Techniques

Techniques detail the specific actions or methods that adversaries may employ during business logic attacks. They are the low-level activities an adversary performs to achieve a tactical goal; each technique below is mapped to the tactic(s) it serves and the phase(s) of an operation in which it appears.

| ID | Name | Description | Tactic(s) | Phase(s) |
|---|---|---|---|---|
| TEQ-001 | Cloning | An adversary copies a legitimate website to create a replica of it. This is generally done when the adversary wants to impersonate the legitimate site for illegitimate purposes. | Website Creation | Resource Development |
| TEQ-002 | URL Disguise | An adversary attempts to make their illegitimate version of a legitimate site appear to be the legitimate domain by associating it with a similar URL (such as F0rbes.com or G00gle.com). Traffic to and from this site may thus be mistaken by a human analyst as being... | Website Creation | Resource Development |
| TEQ-003 | Data Dumps | The adversary obtains data, such as credentials or payment details, from previous breaches. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-004 | Malware | Malware is any software intentionally designed to cause damage to a computer, server, client or network. A wide variety of malware types exist, including viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wipers and scareware. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-005 | Person in the Middle | The adversary intercepts traffic between two hosts. This allows them to read the traffic sent from host A to host B and to manipulate the data in transit. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-006 | Social Engineering | The fraudulent attempt to obtain information or data, such as usernames, passwords, credit card numbers or other sensitive details, by impersonating a trustworthy entity. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-007 | Fake Credibility Generation | The adversary seeks to establish their credibility by building a false reputation. Some sites limit certain interactions or activities to accounts that have performed certain actions or have been active on the site for a certain length of time. Other defensive measures include a broad assessment of Internet activity... | Credential Acquisition, Human Emulation | Resource Development, Defence Bypass |
| TEQ-008 | Botnet | A botnet is a number of Internet-connected devices, each running one or more bots (essentially allowing the device to be controlled remotely without the permission of the system owner). Botnets can be used to perform distributed attacks from many different sources simultaneously. | Infrastructure Acquisition, Proxying | Resource Development, Defence Bypass |
| TEQ-009 | Command & Control | An adversary employs command and control in order to remotely issue instructions to large numbers of devices. | Infrastructure Acquisition | Resource Development |
| TEQ-010 | Proxies | In preparing for an attack, an adversary may seek to acquire proxy servers through which to route traffic. This allows them to disguise the true source of the traffic, enabling one source to appear as many and/or bypassing IP-based blocking. | Infrastructure Acquisition | Resource Development |
| TEQ-011 | Supply Chain Compromise | The adversary targets third-party organisations known to be affiliated with their main target in order to compromise infrastructure used by the main target. For example, adversaries may compromise software that the main target uses, cloud-based infrastructure, or even CDNs used by the main target. | Infrastructure Acquisition | Resource Development |
| TEQ-012 | Development of Tools | An adversary creates a tool that facilitates a targeted attack on a specific company and/or uses a specific attack technique, depending on the adversary's intent and the chosen attack methodology. | Tool Development | Resource Development |
| TEQ-013 | Testing of Tools | An adversary tests the tools they have acquired, developed or purchased for their effectiveness and utility in the intended attack. This may also include learning how the tool functions in a live exercise. | Tool Development | Resource Development |
| TEQ-014 | Campaign Reuse | The adversary reuses previously seen campaign elements or tools in a new campaign. | Tool Development | Resource Development |
| TEQ-015 | Continual Content Scraping | Scraping the same web app or API continuously, without breaks in the run time. This is usually performed to detect the exact moment something becomes available (such as a new limited-run product the adversary wishes to be among the first to acquire). | Specific Target, Loose Target | Reconnaissance |
| TEQ-016 | Periodic Content Scraping | Scraping a web app or API in periodic bursts with breaks between each run. This is generally performed to acquire information without generating a pattern of continuous activity that vigilant defenders are likely to block, and without putting undue strain on the web app or API. | Specific Target, Loose Target | Reconnaissance |
| TEQ-017 | Technical Reconnaissance | An adversary seeks technical information about the target (such as sub-domains, IP addresses and the types of software the target uses) to better inform later stages of the attack. | Specific Target, Loose Target | Reconnaissance |
| TEQ-018 | CAPTCHA Farm | When challenged by a CAPTCHA, a bot may hand off the session to a human operator who completes the challenge and returns the session to the bot to continue its activities. | Mitigation Bypass | Defence Bypass |
| TEQ-019 | Automated CAPTCHA Bypass | An adversary equips their bot with the capability to bypass CAPTCHA challenges automatically, without human interaction. | Mitigation Bypass | Defence Bypass |
| TEQ-020 | Token Bypass | The adversary abuses token-based mitigation mechanisms, for example by reusing cross-site request forgery (CSRF) tokens so that forged requests are accepted. | Mitigation Bypass | Defence Bypass |
| TEQ-021 | Cookie Abuse | The adversary abuses cookies, for example by reusing valid session cookies or by spoofing the contents expected by a cookie-based protection mechanism. | Mitigation Bypass | Defence Bypass |
| TEQ-022 | Accessibility Options Abuse | The adversary uses inbuilt accessibility tools or options to bypass defences, emulate human behaviour or perform actions they should not be allowed to. | Mitigation Bypass, Human Emulation, Fake Interaction | Defence Bypass, Attack Execution |
| TEQ-023 | MFA Bypass | The adversary circumvents multi-factor authentication (MFA) mechanisms, for example by using accessibility options to interact with MFA notifications. | Mitigation Bypass | Defence Bypass |
| TEQ-024 | Credential Pinning | The adversary abuses credential stores, for example by hard-coding valid credentials into an application. | Mitigation Bypass | Defence Bypass |
| TEQ-025 | Certificate Abuse | The adversary abuses certificates and certificate services, for example by pinning certificates to applications or browsers with the intention of impersonating a legitimate user. | Mitigation Bypass | Defence Bypass |
| TEQ-026 | Mouse Usage | A bot may emulate human-like mouse usage on a web page in order to impersonate a human visitor. | Human Emulation | Defence Bypass |
| TEQ-027 | User Agent Spoofing | The adversary replaces the User-Agent string that identifies the browser with another string. This disguises the adversary's browser and device, allowing them to impersonate other devices. | Human Emulation, Proxying | Defence Bypass |
| TEQ-028 | Device Fingerprint Emulation | An adversary creates a fake device fingerprint that disguises their genuine digital footprint by providing false information about the supporting software and framework types and versions. This allows them to hide their own identity and/or impersonate another person online. | Human Emulation | Defence Bypass |
| TEQ-029 | Notification Hijack | The adversary changes notifications, or interacts with them, to trick the end user or to fake an interaction. | Human Emulation, Fake Interaction | Defence Bypass, Attack Execution |
| TEQ-030 | IP Rotation | Adversaries employ IP rotation to conceal the fact that a suspiciously high number of connections all originate from a single point. The adversary rotates their traffic through multiple proxies so that each connection (or group of connections) is seen from a new IP address. | Proxying | Defence Bypass |
| TEQ-031 | IP Spoofing | IP spoofing allows an adversary to create Internet Protocol (IP) packets with a false source address in order to impersonate another computing system and obfuscate the origin of the traffic. | Proxying | Defence Bypass |
| TEQ-032 | Domain Fronting | The adversary uses different domain names to hide the intended source and/or destination of a request, for example by presenting a benign domain in the TLS handshake while the true destination is carried in the HTTP Host header, behind a content delivery network (CDN). | Proxying | Defence Bypass |
| TEQ-033 | Smurfing | The adversary hides their true identity by performing actions through multiple accounts. | Proxying | Defence Bypass |
| TEQ-034 | Volumetric Traffic Disguise | An adversary directs a large volume of traffic at the victim and hides the true attack within it, so that the real attack is less likely to be noticed amongst the "noise" generated by the large volume of traffic. | Smokescreening | Defence Bypass |
| TEQ-035 | Target Diversification | The adversary reduces the footprint of their attack by spreading it across multiple intermediary targets, thereby reducing the likelihood of being detected. | Smokescreening | Defence Bypass |
| TEQ-036 | Social Media Creation | The adversary creates multiple social media accounts to allow interaction with different geographic locations or groups. | Account Creation | Attack Execution |
| TEQ-037 | Email Generator | An email generator is a temporary electronic mailbox that gives an adversary the ability to send and receive messages. This allows the adversary to conceal their true identity and contact details, impersonate others, bypass blocks placed on specific email addresses, and bypass restrictions based around limiting activities on a site... | Account Creation | Attack Execution |
| TEQ-038 | Call/SMS Generator | A call/SMS generator allows an adversary to make and receive calls and text messages online while obfuscating their true identity behind fake contact details. This allows an adversary to impersonate multiple people from a single point by pretending to have multiple different phones. | Account Creation | Attack Execution |
| TEQ-039 | Virtual Wallet Creation | The adversary creates a virtual wallet, in the form of a crypto wallet or a fiat currency account, in order to facilitate online transactions that are difficult to trace. | Account Creation | Attack Execution |
| TEQ-040 | Credential Cracking | An adversary attempts to identify valid login credentials by guessing different values for username and/or password combinations. In some cases the adversary guesses both usernames and passwords; in others they already have part of the credentials (such as the username) and will try to... | Account Takeover | Attack Execution |
| TEQ-041 | Credential Stuffing | An adversary who has a list of credential pairs (i.e. usernames and passwords) injects them into website login pages in an effort to determine which are accepted as legitimate login credentials. The target of such an attack may not be the organisation from which the credentials were initially... | Account Takeover | Attack Execution |
| TEQ-042 | SSO Compromise | The adversary abuses single sign-on mechanisms to gain unauthorised access to a user's account. | Account Takeover | Attack Execution |
| TEQ-043 | Comment Flooding | An adversary repeatedly posts the same or similar comments over and over. This may be employed to prevent the comments page from being used in its intended fashion by overwhelming legitimate users with large numbers of comments, or to hide comments of a particular type by... | Fake Interaction | Attack Execution |
| TEQ-044 | Click Interaction | An adversary's bot interacts with a web page by clicking on it. This may be for purposes such as upvoting/downvoting particular content, or clicking on adverts either to generate advertising revenue or to "burn" a competitor's pay-per-click advertising budget. | Fake Interaction | Attack Execution |
| TEQ-045 | Written Interaction | The bot automatically generates written posts that convey the message the adversary desires and/or "bury" opposing comments. | Fake Interaction | Attack Execution |
| TEQ-046 | Play Media | An adversary employs a bot to complete the runtime of media (such as video) for the adversary's benefit; for example, the bot may impersonate a human watching adverts on a web page in order to generate revenue for the adversary from marketing initiatives. | Fake Interaction | Attack Execution |
| TEQ-047 | Form Filling | The adversary automates filling out forms on a site for purposes such as denial of service, skewing analytics, link generation and inconveniencing the target. | Fake Interaction | Attack Execution |
| TEQ-048 | Overlay Attack | The adversary overlays a window on top of another application to alter the information displayed to a user or to steal user input. | Fake Interaction | Attack Execution |
| TEQ-049 | Automated Add to Cart | An adversary employs automated means to add an item to a digital cart, generally far faster than any human could. This is typically used by scalper bots targeting a desired product or service. | Stock Purchase, Spinning, Sniping | Attack Execution |
| TEQ-050 | Automated Purchase | An adversary uses automated means to complete a purchase, generally far faster than any human could. | Stock Purchase, Spinning, Sniping | Attack Execution |
| TEQ-051 | Stock Price Manipulation | The adversary emulates legitimate user behaviour on the stock market to influence stock prices. | Stock Purchase | Attack Execution |
| TEQ-052 | Distributed Stock Purchase | The adversary makes purchases from multiple stores or locations to avoid detection. | Stock Purchase | Attack Execution |
| TEQ-053 | Inventory Hoarding | An adversary reserves the product or service in their cart without completing the purchase. They either hold it indefinitely to deny legitimate customers the chance to purchase it, or advertise the stock for sale elsewhere, and only upon confirming the sale there will they complete the original purchase or... | Spinning | Attack Execution |
| TEQ-054 | Transfer of Cart | The adversary hands over a digital cart (containing a desired service or product) to another individual for them to complete the transaction. This often involves the adversary selling the cart to a third party who is eager to acquire the service or product it contains. | Spinning | Attack Execution |
| TEQ-055 | Automated Sale | The adversary uses automation to advertise stock of a particular item on a third-party website before, at the time of, or after purchasing the desired item from the target site. In some cases the purchase is completed only after a confirmed sale of the item at an... | Spinning, Sniping, Sale | Attack Execution, Post-Attack |
| TEQ-056 | Automated Bid | The adversary's bot places a bid on an auction automatically. This is generally done at the last possible moment (often within a fraction of a second) and with a bid the smallest possible amount higher than the prior highest bid, so that no other actors have time... | Sniping | Attack Execution |
| TEQ-057 | Pre-Release Buying | The adversary completes a purchase before the product is publicly released. This is often achieved by exploiting technical vulnerabilities in the purchase/order system, or is facilitated by an insider threat. | Sniping | Attack Execution |
| TEQ-058 | Limitation Policy Bypass | The adversary attempts to bypass numerical restrictions, for example limits on the quantity of stock a single customer may purchase. | Policy Abuse | Attack Execution |
| TEQ-059 | Terms of Use Abuse | The adversary violates the terms of use or service agreements to which they are party. | Policy Abuse | Attack Execution |
| TEQ-060 | Returns Abuse | The adversary abuses a merchant's return or refund policy for financial gain, for example by claiming a refund but returning a similar but less valuable item than the original purchase. | Policy Abuse | Attack Execution |
| TEQ-061 | Credit/Debit Card Abuse | The adversary uses stolen payment card information in order to complete an action (often a purchase). | Payment Detail Abuse | Attack Execution |
| TEQ-062 | Gift Card Abuse | The adversary uses gift card information to complete transactions on a site. This may involve stealing gift card information, purchasing it from an illegitimate source, or correctly guessing it. | Payment Detail Abuse | Attack Execution |
| TEQ-063 | Loyalty Points Abuse | Targeting an organisation that runs a loyalty or bonus points scheme, an adversary steals or otherwise illegitimately uses loyalty or bonus points to perform transactions, either on the targeted site or on a third-party affiliate site. | Payment Detail Abuse | Attack Execution |
| TEQ-064 | Buy Now Pay Later Abuse | The adversary makes a purchase using a buy-now-pay-later service with the intention of abusing the contract and withholding payment once the goods or services are received. | Policy Abuse, Payment Detail Abuse | Attack Execution |
| TEQ-065 | ATS Fraud | The adversary uses automatic transfer services to withdraw funds or make financial transactions, often without the knowledge or informed permission of the account owner. | Transaction Redirect | Actions on the Objective |
| TEQ-066 | Automated Advertisement of Stock | Having identified the availability of a desired product or service, an adversary employs automated means to repost the stock levels to a third-party site or forum. | Exfiltration | Actions on the Objective |
| TEQ-067 | Credential Dumping | The adversary releases or sells credentials that should not be made publicly available. These are normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
| TEQ-068 | API Information Flow Exfiltration | The adversary gathers and exfiltrates information, such as vulnerabilities and exposures, from API endpoints. | Exfiltration | Actions on the Objective |
| TEQ-069 | Payment Detail Dumping | The adversary releases or sells payment details that should not be made publicly available, such as credit card information. These are normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
| TEQ-070 | PII Dumping | The adversary releases or sells personally identifiable information (PII) that should not be made publicly available. This is normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
| TEQ-071 | PO Box Obfuscation | The adversary places an order on a site with delivery set to a PO Box rather than a legitimate address. This allows receipt of the product without revealing the adversary's true address and/or bypasses address-based restrictions. | Invoice Abuse | Post-Attack |
| TEQ-072 | Jigging | The adversary modifies the address and personal information just enough to avoid automated controls that detect a single address being used multiple times (a common defensive measure used to limit the number of times a specific individual can purchase a specific item). The address will nonetheless be written in a... | Invoice Abuse | Post-Attack |
| TEQ-073 | Fake Identity | The adversary hides their true identity by providing fake details, such as name and phone number, to the invoicing process. | Invoice Abuse | Post-Attack |
| TEQ-074 | Driver Intercept | Driver intercept is used once an order has been placed and shipped for delivery. The adversary contacts the delivery organisation and redirects the delivery to a different location, such as an alternative address, a PO Box or an Amazon secure locker. | Delivery Redirect | Post-Attack |
| TEQ-075 | Redelivery Abuse | The adversary obtains a redelivery card and uses it for their own benefit. | Delivery Redirect | Post-Attack |
| TEQ-076 | Manual Sale | The adversary manually advertises stock of a particular item on a third-party website, either before or after purchasing the desired item from the target site. | Sale | Post-Attack |
| TEQ-077 | New Site Creation | The adversary creates an original website to support their operations, for example to host advertisements or malicious content. | Website Creation | Resource Development |
| TEQ-078 | Valid Accounts | The adversary obtains and exploits access to valid user accounts on the target web service or API. | Credential Acquisition | Resource Development |
| TEQ-079 | Fund Withdrawal | The adversary withdraws monetary balances from the target to an account under their control. | Transaction Redirect | Actions on the Objective |
| TEQ-080 | Information Brokerage | The adversary sells information gathered as a result of the operation for financial gain. | Sale | Post-Attack |
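The look-alike domains used for URL Disguise (TEQ-002) are caught by comparing a "skeleton" of each observed domain, with digits and Unicode confusables folded to the Latin letters they imitate, against a list of protected brands. The following is an added example, not code from the original page; the protected-brand list, the hand-picked confusables subset and the hosts checked are constructed assumptions. It uses Python's standard `idna` codec and `unicodedata` only.

```python
"""Look-alike domain check for the URL Disguise technique (TEQ-002).
Added example, not code from the original page. The protected-brand list
and the hosts checked are constructed for illustration."""
import unicodedata

PROTECTED = ["forbes.com", "google.com", "example-bank.com"]  # assumption: brands we defend

# Characters an adversary substitutes for Latin letters: digits (F0rbes, G00gle)
# and a few Cyrillic confusables. A deployment should load the full Unicode
# confusables table (UTS #39) rather than this hand-picked subset.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(domain: str) -> str:
    """Comparison key: lower-case, decode punycode if present, NFKC-normalise,
    fold confusables to their Latin look-alike, drop hyphens."""
    domain = domain.strip().rstrip(".").lower()
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: compare as-is
    folded = "".join(CONFUSABLES.get(ch, ch)
                     for ch in unicodedata.normalize("NFKC", domain))
    return folded.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Real code should consult the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.strip().lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, protected=PROTECTED, max_distance: int = 1):
    """Return (verdict, brand): 'legitimate' for an exact registrable-domain
    match, 'lookalike' when the folded skeleton is within max_distance edits
    of a protected brand's skeleton, otherwise 'unrelated'."""
    dom = registrable(host)
    if dom in protected:
        return "legitimate", dom
    sk = skeleton(dom)
    best = None
    for brand in protected:
        d = edit_distance(sk, skeleton(brand))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    for h in ["F0rbes.com", "www.G00gle.com", "f\u043erbes.com",
              "login.example-bank.com", "github.com"]:
        print(h, classify(h))
```

Exact matches are checked before any folding so that a protected brand is never reported as a look-alike of itself, and the edit-distance threshold is kept at one because at distance two the false-positive rate against short brand names becomes unusable; a production deployment would add the full confusables table and the Public Suffix List.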
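Continual scraping (TEQ-015) and periodic scraping (TEQ-016) leave different timing signatures in server logs: the former is a metronome, the latter a series of short metronomic bursts separated by long silences, while human browsing is irregular at both scales. The following added example, which is not code from the original page, classifies one client's request timestamps on that basis; the thresholds and the three sample timestamp series are constructed assumptions rather than measured traffic.

```python
"""Classify a client's request cadence as continual (TEQ-015), periodic
(TEQ-016) or irregular from request timestamps alone. Added example, not
from the original page; thresholds and sample series are assumptions."""
import statistics
from itertools import accumulate


def _cv(values):
    """Coefficient of variation: spread relative to the mean; ~0 for a metronome."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def classify_cadence(times, min_requests=20, max_cv=0.25, burst_gap=30.0, min_bursts=3):
    """times: sorted request timestamps (seconds) for one client.

    'continual'    enough requests with near-constant spacing and no breaks
    'periodic'     several bursts separated by >= burst_gap seconds, each
                   burst internally metronomic
    'irregular'    everything else (what human browsing usually looks like)
    'insufficient' too few requests to judge"""
    if len(times) < min_requests:
        return "insufficient"
    gaps = [b - a for a, b in zip(times, times[1:])]
    if _cv(gaps) <= max_cv:
        return "continual"
    bursts = 1 + sum(g >= burst_gap for g in gaps)
    within = [g for g in gaps if g < burst_gap]
    if bursts >= min_bursts and within and _cv(within) <= max_cv:
        return "periodic"
    return "irregular"


# Constructed series (seconds since the client's first request), not real traffic.
CONTINUAL = [i * 0.5 for i in range(40)]                              # one hit every 500 ms
PERIODIC = [b * 300.0 + i * 1.0 for b in range(4) for i in range(10)]  # 10 hits 1 s apart, every 5 min
HUMAN_GAPS = [2.1, 7.4, 0.9, 15.3, 3.2, 40.5, 1.1, 6.6, 22.0, 3.3, 9.8, 0.7,
              51.0, 2.5, 4.4, 12.1, 1.9, 8.8, 33.3, 2.2, 5.5, 0.6, 19.4, 3.7]
HUMAN = list(accumulate([0.0] + HUMAN_GAPS))                           # irregular at both scales


def summarise():
    """Verdict for each constructed client."""
    return {name: classify_cadence(t) for name, t in
            [("continual", CONTINUAL), ("periodic", PERIODIC), ("human", HUMAN)]}


if __name__ == "__main__":
    print(summarise())
```

The check is deliberately keyed on spacing rather than volume, because a periodic scraper can stay under any per-minute rate limit; a bot that adds random jitter defeats it, so treat the verdict as one signal to combine with path coverage and session behaviour rather than a block-worthy result on its own.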
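Token Bypass (TEQ-020) works when a CSRF token is static, unbound and reusable; Cookie Abuse (TEQ-021) works when nothing ties a token to the session it was issued for. The following added example, not code from the original page, shows the weak pattern beside a hardened one in which the token is HMAC-signed over the session ID, the action and an expiry, and is consumed on first use. The server key, session IDs, action names and in-memory nonce store are constructed assumptions standing in for a real deployment's secret management and session storage.

```python
"""CSRF token handling: a reusable token (what Token Bypass, TEQ-020, abuses)
beside a bound, expiring, single-use token. Added example, not from the page;
the key, session store and action names are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, normally from a KMS

# --- Weak version: one static token per session, accepted forever, reusable,
#     and valid for any action. Capture it once and replay it at will.
WEAK_TOKENS = {}


def weak_issue(session_id):
    return WEAK_TOKENS.setdefault(session_id, secrets.token_hex(16))


def weak_verify(session_id, token):
    return WEAK_TOKENS.get(session_id) == token  # no expiry, no single use, no action binding


# --- Hardened version
USED_NONCES = set()  # assumption: in a real service a per-session store with a TTL


def issue_token(session_id, action, ttl=600, now=None):
    """Token = exp.nonce.mac, where mac covers session, action, exp and nonce."""
    exp = int(now if now is not None else time.time()) + ttl
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{action}|{exp}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{nonce}.{mac}"


def verify_token(session_id, action, token, now=None):
    """Return (ok, reason). The session ID must come from the server-side
    session bound to the request's cookie, never from the request body."""
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False, "malformed"
    msg = f"{session_id}|{action}|{exp}|{nonce}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"  # other session, other action, or tampered fields
    if (now if now is not None else time.time()) > exp:
        return False, "expired"
    if nonce in USED_NONCES:
        return False, "replayed"
    USED_NONCES.add(nonce)  # consume only after every other check has passed
    return True, "ok"


if __name__ == "__main__":
    t = issue_token("sess-A", "transfer")
    print(verify_token("sess-A", "transfer", t))   # (True, 'ok')
    print(verify_token("sess-A", "transfer", t))   # (False, 'replayed')
    print(verify_token("sess-B", "transfer", t))   # (False, 'bad signature')
```

The signature is checked before the nonce is consumed so that a forged or cross-session token cannot burn a legitimate user's nonce, and `hmac.compare_digest` avoids a timing side channel on the comparison. Binding to the session ID only helps if the session cookie itself is hard to steal and is rotated at login, so pair this with `HttpOnly`, `Secure` and `SameSite` cookie attributes.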
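Credential Cracking (TEQ-040) and Credential Stuffing (TEQ-041) have a simple signature when they come from one address: many distinct usernames, mostly failing. IP Rotation (TEQ-030) is what breaks per-IP detection, because each address then makes only one or two attempts. The following added example, not code from the original page, runs both checks over constructed login log lines: a per-IP rule and a per-minute rule that counts single-attempt IPs with a high failure rate. The log format, thresholds and IP ranges are assumptions.

```python
"""Detect credential stuffing / cracking (TEQ-040, TEQ-041) in login logs,
including the IP-rotation case (TEQ-030). Added example, not from the page;
the log format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.5 sprays six usernames; 198.51.100.7-14 rotate, one attempt each;
# 192.0.2.20 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:01 203.0.113.5 bob FAIL
2024-05-01T10:00:02 203.0.113.5 carol FAIL
2024-05-01T10:00:03 203.0.113.5 dave FAIL
2024-05-01T10:00:04 203.0.113.5 erin OK
2024-05-01T10:00:05 203.0.113.5 frank FAIL
2024-05-01T10:00:06 198.51.100.7 alice FAIL
2024-05-01T10:00:07 198.51.100.8 bob FAIL
2024-05-01T10:00:08 198.51.100.9 carol FAIL
2024-05-01T10:00:09 198.51.100.10 dave FAIL
2024-05-01T10:00:10 198.51.100.11 erin FAIL
2024-05-01T10:00:11 198.51.100.12 frank FAIL
2024-05-01T10:00:12 198.51.100.13 grace FAIL
2024-05-01T10:00:13 198.51.100.14 heidi FAIL
2024-05-01T10:05:00 192.0.2.20 heidi FAIL
2024-05-01T10:05:03 192.0.2.20 heidi OK
"""


def parse(log: str):
    """Yield (timestamp, ip, username, success) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def per_ip_stuffing(events, min_attempts=5, min_distinct_users=3, max_success_rate=0.5):
    """Classic signature: one IP tries many different usernames, mostly failing."""
    by_ip = defaultdict(list)
    for _, ip, user, ok in events:
        by_ip[ip].append((user, ok))
    flagged = []
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        success_rate = sum(ok for _, ok in attempts) / len(attempts)
        if (len(attempts) >= min_attempts and len(users) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged.append(ip)
    return sorted(flagged)


def distributed_stuffing(events, min_singleton_ips=5, max_success_rate=0.2):
    """IP-rotation signature (TEQ-030): within one minute many IPs each make a
    single attempt. Individually they look harmless; collectively they fail.
    Returns the ISO start of each flagged minute."""
    windows = defaultdict(lambda: defaultdict(list))
    for ts, ip, _, ok in events:
        windows[ts.replace(second=0, microsecond=0)][ip].append(ok)
    flagged = []
    for start, by_ip in windows.items():
        singletons = {ip: oks[0] for ip, oks in by_ip.items() if len(oks) == 1}
        if len(singletons) < min_singleton_ips:
            continue
        if sum(singletons.values()) / len(singletons) <= max_success_rate:
            flagged.append(start.isoformat())
    return sorted(flagged)


def detect(log: str):
    events = parse(log)
    return {"stuffing_ips": per_ip_stuffing(events),
            "rotation_windows": distributed_stuffing(events)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The per-minute rule trades precision for coverage: a shared NAT or a large office will never look like eight single-attempt addresses, but a flash crowd of password-reset users might, so the action on a flagged window should be a step-up (CAPTCHA or MFA challenge) rather than a block, and the genuine user at 192.0.2.20 is correctly left alone by both rules.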
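Limitation Policy Bypass (TEQ-058) usually rides on Jigging (TEQ-072) of the delivery address and on disposable or aliased e-mail addresses (TEQ-037): each order looks like a new customer to a system that compares raw strings. The following added example, not code from the original page, normalises addresses and e-mail addresses before counting, then links orders that share any normalised identity into one customer and applies the limit to the cluster. The orders, the abbreviation table and the limit are constructed assumptions; the Gmail dot and plus-tag folding reflects how that provider routes mail.

```python
"""Per-customer purchase limit (TEQ-058) that survives jigged addresses
(TEQ-072) and aliased e-mail addresses (TEQ-037). Added example, not from the
page; orders, abbreviation table and limit are constructed assumptions."""
import re

# Assumption: a small street-type and unit-type table; a deployment would use
# a proper address-validation service or the postal authority's list.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "boulevard": "blvd", "lane": "ln", "apartment": "apt", "unit": "apt",
          "suite": "apt", "ste": "apt"}


def normalise_address(addr: str) -> str:
    """Lower-case, turn '#4' into 'apt 4', drop punctuation, fold abbreviations."""
    a = addr.lower()
    a = re.sub(r"#\s*(\w+)", r"apt \1", a)
    a = re.sub(r"[^\w\s]", " ", a)
    return " ".join(ABBREV.get(tok, tok) for tok in a.split())


def normalise_email(email: str) -> str:
    """Strip '+tag' aliases; for Gmail also drop dots and fold the domain alias."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def customer_keys(order):
    """Identities an order can be tied to. Name is deliberately excluded:
    it is too common to be a safe link on its own."""
    return {("addr", normalise_address(order["address"])),
            ("email", normalise_email(order["email"]))}


def link_orders(orders):
    """Union-find over orders: any shared key merges two orders into one customer."""
    parent = list(range(len(orders)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, order in enumerate(orders):
        for key in customer_keys(order):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    clusters = {}
    for i in range(len(orders)):
        clusters.setdefault(find(i), []).append(i)
    return list(clusters.values())


def clusters_over_limit(orders, limit=2):
    """Index groups whose combined quantity exceeds the per-customer limit."""
    return [c for c in link_orders(orders)
            if sum(orders[i]["qty"] for i in c) > limit]


# Constructed orders: three jigged variants of one buyer, then a genuine second customer.
ORDERS = [
    {"name": "John Smith", "email": "john.smith@gmail.com",
     "address": "123 Main Street, Apt 4, Springfield", "qty": 1},
    {"name": "J. Smith", "email": "johnsmith+shoes@gmail.com",
     "address": "123 MAIN ST #4 SPRINGFIELD", "qty": 1},
    {"name": "John A. Smith", "email": "jsmith@example.org",
     "address": "123 main st apt. 4, springfield", "qty": 1},
    {"name": "Alice Jones", "email": "alice@example.org",
     "address": "9 Elm Road, Springfield", "qty": 1},
]

if __name__ == "__main__":
    print(clusters_over_limit(ORDERS))  # the three John Smith orders
```

Linking through a union of keys matters because the third order shares nothing with the first except the address, and the second shares nothing with the third except that address either; a per-key counter would have let two of the three through. Payment instrument and device fingerprint are natural extra keys, with the caveat that both can be rotated by a determined adversary (TEQ-028, TEQ-061).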