Test Capabilities

  • Test Capabilities - Pre-ATT&CK
    • Testing capabilities takes place when adversaries may need to test capabilities externally to refine development goals and criteria and to ensure success during an operation. Certain testing may be done after a capability is staged.

Review logs and residual traces

  • Review logs and residual traces - Pre-ATT&CK
    • Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code.

Test ability to evade automated mobile application security analysis performed by app stores

  • Test ability to evade automated mobile application security analysis performed by app stores - Pre-ATT&CK
    • Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices.

Test callback functionality

  • Test callback functionality
    • Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached.

Test malware in various execution environments

  • Test malware in various execution environments - Pre-ATT&CK
    • Malware may perform differently on different platforms (computer vs handheld) and different operating systems (Ubuntu vs OS X), and versions (Windows 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed.

Test malware to evade detection

  • Test malware to evade detection - Pre-ATT&CK
    • An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services.

Test physical access

  • Test physical access - Pre-ATT&CK
    • An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access.

Test signature detection for file upload/email filters