Software Manipulation

Make changes to a system's software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.

Details
ID: DTE0036
Tactics: Channel, Contain, Disrupt, Test, Detect, Facilitate, Collect

Opportunities

ID  Description
DOS0026 In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system.
DOS0028 There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
DOS0029 There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.

Use Cases

ID  Description
DUC0028 A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
DUC0029 A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
DUC0030 A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.
DUC0032 A defender can monitor operating system functions calls to look for adversary use and/or abuse.
DUC0038 A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems.
DUC0041 A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in ways they normally would.
DUC0057 A defender can manipulate commands on systems so that an adversary is unable to delete data in ways they normally would.
DUC0075 A defender can change the output of recon commands to hide simulation elements they do not want attacked and present simulation elements they want the adversary to engage with.
DUC0079 By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all.
DUC0125 A defender can modify the functionality of commands that are used to delete files or format drives so they fail when used in a specific manner.
DUC0148 A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system.
DUC0181 A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary.
DUC0186 A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist.
DUC0189 If the defender knows the specific regions an adversary is targeting, they can alter the output of commands which return system times to return data consistent with what an adversary would want to see.
DUC0192 A defender can use API calls associated with direct volume access to either see what activity and data is being passed through, or to influence how that API call functions.
DUC0194 A defender could manipulate the command that displays services to show an adversary the services they would expect to see on a system, or to show them unexpected services.
DUC0203 A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system.
DUC0206 A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information.
DUC0216 A defender can alter the output of the password policy description so the adversary is unsure of exactly what the requirements are.
DUC0242 A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.
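The delete-interception use cases (DUC0029, DUC0125) can be realised on Linux with a preloaded library that interposes the libc call a program uses to delete a file. The shim below is an added example written for this page, not code from MITRE Shield; the library name, the SHIELD_QUARANTINE variable and the /tmp/quarantine default are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not code from the MITRE Shield page: a Linux LD_PRELOAD shim
 * in the spirit of DUC0029 and DUC0125. A program deleting a file through
 * unlink() first gets the file copied into a quarantine directory; if that
 * copy fails, the delete is refused. Build and use lines are assumptions:
 *   cc -shared -fPIC -o shield_unlink.so shield_unlink.c
 *   SHIELD_QUARANTINE=/var/lib/quarantine LD_PRELOAD=./shield_unlink.so ./prog */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
static char g_last_copy[4096];                 /* where the latest copy went */
const char *shield_last_copy(void) { return g_last_copy; }

/* Byte-for-byte copy of src to dst; 0 on success, -1 on any failure. */
static int copy_file(const char *src, const char *dst)
{
    FILE *in = fopen(src, "rb"), *out = in ? fopen(dst, "wb") : NULL;
    char buf[8192];
    size_t n;
    int ok = (in && out);
    while (ok && (n = fread(buf, 1, sizeof buf, in)) > 0)
        ok = (fwrite(buf, 1, n, out) == n);
    if (in) fclose(in);
    if (out && fclose(out) != 0) ok = 0;
    return ok ? 0 : -1;
}

/* Interposed unlink(): preserve a copy, log, then delete via unlinkat(),
 * which is not interposed and so performs the real removal. */
int unlink(const char *path)
{
    const char *dir = getenv("SHIELD_QUARANTINE");   /* assumed variable name */
    const char *base = strrchr(path, '/');
    if (access(path, F_OK) != 0)               /* nothing to preserve: let the */
        return unlinkat(AT_FDCWD, path, 0);    /* real call report ENOENT      */
    snprintf(g_last_copy, sizeof g_last_copy, "%s/%ld-%ld-%s",
             dir ? dir : "/tmp/quarantine", (long)time(NULL), (long)getpid(),
             base ? base + 1 : path);
    if (copy_file(path, g_last_copy) != 0) {
        fprintf(stderr, "[shield] unlink(%s) refused: copy failed\n", path);
        errno = EACCES;                        /* caller sees a failed delete */
        return -1;
    }
    fprintf(stderr, "[shield] unlink(%s): copy kept at %s\n", path, g_last_copy);
    return unlinkat(AT_FDCWD, path, 0);
}
```

Programs that delete through other entry points (unlinkat(), rename over the file, truncation) are not covered by this single hook; a production shim would interpose each of them.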

Procedures

ID  Description
DPR0003 Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed of dynamic analysis when a malicious file sleeps for long periods before attempting additional capabilities.
DPR0004 Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.
DPR0018 Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier.
DPR0019 Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.
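DPR0003 is described for Win32 Sleep(); the same procedure on Linux is an LD_PRELOAD library that interposes libc sleep(). The code below is an added example for this page, not MITRE Shield code; the library name, the one-second cap and the counter functions are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not code from the MITRE Shield page: a Linux LD_PRELOAD
 * counterpart of procedure DPR0003. The page hooks Win32 Sleep() so every call
 * becomes Sleep(1); here libc sleep() is interposed so a sample that stalls
 * for minutes before acting finishes in about a second, and every requested
 * delay is recorded for the analyst. Build and use lines are assumptions:
 *   cc -shared -fPIC -o fastsleep.so fastsleep.c
 *   LD_PRELOAD=./fastsleep.so ./sample */
#include <errno.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define MAX_SLEEP_SECONDS 1u   /* cap: the analogue of the page's Sleep(1) */

static unsigned long g_calls;                   /* how often sleep() was hit */
static unsigned long long g_requested_seconds;  /* total the sample asked for */
static unsigned long long g_actual_seconds;     /* total actually slept */
unsigned long fastsleep_calls(void) { return g_calls; }
unsigned long long fastsleep_requested(void) { return g_requested_seconds; }
unsigned long long fastsleep_actual(void) { return g_actual_seconds; }

/* Interposed sleep(): cap the delay and log what was originally requested.
 * nanosleep() is called directly, so the real sleep() never has to be looked
 * up with dlsym(RTLD_NEXT). */
unsigned int sleep(unsigned int seconds)
{
    unsigned int actual = seconds > MAX_SLEEP_SECONDS ? MAX_SLEEP_SECONDS : seconds;
    struct timespec ts = { .tv_sec = (time_t)actual, .tv_nsec = 0 };

    g_calls++;
    g_requested_seconds += seconds;
    g_actual_seconds += actual;
    fprintf(stderr, "[fastsleep] sleep(%u) requested, sleeping %u\n", seconds, actual);

    /* A signal may cut the nap short; resume with the remaining time. */
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR)
        ;
    return 0;   /* libc contract: seconds left unslept, none here */
}
```

The requested-versus-actual counters are the detection side of the procedure: a sample that asks for far more sleep than it gets is itself a signal worth recording.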

ATT&CK® Techniques

ID  Name (ATT&CK Tactics)
T1006 Direct Volume Access (Defense Evasion)
T1007 System Service Discovery (Discovery)
T1018 Remote System Discovery (Discovery)
T1033 System Owner/User Discovery (Discovery)
T1040 Network Sniffing (Credential Access, Discovery)
T1046 Network Service Scanning (Discovery)
T1049 System Network Connections Discovery (Discovery)
T1057 Process Discovery (Discovery)
T1059 Command and Scripting Interpreter (Execution)
T1069 Permission Groups Discovery (Discovery)
T1087 Account Discovery (Discovery)
T1106 Native API (Execution)
T1124 System Time Discovery (Discovery)
T1129 Shared Modules (Execution)
T1134 Access Token Manipulation (Defense Evasion, Privilege Escalation)
T1201 Password Policy Discovery (Discovery)
T1218 Signed Binary Proxy Execution (Defense Evasion)
T1485 Data Destruction (Impact)
T1559 Inter-Process Communication (Execution)
T1560 Archive Collected Data (Collection)
T1561 Disk Wipe (Impact)
T1564 Hide Artifacts (Defense Evasion)