
Information Security

Assignment #1

Submitted by:
Bilal Hasan Khan
BSCS-2021-37

Submitted to:

Dr. Arshad Farhad

Namal University Mianwali


Part 1:

Grille ciphers:

A grille cipher is a transposition method in which a sheet with holes cut in it (the grille) is laid over a sheet of paper to encrypt plain text into cipher text, and laid over the cipher text again to recover the original. The grille itself is the key, so sender and receiver must hold identical grilles.
In a turning grille the sender first draws a grid sized to the message, lays the grille on it and writes the first letters of the text, in reading order, into the cells visible through the holes. He then rotates the grille by 90 degrees (clockwise in the example below) and writes the next letters into the cells that are now exposed. The holes are cut so that no cell is exposed twice, so after four positions every cell of the grid has been filled exactly once. The sender reads the full grid row by row as the cipher text and sends it to the receiver, who writes it into a grid of the same size, lays his grille on it and reads the letters through the holes in the same four positions to recover the message.
Grille ciphers were used in the past to secure correspondence, but they are no longer considered secure: the cipher text is only a rearrangement of the plain text, so letter frequencies are unchanged, and the number of possible grilles for a small grid is small enough to search exhaustively.
Example:
Suppose Bilal is the sender and wants to send the message "BILALWINSFOREVER" to Anus. The message has 16 letters, so he selects a 4x4 grid and a 4x4 grille with four holes. In its first position the grille exposes the cells (row 1, column 1), (row 2, column 4), (row 3, column 2) and (row 3, column 4), as can be read off the partially filled grids below; "." marks an empty cell.

Now he places the grille on the paper and writes the first four characters, B I L A, into the holes:

B . . .
. . . I
. L . A
. . . .

Now he rotates the grille 90 degrees clockwise and writes the next four characters, L W I N, into the newly exposed holes:

B . . L
. W . I
. L . A
. I N .

Similarly the third rotation takes S F O R and the fourth takes E V E R, after which the grid is full and the final cipher text is:

B E V L
S W F I
O L E A
R I N R

Read row by row, the cipher text is BEVLSWFIOLEARINR.
The original text is now encoded and the sender (Bilal) sends it to the receiver (Anus).
Decoding:
Anus receives the cipher text and holds the same grille. Just like the encoding process, he writes the cipher text row by row into a 4x4 grid, places the grille on it in its first position and reads the letters visible through the holes.

Plain text = BILA

Similarly, after the second rotation:
Plaintext = BILALWIN
Similarly after the third and fourth rotations he has read every cell of the grid exactly once.

So after four rotations Anus has the full original text:

Original text = BILALWINSFOREVER
In this way Bilal has successfully encoded the original text into cipher text and Anus has decoded the cipher text back into the original text.
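The turning grille above, as an added Python example that is not part of the original assignment. The hole positions are the four cells the first grid exposes, and the rotation is clockwise as in the text. The validity check catches a grille whose holes overlap under rotation, the mistake that would make the cipher overwrite and lose letters.

```python
# Turning-grille cipher, added example (not from the original assignment).
# HOLES are the cells exposed by the grille in its first position, read off
# the first partially filled grid above (0-based (row, col)).
HOLES = [(0, 0), (1, 3), (2, 1), (2, 3)]
SIZE = 4


def rotate_cw(holes, n):
    """Rotate hole coordinates 90 degrees clockwise on an n x n grille."""
    return [(c, n - 1 - r) for r, c in holes]


def hole_sequence(holes, n):
    """Cells in fill order: four grille positions, reading order within each."""
    seq = []
    for _ in range(4):
        seq.extend(sorted(holes))      # row-major order, as the sender writes
        holes = rotate_cw(holes, n)
    return seq


def grille_is_valid(holes, n):
    """A usable turning grille exposes every cell exactly once over 4 turns.
    Overlapping holes would overwrite letters and lose part of the message."""
    return len(set(hole_sequence(holes, n))) == n * n


def grille_encrypt(plaintext, holes=HOLES, n=SIZE):
    if not grille_is_valid(holes, n):
        raise ValueError("grille holes overlap under rotation")
    if len(plaintext) != n * n:
        raise ValueError(f"plaintext must be exactly {n * n} characters")
    grid = [[""] * n for _ in range(n)]
    for ch, (r, c) in zip(plaintext, hole_sequence(holes, n)):
        grid[r][c] = ch
    return "".join("".join(row) for row in grid)   # read the grid row by row


def grille_decrypt(ciphertext, holes=HOLES, n=SIZE):
    if len(ciphertext) != n * n:
        raise ValueError(f"ciphertext must be exactly {n * n} characters")
    grid = [list(ciphertext[i * n:(i + 1) * n]) for i in range(n)]
    return "".join(grid[r][c] for r, c in hole_sequence(holes, n))


if __name__ == "__main__":
    ct = grille_encrypt("BILALWINSFOREVER")
    print(ct)                      # BEVLSWFIOLEARINR
    print(grille_decrypt(ct))      # BILALWINSFOREVER
```

For a 4x4 grille there are only 4^4 = 256 ways to pick one cell from each of the four rotation orbits, so an attacker who knows the grid size can try every grille; that is the "analysis" that retired this cipher.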

Product Cipher:

A product cipher combines two or more simple ciphers, applied one after the other, so that the weaknesses of each are covered by the other. Instead of relying on a single transformation, the plaintext passes through a sequence of substitution and transposition steps.
Most product ciphers combine two kinds of cipher:
Substitution Cipher: each character of the plaintext is replaced by another character or symbol according to a predetermined table or rule. The positions of the characters are unchanged; their identities are.

Transposition Cipher: the positions of the characters are rearranged according to a fixed rule or permutation. The order of the characters changes, but the characters themselves remain the same.
Encryption:
At the sender's side the original text is first encoded with the substitution cipher, and the transposition cipher is then applied to the result. Substitution hides which letters are present and transposition hides where they are; this substitution-permutation pattern, repeated over many rounds with key-dependent steps, is how modern block ciphers such as DES and AES are built. A single Caesar shift followed by a fixed transposition, as in the example below, still has only 26 keys and is trivially brute-forced.
Decryption:
At the receiver's side the steps are undone in reverse order: the transposition is reversed first, and the substitution is then reversed on the result to get the original text.
Example:
Sender:
Suppose we want to send the message "BILALWINSFOREVER".
Then the steps of encryption are:
Substitution Cipher (Caesar cipher with a shift of 3, so A becomes D, B becomes E, and X, Y, Z wrap round to A, B, C):
Plaintext: BILALWINSFOREVER
Ciphertext: ELODOZLQVIRUHYHU
Transposition Cipher (swap the two letters of each adjacent pair):
Input: ELODOZLQVIRUHYHU
Ciphertext: LEDOZOQLIVURYHUH
So the encrypted ciphertext is "LEDOZOQLIVURYHUH".
Receiver:

To decrypt, we reverse the process, undoing the steps in reverse order:

Transposition Cipher (swap each adjacent pair back; the swap is its own inverse):
Ciphertext: LEDOZOQLIVURYHUH
Result: ELODOZLQVIRUHYHU
Substitution Cipher (reverse the Caesar cipher by shifting back 3):
Input: ELODOZLQVIRUHYHU
Result: BILALWINSFOREVER

The decrypted plaintext is "BILALWINSFOREVER".
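The product cipher of the example, as an added Python example that is not part of the original assignment. It implements the two steps exactly as described (Caesar shift, then pair swap), the reverse order for decryption, and a brute-force function that shows why the combination is not secure: the transposition is fixed, so the whole key is the 26-way shift.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Shift every A-Z letter by `shift` places; a negative shift undoes it."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)          # non-letters are passed through unchanged
    return "".join(out)


def swap_pairs(text):
    """Transposition step: swap the two letters of each adjacent pair.
    A trailing unpaired letter stays where it is. The step is its own inverse."""
    chars = list(text)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def product_encrypt(plaintext, shift=3):
    """Substitution first, then transposition, as in the text."""
    return swap_pairs(caesar(plaintext.upper(), shift))


def product_decrypt(ciphertext, shift=3):
    """Undo the steps in reverse order: transposition back, then substitution back."""
    return caesar(swap_pairs(ciphertext), -shift)


def brute_force(ciphertext):
    """The transposition is fixed and the Caesar step has 26 keys, so an attacker
    simply tries them all; the plaintext is among the 26 candidates."""
    return {shift: product_decrypt(ciphertext, shift) for shift in range(26)}


if __name__ == "__main__":
    ct = product_encrypt("BILALWINSFOREVER")
    print(ct)                                   # LEDOZOQLIVURYHUH
    for shift, candidate in brute_force(ct).items():
        print(shift, candidate)                 # shift 3 is the readable one
```

Adding rounds does not help unless the transposition is also keyed and the substitution depends on the key in each round; that dependence, not the mere layering, is what gives DES and AES their strength.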


Polybius(square) cipher:

The Polybius cipher, attributed to the ancient Greek historian Polybius, is a classical substitution cipher that converts each plaintext letter into a pair of numbers giving its position in a pre-defined grid. The grid, known as the Polybius square, is typically a 5x5 matrix. A 5x5 square has only 25 cells for 26 letters, so two letters (conventionally I and J) share one cell; the alphabet is then written into the grid with every other letter occupying a unique cell. A keyword may be written into the square first to change the layout and act as the key.

    1 2 3 4 5

1   A B C D E

2   F G H I K

3   L M N O P

4   Q R S T U

5   V W X Y Z

(J shares the cell of I.)

To encrypt a message, each letter of the plaintext is replaced by the pair of digits giving its row and column in the grid: 'A' becomes (1,1), 'B' becomes (1,2), 'C' becomes (1,3), and so on. The coordinate pairs are concatenated to form the ciphertext. Decryption reverses the process: each pair of digits is mapped back to the letter at that position in the grid, revealing the original plaintext. The Polybius cipher is straightforward to implement and understand, which makes it suitable for teaching and for historical study. It is not secure: it is a monoalphabetic substitution in which each letter always produces the same digit pair, so the pairs can be counted and broken by frequency analysis exactly like a simple substitution, and with the standard (unkeyed) square there is no secret at all. Its real value is as a building block, since it turns letters into digits that further steps can mix, which is what the Bifid and Trifid ciphers below do.

Example:
Suppose we want to encrypt and decrypt the message "BILALWINSFOREVER" using the Polybius cipher and the unkeyed square above.
Encryption:
Based on the position of each letter in the grid we get the following (row, column) pair for each letter.
B -> (1,2)
I -> (2,4)
L -> (3,1)
A -> (1,1)
L -> (3,1)
W -> (5,2)
I -> (2,4)
N -> (3,3)
S -> (4,3)
F -> (2,1)
O -> (3,4)
R -> (4,2)
E -> (1,5)
V -> (5,1)
E -> (1,5)
R -> (4,2)
Writing the pairs one after the other gives the ciphertext in numbers:

12 24 31 11 31 52 24 33 43 21 34 42 15 51 15 42

Decryption:

For decryption, we match each pair of numbers with the coordinates of the grid.

(1,2) -> B
(2,4) -> I
(3,1) -> L
(1,1) -> A
(3,1) -> L
(5,2) -> W
(2,4) -> I
(3,3) -> N
(4,3) -> S
(2,1) -> F
(3,4) -> O
(4,2) -> R
(1,5) -> E
(5,1) -> V
(1,5) -> E
(4,2) -> R
After this we get the original text:
"BILALWINSFOREVER"

Bifid Cipher:
The Bifid cipher, invented by Félix Delastelle, builds on the Polybius square: it first converts each plaintext letter into its coordinates, then rearranges (fractionates) those coordinates before turning them back into letters. It therefore combines substitution (the square) with transposition of the digit halves, so that each ciphertext letter depends on two different plaintext letters.

Working:
A Polybius square, typically a 5x5 grid with a keyword written in first, is constructed as above. Each letter gets a pair of coordinates from its position in the grid, and the coordinates are then repositioned before the lookup is reversed.
Encryption:
1. Convert each plaintext letter into its (row, column) coordinates using the Polybius square.
2. Write the row numbers in one line and the column numbers in a second line directly beneath them.
3. Read the row line from left to right, followed by the column line, to produce a single stream of digits. This is the transposition step: the first half of the stream now holds only row numbers and the second half only column numbers.
4. Group the stream into pairs and look each pair up in the square as (row, column) to obtain the ciphertext letters.
Long messages are normally split into blocks of a fixed length (the period, often 5) and the steps are applied to each block in turn; the example below uses the whole message as one block.
Decryption:
1. Convert each ciphertext letter back into its coordinates and write them as a single stream of digits.
2. Split the stream into two equal halves: the first half is the line of row numbers, the second half the line of column numbers.
3. Pair the first row number with the first column number, the second with the second, and so on.
4. Look each pair up in the Polybius square to recover the plaintext letters.

Example:
Using the unkeyed square above and the plaintext ATTACKATDAWN, the coordinates of the letters are:
Letter:  A T T A C K A T D A W N
Row:     1 4 4 1 1 2 1 4 1 1 5 3
Column:  1 4 4 1 3 5 1 4 4 1 2 3
Reading the row line followed by the column line gives one stream of 24 digits:
1 4 4 1 1 2 1 4 1 1 5 3 1 4 4 1 3 5 1 4 4 1 2 3
Grouping the stream in pairs and looking each pair up in the square gives the cipher text:

14 41 12 14 11 53 14 41 35 14 41 23
D  Q  B  D  A  X  D  Q  P  D  Q  H
So the cipher text is "DQBDAXDQPDQH".
Decryption:

Decryption is the reverse process.

The receiver gets "DQBDAXDQPDQH" and converts each letter to its coordinates:

D  Q  B  D  A  X  D  Q  P  D  Q  H
14 41 12 14 11 53 14 41 35 14 41 23
Written as a single stream of 24 digits and cut in half, the first half is the line of row numbers and the second half the line of column numbers:
Row:     1 4 4 1 1 2 1 4 1 1 5 3
Column:  1 4 4 1 3 5 1 4 4 1 2 3
Pairing the numbers vertically gives the original coordinates:
11 44 44 11 13 25 11 44 14 11 52 33
Matching these coordinates to the grid gives the letters:
A  T  T  A  C  K  A  T  D  A  W  N
So finally we get our original plain text.
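The Polybius square and the Bifid cipher built on it, as one added Python example that is not part of the original assignment and serves both sections above. The square is the unkeyed one from the text (J merged into I); a keyword argument and a block period are supported as well, which the text mentions but does not work through, and both are assumptions of this example rather than steps from the page.

```python
import string


def polybius_square(keyword=""):
    """Build the 5x5 square: keyword letters first (repeats dropped), then the
    rest of the alphabet, with J merged into I. Returns two dicts, letter ->
    (row, col) and (row, col) -> letter, with 1-based coordinates as in the text."""
    order = []
    for ch in (keyword.upper() + string.ascii_uppercase).replace("J", "I"):
        if ch in string.ascii_uppercase and ch not in order:
            order.append(ch)
    assert len(order) == 25
    to_coord = {ch: (i // 5 + 1, i % 5 + 1) for i, ch in enumerate(order)}
    return to_coord, {v: k for k, v in to_coord.items()}


def normalize(text):
    """Keep A-Z only, upper-case, with J written as I."""
    return "".join(ch for ch in text.upper().replace("J", "I")
                   if ch in string.ascii_uppercase)


def polybius_encrypt(plaintext, keyword=""):
    to_coord, _ = polybius_square(keyword)
    return " ".join(f"{r}{c}" for r, c in (to_coord[ch] for ch in normalize(plaintext)))


def polybius_decrypt(ciphertext, keyword=""):
    _, to_letter = polybius_square(keyword)
    return "".join(to_letter[(int(p[0]), int(p[1]))] for p in ciphertext.split())


def bifid_encrypt(plaintext, keyword="", period=None):
    """period=None treats the whole message as one block, as the example does."""
    to_coord, to_letter = polybius_square(keyword)
    text = normalize(plaintext)
    period = period or len(text)
    out = []
    for i in range(0, len(text), period):
        block = text[i:i + period]
        rows = [to_coord[ch][0] for ch in block]
        cols = [to_coord[ch][1] for ch in block]
        stream = rows + cols                     # row line, then column line
        out.extend(to_letter[(stream[j], stream[j + 1])]
                   for j in range(0, len(stream), 2))
    return "".join(out)


def bifid_decrypt(ciphertext, keyword="", period=None):
    to_coord, to_letter = polybius_square(keyword)
    period = period or len(ciphertext)
    out = []
    for i in range(0, len(ciphertext), period):
        block = ciphertext[i:i + period]
        stream = [d for ch in block for d in to_coord[ch]]
        half = len(block)                        # first half rows, second half columns
        out.extend(to_letter[(r, c)] for r, c in zip(stream[:half], stream[half:]))
    return "".join(out)


if __name__ == "__main__":
    print(polybius_encrypt("BILALWINSFOREVER"))  # 12 24 31 11 31 52 24 33 43 21 34 42 15 51 15 42
    print(bifid_encrypt("ATTACKATDAWN"))          # DQBDAXDQPDQH
    print(bifid_decrypt("DQBDAXDQPDQH"))          # ATTACKATDAWN
```

The Polybius step alone is a monoalphabetic substitution and falls to frequency counting of the digit pairs; the Bifid rearrangement is what spreads each plaintext letter over two ciphertext letters. With the whole message as one block, however, the first ciphertext letter is still formed from the rows of the first two plaintext letters, so a fixed, short period and a keyed square are both needed before the cipher resists simple analysis.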
Trifid Cipher:
The Trifid cipher, also due to Delastelle, extends the idea of the Bifid cipher from a square to a cube: it uses a 3x3x3 cube of 27 cells, so each letter is represented by three coordinates instead of two, and the fractionation mixes three digit streams instead of two. Like Bifid it is a fractionating cipher (substitution into digits, transposition of the digits, substitution back), not a polyalphabetic one. Each ciphertext letter depends on up to three different plaintext letters, which adds another layer of diffusion.
Working:
For encryption we first draw three 3x3 squares, numbered 1 to 3; each square has rows 1 to 3 and columns 1 to 3, giving 27 cells in all.

Square 1     Square 2     Square 3
  1 2 3        1 2 3        1 2 3
1 . . .      1 . . .      1 . . .
2 . . .      2 . . .      2 . . .
3 . . .      3 . . .      3 . . .

Then we select a keyword and write its letters (dropping any repeats) into the cells in order, starting with square 1. The remaining cells are filled with the rest of the alphabet; since 26 letters leave one cell over, a 27th symbol such as "+" is normally added so that every coordinate triple has a letter. Each letter then has a coordinate (X, Y, Z), where X is the square, Y the row and Z the column. We write the X digits of all the letters in one line, the Y digits in a second line and the Z digits in a third, then read the three lines one after the other as a single stream of digits (the transposition) and regroup that stream into triples (the fractionation); each triple is looked up in the cube as (X, Y, Z) to give a cipher letter. Long messages are normally processed in blocks of a fixed period.
In this way we convert the plain text into cipher text. For decryption the process is simply reversed: convert the cipher letters to triples, write the stream out as three equal lines, and read the columns downwards to get each plaintext letter's (X, Y, Z).
Example:
We want to encrypt the message "The quick brown fox jumps over the lazy dog" with the keyword "HELLOW". First we write the keyword into the cube (the repeated L is dropped). In this example the remaining cells are filled with the letters of the message in order of first appearance, with J sharing the cell of I; the last two cells of square 3 are left empty.

Square 1     Square 2     Square 3
  1 2 3        1 2 3        1 2 3
1 H E L      1 C K B      1 S V A
2 O W T      2 R N F      2 Z Y D
3 Q U I      3 X M P      3 G . .

Now we write the (X, Y, Z) coordinates against each letter of the plaintext (J is looked up as I):

Letter:  T H E Q U I C K B R O W N F O X J U M P S
Square:  1 1 1 1 1 1 2 2 2 2 1 1 2 2 1 2 1 1 2 2 3
Row:     2 1 1 3 3 3 1 1 1 2 2 2 2 2 2 3 3 3 3 3 1
Column:  3 1 2 1 2 3 1 2 3 1 1 2 2 3 1 1 3 2 2 3 1

Letter:  O V E R T H E L A Z Y D O G
Square:  1 3 1 2 1 1 1 1 3 3 3 3 1 3
Row:     2 1 1 2 2 1 1 1 1 2 2 2 2 3
Column:  1 2 2 1 3 1 2 3 3 1 2 3 1 1
Now we read the square line, then the row line, then the column line as one stream of 105 digits and group it in threes. Written under the words of the plaintext, the groups are:
111 111 222
211 221 211 223 131
211 113 331 132 113
331 112 222
223 322 312 112 211
311 112 312 231
122 311 322
311 221 312 213
123 312 311
Now we write the letter of the cube against each coordinate triple:
HHN CRCFQ CLGUL GEN FYVEC SEVX WSY SRVB TVS
Here is our cipher text.
Decryption is the reverse process, following the same steps backwards.
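The Trifid cipher with the cube from the example, as an added Python example that is not part of the original assignment. It follows the procedure above (square line, row line, column line read as one stream, regrouped in threes) with a configurable block period. Two things are assumptions of this example: the two empty cells of square 3 are filled with "." and "+" so that every triple maps to a symbol, and J is merged into I as the text's table does. With the whole message as one block it reproduces the first ten cipher letters of the example; the eleventh triple of that stream, 333, lands on a cell the text left empty, which is why a real Trifid cube fills all 27 cells.

```python
PANGRAM = "The quick brown fox jumps over the lazy dog"

# The cube from the text, read square by square, row by row. The two empty
# cells of square 3 are filled with "." and "+" here (an assumption, so that
# every coordinate triple maps to a symbol); J is merged into I as in the text.
PAGE_CUBE = "HELOWTQUI" + "CKBRNFXMP" + "SVAZYDG.+"


def trifid_cube(cells):
    """27 symbols -> symbol -> (square, row, col) and the reverse, 1-based."""
    if len(cells) != 27 or len(set(cells)) != 27:
        raise ValueError("a Trifid cube needs exactly 27 distinct symbols")
    to_coord = {ch: (i // 9 + 1, (i % 9) // 3 + 1, i % 3 + 1)
                for i, ch in enumerate(cells)}
    return to_coord, {v: k for k, v in to_coord.items()}


def normalize(text):
    """Keep A-Z only, upper-case, J written as I."""
    return "".join(ch for ch in text.upper().replace("J", "I")
                   if "A" <= ch <= "Z")


def trifid_encrypt(plaintext, cells=PAGE_CUBE, period=5):
    to_coord, to_sym = trifid_cube(cells)
    text = normalize(plaintext)
    out = []
    for i in range(0, len(text), period):
        coords = [to_coord[ch] for ch in text[i:i + period]]
        # square line, then row line, then column line, as one digit stream
        stream = ([c[0] for c in coords] + [c[1] for c in coords]
                  + [c[2] for c in coords])
        out.extend(to_sym[tuple(stream[j:j + 3])]
                   for j in range(0, len(stream), 3))
    return "".join(out)


def trifid_decrypt(ciphertext, cells=PAGE_CUBE, period=5):
    to_coord, to_sym = trifid_cube(cells)
    out = []
    for i in range(0, len(ciphertext), period):
        block = ciphertext[i:i + period]
        stream = [d for ch in block for d in to_coord[ch]]
        n = len(block)                      # three equal lines of n digits
        out.extend(to_sym[(s, r, c)] for s, r, c in
                   zip(stream[:n], stream[n:2 * n], stream[2 * n:]))
    return "".join(out)


if __name__ == "__main__":
    print(trifid_encrypt("THE", period=3))            # HCV
    print(trifid_encrypt(PANGRAM, period=35)[:10])    # HHNCRCFQCL
    ct = trifid_encrypt(PANGRAM)
    print(ct, trifid_decrypt(ct))
```

Encrypting "THE" as one block shows the mixing: its square digits 1 1 1 form the first triple (H), its row digits 2 1 1 the second (C) and its column digits 3 1 2 the third (V), so each output letter draws one digit from every input letter of the block.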

Part 2
Zero-day attack:
Software and apps contain security vulnerabilities that can be exploited, so developers are always looking for these flaws in order to identify them and release a patch or update. Sometimes a vulnerability is found not by the developers but by attackers. A flaw that is unknown to the vendor, or known but not yet patched, is called a zero-day vulnerability, because the vendor has had zero days to fix it; an attack that uses it is a zero-day attack. Attackers write exploit code that takes advantage of the weakness, and because no patch exists, defenders can do little beyond detection and containment until the vendor ships one. Working exploits for zero-days are sold on dark-web markets and to exploit brokers for large sums of money. The vendor must first learn of the flaw, then develop and release a patch, and users must install it; until then every installation is exposed. That is why zero-day attacks are so dangerous.

A zero-day exploit targeting a critical component of a widely used operating system, such as Windows or macOS, could allow attackers to gain unauthorized access to sensitive data, execute arbitrary code, or escalate privileges without detection.

Attackers could exploit a previously unknown vulnerability in a popular web browser like Google Chrome or Mozilla Firefox to deliver malware through crafted web pages, compromising the systems of unsuspecting users as soon as they visit the malicious site.

Detection:

When organizations fall victim to a zero-day exploit, they may notice unusual patterns of traffic or scanning activity originating from various clients or services. To identify such attacks, several detection methods are employed:

• Signature-based detection uses existing databases of known malware and exploit behaviours as a reference. This offers valuable insight into known threats, but since a zero-day exploit is by definition new and unknown, relying solely on signatures has obvious limits.
• Behaviour-based detection focuses on how a file or process interacts with the targeted system rather than on its code. Observing the interactions with existing software (processes spawned, files and registry keys touched, network connections made) can reveal malicious behaviour even when the exploit itself has never been seen before.
• Statistical and machine-learning methods detect anomalies by learning from historical data. The organization establishes a baseline of normal system and network behaviour from past and current interactions and flags significant deviations from it; detection accuracy improves as more data becomes available.
• Often organizations adopt a hybrid approach, combining these detection systems to strengthen their defence against zero-day exploits.
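The baseline-and-deviation idea from the bullets above, as an added Python example that is not part of the original assignment. It runs over a handful of constructed web-server access-log lines (the addresses, paths and timestamps are invented), builds a per-client profile, and flags a client either because its request volume is far from the population baseline or because its requests are mostly errors spread across many distinct paths, which is what probing for an exploitable endpoint looks like before any signature for the exploit exists. The thresholds are assumptions chosen for this sample.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample access-log lines (not from any real system): six ordinary
# visitors and one client, 198.51.100.23, probing for files that do not exist.
LOG_LINES = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [12/Mar/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 1024
10.0.0.7 - - [12/Mar/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.8 - - [12/Mar/2024:10:00:20 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:00:33 +0000] "GET /about HTTP/1.1" 200 1024
10.0.0.10 - - [12/Mar/2024:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [12/Mar/2024:10:01:02 +0000] "GET /admin HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:04 +0000] "GET /backup.zip HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:04 +0000] "GET /api/v1/users HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "GET /cgi-bin/ HTTP/1.1" 404 162
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "GET /console HTTP/1.1" 404 162
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def client_profiles(records):
    """Per-client features: request count, distinct paths, error count."""
    prof = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for r in records:
        p = prof[r["ip"]]
        p["requests"] += 1
        p["paths"].add(r["path"])
        if r["status"] >= 400:
            p["errors"] += 1
    return prof


def flag_anomalies(profiles, z_threshold=2.0, error_ratio=0.5, min_requests=5):
    """Flag a client whose request volume is far above the population baseline
    (z-score over all clients in the window) or whose requests are mostly errors
    spread over many distinct paths, the footprint of probing for unknown
    targets. Neither rule needs a signature for the exploit being tried."""
    counts = [p["requests"] for p in profiles.values()]
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts) or 1.0     # avoid division by zero
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        z = (p["requests"] - mean) / stdev
        if z > z_threshold:
            reasons.append(f"request volume z={z:.1f}")
        if (p["requests"] >= min_requests
                and p["errors"] / p["requests"] >= error_ratio
                and len(p["paths"]) >= min_requests):
            reasons.append("mostly errors across many distinct paths")
        if reasons:
            flagged[ip] = reasons
    return flagged


def detect(lines=LOG_LINES):
    return flag_anomalies(client_profiles(parse(lines)))


if __name__ == "__main__":
    for ip, reasons in detect().items():
        print(ip, "; ".join(reasons))
```

A production version would build the baseline from a longer history rather than from the same window it scores, and would use a robust statistic (median and MAD) so that one noisy client cannot inflate the standard deviation and hide itself; the anomaly is still only a lead for an analyst, since a misconfigured monitoring job produces much the same profile as a scanner.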

Protection:
To safeguard against zero-day threats and keep computers and data secure, individuals and organizations should follow these cybersecurity best practices:

• Keep Software Updated: Regularly update all software and operating systems. Vendors release security patches to address newly discovered vulnerabilities, so keeping systems up to date closes the window in which a disclosed flaw can still be exploited.

• Minimize Applications: Limit the installed applications to essential ones only. More software means more potential vulnerabilities; removing unnecessary applications reduces the attack surface.

• Use a Firewall: Employ a firewall to bolster the system's defences. Configure it to allow only the traffic that is actually needed (default deny), so that a vulnerable service cannot be reached from where it should not be, and so that malware that does get in has fewer paths out.

• Employee Education: In organizational settings, educate users about cybersecurity best practices. Many attacks that deliver zero-day exploits still rely on human error, so training employees on safe online behaviour reduces the risk from zero-day exploits and other digital threats.

• Comprehensive Antivirus Software: Use antivirus or endpoint protection software to protect devices against both known and unknown threats. Such software combines signatures with behavioural detection to block malicious activity, improving overall security.

Examples:
CVE-2018-8453 (2018): This zero-day vulnerability in the Win32k component of Windows was exploited by attackers to gain elevated privileges on targeted systems. The exploit was used in targeted attacks against organizations in the Middle East and Asia, particularly in the government, telecommunications and research sectors.
Pegasus Spyware Exploits (various): Pegasus is a highly sophisticated spyware tool developed by the NSO Group, an Israeli company. It has been delivered through several zero-day exploits targeting vulnerabilities in the mobile operating systems iOS and Android. Pegasus has been used in targeted attacks against journalists, activists and government officials worldwide.
Microsoft Exchange Server Vulnerabilities (2021): In early 2021, Microsoft disclosed four zero-day vulnerabilities affecting its Exchange Server software. These vulnerabilities, collectively known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), were chained by threat actors to gain unauthorized access to Exchange servers, enabling data theft, malware deployment (including web shells) and further network compromise.
https://www.kaspersky.com/resource-center/definitions/zero-day-exploit
Zero-click attack:
Traditionally, spyware relies on persuading the targeted individual to click on a link or open a file in order to install itself on their device. In a zero-click attack, the malware is installed without any action from the victim. Consequently zero-click malware, or no-click malware, poses a significantly greater threat.
The minimal interaction required in zero-click attacks leaves fewer traces of malicious activity. This, combined with the rarity of vulnerabilities that can be exploited without any user interaction, makes such exploits particularly valuable to attackers.
Even basic zero-click attacks leave minimal traces, making them extremely challenging to detect. Moreover, the same security features that protect software, such as sandboxing and end-to-end encryption of messages, often make zero-click attacks harder to identify from the outside. Zero-click exploits have existed for years, but their prevalence has increased with the widespread use of smartphones, which store vast amounts of personal data.
How does a zero-click attack function?
Zero-click attacks often target messaging or voice-calling apps because these are designed to receive and parse data from untrusted sources automatically, before the user sees anything. Attackers send specially crafted data, such as a message, image, PDF or call-setup packet, that triggers a bug in the parser and lets them run code on the device.
A hypothetical zero-click attack might unfold as follows:
1. Cybercriminals identify a vulnerability in a mail or messaging app, typically in the code that parses incoming content.
2. They exploit the vulnerability by sending a carefully crafted message to the target.
3. The app processes the message automatically, and the malformed content triggers the flaw (for example a memory-corruption bug in an image or text parser), giving the attacker code execution on the device.
4. The attacker's message may then be deleted so that nothing remains on the device to show how the compromise happened.
5. Consequently, the attackers gain access to read, edit, leak or delete messages and other data.

Examples of zero-click malware

Zero-click vulnerabilities can affect various devices, including those running Apple and Android operating systems. Notable examples of zero-click exploits include:

1. Apple zero-click, ForcedEntry, 2021:
In 2021 a Bahraini human rights activist had their iPhone hacked using powerful spyware sold to nation-states. The exploit, dubbed ForcedEntry, bypassed the BlastDoor protections Apple had added to iMessage to resist exactly this kind of covert compromise. Citizen Lab, an internet watchdog at the University of Toronto, discovered the hack. Analysis revealed that it exploited a previously unknown flaw in Apple's iMessage, allowing the installation of the Pegasus spyware developed by the Israeli firm NSO Group.
2. Jeff Bezos, 2018:
In 2018 Saudi Arabia's Crown Prince allegedly sent Amazon CEO Jeff Bezos a WhatsApp message containing a video promoting Saudi Arabia's telecom market. The video file purportedly contained code that enabled the sender to extract information from Bezos's iPhone over several months, including text messages, instant messages, emails, and potentially recordings from the phone's microphone.
3. Project Raven, 2016:
Project Raven refers to the UAE's offensive cyber operations unit, which included Emirati security officials and former US intelligence operators working as contractors. They reportedly used a tool called Karma to exploit a flaw in iMessage, using specially crafted text messages to hack into the iPhones of activists, diplomats and rival foreign leaders, gaining access to photos, emails, text messages and location data.

How to safeguard against zero-click exploits

Given that zero-click attacks require no interaction from the victim, there are limited measures individuals can take to protect themselves. Certain steps can still reduce the risk:

- Keep operating systems, firmware and apps up to date as soon as updates are offered; vendors patch the exploited parsers once a zero-click chain is discovered.
- Download apps only from official stores.
- Delete unused apps; every app that parses incoming data is attack surface.
- Avoid jailbreaking or rooting devices, as it removes built-in protections such as sandboxing.
- Use strong device passcodes and strong authentication methods for critical accounts.
- Employ strong, unique passwords.
- Regularly back up systems to speed up recovery, including in the case of ransomware.
- Use antivirus or mobile security software to protect devices against both known and unknown threats; such software uses behavioural as well as signature-based detection to block malicious activity. Users at high risk can additionally enable a hardened mode such as Apple's Lockdown Mode, which disables many of the message-preview and attachment-parsing features that zero-click exploits target.
https://usa.kaspersky.com/resource-center/definitions/what-is-zero-click-malware

One-click attack:

A one-click attack is a cyberattack that requires a single click or a single interaction from the user for the attacker to gain access. The interaction is usually provoked by sending a malicious link or attachment by email, chat or social media. Once the victim performs this action the attack is initiated: malware is installed on the victim's device, or the victim is taken to a page that harvests credentials, which then leads to further malicious activity.
Working:
The attacker sends a phishing email or social-media message to the victim containing a malicious link or attachment.
The victim clicks the link or opens the attachment. The content then either exploits a weakness in the victim's browser, document viewer or other software to install malware silently, or tricks the victim into entering credentials or other personal information on a fake page.
The attacker gains unauthorized access to the victim's device, network or sensitive information, which they can use to steal data, commit fraud or spread more malware.
Protection:
Use tools that detect and block phishing emails, spam and harmful attachments before they reach users' inboxes. This lowers the chance of users falling for one-click attacks via email.
Install antivirus software or endpoint detection and response (EDR) tools to spot and stop malicious files or behaviour on devices.
Regularly update all software, operating systems and firmware with the latest security patches, so that a single click cannot exploit a known flaw.
Add a layer of security beyond passwords by using MFA for sensitive systems and accounts. This makes it harder for attackers to get in even if they steal login details through a one-click attack; phishing-resistant methods such as FIDO2 security keys also defeat proxy phishing pages that relay the victim's one-time code.
Employ web filtering to stop users from reaching known bad websites or pages hosting malware or phishing content.
Examples:
The WannaCry ransomware outbreak of 2017 is often cited as an example, but it is a poor fit for the one-click model: WannaCry spread across networks on its own by exploiting the EternalBlue vulnerability in the Windows SMB service, with no user interaction, and its initial entry point was never firmly established as a phishing click. Once on a machine it encrypted files and demanded payment for decryption.
A better example is the Emotet malware campaign, which has been active since 2014. Emotet spreads through phishing emails containing malicious attachments or links. Once a victim opens the attachment and enables the macros it asks for, Emotet installs itself on the system, allowing attackers to steal sensitive information or deploy additional malware such as ransomware.
The NotPetya attack of 2017 is usually classed as a supply-chain compromise rather than a one-click attack: it was delivered through a malicious software update for the Ukrainian accounting program MeDoc, so the only user action involved was installing a routine update. Once inside a network it spread automatically, encrypting files and causing widespread damage to businesses worldwide.

Part 3
MITRE ATT&CK:
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework that catalogues the tactics (the adversary's goals) and techniques (how those goals are achieved) observed in real-world cyberattacks. It provides a structured way to understand and analyse the behaviour of threat actors, helping organizations map their detections, improve their defensive strategies and guide incident response.
Here is a list of the tactics, with some of the techniques grouped under each, from the MITRE ATT&CK Enterprise matrix:
Reconnaissance:
Reconnaissance consists of techniques that involve adversaries actively or passively
gathering information that can be used to support targeting. Such information may include
details of the victim organization, infrastructure, or staff/personnel. This information can be
leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using
gathered information to plan and execute Initial Access, to scope and prioritize post-
compromise objectives, or to drive and lead further Reconnaissance efforts.
Techniques:
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Search Victim-Owned Websites
Resource Development:
Resource Development consists of techniques that involve adversaries creating,
purchasing, or compromising/stealing resources that can be used to support targeting.
Such resources include infrastructure, accounts, or capabilities. These resources can be
leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using
purchased domains to support Command and Control, email accounts for phishing as a
part of Initial Access, or stealing code signing certificates to help with Defense Evasion.
Techniques:
Acquire Access
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Stage Capabilities

Initial Access:
Initial Access consists of techniques that use various entry vectors to gain an initial foothold in a victim environment, such as phishing or exploiting vulnerabilities in public-facing services.

Techniques:

Content Injection
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Phishing
Replication Through Removable Media
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution:

Techniques used to run malicious code on a target system, such as executing binaries or scripts.
Techniques that run malicious code are often paired with techniques from all other tactics to
achieve broader goals, like exploring a network or stealing data. For example, an adversary might
use a remote access tool to run a PowerShell script that does Remote System Discovery.

Techniques:

Command and Scripting Interpreter


Container Administration Command
Deploy Container
Exploitation for Client Execution
Inter-Process Communication
Native API
Scheduled Task/Job
Serverless Execution
Shared Modules
Software Deployment Tools
System Services
User Execution
Windows Management Instrumentation
Persistence:
Establishing mechanisms to maintain access to a compromised system over time, such as
creating backdoors or modifying startup configuration. Persistence consists of techniques
that adversaries use to keep access to systems across restarts, changed credentials, and
other interruptions that could cut off their access.
Techniques:
Account Manipulation
BITS Jobs
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Browser Extensions
Compromise Client Software Binary
Create Account
Create or Modify System Process
Event Triggered Execution
External Remote Services
Hijack Execution Flow
Implant Internal Image
Modify Authentication Process
Office Application Startup
Power Settings
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts

Privilege Escalation:

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives.

Techniques:

Abuse Elevation Control Mechanism


Access Token Manipulation
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Escape to Host
Event Triggered Execution
Exploitation for Privilege Escalation
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion:
Defense Evasion consists of techniques that adversaries use to avoid detection throughout
their compromise. Techniques used for defense evasion include uninstalling/disabling
security software or obfuscating/encrypting data and scripts. Adversaries also leverage and
abuse trusted processes to hide and masquerade their malware.
Techniques:

Credential access:
Credential Access consists of techniques for stealing credentials like account names and
passwords. Techniques used to get credentials include keylogging or credential dumping.
Using legitimate credentials can give adversaries access to systems, make them harder to
detect, and provide the opportunity to create more accounts to help achieve their goals.
Techniques:
Adversary-in-the-Middle
Brute Force
Credentials from Password Stores
Exploitation for Credential Access
Forced Authentication
Forge Web Credentials
Input Capture
Modify Authentication Process
Multi-Factor Authentication Interception
Multi-Factor Authentication Request Generation
Network Sniffing
OS Credential Dumping
Steal Application Access Token
Steal or Forge Authentication Certificates
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
Unsecured Credentials
Discovery:
Discovery consists of techniques an adversary may use to gain knowledge about the system
and internal network. These techniques help adversaries observe the environment and
orient themselves before deciding how to act. They also allow adversaries to explore what
they can control and what’s around their entry point in order to discover how it could benefit
their current objective.
Techniques:
Account Discovery
Application Window Discovery
Browser Information Discovery
Cloud Infrastructure Discovery
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
Container and Resource Discovery
Debugger Evasion
Device Driver Discovery
Domain Trust Discovery
File and Directory Discovery
Group Policy Discovery
Log Enumeration
Network Service Discovery
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Software Discovery
System Information Discovery
System Location Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
