Playbook Battle Card

GSPBC-1058 - Persistence - Modify Authentication Process

2022-11-21T22:17:52+00:00

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms responsible for gathering, storing, and validating credentials, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS. By modifying an authentication process, an adversary may be able ...
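The PAM case is the easiest one to audit from text alone: every service stack in /etc/pam.d is a list of `type control module [args]` entries, and the classic backdoors are a `pam_permit.so` that short-circuits the auth stack, `nullok` on `pam_unix.so`, `pam_exec.so expose_authtok` handing the cleartext password to a script, or a module loaded from an unpackaged path. The following audit script is an added example for this page, not part of the original playbook; the sample sshd stack is constructed, and the trusted module directories and known-module allowlist are assumptions to be tuned per distribution.

```python
"""Audit a PAM stack for Modify Authentication Process backdoors.

Added example for this page, not part of the original playbook. The
/etc/pam.d/sshd content below is constructed; the trusted module
directories and the list of known module names are assumptions and
should be tuned to the distribution being audited.
"""
import re
from typing import Dict, List

# Where legitimately packaged PAM modules live (assumption; distro-specific).
TRUSTED_MODULE_DIRS = ("/lib/security/", "/lib64/security/",
                       "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")

# Module names expected in a stock sshd stack (assumption; extend as needed).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_exec.so",
    "pam_nologin.so", "pam_limits.so", "pam_motd.so", "pam_sepermit.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_mail.so",
    "pam_systemd.so", "pam_lastlog.so", "pam_faillock.so", "pam_pwquality.so",
}

# type  control  module-path [args...]; control may be a [value=action ...] block.
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def audit_pam(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry, in file order."""
    findings: List[Dict[str, object]] = []

    def add(lineno: int, severity: str, reason: str) -> None:
        findings.append({"line": lineno, "severity": severity, "reason": reason})

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            add(lineno, "warn", "unparseable PAM entry")
            continue
        mtype = m["type"].lstrip("-")
        control, module = m["control"], m["module"]
        args = m["args"].split()
        if control in ("include", "substack"):
            continue  # pulls in another stack file, not a module
        name = module.rsplit("/", 1)[-1]

        # pam_permit.so always succeeds; as 'sufficient' (or success=done) in the
        # auth/account stack it ends evaluation with success: any password works.
        short_circuits = control == "sufficient" or "success=done" in control
        if name == "pam_permit.so" and mtype in ("auth", "account") and short_circuits:
            add(lineno, "high", f"pam_permit.so short-circuits the {mtype} stack")
        # nullok lets accounts with an empty password field log in.
        if name == "pam_unix.so" and mtype == "auth" and "nullok" in args:
            add(lineno, "medium", "nullok permits empty-password logins")
        # expose_authtok hands the cleartext password to the helper program.
        if "expose_authtok" in args:
            add(lineno, "high", f"expose_authtok gives {name} the cleartext password")
        # A module loaded from outside the packaged module directory, or a
        # name not in the allowlist, is how a malicious .so is usually wired in.
        if module.startswith("/"):
            if not module.startswith(TRUSTED_MODULE_DIRS):
                add(lineno, "high", f"module loaded from untrusted path {module}")
        elif name not in KNOWN_MODULES:
            add(lineno, "medium", f"unrecognised module {name}")
    return findings


# Constructed sample stack: one service file with four planted changes.
SAMPLE_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth       sufficient   pam_permit.so
auth       required     pam_unix.so nullok
auth       optional     pam_exec.so expose_authtok /usr/local/bin/.cache
auth       required     /tmp/.x/pam_steal.so
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for f in audit_pam(SAMPLE_SSHD):
        print(f"line {f['line']:>2} [{f['severity']}] {f['reason']}")
```

Run it over every file in /etc/pam.d and diff the module list against the package manager's file list as well: a module in a trusted directory can still be a replaced binary, which this text-only check cannot see, so pair it with package verification or a file-hash baseline.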

GSPBC-1057 - Defense Evasion - Valid Accounts

2022-11-04T02:40:50+00:00

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased ...
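Because the logon itself succeeds, detection of Valid Accounts abuse on VPN or OWA has to lean on context: a source the account has never used, the same account active from two sources within minutes, or one source driving several accounts. The detector below is an added example for this page, not the playbook's own code; the events and the per-user source-IP baseline are constructed, and in practice the baseline would be built from a few weeks of successful remote-access logons.

```python
"""Flag anomalous use of valid accounts on remote-access services.

Added example for this page, not part of the original playbook. Events and
the per-user source-IP baseline are constructed; in practice the baseline
comes from a history of successful VPN/OWA logons.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample: successful logons, oldest first.
EVENTS = [
    {"ts": "2022-11-04T08:02:11", "user": "j.doe", "src": "203.0.113.10", "svc": "vpn"},
    {"ts": "2022-11-04T08:05:40", "user": "j.doe", "src": "203.0.113.10", "svc": "owa"},
    {"ts": "2022-11-04T08:09:03", "user": "j.doe", "src": "198.51.100.77", "svc": "vpn"},
    {"ts": "2022-11-04T13:30:00", "user": "a.smith", "src": "192.0.2.5", "svc": "owa"},
    {"ts": "2022-11-04T22:15:27", "user": "svc_backup", "src": "198.51.100.77", "svc": "vpn"},
]

# Constructed baseline: source IPs each account has used before.
BASELINE: Dict[str, Set[str]] = {
    "j.doe": {"203.0.113.10"},
    "a.smith": {"192.0.2.5"},
    "svc_backup": set(),  # service account that should never log in remotely
}


def detect_valid_account_abuse(events, baseline, window=timedelta(minutes=15)):
    """Return (user, rule, detail) alerts for three signs of a stolen credential:
    a source never seen for that account, the same account active from two
    sources within `window`, and one source driving more than one account."""
    alerts: List[Tuple[str, str, str]] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    src_users: Dict[str, Set[str]] = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, src = e["user"], e["src"]
        # Rule 1: source outside the account's baseline.
        if src not in baseline.get(user, set()):
            alerts.append((user, "new-source", f"{e['svc']} logon from unseen IP {src}"))
        # Rule 2: same account, different source, inside the window.
        prev = last_seen.get(user)
        if prev and prev[1] != src and ts - prev[0] <= window:
            alerts.append((user, "concurrent-source",
                           f"{src} used {ts - prev[0]} after {prev[1]}"))
        last_seen[user] = (ts, src)
        # Rule 3: one source authenticating as several accounts.
        users = src_users.setdefault(src, set())
        users.add(user)
        if len(users) > 1:
            alerts.append((user, "shared-source",
                           f"{src} also used by {sorted(users - {user})}"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect_valid_account_abuse(EVENTS, BASELINE):
        print(f"{user:<11} {rule:<18} {detail}")
```

The new-source rule alone is noisy for mobile users; the value is in the combination, and in feeding the shared-source hit back into the investigation, since the address that appears for a second account is usually the attacker's pivot host.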

GSPBC-1056 - Reconnaissance - Gather Victim Host Information

2022-10-05T21:12:06+00:00

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include ...

GSPBC-1055 - Reconnaissance - Search Victim-Owned Websites

2022-09-14T23:04:28+00:00

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships. Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities ...

GSPBC-1054 - Discovery - Password Policy Discovery

2022-08-04T14:50:08+00:00

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length should be 8, ...
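The two things a disclosed policy gives an attacker are a filter (candidates the policy would have rejected cannot be anyone's password, so trying them only wastes lockout budget) and a rate (how many guesses per account stay under the lockout threshold). The script below is an added example for this page, not the playbook's own code; the policy values and the candidate list are constructed.

```python
"""Why a disclosed password policy helps an attacker, and how to bound it.

Added example for this page, not part of the original playbook. The policy
values and the candidate wordlist are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    classes_required: int = 3          # of upper, lower, digit, symbol
    lockout_threshold: int = 5         # failed attempts that lock the account; 0 = never
    lockout_window_minutes: int = 30   # failed-attempt counter reset interval


CHARACTER_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if the password would be accepted under the policy."""
    if len(password) < policy.min_length:
        return False
    present = sum(1 for cls in CHARACTER_CLASSES if cls.search(password))
    return present >= policy.classes_required


def prune_wordlist(words: Iterable[str], policy: PasswordPolicy) -> List[str]:
    """Keep only candidates the policy would have accepted: anything else
    cannot be a current password and only burns lockout budget."""
    return [w for w in words if complies(w, policy)]


def guesses_per_account(policy: PasswordPolicy, hours: float) -> Optional[int]:
    """Guesses per account in `hours` that stay under the lockout threshold,
    assuming the failed-attempt counter resets every lockout window.
    None means the policy never locks accounts."""
    if policy.lockout_threshold == 0:
        return None
    windows = int(hours * 60 // policy.lockout_window_minutes)
    return windows * (policy.lockout_threshold - 1)


# Constructed candidate list an adversary might start from.
CANDIDATES = ["password", "Password1", "Winter2022!", "letmein",
              "Company2022", "Welcome1!", "P@ssw0rd", "abc"]

if __name__ == "__main__":
    policy = PasswordPolicy()
    kept = prune_wordlist(CANDIDATES, policy)
    print(f"{len(kept)} of {len(CANDIDATES)} candidates satisfy the policy: {kept}")
    print(f"{guesses_per_account(policy, 24)} guesses per account per day without locking anyone out")
```

Note what survives the filter: every candidate left is a dictionary word with a predictable suffix, so complexity rules do not stop password spraying; a lockout threshold with a long counter-reset window, and a banned-password list checked at password change, are what actually shrink the attacker's numbers here.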

GSPBC-1053 - Initial Access - Exploit Public-Facing Application

2022-07-27T21:05:17+00:00

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and ...

GSPBC-1052 - Defense Evasion - Impair Defenses

2022-06-28T23:54:29+00:00

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt ...
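Most of the actions this technique covers leave a process-creation record before the logging itself is switched off, which is why command-line telemetry forwarded off-host is the usual detection source. The scanner below is an added example for this page, not the playbook's own code: the log lines (ts|host|user|command line) are constructed, and the rule set covers common ways of disabling anti-virus, the host firewall, event and audit logging, and shell history, and is meant to be extended.

```python
"""Detect Impair Defenses activity in process-creation telemetry.

Added example for this page, not part of the original playbook. The log
lines are constructed (ts|host|user|command line); the rule set is a
starting point and should be extended for the EDR and logging agents
actually deployed.
"""
import re
from collections import Counter
from typing import Dict, List

RULES = [
    ("defender-realtime-off",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b"),
    ("firewall-off",
     r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    ("eventlog-cleared",
     r"wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("audit-policy-cleared",
     r"auditpol(\.exe)?\s+/clear"),
    ("security-service-stopped",
     r'\b(sc|net)(\.exe)?\s+stop\s+"?(windefend|sense|mpssvc|eventlog|sysmon\w*)\b'),
    ("linux-logging-stopped",
     r"(systemctl\s+(stop|disable|mask)|service)\s+.*\b(auditd|rsyslog|falco)\b"),
    ("history-disabled",
     r"(unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def scan_process_log(lines):
    """Return one hit per matching line (first rule wins), in log order."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, host, user, cmdline = raw.split("|", 3)
        for name, rx in COMPILED:
            if rx.search(cmdline):
                hits.append({"ts": ts, "host": host, "user": user,
                             "rule": name, "cmdline": cmdline})
                break
    return hits


def hits_per_host(hits):
    """Several distinct hits on one host in a short span is the strong signal;
    a single hit is often an administrator."""
    return dict(Counter(h["host"] for h in hits))


# Constructed sample telemetry: six tampering commands and two benign ones.
SAMPLE_LOG = r"""
2022-06-28T23:10:01|WS01|CORP\alice|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2022-06-28T23:10:05|WS01|CORP\alice|netsh advfirewall set allprofiles state off
2022-06-28T23:11:17|WS01|CORP\alice|wevtutil.exe cl Security
2022-06-28T23:12:30|SRV02|SYSTEM|sc.exe stop WinDefend
2022-06-28T23:15:44|LNX03|root|systemctl stop auditd
2022-06-28T23:16:02|LNX03|root|unset HISTFILE
2022-06-28T23:20:00|WS01|CORP\bob|powershell.exe Get-MpPreference
2022-06-28T23:21:00|SRV02|CORP\ops|net stop Spooler
"""

if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['host']:<6} {h['rule']:<26} {h['cmdline']}")
    print("per host:", hits_per_host(hits))
```

The same idea applies to the telemetry pipeline itself: alert when a host that was sending events goes silent, since "Security log cleared" (Windows event 1102) or a stopped forwarder is only visible if the last record made it off the box.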

GSPBC-1051 - Exfiltration - Exfiltration Over Physical Medium

2022-06-14T21:43:27+00:00

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point ...

GSPBC-1050 - Initial Access - Hardware Additions

2022-05-17T02:48:11+00:00

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red ...

GSPBC-1049 - Impact - Resource Hijacking

2022-05-04T02:26:36+00:00

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint ...
