Present the adversary with a variety of installed applications and services.

Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services.

ID | Description |
---|---|
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0002 | There is an opportunity to discover who or what is being targeted by an adversary. |
DOS0085 | In an adversary engagement scenario, there is an opportunity to use a variety of applications on a system to see what an adversary tries to exploit in order to acquire credentials. |
DOS0180 | There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks. |
DOS0219 | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. |

ID | Description |
---|---|
DUC0035 | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
DUC0056 | A defender can install decoy services that have extensible capabilities. |
DUC0059 | A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system. |
DUC0085 | A defender can use a variety of applications on a decoy system or in a decoy network to see what an adversary tries to exploit in order to acquire credentials. |
DUC0180 | During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time. |
DUC0219 | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
DUC0235 | A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques. |

ID | Description |
---|---|
DPR0007 | Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks. |
DPR0008 | Install antivirus or other endpoint detection tools on systems to see if an adversary takes note of them and if so, how they react. |

ID | Name | ATT&CK Tactics |
---|---|---|
T1010 | Application Window Discovery | Discovery |
T1203 | Exploitation for Client Execution | Execution |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1212 | Exploitation for Credential Access | Credential Access |
T1480 | Execution Guardrails | Defense Evasion |
T1505 | Server Software Component | Persistence |
T1518 | Software Discovery | Discovery |
T1562 | Impair Defenses | Defense Evasion |