We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Mapping To GALLIUM

GALLIUM is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. GALLIUM has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0093
Associated Groups:  GALLIUM, Operation Soft Cell
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
OS Credential Dumping When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
OS Credential Dumping When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Local System When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Local System When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Data from Local System When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Local System When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Local System When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Local System When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Data from Local System When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Local System When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Network Configuration Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Configuration Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Configuration Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Network Configuration Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Remote System Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote System Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Remote System Discovery When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Remote System Discovery When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Obfuscated Files or Information When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Obfuscated Files or Information When adversaries’ malware is detonated, they are vulnerable to dynamic analysis, which can reveal how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
System Owner/User Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Owner/User Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Masquerading When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Exfiltration Over C2 Channel When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over C2 Channel When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over C2 Channel When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over C2 Channel When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over C2 Channel When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over C2 Channel When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over C2 Channel When adversaries discover inaccessible but valuable data, they are vulnerable to wasting resources or revealing additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over C2 Channel When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over C2 Channel When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Windows Management Instrumentation When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Windows Management Instrumentation When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Windows Management Instrumentation When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Windows Management Instrumentation When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Windows Management Instrumentation When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Windows Management Instrumentation When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Windows Management Instrumentation When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Windows Management Instrumentation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
System Network Connections Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Connections Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Connections Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Network Connections Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Scheduled Task/Job When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Scheduled Task/Job When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Scheduled Task/Job When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Command and Scripting Interpreter When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Command and Scripting Interpreter When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Command and Scripting Interpreter When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Command and Scripting Interpreter When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Command and Scripting Interpreter When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Artifact Diversity Present the adversary with a variety of network and system artifacts.
Data Staged When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Staged When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Valid Accounts When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Valid Accounts When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Artifact Diversity Present the adversary with a variety of network and system artifacts.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Proxy When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Monitoring Monitor network traffic in order to detect adversary activity.
Proxy When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Ingress Tool Transfer When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Monitoring Monitor network traffic in order to detect adversary activity.
Ingress Tool Transfer When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.
Ingress Tool Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
External Remote Services When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
External Remote Services When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Create Account When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Create Account When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create Account When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create Account When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Exploit Public-Facing Application When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploit Public-Facing Application When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploit Public-Facing Application When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Server Software Component When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Server Software Component When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Use Alternate Authentication Material When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Use Alternate Authentication Material When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Archive Collected Data When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Archive Collected Data When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Archive Collected Data When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Hijack Execution Flow When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Hijack Execution Flow When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.