DUC0028 | A defender can manipulate the output of system commands an adversary issues, altering the information the adversary relies on during their activity.
DUC0029 | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
DUC0030 | A defender can modify system calls to break communications, route traffic to decoy systems, prevent full execution, and so on.
DUC0032 | A defender can monitor operating system function calls to look for adversary use and/or abuse.
DUC0038 | A defender can manipulate the output of commands commonly used to enumerate a system's network connections. The defender can seed this output with decoy systems and/or networks, or remove legitimate systems from it, in order to direct an adversary away from legitimate systems.
DUC0041 | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in the ways they normally would.
DUC0057 | A defender can manipulate commands on systems so that an adversary is unable to delete data in the ways they normally would.
DUC0075 | A defender can change the output of reconnaissance commands to hide simulation elements they do not want attacked and to present simulation elements they want the adversary to engage with.
DUC0079 | By changing the output of network sniffing utilities normally found on a system, a defender can prevent adversaries from seeing particular content or from making use of the results at all.
DUC0125 | A defender can modify the functionality of commands used to delete files or format drives so that they fail when used in a specific manner.
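The three deletion use cases above (DUC0029, DUC0057, DUC0125) can be combined in one shell-level replacement for rm. The following is an added example, not code from the Shield page: it copies every target into a quarantine tree before the real deletion runs, and refuses recursive deletion of / or of a top-level directory such as /etc. The quarantine location (QUARANTINE_DIR) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Shield page: a shell-level replacement for rm
# that copies every target into a quarantine directory before deleting it
# (DUC0029, DUC0057) and refuses recursive deletion of / or of a top-level
# directory such as /etc (DUC0125). QUARANTINE_DIR and the function names
# are hypothetical.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/defender/quarantine}"

# Return 0 when the rm argument list is one we want to fail: a recursive
# flag combined with a target that is / or a direct child of /.
rm_is_dangerous() {
    recursive=0
    for a in "$@"; do
        case "$a" in
            --recursive) recursive=1 ;;
            --*) ;;                     # other long options
            -*r*|-*R*) recursive=1 ;;   # short option cluster containing r/R
        esac
    done
    [ "$recursive" -eq 1 ] || return 1
    for a in "$@"; do
        case "$a" in -*) continue ;; esac   # an option, not a path
        case "${a%/}" in                    # strip one trailing slash
            "") return 0 ;;                 # "/" itself
            /*/*) ;;                        # two or more components: allowed
            /*) return 0 ;;                 # /etc, /home, ...
        esac
    done
    return 1
}

# Copy one path (file or directory) into the quarantine tree, mirroring its
# absolute path under a per-invocation timestamp directory ($2).
quarantine_copy() {
    case "$1" in /*) abs="$1" ;; *) abs="$PWD/$1" ;; esac
    dest="$QUARANTINE_DIR/$2$abs"
    mkdir -p "$(dirname "$dest")" && cp -Rp "$1" "$dest"
}

# The rm replacement: refuse dangerous invocations, quarantine the rest,
# then hand the original arguments to the real binary.
defender_rm() {
    if rm_is_dangerous "$@"; then
        echo "rm: refusing recursive deletion of a top-level path" >&2
        return 1
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for a in "$@"; do
        case "$a" in -*) continue ;; esac
        if [ -e "$a" ]; then
            quarantine_copy "$a" "$stamp"
        fi
    done
    command rm "$@"
}

# Install ahead of /bin/rm for shells that source this file (the same logic
# can ship as a script earlier in PATH).
rm() { defender_rm "$@"; }
```

A function or PATH wrapper only catches deletions that resolve rm through the shell; an adversary who runs /bin/rm by absolute path, drops a static binary, or calls unlink directly bypasses it, so the same copy-then-delete logic belongs in an LD_PRELOAD library or a kernel hook when the goal is coverage rather than a tripwire. The quarantine directory should be unwritable by the account the adversary holds and mirrored off-host, since the wrapper's value is lost if the adversary can clear it.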
DUC0148 | A defender could feed or redirect requests for credentials with false data that directs an adversary into a decoy network or system.
DUC0181 | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
DUC0186 | A defender could alter the output of account enumeration commands to hide accounts or to show the presence of accounts that do not exist.
DUC0189 | If the defender knows the specific regions an adversary is targeting, they can alter the output of commands that return the system time so that the data is consistent with what the adversary expects to see.
DUC0192 | A defender can use the API calls associated with direct volume access either to see what activity and data is passing through, or to influence how those API calls function.
DUC0194 | A defender could manipulate the command that displays services so that it shows an adversary the services they would expect to see on a system, or shows them unexpected services.
DUC0203 | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display the users on a system.
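The enumeration use cases above (DUC0038, DUC0181, DUC0186, DUC0194, DUC0203) all come down to the same two operations on a command's output: removing rows the defender wants hidden and appending rows that describe decoys. The following added example, not code from the Shield page, shows both for ps-style and netstat-style output and logs every invocation so the defender learns which enumeration the adversary ran; the same filter applies unchanged to service, account and user listings. The process names, decoy addresses, sample output and log path are hypothetical and constructed.

```shell
#!/bin/sh
# Added example, not part of the Shield page: manipulating enumeration output
# at the shell level. filter_ps hides named active-defense processes from
# ps-style output (DUC0181); seed_netstat appends decoy connections to
# netstat-style output (DUC0038); log_wrapper_use records each invocation so
# the defender sees which enumeration the adversary ran. The process names,
# decoy addresses, sample output and log path are hypothetical.

HIDDEN_PROCS="defender-agent honeymon"
DEFENDER_LOG="${DEFENDER_LOG:-/var/log/defender/wrapper.log}"

# Decoy rows in `netstat -ant` layout (constructed; these hosts do not exist).
DECOY_CONNS='tcp        0      0 10.0.5.20:445           10.0.5.200:51322        ESTABLISHED
tcp        0      0 10.0.5.20:3389          10.0.9.14:40111         ESTABLISHED'

# Constructed command output used by the demo functions at the bottom.
SAMPLE_PS='  PID TTY          TIME CMD
  412 ?        00:00:01 sshd
  998 ?        00:00:09 defender-agent
 1203 pts/0    00:00:00 bash'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# stdin -> stdout: drop every line that mentions a hidden process name.
filter_ps() {
    awk -v hidden="$HIDDEN_PROCS" '
        BEGIN { n = split(hidden, h, " ") }
        { keep = 1; for (i = 1; i <= n; i++) if (index($0, h[i]) > 0) keep = 0 }
        keep { print }'
}

# stdin -> stdout: pass the real rows through, then append the decoy rows.
seed_netstat() {
    cat
    printf '%s\n' "$DECOY_CONNS"
}

# Append one audit record per wrapper call: UTC time, pid of the shell that
# ran the wrapper, command name and arguments.
log_wrapper_use() {
    cmd=$1; shift
    mkdir -p "$(dirname "$DEFENDER_LOG")"
    printf '%s pid=%s cmd=%s args=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$cmd" "$*" >> "$DEFENDER_LOG"
}

# Wrappers installed ahead of the real binaries (shell functions here; the
# same logic works as scripts placed earlier in PATH).
ps() { log_wrapper_use ps "$@"; command ps "$@" | filter_ps; }
netstat() { log_wrapper_use netstat "$@"; command netstat "$@" | seed_netstat; }

# Demo entry points that run the filters over the constructed samples.
demo_filter_ps() { printf '%s\n' "$SAMPLE_PS" | filter_ps; }
demo_seed_netstat() { printf '%s\n' "$SAMPLE_NETSTAT" | seed_netstat; }
```

Two caveats matter in practice. First, every enumeration path has to tell the same story: if netstat shows a decoy connection that ss, lsof and /proc/net/tcp do not, the inconsistency exposes the deception, so the same filtering has to cover each of them (or be pushed below the shell into an LD_PRELOAD library or kernel hook, as in DUC0030), unless the inconsistency is itself meant as a tripwire. Second, wrappers that resolve through PATH are bypassed by absolute paths, static binaries the adversary brings, and direct reads of /proc, so the invocation log above is most useful as an early indicator that enumeration is happening at all, not as proof the adversary saw only the altered view.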
DUC0206 | A defender could manipulate a system's software to alter the results an adversary obtains when enumerating permission group information.
DUC0216 | A defender can alter the output of the password policy description so that the adversary is unsure of exactly what the requirements are.
DUC0242 | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. The same approach can be used to corrupt the operation so that the resulting data is not usable.