Application Diversity

Present the adversary with a variety of installed applications and services.

Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services.

Details
ID: DTE0004
Tactics:  Channel Collect Facilitate Test Detect Legitimize Disrupt

Opportunities

IDDescription
DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0002 There is an opportunity to discover who or what is being targeting by an adversary.
DOS0085 In an adversary engagement scenario, there is an opportunity to use a variety of applications on a system to see what an adversary tries to exploit in order to acquire credentials.
DOS0180 There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks.
DOS0219 There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations.

Use Cases

IDDescription
DUC0035 A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications.
DUC0056 A defender can install decoy services that have extensible capabilities.
DUC0059 A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system.
DUC0085 A defender can use a variety of applications on a decoy system or in a decoy network to see what an adversary tries to exploit in order to acquire credentials.
DUC0180 During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time.
DUC0219 A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction.
DUC0235 A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques.

Procedures

IDDescription
DPR0007 Use a mix of vulnerable and nonvulnerable software on a system to allow you to see what exploits the adversary leverages in their attacks.
DPR0008 Install Anti-virus or other end-point detection tools on systems to see if an adversary takes note of them and if so, how they react.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1010 Application Window Discovery Discovery
T1203 Exploitation for Client Execution Execution
T1210 Exploitation of Remote Services Lateral Movement
T1211 Exploitation for Defense Evasion Defense Evasion
T1212 Exploitation for Credential Access Credential Access
T1480 Execution Guardrails Defense Evasion
T1505 Server Software Component Persistence
T1518 Software Discovery Discovery
T1562 Impair Defenses Defense Evasion