
Software Manipulation

Make changes to a system's software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the OS, file system, or any other software installed and executed on a system. These alterations can affect outputs, degrade effectiveness, and/or prevent the software from functioning altogether. For example, the defender can manipulate software by changing the output of commonly used discovery commands to hide legitimate systems and artifacts and/or reveal decoy artifacts and systems.

Alternatively, the defender can change the output of the password policy description for an adversary attempting to brute-force credentials. This manipulation may cause the adversary to waste resources brute-forcing passwords with inaccurate complexity requirements. If the defender wanted to degrade software effectiveness, they might weaken algorithms to expose data that is being archived, encoded, and/or encrypted.

Finally, to prevent software from functioning altogether, the defender may cause software typically used to delete data or hide adversary artifacts to fail. For some Software Manipulation use cases, it may be possible to make changes in such a way that adversary actions and legitimate user actions are handled differently. For example, the defender could show all files when viewed in a graphical application but hide files or introduce decoy files when viewed via a terminal command. This would allow legitimate users full access to the file system while adversaries using a reverse shell to access the target would see the manipulated files.
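As an added illustration (not MITRE's code and not part of the Engage page), the following Python filter sketches the last scenario: it rewrites the captured output of a directory-listing discovery command, concealing a protected artifact and appending a decoy entry only for non-interactive sessions, and records each manipulation as an engagement event so the defender is alerted when the decoy is served. The sample listing, the TTY heuristic and all names are constructed assumptions.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample: what a directory-listing command might return on a staged host.
SAMPLE_LISTING = """\
total 5
drwxr-xr-x  2 svc  svc  4096 Jan 10 09:12 .
-rw-r--r--  1 svc  svc   812 Jan 10 09:12 deploy.yml
-rw-------  1 svc  svc   220 Jan 10 09:13 backup-key.pem
-rw-r--r--  1 svc  svc  1024 Jan 10 09:14 notes.txt
"""

@dataclass
class ManipulationPolicy:
    hide: list    # regexes of legitimate artifacts to conceal from the adversary's view
    decoys: list  # listing rows for decoy artifacts to present instead

@dataclass
class EngagementEvent:
    kind: str     # "hidden" or "decoy_shown"
    detail: str   # the file name involved, for the defender's telemetry

def is_interactive_session(stdin=sys.stdin):
    # Assumed heuristic: legitimate users usually hold a TTY, a reverse shell often does not.
    # On its own this is not a reliable adversary indicator; it only selects which view to serve.
    try:
        return stdin.isatty()
    except (AttributeError, ValueError):
        return False

def manipulate_listing(raw, policy, interactive):
    """Return (possibly manipulated) listing text and the engagement events it generated."""
    events = []
    if interactive:
        return raw, events          # legitimate users get the unaltered output
    out = []
    for line in raw.splitlines():
        if any(re.search(pattern, line) for pattern in policy.hide):
            events.append(EngagementEvent("hidden", line.split()[-1]))
            continue                # drop the real artifact from the adversary's view
        out.append(line)
    for decoy in policy.decoys:
        out.append(decoy)           # surface the decoy so interaction with it can be detected
        events.append(EngagementEvent("decoy_shown", decoy.split()[-1]))
    return "\n".join(out) + "\n", events

if __name__ == "__main__":
    policy = ManipulationPolicy(hide=[r"backup-key\.pem$"],
                                decoys=["-rw-------  1 svc  svc   220 Jan 10 09:13 aws_credentials"])
    text, evts = manipulate_listing(SAMPLE_LISTING, policy, is_interactive_session())
    print(text, *[f"{e.kind}: {e.detail}" for e in evts], sep="\n")
```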

Details
ID: EAC0014
Type: Engagement
Goals: Expose, Affect
Approaches: Collection, Direction, Disruption
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Software Manipulation.

ATT&CK® Tactics | Adversary Vulnerability Presented
Command and Control, Collection, Defense Evasion, Discovery, Execution, Lateral Movement, Privilege Escalation, Impact, Persistence | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.
Discovery, Privilege Escalation, Impact | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
Discovery | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.
Discovery | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities.
Initial Access | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Credential Access | When adversaries use brute-force techniques to access accounts or encrypted data, they are vulnerable to wasting resources if the artifact has no valid credentials or is locked in some other way.
Persistence, Defense Evasion | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.