The Stealth tactic:
What is "the adversary is trying to hide and conceal their actions, appearing as normal behavior"?
The adversary is trying to break security mechanisms, pipelines, and tooling so defenders can’t see or trust what’s happening.
What is Defense Impairment?
The adversary is trying to get into your network.
What is Initial Access?
They represent 'how' an adversary achieves a tactical goal by performing an action.
What do techniques represent?
List at least 5 techniques under the Stealth tactic:
Access Token Manipulation, BITS Jobs, Build Image on Host, Debugger Evasion, Delay Execution, Deobfuscate/Decode Files or Information, Direct Volume Access, Execution Guardrails, Exploitation for Stealth, Hide Artifacts, Hijack Execution Flow, Indicator Removal, Indirect Command Execution, Masquerading, Obfuscated Files or Information, Pre-OS Boot, Process Injection, Reflective Code Loading, Rootkit, Selective Exclusion, Social Engineering, System Binary Proxy Execution, System Script Proxy Execution, Template Injection, Traffic Signaling, Trusted Developer Utilities Proxy Execution, Unused/Unsupported Cloud Regions, Valid Accounts, Virtualization/Sandbox Evasion, and XSL Script Processing.
The number of techniques under the Defense Impairment tactic:
What is 18?
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
What is Spearphishing via Service?
Difference between Initial Access and Discovery:
Initial Access is how an attacker gets into a system, while Discovery is how they explore and learn about the environment after gaining access.
The two subtechniques in Social Engineering:
What are Impersonation and Email Spoofing?
The two subtechniques under Weaken Encryption:
What are Reduce Key Space and Disable Crypto Hardware?
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
What is Replication Through Removable Media?
The Valid Accounts technique falls under which tactics:
What are Initial Access, Stealth, Persistence, and Privilege Escalation?
Selectively deleting or modifying suspicious artifacts to reduce detection while still appearing normal.
What is Indicator Removal?
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
What is Disable or Modify System Firewall > Cloud Firewall?
Ember Bear has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations.
What is Supply Chain Compromise?
Difference between Persistence and Stealth:
Stealth is about avoiding detection while active, whereas Persistence is about maintaining long-term access to a system even after restarts or disruptions.
The number of techniques under the Stealth tactic:
What is 30?
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
What is Weaken Encryption?
The four subtechniques under Valid Accounts:
What are Default Accounts, Domain Accounts, Local Accounts, and Cloud Accounts?
The reason why Defense Evasion was deprecated:
What is a tactic that became too broad and lacked a clear adversary objective, leading MITRE to split it into more specific tactics?