We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Pocket Litter

Place data on a system to reinforce the legitimacy of the system or user.

Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket Litter can be used to establish a cognitive bias to raise the adversary's tolerance to weaknesses in the environment. Unlike Decoy Artifacts, Pocket Litter does not necessarily aim to encourage the adversary to take a specific action, but rather it supports the overall deception story.

Pocket Litter can include documents, pictures, registry entries, installed software, log history, browsing history, connection history, and other user data that an adversary would expect to exist on a user's computer. For example, a defender might conduct a series of web searches to generate browser artifacts, or scatter a variety of photos and documents across the desktop to make the computer feel lived in.

ID: EAC0011
Type:  Engagement 
Goals:  Elicit
Approaches:  Reassurance
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Pocket Litter.

ATT&CK® Tactics Adversary Vulnerability Presented
Credential Access Collection Discovery Execution Initial Access Command and Control Impact Lateral Movement Reconnaissance Defense Evasion When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
Exfiltration When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment.
Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
Impact When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities.