We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Complete ATT&CK® Mapping

When an adversary engages in a specific behavior, they risk exposing an unintended weakness. By looking at each ATT&CK® activity, we can examine the weaknesses revealed and identify one or more engagement activities to exploit them. The following table outlines the Adversary Vulnerabilities and Engagement Activities that are available to the defender when the adversary engages in behaviors across any ATT&CK® Tactic.

ATT&CK Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Abuse Elevation Control Mechanism When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Abuse Elevation Control Mechanism When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Access Token Manipulation When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Access Token Manipulation When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Access Token Manipulation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Account Access Removal When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Account Access Removal When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Account Access Removal When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Account Access Removal When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Account Access Removal When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Account Access Removal When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Account Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Account Discovery When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Account Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Account Discovery When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Account Discovery When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Account Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Account Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Account Manipulation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Account Manipulation When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Account Manipulation When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Account Manipulation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Account Manipulation When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Active Scanning When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Active Scanning When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Active Scanning When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Active Scanning When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Active Scanning When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Active Scanning When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Application Layer Protocol When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Application Layer Protocol When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Application Window Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Application Window Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Application Window Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Archive Collected Data When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Archive Collected Data When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Archive Collected Data When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Audio Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Audio Capture When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Audio Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Audio Capture When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Audio Capture When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Audio Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Hardware Manipulation Alter the hardware configuration of a system to limit what an adversary can do with the device.
Audio Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Automated Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Automated Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Automated Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Email Manipulation Modify the flow of email in the environment.
Automated Collection When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Automated Collection When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Automated Collection When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Automated Collection When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Automated Exfiltration When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Automated Exfiltration When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Automated Exfiltration When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Automated Exfiltration When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Automated Exfiltration When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Automated Exfiltration When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Automated Exfiltration When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Automated Exfiltration When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Automated Exfiltration When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Automated Exfiltration When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
BITS Jobs When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
BITS Jobs When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
BITS Jobs When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Boot or Logon Autostart Execution When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Boot or Logon Initialization Scripts When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Browser Bookmark Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Browser Bookmark Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Browser Bookmark Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Browser Bookmark Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Browser Bookmark Discovery When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Browser Bookmark Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Browser Extensions When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Browser Extensions When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Browser Extensions When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Brute Force When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Brute Force When adversaries use brute force techniques to access accounts or encrypted data, they are vulnerable to wasting resources if the artifact has no valid credentials or is locked in some other way. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Brute Force When adversaries use brute force techniques to access accounts or encrypted data, they are vulnerable to wasting resources if the artifact has no valid credentials or is locked in some other way. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Brute Force When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Brute Force When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Build Image on Host When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Clipboard Data When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Clipboard Data When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Clipboard Data When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Clipboard Data When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Cloud Infrastructure Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Infrastructure Discovery When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Infrastructure Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Cloud Infrastructure Discovery When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availibilty, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Cloud Infrastructure Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Cloud Infrastructure Discovery When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Service Dashboard When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Cloud Service Dashboard When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Cloud Service Dashboard When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Service Dashboard When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Service Dashboard When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Cloud Service Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Service Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Cloud Service Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Cloud Service Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Command and Scripting Interpreter When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Command and Scripting Interpreter When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Command and Scripting Interpreter When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Command and Scripting Interpreter When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Security Controls Alter security controls to make the system more or less vulnerable to attack.
Command and Scripting Interpreter When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Communication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Communication Through Removable Media When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Communication Through Removable Media When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Communication Through Removable Media When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Communication Through Removable Media When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Communication Through Removable Media When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Communication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Communication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
Compromise Client Software Binary When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Compromise Client Software Binary When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Compromise Client Software Binary When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Compromise Client Software Binary When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Container Administration Command When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Container Administration Command When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Container and Resource Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Container and Resource Discovery When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Container and Resource Discovery When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Container and Resource Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Container and Resource Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Container and Resource Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Container and Resource Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Create Account When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create Account When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Create Account When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Create Account When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create or Modify System Process When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create or Modify System Process When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Create or Modify System Process When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Create or Modify System Process When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Credentials from Password Stores When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Credentials from Password Stores When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Credentials from Password Stores When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Credentials from Password Stores When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Credentials from Password Stores When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Destruction When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Destruction When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Data Destruction When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Data Destruction When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Destruction When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data Destruction When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Encoding When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Data Encoding When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Encoding When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Data Encoding When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Data Encoding When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Data Encoding When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Encrypted for Impact When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Encrypted for Impact When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Data Encrypted for Impact When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Data from Cloud Storage Object When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Cloud Storage Object When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Cloud Storage Object When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Cloud Storage Object When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Data from Cloud Storage Object When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Cloud Storage Object When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Cloud Storage Object When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Cloud Storage Object When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Data from Cloud Storage Object When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Data from Configuration Repository When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Configuration Repository When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Data from Configuration Repository When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Configuration Repository When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Configuration Repository When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Data from Configuration Repository When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Configuration Repository When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Configuration Repository When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Information Repositories When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Information Repositories When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Information Repositories When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Information Repositories When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Information Repositories When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Information Repositories When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Local System When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Local System When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Local System When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Data from Local System When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Local System When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Local System When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Local System When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Local System When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Data from Network Shared Drive When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Network Shared Drive When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Network Shared Drive When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Network Shared Drive When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Network Shared Drive When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data from Network Shared Drive When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Network Shared Drive When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Data from Removable Media When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data from Removable Media When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Removable Media When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data from Removable Media When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data from Removable Media When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Data Manipulation When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Manipulation When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Manipulation When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Data Obfuscation When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Data Obfuscation When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Data Obfuscation When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Staged When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Data Staged When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Transfer Size Limits When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Data Transfer Size Limits When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Data Transfer Size Limits When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Data Transfer Size Limits When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Transfer Size Limits When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Data Transfer Size Limits When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Data Transfer Size Limits When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Data Transfer Size Limits When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Defacement When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Defacement When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Deobfuscate/Decode Files or Information When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Deploy Container When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Direct Volume Access When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Disk Wipe When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Disk Wipe When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Disk Wipe When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Impair Defenses When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Remote Service Session Hijacking When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Remote Service Session Hijacking When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Domain Trust Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Domain Trust Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Drive-by Compromise When the adversaries maintain drive-by sites, they provide a pathway for beginning engagements. They may be unable to differentiate real from deceptive victims. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When the adversaries maintain drive-by sites, they may reveal information about their targeting capabilities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When the adversaries maintain drive-by sites and collect information about potential victims, they may reveal information about their targeting preferences by selecting or rejecting an arbitrary victim. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Dynamic Resolution When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Dynamic Resolution When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Email Collection When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Email Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Email Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Email Collection When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Email Collection When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Email Manipulation Modify the flow of email in the environment.
Email Collection When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Email Manipulation Modify the flow of email in the environment.
Email Collection When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Email Manipulation Modify the flow of email in the environment.
Encrypted Channel When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Encrypted Channel When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Encrypted Channel When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Endpoint Denial of Service When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Endpoint Denial of Service When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Escape to Host When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Event Triggered Execution When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Event Triggered Execution When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Execution Guardrails When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Execution Guardrails When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Execution Guardrails When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Exfiltration Over Alternative Protocol When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Alternative Protocol When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over Alternative Protocol When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Alternative Protocol When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over Alternative Protocol When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Alternative Protocol When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Alternative Protocol When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over Alternative Protocol When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Alternative Protocol When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over C2 Channel When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over C2 Channel When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over C2 Channel When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over C2 Channel When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over C2 Channel When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over C2 Channel When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over C2 Channel When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over C2 Channel When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over C2 Channel When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Other Network Medium When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Other Network Medium When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over Other Network Medium When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Other Network Medium When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over Other Network Medium When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Other Network Medium When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Other Network Medium When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over Other Network Medium When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Other Network Medium When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Physical Medium When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Physical Medium When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over Physical Medium When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Physical Medium When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over Physical Medium When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Physical Medium When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Physical Medium When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over Physical Medium When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Physical Medium When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Physical Medium When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Exfiltration Over Physical Medium When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Exfiltration Over Web Service When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exfiltration Over Web Service When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Exfiltration Over Web Service When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Web Service When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Exfiltration Over Web Service When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Web Service When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exfiltration Over Web Service When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exfiltration Over Web Service When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Exfiltration Over Web Service When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Exploit Public-Facing Application When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploit Public-Facing Application When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploit Public-Facing Application When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation for Client Execution When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Client Execution When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation for Client Execution When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation for Client Execution When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Credential Access When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Credential Access When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Exploitation for Credential Access When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation for Credential Access When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Credential Access When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation for Defense Evasion When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Defense Evasion When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Defense Evasion When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation for Defense Evasion When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation for Privilege Escalation When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation for Privilege Escalation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Privilege Escalation When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation for Privilege Escalation When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation of Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Exploitation of Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation of Remote Services When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation of Remote Services When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
External Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
External Remote Services When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
External Remote Services When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
External Remote Services When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Fallback Channels When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Fallback Channels When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Fallback Channels When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Fallback Channels When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Fallback Channels When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
File and Directory Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
File and Directory Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
File and Directory Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
File and Directory Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
File and Directory Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
File and Directory Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
File and Directory Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
File and Directory Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
File and Directory Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
File and Directory Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
File and Directory Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
File and Directory Permissions Modification When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
File and Directory Permissions Modification When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
File and Directory Permissions Modification When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Firmware Corruption When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Forced Authentication When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Forced Authentication When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Forced Authentication When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Forced Authentication When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Forge Web Credentials When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Forge Web Credentials When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Forge Web Credentials When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Gather Victim Host Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Host Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Gather Victim Host Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Gather Victim Host Information When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Host Information When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Gather Victim Identity Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Gather Victim Identity Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Gather Victim Identity Information When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Network Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Network Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Gather Victim Network Information When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Org Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Gather Victim Org Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Gather Victim Org Information When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Hardware Additions When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Hardware Additions When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Hardware Additions When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
Hide Artifacts When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Hide Artifacts When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Hide Artifacts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Hijack Execution Flow When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Hijack Execution Flow When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Impair Defenses When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Impair Defenses When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Impair Defenses When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Implant Internal Image When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Implant Internal Image When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Indicator Removal on Host When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Indicator Removal on Host When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Indicator Removal on Host When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Indicator Removal on Host When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Indirect Command Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Indirect Command Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Ingress Tool Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Ingress Tool Transfer When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
Ingress Tool Transfer When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Inhibit System Recovery When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Inhibit System Recovery When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Input Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Input Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Input Capture When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Input Capture When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Phishing When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Phishing When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Inter-Process Communication When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Inter-Process Communication When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Lateral Tool Transfer When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Lateral Tool Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Man in the Browser When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Man in the Browser When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Man in the Browser When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Man in the Browser When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Man-in-the-Middle When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Man-in-the-Middle When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Man-in-the-Middle When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Man-in-the-Middle When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Masquerading When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Modify Authentication Process When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Modify Authentication Process When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Modify Cloud Compute Infrastructure When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Modify Cloud Compute Infrastructure When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Modify Cloud Compute Infrastructure When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Modify Cloud Compute Infrastructure When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Modify Registry When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Modify Registry When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Modify Registry When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Modify System Image When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Modify System Image When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Modify System Image When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Modify System Image When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Multi-Stage Channels When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Multi-Stage Channels When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Multi-Stage Channels When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Native API When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Native API When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Network Boundary Bridging When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Network Boundary Bridging When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Boundary Bridging When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Network Denial of Service When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Denial of Service When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Network Service Scanning When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Service Scanning When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Service Scanning When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Network Service Scanning When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Service Scanning When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Network Service Scanning When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Service Scanning When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Network Share Discovery When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Share Discovery When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Network Share Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Share Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story.
Network Share Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Network Share Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Share Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story.
Network Share Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Network Share Discovery When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Network Share Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Network Sniffing When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Network Sniffing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Network Sniffing When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Network Sniffing When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Network Sniffing When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Non-Application Layer Protocol When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Non-Application Layer Protocol When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Non-Standard Port When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Non-Standard Port When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Obfuscated Files or Information When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Obfuscated Files or Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story.
Obfuscated Files or Information When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Office Application Startup When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Office Application Startup When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Office Application Startup When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Office Application Startup When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
OS Credential Dumping When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
OS Credential Dumping When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
OS Credential Dumping When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Password Policy Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Password Policy Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Password Policy Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Peripheral Device Discovery When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Peripheral Device Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Peripheral Device Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Peripheral Device Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Peripheral Device Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Peripheral Device Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Permission Groups Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Permission Groups Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Permission Groups Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Permission Groups Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Permission Groups Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Phishing for Information When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Phishing for Information When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Phishing for Information When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Pre-OS Boot When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Process Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Process Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Process Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Process Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Process Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Process Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Process Injection When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Protocol Tunneling When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Protocol Tunneling When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Proxy When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Proxy When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Query Registry When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Query Registry When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Query Registry When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Query Registry When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Query Registry When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote Access Software When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Remote Access Software When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Remote Access Software When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Remote Access Software When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Remote Access Software When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Access Software When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote Access Software When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Service Session Hijacking When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Remote Service Session Hijacking When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Service Session Hijacking When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote Services When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Remote Services When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Remote Services When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Remote System Discovery When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Remote System Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote System Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Network Diversity Use a diverse set of devices on the network to help establish the legitimacy of a decoy network.
Remote System Discovery When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote System Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Replication Through Removable Media When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Replication Through Removable Media When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Replication Through Removable Media When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Replication Through Removable Media When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Replication Through Removable Media When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
Resource Hijacking When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Resource Hijacking When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Resource Hijacking When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Rogue Domain Controller When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Rogue Domain Controller When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Rogue Domain Controller When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Rootkit When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Rootkit When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Rootkit When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Scheduled Task/Job When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Scheduled Task/Job When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Scheduled Task/Job When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Scheduled Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Scheduled Transfer When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Scheduled Transfer When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Scheduled Transfer When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Scheduled Transfer When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Scheduled Transfer When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Scheduled Transfer When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Scheduled Transfer When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Scheduled Transfer When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Screen Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Hardware Manipulation Alter the hardware configuration of a system to limit what an adversary can do with the device.
Screen Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Screen Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Screen Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Screen Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Screen Capture When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Closed Sources When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Closed Sources When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Open Technical Databases When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Open Technical Databases When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Open Websites/Domains When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Open Websites/Domains When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Search Open Websites/Domains When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Open Websites/Domains When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Search Victim-Owned Websites When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Search Victim-Owned Websites When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Search Victim-Owned Websites When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Search Victim-Owned Websites When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Server Software Component When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Server Software Component When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Service Stop When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Service Stop When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Shared Modules When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Signed Binary Proxy Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Signed Binary Proxy Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Signed Binary Proxy Execution When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Signed Script Proxy Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Signed Script Proxy Execution When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Signed Script Proxy Execution When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Software Deployment Tools When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Software Deployment Tools When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Software Deployment Tools When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Software Deployment Tools When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Software Deployment Tools When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Software Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Software Discovery When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Software Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Software Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Application Access Token When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Application Access Token When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Steal Application Access Token When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Application Access Token When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal or Forge Kerberos Tickets When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal or Forge Kerberos Tickets When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Steal or Forge Kerberos Tickets When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal or Forge Kerberos Tickets When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Web Session Cookie When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Web Session Cookie When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Steal Web Session Cookie When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Steal Web Session Cookie When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Subvert Trust Controls When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Subvert Trust Controls When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Subvert Trust Controls When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Application Diversity Present the adversary with a variety of installed applications and services.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
System Information Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Information Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Information Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
System Information Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Information Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Information Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Location Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Location Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Location Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Location Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Location Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
System Network Configuration Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Network Configuration Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Configuration Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Configuration Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Network Configuration Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Network Connections Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
System Network Connections Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Network Connections Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Network Connections Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Network Connections Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Owner/User Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
System Owner/User Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Owner/User Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Owner/User Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Service Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Service Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Service Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Service Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Service Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Service Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Service Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Service Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Service Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Services When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
System Services When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
System Services When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
System Shutdown/Reboot When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Shutdown/Reboot When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
System Shutdown/Reboot When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
System Time Discovery When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Time Discovery When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
System Time Discovery When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
System Time Discovery When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Taint Shared Content When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Template Injection When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Template Injection When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Template Injection When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Template Injection When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Traffic Signaling When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Monitoring Monitor network traffic in order to detect adversary activity.
Traffic Signaling When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Traffic Signaling When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Transfer Data to Cloud Account When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Transfer Data to Cloud Account When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior Network Analysis Analyze network traffic to gain intelligence on communications between systems.
Transfer Data to Cloud Account When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Transfer Data to Cloud Account When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Transfer Data to Cloud Account When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Transfer Data to Cloud Account When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Transfer Data to Cloud Account When adversaries discover inaccessible, but valuable, data they are vulnerable to waste resources or reveal additional capabilities in an effort to access the content. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Transfer Data to Cloud Account When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Monitoring Monitor network traffic in order to detect adversary activity.
Transfer Data to Cloud Account When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Trusted Relationship When adversaries exploit a trusted relationship, they are vulnerable to collect and act on manipulated data provided by the trusted party. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Trusted Relationship When adversaries exploit a trusted relationship such as using an account to access or move in the environment, they are vulnerable to trigger tripwires or engage in anomalous behavior. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Trusted Relationship When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Trusted Relationship When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Two-Factor Authentication Interception When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Two-Factor Authentication Interception When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Two-Factor Authentication Interception When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Unsecured Credentials When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unsecured Credentials When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Unused/Unsupported Cloud Regions When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Unused/Unsupported Cloud Regions When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Use Alternate Authentication Material When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Use Alternate Authentication Material When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
User Execution When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
User Execution When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Information Manipulation Conceal and reveal both facts and fictions to support a deception story
User Execution When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
User Execution When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
User Execution When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
User Execution When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Burn-In Exercise a target system in a manner where it will generate desirable system artifacts.
Valid Accounts When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Valid Accounts When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Artifact Diversity Present the adversary with a variety of network and system artifacts.
Valid Accounts When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targeting preferences and capabilities Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Valid Accounts When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Valid Accounts When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Video Capture When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Video Capture When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Video Capture When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Video Capture When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Video Capture When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Video Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Hardware Manipulation Alter the hardware configuration of a system to limit what an adversary can do with the device.
Video Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Video Capture When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Virtualization/Sandbox Evasion When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Virtualization/Sandbox Evasion When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Virtualization/Sandbox Evasion When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Weaken Encryption When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Weaken Encryption When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Weaken Encryption When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Weaken Encryption When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Weaken Encryption When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Weaken Encryption When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Web Service When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Web Service When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Web Service When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Web Service When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Web Service When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to waste resources to accomplish the task Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Web Service When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity. Network Monitoring Monitor network traffic in order to detect adversary activity.
Windows Management Instrumentation When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Windows Management Instrumentation When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Security Controls Alter security controls to make the system more or less vulnerable to attack.
Windows Management Instrumentation When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Windows Management Instrumentation When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Windows Management Instrumentation When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Windows Management Instrumentation When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Windows Management Instrumentation When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Windows Management Instrumentation When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
XSL Script Processing When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation API Monitoring Monitor local APIs that might be used by adversary tools and activity.
XSL Script Processing When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
XSL Script Processing When the adversary's malware is detonated, they are vulnerable to dynamic analysis including revealing how the malware interacts with system resources. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
XSL Script Processing When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to reveal additional or more advanced capabilities when exploiting or using said resource Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Disk Wipe When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Detonate Malware Execute malware under controlled conditions to analyze its functionality.
Disk Wipe When the adversary's malware is detonated they may be encouraged to operate in an unintended environment. Baseline Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Network Manipulation Make changes to network properties and functions to achieve a desired effect.