Playbook Battle Card


GSPBC-1076 Discovery – Group Policy Discovery

2023-11-15T02:52:25+00:00

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend into the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group Policy objects (GPOs) are containers for Group Policy settings made up of files stored within a predictable network ...


GSPBC-1075 Initial Access – Supply Chain Compromise

2023-10-20T14:48:15+00:00

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain, including:
- Manipulation of development tools
- Manipulation of a development environment
- Manipulation of source code repositories (public or private)
- Manipulation of source code in open-source dependencies
- Manipulation of software update/distribution mechanisms
- Compromised/infected system images (multiple cases of removable ...


GSPBC-1074 Reconnaissance – Search Open Websites/Domains

2023-10-09T18:28:53+00:00

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available on various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts. Adversaries may search different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of ...


GSPBC-1073 Privilege Escalation – Access Token Manipulation

2023-09-13T01:21:37+00:00

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process ...


GSPBC-1072 Privilege Escalation – Process Injection

2023-08-21T16:53:33+00:00

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under ...


GSPBC-1071 Exfiltration – Exfiltration Over Web Service

2023-08-15T16:00:35+00:00

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS ...


GSPBC-1070 Command and Control – Protocol Tunneling

2023-07-13T04:17:50+00:00

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, ...
