We have a blog! Check out MITRE Shield on Medium.

Pocket Litter

Place data on a system to reinforce the legitimacy of the system or user.

Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).

Details
ID: DTE0030
Tactics:  Facilitate Legitimize Test Detect Channel

Opportunities

IDDescription
DOS0098 In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.
DOS0099 In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary.
DOS0165 In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content.

Use Cases

IDDescription
DUC0098 A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
DUC0099 A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
DUC0104 A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner.
DUC0111 A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.
DUC0165 A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.
DUC0226 A defender can seed content interesting files to an adversary, but lock the permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions.

Procedures

IDDescription
DPR0052 When staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.
DPR0053 Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1005 Data from Local System Collection
T1025 Data from Removable Media Collection
T1039 Data from Network Shared Drive Collection
T1074 Data Staged Collection
T1119 Automated Collection Collection
T1213 Data from Information Repositories Collection
T1222 File and Directory Permissions Modification Defense Evasion
T1530 Data from Cloud Storage Object Collection