Stealth
Details
| ID | PT0008 |
| MITRE ATT&CK ID | TA0005 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
| Version Permalink | Link |
Description
The adversary is trying to hide their activity and appear legitimate.
Stealth consists of techniques that reduce the chance of detection by blending with normal traffic, staff behavior, or visitor activity. Examples include appropriate dress, timing, pretext, and route selection without disabling security systems.
Techniques
| ID | Name | Description |
|---|---|---|
| P0007 | Social Engineering | Adversaries may manipulate people to obtain access, information, or assistance at a target facility. This includes impersonation, authority appeals, urgency, and other influence tactics at entry points, reception areas, or during escorted movement. |
| P0007.001 | Exploit Business Process | Adversaries may exploit missing, ambiguous, or unenforced business processes to gain access or avoid scrutiny. Weak processes for visitor handling, deliveries, escorts, after-hours access, and contractor workflows can be abused through pretext, policy gaps, or inconsistent enforcement. |
| P0007.002 | Impersonate Staff or Vendor | Adversaries may present themselves as employees, contractors, or vendor personnel to appear legitimate during entry and movement. Impersonation pairs with dress, tools, and behavior expected for the claimed role. |
| P0007.003 | Pose as Visitor or Guest | Adversaries may act as visitors, interview candidates, guests, or event attendees to blend with normal foot traffic. Visitor pretexts often face lighter challenge at reception when appearance and behavior match expected patterns. |
| P0007.004 | Employ Pretext in Conversation | Adversaries may use a prepared cover story when interacting with staff, security, or reception during operations. Consistent pretext in conversation reinforces legitimacy and deflects casual questions about purpose or destination. |
| P0007.005 | Wear Cover Dress | Adversaries may wear clothing, uniforms, PPE, or accessories that match expected roles at the facility during live operations. Cover dress reduces scrutiny compared to out-of-place attire and supports blending with staff, vendors, or visitors. |
| P0007.006 | Employ Pretext via Phone Calls | Adversaries may use a prepared cover story during phone calls to staff, security, reception, or help desks to obtain information or assistance without physical presence at the facility. Phone pretexts can elicit facility details, access procedures, or identities useful for planning and later tactics. |
| P0007.007 | Employ Pretext via Email | Adversaries may use a prepared cover story in email to staff, contractors, or shared mailboxes to obtain information or assistance without physical presence at the facility. Email pretexts can request layouts, visitor procedures, or organizational details that support planning and later tactics. |
| P0013 | Hide on Premises | Adversaries may conceal themselves within a facility or controlled area to avoid detection between operating periods. Hiding locations include unused spaces, storage areas, ceilings, and other low-traffic zones that support extended presence. |
| P0021 | Select Low-Visibility Route | Adversaries may choose paths that minimize exposure to guards, reception desks, cameras, and high-visibility lobbies. Route selection favors service corridors, stairwells, loading areas, and times when fewer people observe transit between objectives. |
| P0022 | Activity Timing | Adversaries may schedule entry, movement, or actions for specific times that improve success or reduce scrutiny. Timing can align with busy periods that provide cover or with quiet periods when fewer people are present. |
| P0022.001 | Time Activity to Normal Operations | Adversaries may schedule movement and actions to coincide with routine facility activity. Examples include shift changes, meal periods, delivery windows, and peak visitor traffic when additional people reduce individual scrutiny. |
| P0022.002 | Time Activity Outside Regular Business Hours | Adversaries may schedule entry or movement outside regular business hours, such as nights, weekends, or holidays when facilities are closed or lightly staffed. Operating off-hours can reduce encounters with personnel while exploiting gaps in patrols, escorts, or visitor controls. |