Techniques
Techniques detail the specific actions or methods that adversaries may employ during business logic attacks. They are the low-level activities the adversary performs to achieve their tactical goal. Each technique maps to one or more tactics, and each tactic to one or more phases of the attack lifecycle (Resource Development, Reconnaissance, Defence Bypass, Attack Execution, Actions on the Objective, Post-Attack).
ID | Name | Description | Tactic(s) | Phase(s) |
---|---|---|---|---|
TEQ-001 | Cloning | Cloning is when an adversary copies a website to create a replica of that site. It is generally used when the adversary wants to impersonate a legitimate site for illegitimate purposes. | Website Creation | Resource Development |
TEQ-002 | URL Disguise | URL Disguise is where an adversary attempts to make their illegitimate version of a legitimate site appear to be the legitimate domain by associating it with a similar URL (such as F0rbes.com or G00gle.com). Traffic to and from this site may thus be mistaken by a human analyst as being... | Website Creation | Resource Development |
TEQ-003 | Data Dumps | The adversary obtains data, such as credentials or payment details, from previous breaches. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
TEQ-004 | Malware | Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wipers and scareware. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
TEQ-005 | Person in the Middle | A person-in-the-middle attack is when the attacker intercepts traffic between two hosts; this allows the attacker to read the traffic sent from host A to host B and to manipulate the data in transit. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
TEQ-006 | Social Engineering | Social engineering is the fraudulent attempt to obtain information or data, such as usernames, passwords, credit card numbers, or other sensitive details, by impersonating a trustworthy entity. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
TEQ-007 | Fake Credibility Generation | The adversary seeks to establish their credibility by building a false reputation. Some sites limit certain interactions or activities to accounts that have performed certain actions or been active on the site for a certain length of time. Other defensive measures include a broad assessment of Internet activity... | Credential Acquisition, Human Emulation | Resource Development, Defence Bypass |
TEQ-008 | Botnet | A botnet is a number of internet-connected devices, each of which is running one or more bots (essentially allowing the device to be controlled remotely without the permission of the system owner). Botnets can be used to perform distributed attacks from many different sources simultaneously. | Infrastructure Acquisition, Proxying | Resource Development, Defence Bypass |
TEQ-009 | Command & Control | An adversary employs command and control in order to remotely issue instructions to large numbers of devices. | Infrastructure Acquisition | Resource Development |
TEQ-010 | Proxies | In preparing for an attack, an adversary may seek to acquire proxy servers through which to route traffic. This allows them to disguise the true source of the traffic, enabling one source to appear as many and/or permitting the bypassing of IP-based blocking. | Infrastructure Acquisition | Resource Development |
TEQ-011 | Supply Chain Compromise | The adversary targets third-party organisations known to be affiliated with their main target, in order to compromise infrastructure that the main target uses. For example, adversaries can compromise software that the main target uses, cloud-based infrastructure, or even CDNs used by the main target. | Infrastructure Acquisition | Resource Development |
TEQ-012 | Development of Tools | An adversary creates a tool that facilitates a targeted attack on a specific company and/or utilises a specific attack technique, depending on the adversary's intent and the chosen attack methodology. | Tool Development | Resource Development |
TEQ-013 | Testing of Tools | An adversary tests the tools that they have acquired, developed, or purchased for their effectiveness and utility in the intended attack. This may also include learning how the tool functions in a live exercise. | Tool Development | Resource Development |
TEQ-014 | Campaign Reuse | The adversary reuses previously seen campaign elements or tools in a new campaign. | Tool Development | Resource Development |
TEQ-015 | Continual Content Scraping | Scraping the same web app or API continuously, without breaks in the run time. This is usually performed to catch the exact moment when something becomes available (such as a new limited-run product the attacker wishes to be amongst the first to acquire). | Specific Target, Loose Target | Reconnaissance |
TEQ-016 | Periodic Content Scraping | Scraping a web app or API in periodic bursts with breaks between each run. This is generally performed to acquire information without generating the pattern of continuous activity that vigilant defenders are likely to block, and without putting undue strain on the web app or API. | Specific Target, Loose Target | Reconnaissance |
TEQ-017 | Technical Reconnaissance | An adversary seeks technical information about the target (such as sub-domains, IP addresses and the types of software the target uses) to better inform later stages of the attack. | Specific Target, Loose Target | Reconnaissance |
TEQ-018 | CAPTCHA Farm | When challenged by a CAPTCHA, a bot may hand off the session to a human operator who completes the challenge and returns the session to the bot to continue its activities. | Mitigation Bypass | Defence Bypass |
TEQ-019 | Automated CAPTCHA Bypass | An adversary equips their bot with the capability to bypass CAPTCHA challenges automatically, without human interaction. | Mitigation Bypass | Defence Bypass |
TEQ-020 | Token Bypass | The adversary abuses token-based mitigation mechanisms, for example by reusing cross-site request forgery (CSRF) tokens so that forged requests are accepted. | Mitigation Bypass | Defence Bypass |
TEQ-021 | Cookie Abuse | The adversary abuses cookies, for example by reusing valid session cookies or spoofing the contents expected by a cookie-based protection mechanism. | Mitigation Bypass | Defence Bypass |
TEQ-022 | Accessibility Options Abuse | The adversary uses built-in accessibility tools or options to bypass defences, emulate human behaviour or perform actions they should not be allowed to. | Mitigation Bypass, Human Emulation, Fake Interaction | Defence Bypass, Attack Execution |
TEQ-023 | MFA Bypass | The adversary circumvents multi-factor authentication (MFA) mechanisms, for example by using accessibility options to interact with MFA notifications. | Mitigation Bypass | Defence Bypass |
TEQ-024 | Credential Pinning | The adversary abuses credential stores, for example by hard-coding valid credentials into an application. | Mitigation Bypass | Defence Bypass |
TEQ-025 | Certificate Abuse | The adversary abuses certificates and certificate services, for example by pinning certificates to applications or browsers with the intention of impersonating a legitimate user. | Mitigation Bypass | Defence Bypass |
TEQ-026 | Mouse Usage | A bot may emulate human-like mouse movement and clicks on a webpage in order to impersonate a human visitor. | Human Emulation | Defence Bypass |
TEQ-027 | User Agent Spoofing | User-agent spoofing is when an adversary replaces the user agent string that identifies the browser with another string. This disguises the adversary's browser and device, allowing them to impersonate other devices. | Human Emulation, Proxying | Defence Bypass |
TEQ-028 | Device Fingerprint Emulation | An adversary presents a fake device fingerprint that disguises their genuine digital footprint by reporting false information about the supporting software and framework types and versions. This allows them to hide their own identity and/or impersonate another person online. | Human Emulation | Defence Bypass |
TEQ-029 | Notification Hijack | The adversary changes notifications or interacts with notifications to trick the end user or fake an interaction. | Human Emulation, Fake Interaction | Defence Bypass, Attack Execution |
TEQ-030 | IP Rotation | Adversaries employ IP rotation to conceal the fact that a suspiciously high number of connections are all coming from a single point. In IP rotation the adversary routes their traffic through multiple different proxies in order to give each connection (or group of connections) a new IP address. | Proxying | Defence Bypass |
TEQ-031 | IP Spoofing | IP spoofing allows an adversary to create Internet Protocol (IP) packets with a false source IP address for the purpose of impersonating another computing system and obfuscating the origin of the traffic. | Proxying | Defence Bypass |
TEQ-032 | Domain Fronting | The adversary uses different domain names to hide the intended source and/or destination of a request, for example by sitting behind a content delivery network (CDN). | Proxying | Defence Bypass |
TEQ-033 | Smurfing | The adversary hides their true identity by performing actions through multiple accounts. | Proxying | Defence Bypass |
TEQ-034 | Volumetric Traffic Disguise | An adversary directs a large volume of traffic at the victim and hides the true attack within it. The intention is to make the real attack less likely to be noticed amongst the "noise" generated by the large volume of traffic. | Smokescreening | Defence Bypass |
TEQ-035 | Target Diversification | The adversary reduces the footprint of their attack by spreading it across multiple intermediary targets, thereby reducing the likelihood of detection. | Smokescreening | Defence Bypass |
TEQ-036 | Social Media Creation | The adversary creates multiple social media accounts to allow interaction with different geographic locations or groups. | Account Creation | Attack Execution |
TEQ-037 | Email Generator | An email generator is a temporary electronic mailbox that gives an adversary the ability to send and receive messages. This allows the adversary to conceal their true identity and contact details, impersonate others, bypass blocks placed on specific email addresses, and bypass restrictions based around limiting activities on a site... | Account Creation | Attack Execution |
TEQ-038 | Call/SMS Generator | A Call/SMS Generator allows an adversary to make and receive calls and text messages online while obfuscating their true identity behind fake contact details. This allows an adversary to impersonate multiple people from a single point by pretending to have multiple different phones. | Account Creation | Attack Execution |
TEQ-039 | Virtual Wallet Creation | The adversary creates a virtual wallet, in the form of a crypto wallet or standard currency account, in order to facilitate online transactions that are difficult to trace. | Account Creation | Attack Execution |
TEQ-040 | Credential Cracking | Credential cracking is when an adversary attempts to identify valid login credentials by guessing different values for usernames and/or password combinations. In some cases the adversary will guess both usernames and passwords, and in others will have some part of the credentials (such as the username) and will try to... | Account Takeover | Attack Execution |
TEQ-041 | Credential Stuffing | An adversary who has a list of credential pairs (i.e. usernames and passwords) injects them into website login pages in an effort to determine which ones are accepted as legitimate login credentials. The target of such an attack may not be the organisation from which the credentials were initially... | Account Takeover | Attack Execution |
TEQ-042 | SSO Compromise | The adversary abuses single sign-on mechanisms to gain unauthorised access to a user's account. | Account Takeover | Attack Execution |
TEQ-043 | Comment Flooding | Comment Flooding is when an adversary repeatedly posts the same or similar comments over and over. This may be employed to prevent the comments page from being used in its intended fashion by overwhelming legitimate users with large numbers of comments, or to hide comments of a particular type by... | Fake Interaction | Attack Execution |
TEQ-044 | Click Interaction | An adversary's bot interacts with a webpage by clicking on it. This may be for such purposes as upvoting/downvoting particular content, or clicking on adverts to either generate advertising revenue or 'burn' a competitor's pay-per-click advertising budget. | Fake Interaction | Attack Execution |
TEQ-045 | Written Interaction | The bot automatically generates written posts that convey the message the adversary desires and/or 'bury' opposing comments. | Fake Interaction | Attack Execution |
TEQ-046 | Play Media | An adversary employs a bot to complete the runtime of media (such as video) for the benefit of the adversary (for example, the bot may impersonate a human watching adverts on a webpage in order to generate marketing revenue for the adversary). | Fake Interaction | Attack Execution |
TEQ-047 | Form Filling | The adversary automates filling out forms on a site for such purposes as denial of service, skewing analytics, link generation and inconveniencing the target. | Fake Interaction | Attack Execution |
TEQ-048 | Overlay Attack | The adversary overlays a window on top of another application, to alter the information displayed to a user or to steal user input. | Fake Interaction | Attack Execution |
TEQ-049 | Automated Add to Cart | An adversary employs automated means to add an item to a digital cart, generally far faster than any human could. This is typically used by scalper bots targeting a desired product or service. | Stock Purchase, Spinning, Sniping | Attack Execution |
TEQ-050 | Automated Purchase | An adversary uses automated means to complete a purchase, generally far faster than any human could. | Stock Purchase, Spinning, Sniping | Attack Execution |
TEQ-051 | Stock Price Manipulation | The adversary emulates legitimate user behaviour on the stock market to influence stock prices. | Stock Purchase | Attack Execution |
TEQ-052 | Distributed Stock Purchase | The adversary makes purchases from multiple stores or locations to avoid detection. | Stock Purchase | Attack Execution |
TEQ-053 | Inventory Hoarding | An adversary reserves the product or service in their cart without completing the purchase. They will either hold it indefinitely to deny legitimate customers the chance to purchase it, or advertise the stock for sale elsewhere and only complete the original purchase upon confirming the sale there, or... | Spinning | Attack Execution |
TEQ-054 | Transfer of Cart | The adversary hands over a digital cart (containing a desired service or product) to another individual for them to complete the transaction. This often involves the adversary selling the cart to a third party who is eager to acquire the service or product contained therein. | Spinning | Attack Execution |
TEQ-055 | Automated Sale | The adversary uses automation to advertise stock of a particular item on a third-party website either before, at the time of, or after purchasing the desired item from the target site. In some cases, the purchase is completed only after a confirmed sale of the item at an... | Spinning, Sniping, Sale | Attack Execution, Post-Attack |
TEQ-056 | Automated Bid | The adversary's bot makes a bid on an auction automatically. This is generally done at the last possible moment (often within a fraction of a second of the close) and with a bid only the smallest possible increment above the prior highest bid, so that no other actors have time... | Sniping | Attack Execution |
TEQ-057 | Pre-Release Buying | The adversary completes a purchase before the product is publicly released. This is often perpetrated by exploiting technical vulnerabilities in the purchase/order system or facilitated by an insider threat. | Sniping | Attack Execution |
TEQ-058 | Limitation Policy Bypass | The adversary attempts to bypass numerical restrictions, for example limits on the quantity of stock that may be purchased. | Policy Abuse | Attack Execution |
TEQ-059 | Terms of Use Abuse | The adversary violates the terms of use/service agreements that they are party to. | Policy Abuse | Attack Execution |
TEQ-060 | Returns Abuse | The adversary abuses the return or refund policy of a merchant for financial gain, for example by claiming a refund but returning a similar but less valuable item than the original purchase. | Policy Abuse | Attack Execution |
TEQ-061 | Credit/Debit Card Abuse | The adversary uses stolen payment card information in order to complete an action (often a purchase). | Payment Detail Abuse | Attack Execution |
TEQ-062 | Gift Card Abuse | The adversary uses gift card information to complete transactions on a site. This may involve stealing gift card information, purchasing it from an illegitimate source, or correctly guessing it. | Payment Detail Abuse | Attack Execution |
TEQ-063 | Loyalty Points Abuse | Targeting an organisation that has a loyalty or bonus points scheme, an adversary steals or otherwise illegitimately uses loyalty or bonus points to perform transactions either on the targeted site or on a third-party affiliate site. | Payment Detail Abuse | Attack Execution |
TEQ-064 | Buy Now Pay Later Abuse | The adversary makes a purchase using buy-now-pay-later services, with the intention of abusing the contract and withholding payment once goods or services are received. | Policy Abuse, Payment Detail Abuse | Attack Execution |
TEQ-065 | ATS Fraud | The adversary uses automatic transfer services to withdraw funds or make financial transactions, often without the knowledge or informed permission of the account owner. | Transaction Redirect | Actions on the Objective |
TEQ-066 | Automated Advertisement of Stock | Having identified the availability of a desired product or service, an adversary employs an automated means of reposting the stock levels onto a third-party site or forum. | Exfiltration | Actions on the Objective |
TEQ-067 | Credential Dumping | The adversary releases or sells credentials that should not be made publicly available. These are normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
TEQ-068 | API Information Flow Exfiltration | The adversary gathers and exfiltrates information, such as vulnerabilities and exposures, from API endpoints. | Exfiltration | Actions on the Objective |
TEQ-069 | Payment Detail Dumping | The adversary releases or sells payment details that should not be made publicly available, such as credit card information. These are normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
TEQ-070 | PII Dumping | The adversary releases or sells personally identifiable information (PII) that should not be made publicly available. This is normally stolen from a system or victim and advertised on the open web or the dark web. | Exfiltration | Actions on the Objective |
TEQ-071 | PO Box Obfuscation | The adversary places an order on a site with the delivery address set to a PO box rather than a residential address. This allows receipt of the product without revealing the adversary's true address and/or bypasses address-based restrictions. | Invoice Abuse | Post-Attack |
TEQ-072 | Jigging | The adversary modifies the address and personal information just enough to evade automated controls that detect a single address being used multiple times (a common defensive measure used to limit the number of times a specific individual can purchase a specific item). The address will nonetheless be written in a... | Invoice Abuse | Post-Attack |
TEQ-073 | Fake Identity | The adversary hides their true identity by providing fake details to the invoice process, such as name, phone number, etc. | Invoice Abuse | Post-Attack |
TEQ-074 | Driver Intercept | Driver Intercept is used once an order has been placed and shipped for delivery. The adversary contacts the delivery organisation and redirects the delivery to a different location, such as an alternative address, PO box, or Amazon secure locker. | Delivery Redirect | Post-Attack |
TEQ-075 | Redelivery Abuse | The adversary obtains a redelivery card and uses it for their own benefit. | Delivery Redirect | Post-Attack |
TEQ-076 | Manual Sale | The adversary manually advertises stock of a particular item on a third-party website either before or after purchasing the desired item from the target site. | Sale | Post-Attack |
TEQ-077 | New Site Creation | The adversary creates an original website to support their operations, for example to host advertisements or malicious content. | Website Creation | Resource Development |
TEQ-078 | Valid Accounts | The adversary obtains and exploits access to valid user accounts on their target web service or API. | Credential Acquisition | Resource Development |
TEQ-079 | Fund Withdrawal | The adversary withdraws monetary balances from their target to an account under their control. | Transaction Redirect | Actions on the Objective |
TEQ-080 | Information Brokerage | The adversary sells information gathered during the operation, for financial gain. | Sale | Post-Attack |
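The distinction the table draws between TEQ-015 (Continual Content Scraping) and TEQ-016 (Periodic Content Scraping), and the IP rotation of TEQ-030 that often accompanies the periodic variant, comes down to request timing and source diversity per client. The following is an added example, not part of the BLADE framework or its tooling, showing one way a defender might label sessions from access-log data. The log format, the `sess-*` session identifiers, the thresholds and the log lines themselves are constructed for the illustration.

```python
"""Scraping-pattern and IP-rotation detection over web access logs.

Added example, not part of the BLADE technique table. Separates TEQ-015
(continual scraping) from TEQ-016 (periodic scraping) by request timing,
and flags TEQ-030 (IP rotation) when one session cookie is seen from many
source addresses. The log format, session identifiers and thresholds are
assumptions for this illustration; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: <src-ip> <session-id> [<ISO timestamp>] "<method> <path>"
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)"$')


def _burst(sess, ip, start, count, step_s):
    """Build `count` constructed log lines for one session, `step_s` seconds apart."""
    return [
        f'{ip} {sess} [{(start + timedelta(seconds=i * step_s)).isoformat()}] "GET /api/stock/sku-1"'
        for i in range(count)
    ]


T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # sess-A: one IP polling the stock endpoint every second (TEQ-015)
    _burst("sess-A", "198.51.100.10", T0, 12, 1)
    # sess-B: bursts of four requests every five minutes, new IP per burst (TEQ-016 + TEQ-030)
    + _burst("sess-B", "203.0.113.21", T0, 4, 1)
    + _burst("sess-B", "203.0.113.22", T0 + timedelta(minutes=5), 4, 1)
    + _burst("sess-B", "203.0.113.23", T0 + timedelta(minutes=10), 4, 1)
    # sess-C: three requests with human-scale gaps from a single IP
    + [f'192.0.2.5 sess-C [{(T0 + timedelta(seconds=s)).isoformat()}] "GET /product/sku-1"'
       for s in (0, 40, 115)]
)


def parse_log(text):
    """Return (session, ip, timestamp) tuples for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, sess, ts, _method, _path = m.groups()
            events.append((sess, ip, datetime.fromisoformat(ts)))
    return events


def classify_timing(times, continual_gap=2.0, burst_gap=30.0, min_requests=8):
    """Label a session's request timing.

    continual: at least `min_requests` requests with no gap over `continual_gap`
               seconds (TEQ-015).
    periodic:  two or more tight bursts separated by pauses longer than
               `burst_gap` seconds (TEQ-016).
    The thresholds are assumptions; tune them against real baseline traffic.
    """
    times = sorted(times)
    if len(times) < 2:
        return "insufficient"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(times) >= min_requests and max(gaps) <= continual_gap:
        return "continual"
    bursts = 1 + sum(1 for g in gaps if g > burst_gap)
    tight = [g for g in gaps if g <= burst_gap]
    if bursts >= 2 and tight and max(tight) <= continual_gap and len(times) >= 2 * bursts:
        return "periodic"
    return "human-like"


def analyse(events, rotation_threshold=3):
    """Per-session verdict: timing pattern plus an IP-rotation flag (TEQ-030)."""
    by_session = defaultdict(lambda: {"times": [], "ips": set()})
    for sess, ip, ts in events:
        by_session[sess]["times"].append(ts)
        by_session[sess]["ips"].add(ip)
    return {
        sess: {
            "requests": len(d["times"]),
            "pattern": classify_timing(d["times"]),
            "distinct_ips": len(d["ips"]),
            "ip_rotation": len(d["ips"]) >= rotation_threshold,
        }
        for sess, d in by_session.items()
    }


if __name__ == "__main__":
    for sess, verdict in analyse(parse_log(SAMPLE_LOG)).items():
        print(sess, verdict)
```

Keying on the session cookie rather than the source IP is what makes the rotation visible: a detector that counts per IP sees three unremarkable clients for `sess-B`, while one keyed on the session sees one client hopping addresses. The periodic rule is deliberately strict (tight bursts, long pauses) so that a human who idles and returns is not mislabelled.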
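TEQ-072 (Jigging) works because the per-address purchase limit behind TEQ-058 (Limitation Policy Bypass) is often keyed on the raw address string, so "12 Main St." and "12 Main Street, Apt 4" count as two customers. The following added example, which is not part of the BLADE framework, puts the string-keyed check beside one keyed on a canonicalised address. The orders, the abbreviation table, the unit-designator list and the limit of two units are constructed assumptions.

```python
"""Purchase-limit enforcement that resists address jigging.

Added example, not part of the BLADE technique table. Contrasts a
per-address purchase limit keyed on the raw address string, which an
adversary defeats with TEQ-072 (Jigging) variations, with one keyed on a
canonicalised address. The orders, abbreviation table and limit are
constructed assumptions; a real deployment would use a full
address-validation service rather than this token-level normalisation.
"""
import re
from collections import Counter

# Constructed orders: (sku, recipient name, address line, postcode).
# The first three are the same household, jigged to look distinct.
ORDERS = [
    ("sku-1", "Alice Smith", "12 Main St.", "AB1 2CD"),
    ("sku-1", "A. Smith", "12 Main Street", "ab12cd"),
    ("sku-1", "Alice J Smith", "12 MAIN ST, Apt 4", "AB1 2CD"),
    ("sku-1", "Bob Jones", "7 High Road", "EF3 4GH"),
]

# Assumed abbreviation and unit-designator tables for the illustration.
ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue", "av": "avenue",
                 "ln": "lane", "dr": "drive", "blvd": "boulevard"}
UNIT_WORDS = {"apt", "apartment", "unit", "suite", "ste", "flat"}


def naive_key(_name, address, postcode):
    """Vulnerable: exact string match, so 'St.' vs 'Street' counts as two addresses."""
    return f"{address}|{postcode}"


def canonical_key(_name, address, postcode):
    """Hardened: house number + canonical street + postcode, ignoring the
    cosmetic variations jigging relies on (case, punctuation, abbreviations,
    bogus unit designators). The recipient name is ignored on purpose: it is
    the cheapest field to vary. Dropping unit designators is a trade-off that
    also merges genuine flats in one building."""
    tokens = [ABBREVIATIONS.get(t, t)
              for t in re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()]
    cleaned, skip = [], False
    for tok in tokens:
        if skip:                # drop the token following a unit designator
            skip = False
            continue
        if tok in UNIT_WORDS:
            skip = True
            continue
        cleaned.append(tok)
    house = next((t for t in cleaned if t[0].isdigit()), "")
    street = " ".join(t for t in cleaned if t != house)
    postcode_norm = "".join(postcode.split()).upper()
    return f"{house}|{street}|{postcode_norm}"


def enforce_limit(orders, key_fn, limit=2):
    """Accept each order in sequence until `limit` units of a SKU have shipped
    to the same key; returns one accept/reject decision per order."""
    shipped = Counter()
    decisions = []
    for sku, name, address, postcode in orders:
        key = (sku, key_fn(name, address, postcode))
        if shipped[key] >= limit:
            decisions.append(False)
        else:
            shipped[key] += 1
            decisions.append(True)
    return decisions


if __name__ == "__main__":
    print("naive    ", enforce_limit(ORDERS, naive_key))
    print("canonical", enforce_limit(ORDERS, canonical_key))
```

Running the block shows the naive key accepting all four orders while the canonical key rejects the third. The normalisation here is intentionally small; the point is that the limit must be keyed on what the delivery actually resolves to, not on what the customer typed.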
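The token reuse described under TEQ-020 (Token Bypass) succeeds when an anti-CSRF token is valid for any session rather than only the one it was issued to. The following added example, not part of the BLADE framework, shows a server that pools issued tokens beside one that derives each token from the session identifier with an HMAC; the server secret and the session identifiers are constructed assumptions.

```python
"""Session-bound anti-CSRF tokens versus reusable ones.

Added example, not part of the BLADE technique table, illustrating the
reuse described under TEQ-020 (Token Bypass). The naive server keeps a pool
of issued tokens and accepts any of them on any session, so a token obtained
in the adversary's own session validates a forged request in the victim's.
The hardened version derives the token from the session identifier with an
HMAC, so it is only valid for the session it was issued to. The secret and
the session identifiers are constructed assumptions.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment secret


class NaiveCsrf:
    """Vulnerable: any issued token is accepted for any session."""

    def __init__(self):
        self.issued = set()

    def issue(self, session_id):
        token = secrets.token_hex(16)     # session_id is ignored: the flaw
        self.issued.add(token)
        return token

    def verify(self, session_id, token):
        return token in self.issued


class SessionBoundCsrf:
    """Hardened: token = nonce '.' HMAC-SHA256(secret, session_id ':' nonce)."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id, token):
        nonce, sep, mac = token.partition(".")
        if not sep or not nonce:
            return False
        # constant-time comparison so the MAC cannot be guessed byte by byte
        return hmac.compare_digest(mac, self._mac(session_id, nonce))


def token_reuse_succeeds(csrf):
    """True if a token issued to the adversary's session is accepted on the victim's."""
    attacker_token = csrf.issue("sess-attacker")
    return csrf.verify("sess-victim", attacker_token)


if __name__ == "__main__":
    print("naive reuse accepted:        ", token_reuse_succeeds(NaiveCsrf()))
    print("session-bound reuse accepted:", token_reuse_succeeds(SessionBoundCsrf()))
```

Binding the token to the session removes the cross-session reuse; if the application also needs to stop replay within one session (the adversary reusing a token they captured from the victim), the server must additionally record used nonces and reject repeats.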