
GSPBC-1052: Defense Evasion – Impair Defenses


Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses and supplemental capabilities installed by users and administrators. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt ...
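As an added illustration (not part of this post or of the MITRE ATT&CK text it summarizes), the Python below applies the detection side of this technique to a handful of constructed Windows event records. It matches event IDs that by themselves mean a defence was switched off or a log was tampered with (Security 1102 and 4719, System 104, the Defender operational log's 5001/5010/5012) and process command lines that achieve the same through tooling (Set-MpPreference, wevtutil, auditpol, netsh), then rates each host by how many distinct indicators it produced. The host names, event records and command lines are made up for the example; the channel names and event IDs are the standard Windows ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Each mimics a normalised
# Windows event: source host, log channel, event ID and the fields that matter.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Security", "event_id": 4624, "fields": {}},
    {"host": "ws01", "channel": "Security", "event_id": 4688,
     "fields": {"CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}},
    {"host": "ws01", "channel": "Security", "event_id": 4688,
     "fields": {"CommandLine": r"C:\Windows\System32\wevtutil.exe cl Security"}},
    {"host": "ws01", "channel": "Security", "event_id": 1102, "fields": {}},
    {"host": "srv02", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "fields": {}},
    {"host": "srv04", "channel": "Security", "event_id": 4688,
     "fields": {"CommandLine": "netsh advfirewall set allprofiles state off"}},
    {"host": "srv03", "channel": "Security", "event_id": 4688,
     "fields": {"CommandLine": "wevtutil.exe qe Security /c:5"}},  # benign query, must not fire
]

# (channel, event ID) pairs that on their own mean a defence was switched off
# or a log was tampered with.
EVENT_INDICATORS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log cleared",
    ("Security", 4719): "system audit policy changed",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
    ("Microsoft-Windows-Windows Defender/Operational", 5010): "Defender antispyware protection disabled",
    ("Microsoft-Windows-Windows Defender/Operational", 5012): "Defender antivirus protection disabled",
}

# Command-line patterns for process-creation events (Security 4688 with
# command-line auditing enabled, or Sysmon event 1). Matched against a
# lower-cased, whitespace-collapsed command line.
CMDLINE_INDICATORS = [
    (re.compile(r"set-mppreference\s.*-disablerealtimemonitoring\s+(\$true|1)\b"),
     "Defender real-time protection disabled via Set-MpPreference"),
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"), "event log cleared via wevtutil"),
    (re.compile(r"\bauditpol(\.exe)?\s+/clear\b"), "audit policy cleared via auditpol"),
    (re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"), "Windows Firewall disabled via netsh"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    description: str
    evidence: str


def normalise_cmdline(cmd: str) -> str:
    return " ".join(cmd.split()).lower()


def detect_impair_defenses(events):
    """Return one Finding per event that matches an event-ID or command-line indicator."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in EVENT_INDICATORS:
            findings.append(Finding(ev["host"], ev["event_id"], EVENT_INDICATORS[key], f"{ev['channel']}:{ev['event_id']}"))
            continue
        cmd = ev.get("fields", {}).get("CommandLine")
        if not cmd:
            continue
        norm = normalise_cmdline(cmd)
        for pattern, description in CMDLINE_INDICATORS:
            if pattern.search(norm):
                findings.append(Finding(ev["host"], ev["event_id"], description, cmd))
                break
    return findings


def severity_by_host(findings):
    """Two or more distinct indicators on one host (protection disabled, then logs cleared)
    rate high; a single indicator rates medium, since it may be an administrator's change."""
    distinct = defaultdict(set)
    for f in findings:
        distinct[f.host].add(f.description)
    return {host: ("high" if len(descs) >= 2 else "medium") for host, descs in distinct.items()}


if __name__ == "__main__":
    found = detect_impair_defenses(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.event_id} {f.description}: {f.evidence}")
    print(severity_by_host(found))
```

The command-line rules only work where 4688 records the command line (the "Include command line in process creation events" policy) or Sysmon is deployed; without that, only the event-ID rules fire, which is itself a gap an adversary impairing defenses will exploit.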

Date: 2022-06-28T23:54:29+00:00

GSPBC-1051: Exfiltration – Exfiltration Over Physical Medium


Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point ...

Date: 2022-06-14T21:43:27+00:00

GSPBC-1050: Initial Access – Hardware Additions


Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red ...
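Both this entry and the previous one (Exfiltration Over Physical Medium) begin with a device being plugged in, and on a Linux host that shows up in the kernel log. As an added example that is not part of either post, the Python below parses constructed syslog-style kernel lines for new USB devices, groups the messages by port, records vendor/product/serial, notes which class drivers bound (usb-storage for removable storage, the input subsystem for keyboard-style hardware) and checks the result against an allowlist. A device that is both a keyboard and a drive, the shape keystroke-injection hardware often takes, is called out separately. The log lines, vendor/product IDs, names and serial number are sample values; the message formats are the ones the Linux USB core, usb-storage and input subsystems log.

```python
import re
from collections import defaultdict

# Constructed syslog-style kernel lines (not captured from a real host). The
# vendor/product IDs, product names and the serial number are sample values.
SAMPLE_KERNEL_LOG = """\
Jun 14 21:40:01 host kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 14 21:40:01 host kernel: usb 1-2: New USB device found, idVendor=5a5a, idProduct=1111, bcdDevice= 1.00
Jun 14 21:40:01 host kernel: usb 1-2: Product: Flash Drive
Jun 14 21:40:01 host kernel: usb 1-2: Manufacturer: ExampleCorp
Jun 14 21:40:01 host kernel: usb 1-2: SerialNumber: 4C530001230512345678
Jun 14 21:40:01 host kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 14 21:40:02 host kernel: scsi host3: usb-storage 1-2:1.0
Jun 14 21:41:30 host kernel: usb 1-3: new full-speed USB device number 6 using xhci_hcd
Jun 14 21:41:30 host kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.00
Jun 14 21:41:30 host kernel: usb 1-3: Product: USB Keyboard
Jun 14 21:41:30 host kernel: input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1234:ABCD.0004/input/input12
Jun 14 21:41:31 host kernel: usb-storage 1-3:1.1: USB Mass Storage device detected
Jun 14 21:50:00 host kernel: usb 1-4: New USB device found, idVendor=1a2b, idProduct=0c0d, bcdDevice=64.00
Jun 14 21:50:00 host kernel: usb 1-4: Product: USB Keyboard
Jun 14 21:50:00 host kernel: input: Corp Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:1A2B:0C0D.0001/input/input13
"""

RE_FOUND = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_ATTR = re.compile(r"usb (\d+-[\d.]+): (Product|Manufacturer|SerialNumber): (.+)$")
RE_STORAGE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# The sysfs path in the input-subsystem line carries the port ("/1-3:1.0/" -> port 1-3).
RE_INPUT = re.compile(r"input: (.+?) as /devices/\S*?/(\d+-[\d.]+):\d+\.\d+/")

# Known-good devices as (idVendor, idProduct, SerialNumber). A None serial accepts
# any unit of that model, which is weaker: IDs are trivial to spoof, serials less so.
ALLOWLIST = {("1a2b", "0c0d", None)}


def parse_usb_events(log_text):
    """Group kernel USB messages by port (e.g. '1-2') into one record per device."""
    def new_device():
        return {"vendor": None, "product": None, "manufacturer": None, "name": None, "serial": None, "classes": set()}
    devices = defaultdict(new_device)
    attr_key = {"Product": "name", "Manufacturer": "manufacturer", "SerialNumber": "serial"}
    for line in log_text.splitlines():
        if m := RE_FOUND.search(line):
            devices[m.group(1)]["vendor"] = m.group(2)
            devices[m.group(1)]["product"] = m.group(3)
        elif m := RE_ATTR.search(line):
            devices[m.group(1)][attr_key[m.group(2)]] = m.group(3).strip()
        elif m := RE_STORAGE.search(line):
            devices[m.group(1)]["classes"].add("storage")
        elif m := RE_INPUT.search(line):
            devices[m.group(2)]["classes"].add("input")
    return dict(devices)


def classify(dev, allowlist=ALLOWLIST):
    ident = (dev["vendor"], dev["product"])
    if (*ident, dev["serial"]) in allowlist or (*ident, None) in allowlist:
        return "allowed"
    classes = dev["classes"]
    if {"storage", "input"} <= classes:
        return "composite-input-and-storage"   # keyboard that also exposes a drive: both entries at once
    if "storage" in classes:
        return "removable-storage"             # exfiltration path
    if "input" in classes:
        return "unknown-input-device"          # unrecognised keyboard/mouse: possible keystroke-injection hardware
    return "unclassified"


def triage(log_text, allowlist=ALLOWLIST):
    return {port: classify(dev, allowlist) for port, dev in sorted(parse_usb_events(log_text).items())}


if __name__ == "__main__":
    for port, verdict in triage(SAMPLE_KERNEL_LOG).items():
        print(port, verdict, parse_usb_events(SAMPLE_KERNEL_LOG)[port]["name"])
```

Note that ports 1-3 and 1-4 both announce themselves as "USB Keyboard"; the verdict comes from which drivers bound and from the allowlist, never from the name string, which the device controls.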

Date: 2022-05-17T02:48:11+00:00

GSPBC-1049: Impact – Resource Hijacking


Adversaries may leverage the resources of co-opted systems in order to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint ...

Date: 2022-05-04T02:26:36+00:00

GSPBC-1048: Credential Access – Brute Force


Brute Force: Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may ...
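Added example (not from this post or from ATT&CK): a sliding-window detector over constructed sshd auth-log lines. It flags password guessing as described above (failures against one account from one source reach a threshold inside the window), the sibling sub-technique password spraying (one source, a few failures spread across many accounts, which a per-account lockout never sees), and a successful login from a source that had just tripped either rule. The host name, addresses (RFC 5737 test ranges) and user names are constructed; the log line format is OpenSSH's. The thresholds are tunable parameters, not recommended values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth-log line format. Host name, addresses and users below are constructed.
RE_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def build_sample_log():
    """Constructed log: a guessing burst followed by a success, a spraying run, and a benign typo."""
    lines = [f"Apr  5 23:10:{i:02d} bastion sshd[{2100 + i}]: Failed password for root from 203.0.113.7 port {51100 + i} ssh2"
             for i in range(12)]
    lines.append("Apr  5 23:10:15 bastion sshd[2120]: Accepted password for root from 203.0.113.7 port 51130 ssh2")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]):
        lines.append(f"Apr  5 23:12:{i * 5:02d} bastion sshd[{2200 + i}]: Failed password for {user} from 198.51.100.9 port {52000 + i} ssh2")
    lines += [
        "Apr  5 23:15:00 bastion sshd[2300]: Failed password for alice from 192.0.2.10 port 53000 ssh2",
        "Apr  5 23:15:04 bastion sshd[2301]: Failed password for alice from 192.0.2.10 port 53001 ssh2",
        "Apr  5 23:15:09 bastion sshd[2302]: Accepted password for alice from 192.0.2.10 port 53002 ssh2",
    ]
    return lines


def parse_auth_line(line, year=2022):
    """syslog timestamps carry no year, so one is supplied (an assumption of this example)."""
    m = RE_AUTH.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def detect_brute_force(lines, window=timedelta(seconds=60), guess_threshold=10, spray_threshold=5):
    """Sliding-window detection per source address.

    guessing            : failures against one account reach guess_threshold inside the window
    spraying            : distinct accounts with failures reach spray_threshold inside the window
    success-after-burst : an Accepted login from a source still inside the window of a prior alert
    """
    alerts = []
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures inside the window
    tripped = {}                 # src -> timestamp of the latest in-window failure since its alert
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ts, accepted, user, src = parsed
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if accepted:
            if src in tripped and ts - tripped[src] <= window:
                alerts.append(("success-after-burst", src, f"Accepted login for {user}"))
            continue
        q.append((ts, user))
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        top_user, top_n = max(per_user.items(), key=lambda kv: kv[1])
        seconds = int(window.total_seconds())
        if top_n == guess_threshold:
            alerts.append(("guessing", src, f"{top_n} failures for {top_user} within {seconds}s"))
            tripped[src] = ts
        elif len(per_user) == spray_threshold and top_n < guess_threshold:
            alerts.append(("spraying", src, f"{len(per_user)} accounts within {seconds}s"))
            tripped[src] = ts
        elif src in tripped:
            tripped[src] = ts  # keep the burst open while failures continue
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(build_sample_log()):
        print(alert)
```

Keying the window on the source address is the weak point: an adversary rotating through many sources stays under both thresholds, so the same logic is normally run a second time keyed on the target account.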

Date: 2022-04-06T01:35:03+00:00

GSPBC-1047: Defense Evasion – Domain Policy Modification


Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (e.g., computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or ...

Date: 2022-03-23T01:28:07+00:00

GSPBC-1046: Defense Evasion – Subvert Trust Controls


Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute ...

Date: 2022-03-09T02:58:05+00:00

GSPBC-1045: Privilege Escalation – Create or Modify System Process


Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters. Adversaries may install new services, daemons, or agents that ...
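As an added example (not from this post), the Python below audits two places where such a process is defined: systemd unit files on Linux, and the ImagePath recorded by Windows System event 7045 ("A service was installed in the system"). It flags a service whose binary is a shell or script interpreter, whose command line references a location an unprivileged user can write to (/tmp, /dev/shm, C:\Users\..., %TEMP% and similar), or which carries an encoded PowerShell command. The unit files, service names and paths are constructed; %COMSPEC% is the usual cmd.exe indirection and is expanded before the check.

```python
import re
import shlex

# Constructed samples; no real host, service or path is referenced.
SAMPLE_UNITS = {
    "/etc/systemd/system/backup-agent.service": """\
[Unit]
Description=Nightly backup agent

[Service]
ExecStart=/usr/local/bin/backup-agent --config /etc/backup-agent.conf
""",
    "/etc/systemd/system/systemd-updated.service": """\
[Unit]
Description=System update helper

[Service]
ExecStartPre=/bin/sh -c "chmod +x /tmp/.cache/updated"
ExecStart=/tmp/.cache/updated --daemon
""",
}
# Windows System event 7045, reduced to the fields used here.
SAMPLE_7045 = [
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"ServiceName": "WinUpdateSvc", "ImagePath": r"%COMSPEC% /c start /b C:\Users\Public\Libraries\wupd.exe", "StartType": "auto start"},
]

# Service binary is a shell, script interpreter or living-off-the-land host process.
INTERPRETER = re.compile(
    r"(^|[\\/])(sh|bash|dash|zsh|python[\d.]*|perl|cmd(\.exe)?|powershell(\.exe)?|pwsh(\.exe)?"
    r"|mshta(\.exe)?|rundll32(\.exe)?|regsvr32(\.exe)?|wscript(\.exe)?|cscript(\.exe)?)$", re.I)
# Any reference to a location an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"(?<!\w)(/tmp/|/var/tmp/|/dev/shm/|/home/|/run/user/|[a-z]:\\users\\|[a-z]:\\programdata\\"
    r"|[a-z]:\\windows\\temp\\|%temp%|%appdata%|%localappdata%|%public%)\S*", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def split_command(cmd):
    """Tokenise a service command line; systemd Exec prefixes (-, @, +, !, :) are dropped first."""
    cmd = cmd.lstrip("-@+!:")
    try:
        return shlex.split(cmd, posix="\\" not in cmd)  # Windows paths must keep their backslashes
    except ValueError:
        return cmd.split()


def assess_command(cmd):
    """Return the reasons a service command line looks suspicious (empty list if none)."""
    reasons = []
    argv = split_command(cmd)
    if not argv:
        return reasons
    exe = "cmd.exe" if argv[0].upper() == "%COMSPEC%" else argv[0]
    if INTERPRETER.search(exe):
        reasons.append(f"interpreter as service binary: {exe}")
    for m in USER_WRITABLE.finditer(cmd):
        path = m.group(0).rstrip("\"'")
        reasons.append(f"user-writable path: {path}")
    if ENCODED_PS.search(cmd):
        reasons.append("encoded PowerShell command")
    return reasons


def parse_unit(text):
    """Minimal systemd unit parser that keeps every directive (Exec* keys may repeat)."""
    section, directives = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        directives.append((section, key.strip(), value.strip()))
    return directives


def audit_unit(path, text):
    return [(path, key, reason) for section, key, value in parse_unit(text)
            if section == "Service" and key.startswith("Exec") for reason in assess_command(value)]


def audit_7045(event):
    return [(event["ServiceName"], "ImagePath", reason) for reason in assess_command(event["ImagePath"])]


def audit_all(units=SAMPLE_UNITS, events=SAMPLE_7045):
    findings = []
    for path, text in units.items():
        findings.extend(audit_unit(path, text))
    for event in events:
        findings.extend(audit_7045(event))
    return findings


if __name__ == "__main__":
    for where, key, reason in audit_all():
        print(f"{where} [{key}] {reason}")
```

The ExecStartPre line shows why the whole command string, not just the binary, has to be scanned: the user-writable path sits inside the argument handed to /bin/sh -c.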

Date: 2022-03-23T01:31:57+00:00

GSPBC-1044: Lateral Movement – Taint Shared Content


Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may ...
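Added example, not part of this post: a minimal integrity baseline for a share. It snapshots every file (SHA-256 and size), diffs two snapshots and rates each change: new or altered executables, scripts and shortcuts high; macro-enabled Office documents medium; everything else low, with a shortcut named after an existing folder on the share called out specifically, since that is the lure that makes a user open it. The share is built in a temporary directory with placeholder file contents so the example runs offline; the file names and contents are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (sha256, size)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        manifest[p.relative_to(root).as_posix()] = (h.hexdigest(), p.stat().st_size)
    return manifest


def rate(rel, change, directories):
    """Rate one change; directories is the set of folder names present on the share."""
    p = Path(rel)
    ext = p.suffix.lower()
    if ext == ".lnk" and p.stem in directories:
        return "high", "shortcut named after a folder on the share"
    if ext in EXECUTABLE_EXT:
        return "high", f"{change} executable or script content"
    if ext in MACRO_EXT:
        return "medium", f"{change} macro-enabled document"
    return "low", f"{change} file"


def diff_snapshots(before, after, directories=()):
    """Return (change, relpath, risk, reason) for every added, removed or modified file."""
    changes = []
    dirs = set(directories)
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            change = "added"
        elif rel not in after:
            change = "removed"
        elif before[rel] != after[rel]:
            change = "modified"
        else:
            continue
        risk, reason = rate(rel, change, dirs)
        changes.append((change, rel, risk, reason))
    return changes


def build_demo_share():
    """Constructed share in a temp dir: baseline snapshot, then a tainting pass. Returns (before, after, dirs)."""
    root = Path(tempfile.mkdtemp(prefix="share-demo-"))
    try:
        (root / "Reports").mkdir()
        (root / "Reports" / "Q2.xlsx").write_bytes(b"PK\x03\x04 placeholder workbook")
        (root / "Tools").mkdir()
        (root / "Tools" / "deploy.ps1").write_text("Write-Host 'deploying'\n")
        (root / "README.txt").write_text("Team share\n")
        before = snapshot(root)
        # Tainting pass: append to a trusted script, drop a macro workbook, and add a
        # shortcut that sits beside the Reports folder and borrows its name.
        with (root / "Tools" / "deploy.ps1").open("a") as fh:
            fh.write("# appended line standing in for attacker-added code\n")
        (root / "Reports" / "Q3.xlsm").write_bytes(b"PK\x03\x04 placeholder macro workbook")
        (root / "Reports.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")
        after = snapshot(root)
        dirs = {p.name for p in root.rglob("*") if p.is_dir()}
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after, dirs


def run_demo():
    before, after, dirs = build_demo_share()
    return diff_snapshots(before, after, dirs)


if __name__ == "__main__":
    for change in run_demo():
        print(change)
```

Hashing rather than comparing modification times matters here: a tainted file's mtime is trivially reset by whoever wrote it, while the content hash is not.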

Date: 2022-01-26T18:46:35+00:00

GSPBC-1043: Execution – Exploitation for Client Execution


Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be ...

Date: 2022-01-12T01:54:27+00:00