MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Pocket Litter
Place data on a system to reinforce the legitimacy of the system or user.
Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).
Details
ID:
DTE0030
Opportunities
| ID | Description |
|---|---|
| DOS0098 | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. |
| DOS0099 | In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. |
| DOS0165 | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. |
Use Cases
| ID | Description |
|---|---|
| DUC0098 | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
| DUC0099 | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
| DUC0104 | A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner. |
| DUC0111 | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
| DUC0165 | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
| DUC0226 | A defender can seed content interesting files to an adversary, but lock the permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions. |
Procedures
| ID | Description |
|---|---|
| DPR0052 | When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary. |
| DPR0053 | Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary. |
ATT&CK® Techniques
ID | Name | ATT&CK Tactics |
|---|---|---|
| T1005 | Data from Local System | Collection |
| T1025 | Data from Removable Media | Collection |
| T1039 | Data from Network Shared Drive | Collection |
| T1074 | Data Staged | Collection |
| T1119 | Automated Collection | Collection |
| T1213 | Data from Information Repositories | Collection |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1530 | Data from Cloud Storage Object | Collection |