Esc
Content Modification
Definition
Modify content that does not comply with policy.
How it works
When content is found to not comply with it's content policy, it may be transformed to a safer state by modifying it.
Artifact Relationships:
This defensive technique is related to specific artifacts. Click the artifact node for more information.
Technique Subclasses
There are 5 techniques in this category, Content Modification.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Content Modification | D3-CM | Modify content that does not comply with policy. | |
| - Content Rebuild | D3-CNR | Rebuild the file according to the spec so any unreferenced components or objects are removed. | Content Reconstruction |
| - Content Format Conversion | D3-CFC | Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening. | |
| - Content Excision | D3-CNE | Removing specific, potentially malicious, parts of content | |
| - Content Substitution | D3-CNS | Modifies specific digital content information by replacing it with something else. |
Related ATT&CK Techniques:
These mappings are inferred, experimental, and will improve as the
knowledge graph grows.
These offensive techniques are determined related because of the way this defensive technique,, , , and .
Lateral Movement
Software Deployment Tools
Internal Spearphishing
Privilege Escalation
Abuse Elevation Control Mechanism
Process Injection
Boot or Logon Autostart Execution
Event Triggered Execution
Hijack Execution Flow
Create or Modify System Process
Scheduled Task/Job
Boot or Logon Initialization Scripts
Command And Control
Encrypted Channel
Application Layer Protocol
Impact
Data Encrypted for Impact
Data Manipulation
Collection
Automated Collection
Data Staged
Archive Collected Data
Data from Local System
Email Collection
Discovery
System Network Configuration Discovery
Remote System Discovery
System Owner/User Discovery
File and Directory Discovery
Persistence
Office Application Startup
Boot or Logon Autostart Execution
Event Triggered Execution
Hijack Execution Flow
Modify Authentication Process
Create or Modify System Process
Scheduled Task/Job
Server Software Component
Boot or Logon Initialization Scripts
Execution
Software Deployment Tools
User Execution
Command and Scripting Interpreter
Scheduled Task/Job
Credential Access
Unsecured Credentials
Modify Authentication Process
OS Credential Dumping
Forced Authentication
Credentials from Password Stores
Steal or Forge Authentication Certificates
Defense Evasion
Abuse Elevation Control Mechanism
Indicator Removal
Masquerading
Process Injection
System Binary Proxy Execution
Obfuscated Files or Information
Hide Artifacts
Trusted Developer Utilities Proxy Execution
Hijack Execution Flow
Deobfuscate/Decode Files or Information
Modify Authentication Process
Rootkit
Impair Defenses
XSL Script Processing
Exfiltration
Exfiltration Over C2 Channel
Exfiltration Over Alternative Protocol
References
All
Patent
The following references were used to develop the Content Modification knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method For Content Disarm and Reconstruction
Reference Type: Patent Organization: OPSWAT, Inc. Author: Taeil Goh, Vinh Nguyen Xuan Lam, Nhut Minh Ngo, Dung Huu Nguyen