Playbook Battle Card

GSPBC-1064: Persistence – Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. Adversaries may abuse these mechanisms as a means of maintaining persistent access ...

Date: 2023-03-13T21:59:25+00:00

GSPBC-1063: Execution – Scheduled Task or Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a ...

Date: 2023-03-01T22:20:32+00:00

GSPBC-1062: Command and Control – Application Layer Protocol

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a ...

Date: 2023-03-13T22:50:36+00:00

GSPBC-1061: Reconnaissance – Gather Victim Identity Information

Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about users could also be enumerated via other active means (i.e. Active Scanning) such ...

Date: 2023-01-10T03:48:25+00:00

GSPBC-1060: Lateral Movement – Internal Spearphishing

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase ...

Date: 2022-12-20T02:35:38+00:00

GSPBC-1059: Discovery – Browser Bookmark Discovery

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser. Specific storage locations vary based ...

Date: 2022-12-05T01:20:56+00:00

GSPBC-1058: Persistence – Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able ...

Date: 2022-11-21T22:17:52+00:00

GSPBC-1057: Defense Evasion – Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased ...

Date: 2022-11-04T02:40:50+00:00

GSPBC-1056: Reconnaissance – Gather Victim Host Information

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include ...

Date: 2022-10-05T21:12:06+00:00

GSPBC-1055: Reconnaissance – Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships. Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities ...

Date: 2022-09-14T23:04:28+00:00