Cryptography
Encryption, keys, protocols, and cryptographic primitives.
- AAD/acronym/aad
The input data to the authenticated encryption function that is authenticated but not encrypted.
- ACME/acronym/acme
A protocol defined in IETF RFC 8555 that provides for the automated enrollment of certificates.
- activation data/term/activation-data
A pass phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
- Active state/term/active-state
A lifecycle state for a key in which the key may be used to cryptographically protect information (e.g., encrypt plaintext or generate a digital signature), to cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature) or both.
- AD/acronym/ad
Input data to the CCM generation encryption process that is authenticated but not encrypted.
- Additional Authenticated Data/term/additional-authenticated-data
The input data to the authenticated encryption function that is authenticated but not encrypted.
- Additional input/term/additional-input
Information known by two parties that is cryptographically bound to the secret keying material being protected using the encryption operation.
- administrative incident (COMSEC)/term/administrative-incident-comsec
A violation of procedures or practices dangerous to security that is not serious enough to jeopardize the integrity of a controlled cryptographic item (CCI), but requires corrective action to ensure the violation does not recur or possibly lead to a reportable COMSEC incident.
- Adversary-in-the-Middle/term/adversary-in-the-middle
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
- AES/acronym/aes
AES stands for Advanced Encryption Standard, a widely used symmetric key block cipher standardized by NIST.
- Archive via Custom Method/term/archive-via-custom-method
An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)
- Archive via Utility/term/archive-via-utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
- Confidentiality/term/confidentiality
Confidentiality is the property that information is not disclosed to unauthorized parties.
- Digital Certificates/term/digital-certificates
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
- Embedded Payloads/term/embedded-payloads
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)
- Encrypted/Encoded File/term/encrypted-encoded-file
Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.
- Encryption/term/encryption
Encryption is the process of transforming information so it is unintelligible without the appropriate key.
- Fileless Storage/term/fileless-storage
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems ( , , , and ) and volatile directories on Network Devices ( and ) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).
- Hash Function/term/hash-function
A hash function maps input data to a fixed-size output (digest) and is commonly used for integrity checks.
- Integrity/term/integrity
Integrity is the property that data is accurate and has not been improperly modified or destroyed.
- Keychain/term/keychain
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
- LC_LOAD_DYLIB Addition/term/lc-load-dylib-addition
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
- Masquerade File Type/term/masquerade-file-type
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file is <code>0xFF 0xD8</code> and the file extension is either , or .
- (n, d)/term/n-d
RSA private key in the basic format.
- (n, e)/term/n-e
RSA public key.
- (n, e, d, p, q, dP, dQ, qInv)/term/n-e-d-p-q-dp-dq-qinv
RSA private key in the Chinese Remainder Theorem (CRT) format.
- OS Credential Dumping/term/os-credential-dumping
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
- Password Cracking/term/password-cracking
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.(Citation: US CERT TA18 106A)
- (p, q, d)/term/p-q-d
RSA private key in the prime factor format.
- Public Key/term/public-key
A public key is the publicly shared component of an asymmetric key pair used for encryption or signature verification.
- PubPrn/term/pubprn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)
- (r, s)/term/r-s
Digital signature for DSA or ECDSA.
- SAML Tokens/term/saml-tokens
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
- Securityd Memory/term/securityd-memory
An adversary with root access may gather credentials by reading ’s memory. is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through 's memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
- Service Stop/term/service-stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
- Symmetric Key/term/symmetric-key
A symmetric key is a secret key shared between parties and used for both encryption and decryption.
- Weaken Encryption/term/weaken-encryption
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)