T1539", "name": "Steal Web Session Cookie", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0093", "description": "There is an opportunity to seed systems with decoy cookies that will lead adversaries to decoy targets."}, "use_case": {"id": "DUC0093", "description": "A defender can authenticate to a collection of decoy sites (as a decoy user)\u00a0to give the adversary a set of session cookies to harvest and potentially use during adversary engagement.", "": ""}, "technique": {"id": "DTE0008", "name": "Burn-In", "description": "Exercise a target system in a manner where it will generate desirable system artifacts.\n", "long_description": "Exercising the system to create desirable system artifacts including web browsing, filesystem usage, running user applications like office suites, etc. The burn-in process can be specific to a user or system, depending on your needs."}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}], "procedures": [{"id": "DPR0016", "description": "Configure a decoy system and allow it to be used in a manner such that it collects activity logs and appears to be a legitimate system."}, {"id": "DPR0017", "description": "Configure a system to generate internet browser traffic for a decoy user profile, creating artifacts such as cookies, history, temp files, etc."}]}, {"attack_id": "T1542", "attack_technique": {"id": "T1542", "name": "Pre-OS Boot", "attack_tactics": ["defense-evasion", "persistence"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0140", "description": "There is an opportunity to use security controls on systems in order to affect the success of an adversary."}, "use_case": {"id": "DUC0143", "description": "A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, 
"tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1543", "attack_technique": {"id": "T1543", "name": "Create or Modify System Process", "attack_tactics": ["persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0016", "description": "There is an opportunity to use security controls to stop or allow an adversary's activity."}, "use_case": {"id": "DUC0049", "description": "A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", 
"long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1545", "attack_technique": {"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0240", "description": "Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. 
One can also look at anomalies in services suddenly listening on ports that were not being used before.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but that is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1546", "attack_technique": {"id": "T1546", "name": "Event Triggered Execution", "attack_tactics": ["privilege-escalation", "persistence"]}, "attack_tactics": [{"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0015", "description": "There is an opportunity to use tools and controls to stop an adversary's activity."}, "use_case": {"id": "DUC0051", "description": "A defender can revert a system to a verified baseline on a frequent, 
recurring basis in order to remove adversary persistence mechanisms.", "": ""}, "technique": {"id": "DTE0006", "name": "Baseline", "description": "Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.", "long_description": "Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state. "}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0011", "description": "Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information."}, {"id": "DPR0012", "description": "Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline."}]}, {"attack_id": "T1546", "attack_technique": {"id": "T1546", "name": "Event Triggered Execution", "attack_tactics": ["privilege-escalation", "persistence"]}, "attack_tactics": [{"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0042", "description": "A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.", "": ""}, "technique": {"id": "DTE0001", "name": "Admin Access", "description": "Modify a user's administrative privileges.\n", "long_description": "Changing the target system 
to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0001", "description": "Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks."}, {"id": "DPR0002", "description": "Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service."}]}, {"attack_id": "T1547", "attack_technique": {"id": "T1547", "name": "Boot or Logon Autostart Execution", "attack_tactics": ["persistence", "privilege-escalation"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}], "opportunity": {"id": "DOS0015", "description": "There is an opportunity to use tools and controls to stop an adversary's activity."}, "use_case": {"id": "DUC0050", "description": "A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.", "": ""}, "technique": {"id": "DTE0006", "name": "Baseline", "description": "Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.", "long_description": "Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state. "}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0011", "description": "Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information."}, {"id": "DPR0012", "description": "Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline."}]}, {"attack_id": "T1548", "attack_technique": {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "attack_tactics": ["privilege-escalation", "defense-evasion"]}, "attack_tactics": [{"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0140", "description": "There is an opportunity to use security controls on systems in order to affect the success of an adversary."}, "use_case": {"id": "DUC0142", "description": "A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1550", "attack_technique": {"id": "T1550", "name": "Use Alternate Authentication Material", "attack_tactics": ["defense-evasion", "lateral-movement"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}, {"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0241", "description": "Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user 
activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1551", "attack_technique": {"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0058", "description": "Although adversaries may attempt to delete or change important artifacts, there may be a window of time to retrieve them before that happens."}, "use_case": {"id": "DUC0058", "description": "A defender can backup system information on a regular basis and send it to an alternate location for storage. 
", "": ""}, "technique": {"id": "DTE0005", "name": "Backup and Recovery", "description": "Make copies of key system software, configuration, and data to enable rapid system restoration.", "long_description": "Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. This is typically done to capture/restore an entire system or major subsystems."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0009", "description": "Backup data on public facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup."}, {"id": "DPR0010", "description": "Backup data on an end-user system and store offline. 
If an adversary alters or deletes data on the system, restore the data using the backup copy."}, {"id": "DPR0063", "description": "In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts."}]}, {"attack_id": "T1552", "attack_technique": {"id": "T1552", "name": "Unsecured Credentials", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0084", "description": "In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use."}, "use_case": {"id": "DUC0084", "description": "A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. 
Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1553", "attack_technique": {"id": "T1553", "name": "Subvert Trust Controls", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0066", "description": "In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. 
This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1553", "attack_technique": {"id": "T1553", "name": "Subvert Trust Controls", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0031", "description": "A defender can monitor and analyze operating system function calls for detection and alerting.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. 
This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1554", "attack_technique": {"id": "T1554", "name": "Compromise Client Software Binary", "attack_tactics": ["persistence"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0166", "description": "A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1555", "attack_technique": {"id": "T1555", "name": "Credentials from Password Stores", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0084", "description": "In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use."}, "use_case": {"id": "DUC0084", "description": "A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.", "": ""}, "technique": {"id": "DTE0012", "name": "Decoy Credentials", "description": "Create user credentials that are used for active defense purposes.", "long_description": "Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways."}, "tactics": [{"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. 
This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak password. It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0024", "description": "Create user credentials for a decoy account, such as 'User ABC'. 
Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them."}]}, {"attack_id": "T1556", "attack_technique": {"id": "T1556", "name": "Modify Authentication Process", "attack_tactics": ["credential-access", "defense-evasion"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0140", "description": "There is an opportunity to use security controls on systems in order to affect the success of an adversary."}, "use_case": {"id": "DUC0146", "description": "A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. 
This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a tasks more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1556", "attack_technique": {"id": "T1556", "name": "Modify Authentication Process", "attack_tactics": ["credential-access", "defense-evasion"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0141", "description": "There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity."}, "use_case": {"id": "DUC0238", "description": "A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1557", "attack_technique": {"id": "T1557", "name": "Man-in-the-Middle", "attack_tactics": ["credential-access", "collection"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}, {"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0089", "description": "A defender can monitor network traffic for anomalies associated with known MiTM behavior.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (routers, switches, proxies, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1558", "attack_technique": {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0024", "description": "There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment."}, "use_case": {"id": "DUC0087", "description": "A defender can set up networks that use Kerberos authentication and systems that authenticate using it. This gives you a chance to see if an adversary has the capacity to steal or forge Kerberos tickets for lateral movement.", "": ""}, "technique": {"id": "DTE0025", "name": "Network Diversity", "description": "Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.", "long_description": "Network diversity involves the use of a diverse collection of network items to make a decoy network look more realistic. It also ensures the network contains the appropriate amount and types of things that would normally be expected, perhaps including networking devices, firewalls, printers, phones, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0043", "description": "Deploy a mix of network devices (systems, servers, printers, phones, etc.) to make a decoy network look realistic."}, {"id": "DPR0044", "description": "Deploy a variety of systems which reflect the use of multiple operating systems, hardware platforms, network services, etc."}]}, {"attack_id": "T1558", "attack_technique": {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "attack_tactics": ["credential-access"]}, "attack_tactics": [{"id": "TA0006", "name": "Credential Access"}], "opportunity": {"id": "DOS0087", "description": "In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets."}, "use_case": {"id": "DUC0088", "description": "A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. 
This may result in the adversary exposing additional TTPs.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. 
This may force an adversary to revert these changes or find another way to access cached credentials."}]}, {"attack_id": "T1559", "attack_technique": {"id": "T1559", "name": "Inter-Process Communication", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0030", "description": "A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1560", "attack_technique": {"id": "T1560", "name": "Archive Collected Data", "attack_tactics": ["collection"]}, "attack_tactics": [{"id": "TA0009", "name": "Collection"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0242", "description": "A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1561", "attack_technique": {"id": "T1561", "name": "Disk Wipe", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0125", "description": "A defender can modify the functionality of commands that are used to delete files or format drives so 
they fail when used in a specific manner.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. 
The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1562", "attack_technique": {"id": "T1562", "name": "Impair Defenses", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0001", "description": "There is an opportunity to study the adversary and collect first-hand observations about them and their tools."}, "use_case": {"id": "DUC0059", "description": "A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system.", "": ""}, "technique": {"id": "DTE0004", "name": "Application Diversity", "description": "Present the adversary with a variety of installed applications and services.", "long_description": "Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0007", "description": "Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks."}, {"id": "DPR0008", "description": "Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react."}]}, {"attack_id": "T1562", "attack_technique": {"id": "T1562", "name": "Impair Defenses", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0060", "description": "A defender can monitor for signs that security tools and other controls are being tampered with by an adversary.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1562", "attack_technique": {"id": "T1562", "name": "Impair Defenses", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0061", "description": "A defender can provide a set of operating procedures for modifying GPOs and create an alert to detect unusual behavior when that procedure is not followed.", "": ""}, "technique": {"id": "DTE0033", "name": "Standard Operating Procedure", "description": "Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.", "long_description": "Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0057", "description": "Require approvals and waivers for users to make changes to their system which requires administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity."}, {"id": "DPR0058", "description": "Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity."}]}, {"attack_id": "T1563", "attack_technique": {"id": "T1563", "name": "Remote Service Session Hijacking", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0243", "description": "A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system running development tools, but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1564", "attack_technique": {"id": "T1564", "name": "Hide Artifacts", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0029", "description": "There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs."}, "use_case": {"id": "DUC0041", "description": "A defender can manipulate commands on system so that an adversary is unable to hide artifacts in ways they normally would.", "": ""}, "technique": {"id": "DTE0036", "name": "Software Manipulation", "description": "Make changes to a system's software properties and functions to achieve a desired effect.", "long_description": "Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0003", "description": "Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities."}, {"id": "DPR0004", "description": "Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use."}, {"id": "DPR0018", "description": "Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier."}, {"id": "DPR0019", "description": "Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."}]}, {"attack_id": "T1564", "attack_technique": {"id": "T1564", "name": "Hide Artifacts", "attack_tactics": ["defense-evasion"]}, "attack_tactics": [{"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0005", "description": "There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique."}, "use_case": {"id": "DUC0063", "description": "A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.", "": ""}, "technique": {"id": "DTE0034", "name": "System Activity Monitoring", "description": "Collect system activity logs which can reveal adversary activity.", "long_description": "Capturing system logs can show logins, user and system events, etc. 
Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0059", "description": "Ensure that systems capture and retain common system level activity artifacts that might be produced."}, {"id": "DPR0060", "description": "Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."}]}, {"attack_id": "T1565", "attack_technique": {"id": "T1565", "name": "Data Manipulation", "attack_tactics": ["impact"]}, "attack_tactics": [{"id": "TA0040", "name": "Impact"}], "opportunity": {"id": "DOS0133", "description": "In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system."}, "use_case": {"id": "DUC0133", "description": "A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices.", "": ""}, "technique": {"id": "DTE0011", "name": "Decoy Content ", "description": "Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.", "long_description": "Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. 
Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0022", "description": "Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data."}, {"id": "DPR0023", "description": "Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary."}]}, {"attack_id": "T1566", "attack_technique": {"id": "T1566", "name": "Phishing", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0017", "description": "A phishing email can be detected and blocked from arriving at the intended recipient."}, "use_case": {"id": "DUC0015", "description": "A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent delivery to the intended target.", "": ""}, "technique": {"id": "DTE0019", "name": "Email Manipulation", "description": "Modify the flow or contents of email.\n", "long_description": "Email flow manipulation includes changing which mail appliances process mail flows, to which systems they forward mail, or moving mail after it arrives in an inbox. 
Email content manipulation includes altering the contents of an email message."}, "tactics": [{"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}, {"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0036", "description": "Modify the destination of inbound email to facilitate the collection of inbound spearphishing messages."}, {"id": "DPR0064", "description": "Modify the contents of an email message to maintain continuity when it is used for adversary engagement purposes."}]}, {"attack_id": "T1566", "attack_technique": {"id": "T1566", "name": "Phishing", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0019", "description": "A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution."}, "use_case": {"id": "DUC0016", "description": "A defender can move suspicious emails to a decoy system prior to opening and examining the email.", "": ""}, "technique": {"id": "DTE0023", "name": "Migrate Attack Vector", "description": "Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.", "long_description": "Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network."}, "tactics": [{"id": "DTA0003", "name": "Contain", "description": "Prevent an adversary from moving outside specific bounds or constraints.", "long_description": "Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. 
A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0041", "description": "When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment."}]}, {"attack_id": "T1566", "attack_technique": {"id": "T1566", "name": "Phishing", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0018", "description": "Users trained and encouraged to report phishing can detect attacks that other defenses do not."}, "use_case": {"id": "DUC0018", "description": "A program to train and exercise the anti-phishing skills of users can create \"Human Sensors\" that help detect phishing attacks.", "": ""}, "technique": {"id": "DTE0035", "name": "User Training", "description": "Train users to detect malicious intent or activity, how to report it, etc.", "long_description": "User training involves teaching end users to be human sensors who know how to recognize cyber threats and the procedures for reporting them. Users can be effective sensors for social engineering attempts, phishing email detection, as well as other cyber threats."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0061", "description": "Train users to immediately report suspicious emails. Those emails could then be used for malware detonation or adversary engagement purposes."}, {"id": "DPR0062", "description": "Train users to report potentially compromised devices so they can be isolated or migrated into deception networks."}]}, {"attack_id": "T1566", "attack_technique": {"id": "T1566", "name": "Phishing", "attack_tactics": ["initial-access"]}, "attack_tactics": [{"id": "TA0001", "name": "Initial Access"}], "opportunity": {"id": "DOS0002", "description": "There is an opportunity to discover who or what is being targeted by an adversary."}, "use_case": {"id": "DUC0019", "description": "A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.", "": ""}, "technique": {"id": "DTE0015", "name": "Decoy Persona", "description": "Develop personal information (aka a backstory) about a user and plant data to support that backstory.\n", "long_description": "A decoy persona is used to establish background information about a user. In order to have the adversary believe they are operating against real targets (people and IT), develop a backstory about a user and plant data to support that backstory. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, etc. "}, "tactics": [{"id": "DTA0006", "name": "Facilitate", "description": "Enable an adversary to conduct part or all of their mission.", "long_description": "Facilitate is used to enable an adversary to conduct part or all of their mission. This could include using unpatched versions of operating systems and software, removing end-point detection software, and using weak passwords. 
It may also include opening firewall ports, adding proxy capabilities, or introducing elements that an adversary can easily leverage to bypass an obstacle in their operations."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}, {"id": "DTA0007", "name": "Legitimize", "description": "Add authenticity to deceptive components to convince an adversary that something is real.", "long_description": "Legitimize is used to add authenticity to deceptive components to convince an adversary that something is real. This includes adding realistic user accounts, files, system activity, and any other content that an adversary might expect to see. "}, {"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0029", "description": "Create a persona that represents an employee with hobbies, outside interests, personal accounts, etc. 
This persona may be used in conjunction with decoy accounts and credentials."}, {"id": "DPR0030", "description": "Create a persona that represents an employee's projects and job scope. This persona information can be leveraged in conjunction with Burn-In and Pocket Litter."}]}, {"attack_id": "T1567", "attack_technique": {"id": "T1567", "name": "Exfiltration Over Web Service", "attack_tactics": ["exfiltration"]}, "attack_tactics": [{"id": "TA0010", "name": "Exfiltration"}], "opportunity": {"id": "DOS0131", "description": "There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors."}, "use_case": {"id": "DUC0244", "description": "Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn't do so.", "": ""}, "technique": {"id": "DTE0007", "name": "Behavioral Analytics", "description": "Deploy tools that detect unusual system or user behavior.\n", "long_description": "Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0013", "description": "Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file."}, {"id": "DPR0014", "description": "Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development."}, {"id": "DPR0015", "description": "Use behavioral analytics to identify abnormal system processes being used to launch a different process."}]}, {"attack_id": "T1568", "attack_technique": {"id": "T1568", "name": "Dynamic Resolution", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0245", "description": "If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools."}, "use_case": {"id": "DUC0245", "description": "A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.", "": ""}, "technique": {"id": "DTE0021", "name": "Hunting", "description": "The process of searching for the presence of or information about an adversary. ", "long_description": "Typically the search is informed by intelligence on adversary TTPs and infrastructure. Within the defender's environments, hunting presupposes a failure of initial prevention or detection, and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Defenders also hunt adversaries outside the defended environment. 
Information about the adversary, including their skills, TTPs, and infrastructure can be used to improve defenses or promote better adversary engagement."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0039", "description": "Pivot on Command and Control information to identify other infrastructure used by the same adversary."}, {"id": "DPR0065", "description": "Use information about an adversary's TTPs to perform retroactive searches for any activity that has gone undetected."}]}, {"attack_id": "T1568", "attack_technique": {"id": "T1568", "name": "Dynamic Resolution", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0246", "description": "An adversary may attempt to dynamically determine the C2 address to communicate with. 
This gives a defender an opportunity to discover additional infrastructure."}, "use_case": {"id": "DUC0246", "description": "A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0008", "name": "Test", "description": "Determine the interests, capabilities, or behaviors of an adversary.", "long_description": "Test is used to determine an adversary's interests, capabilities, behaviors, motivations, etc. This may include things like providing systems to see if an adversary engages or providing content to see if the adversary inspects or exfiltrates it. 
You can also test an adversary by making a task more difficult to perform and see if they have the capabilities to accomplish it."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1569", "attack_technique": {"id": "T1569", "name": "System Services", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0028", "description": "There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access."}, "use_case": {"id": "DUC0031", "description": "A defender can monitor and analyze operating system function calls for detection and alerting.", "": ""}, "technique": {"id": "DTE0003", "name": "API Monitoring", "description": "Monitor local APIs that might be used by adversary tools and activity.", "long_description": "API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0005", "description": "Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further."}, {"id": "DPR0006", "description": "Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time."}]}, {"attack_id": "T1569", "attack_technique": {"id": "T1569", "name": "System Services", "attack_tactics": ["execution"]}, "attack_tactics": [{"id": "TA0002", "name": "Execution"}], "opportunity": {"id": "DOS0027", "description": "There is an opportunity to create a detection with a moderately high probability of success."}, "use_case": {"id": "DUC0054", "description": "A defender can define operating procedures for adding services and alert when they are added outside of this procedure (i.e. by an adversary) to detect abnormal behavior.", "": ""}, "technique": {"id": "DTE0033", "name": "Standard Operating Procedure", "description": "Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.", "long_description": "Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. 
This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0057", "description": "Require approvals and waivers for users to make changes to their system which requires administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity."}, {"id": "DPR0058", "description": "Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity."}]}, {"attack_id": "T1570", "attack_technique": {"id": "T1570", "name": "Lateral Tool Transfer", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. 
A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) 
logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1570", "attack_technique": {"id": "T1570", "name": "Lateral Tool Transfer", "attack_tactics": ["lateral-movement"]}, "attack_tactics": [{"id": "TA0008", "name": "Lateral Movement"}], "opportunity": {"id": "DOS0159", "description": "There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity."}, "use_case": {"id": "DUC0158", "description": "A defender can block certain adversary-used protocols between systems in order to prevent lateral tool transfer.", "": ""}, "technique": {"id": "DTE0026", "name": "Network Manipulation", "description": "Make changes to network properties and functions to achieve a desired effect.", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}, {"id": "DTA0001", "name": "Channel", "description": "Guide an adversary down a specific path or in a specific direction.", "long_description": "Channel is used to guide an adversary down a specific path or in a specific direction. A defender can channel an adversary away from important systems or network segments and towards decoy systems or hardened devices. They could also attempt to channel an adversary based on the content that you provide. 
Channeling can be used to waste an adversary's time, make them expend additional resources, or allow defenders to study their behaviors."}], "procedures": [{"id": "DPR0045", "description": "Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope."}, {"id": "DPR0046", "description": "Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities."}]}, {"attack_id": "T1571", "attack_technique": {"id": "T1571", "name": "Non-Standard Port", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0198", "description": "The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1572", "attack_technique": {"id": "T1572", "name": "Protocol Tunneling", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0198", "description": "There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary."}, "use_case": {"id": "DUC0159", "description": "A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together such as RDP tunneled over TCP.", "": ""}, "technique": {"id": "DTE0027", "name": "Network Monitoring", "description": "Monitor network traffic in order to detect adversary activity.", "long_description": "Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}], "procedures": [{"id": "DPR0047", "description": "Capture network logs for internet-facing devices and send those logs to a central collection location."}, {"id": "DPR0048", "description": "Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location."}]}, {"attack_id": "T1573", "attack_technique": {"id": "T1573", "name": "Encrypted Channel", "attack_tactics": ["command-and-control"]}, "attack_tactics": [{"id": "TA0011", "name": "Command and Control"}], "opportunity": {"id": "DOS0249", "description": "There is an opportunity to reveal data that the adversary has tried to protect from defenders"}, "use_case": {"id": "DUC0248", "description": "Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications", "": ""}, "technique": {"id": "DTE0031", "name": "Protocol Decoder", "description": "Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.", "long_description": "Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret."}, "tactics": [{"id": "DTA0004", "name": "Detect", "description": "Establish or maintain awareness into what an adversary is doing.", "long_description": "Detect is used to establish or maintain awareness into what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. 
It could also be accomplished by using end-point or network tools."}, {"id": "DTA0002", "name": "Collect", "description": "Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.", "long_description": "Collect is used to gather information about an adversary or their activity that can inform other defenses. This can include gathering logs that can be used to create detections. It also includes collecting malware samples that can be used for adversary engagement, hunting, or other purposes."}], "procedures": [{"id": "DPR0054", "description": "Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format."}]}, {"attack_id": "T1574", "attack_technique": {"id": "T1574", "name": "Hijack Execution Flow", "attack_tactics": ["persistence", "privilege-escalation", "defense-evasion"]}, "attack_tactics": [{"id": "TA0003", "name": "Persistence"}, {"id": "TA0004", "name": "Privilege Escalation"}, {"id": "TA0005", "name": "Defense Evasion"}], "opportunity": {"id": "DOS0016", "description": "There is an opportunity to use security controls to stop or allow an adversary's activity."}, "use_case": {"id": "DUC0048", "description": "A defender can block execution of untrusted software.", "": ""}, "technique": {"id": "DTE0032", "name": "Security Controls", "description": "Alter security controls to make the system more or less vulnerable to attack.", "long_description": "Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc."}, "tactics": [{"id": "DTA0005", "name": "Disrupt", "description": "Prevent an adversary from conducting part or all of their mission.", "long_description": "Disrupt is used to prevent or discourage an adversary from conducting part or all of their mission. 
This may include increasing the time or skills needed to accomplish a specific task or by tightening controls so that more steps need to be taken."}], "procedures": [{"id": "DPR0055", "description": "Weaken security controls on a system to allow for leaking of credentials via network connection poisoning."}, {"id": "DPR0056", "description": "Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials."}]}]