Make changes to a system's software properties and functions to achieve a desired effect.
Software Manipulation allows a defender to alter or replace elements of the OS, file system, or any other software installed and executed on a system. These alterations can affect outputs, degrade effectiveness, and/or prevent the software from functioning altogether. For example, the defender can manipulate software by changing the output of commonly used discovery commands to hide legitimate systems and artifacts and/or reveal decoy artifacts and systems.
Alternatively, the defender can change the output of the password policy description for an adversary attempting to brute-force credentials. This manipulation may cause the adversary to waste resources brute-forcing passwords with inaccurate complexity requirements. If the defender wanted to degrade software effectiveness, they might weaken algorithms to expose data that is being archived, encoded, and/or encrypted.
Finally, to prevent software from functioning altogether, the defender may cause software typically used to delete data or hide adversary artifacts to fail. For some Software Manipulation use cases, it may be possible to make changes in such a way that adversary actions and legitimate user actions are handled differently. For example, the defender could show all files when viewed in a graphical application but hide files or introduce decoy files when viewed via a terminal command. This would allow legitimate users full access to the file system while adversaries using a reverse shell to access the target would see the manipulated the files.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Privilege Escalation, Discovery, Collection, Execution, Persistence, Impact, Command and Control, Defense Evasion, Lateral Movement||When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation|
|Impact, Privilege Escalation, Discovery||When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.|
|Persistence, Defense Evasion||When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable.|
|Credential Access||When adversaries use brute force techniques to access accounts or encrypted data, they are vulnerable to wasting resources if the artifact has no valid credentials or is locked in some other way.|
|Discovery||When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities|
|Discovery||When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence|
|Initial Access||When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior|