Capability Abstraction

Abstraction is a concept by which implementation details are hidden from/automated for the user. Abstraction typically manifests itself in layers, called abstraction layers, that systematically hide complexity, with each layer providing a more superficial interface than the last.

The idea of Capability Abstraction is that an attacker’s tools are merely an abstraction of their attack capabilities, and detection engineers must understand how to evaluate abstraction while building detection logic.

In the blog mentioned in the footnote below, they go about their process of peeling away the different abstraction layers of Kerberoasting, from tools all the way down to the network layer.

This method is futher elaborated in Tactical to Functional

NOTE

It is important to note that while peeling back layers of abstractions allow for a more broad or comprehensive detection, it also means that the detection is possibly losing precision, which leads to a higher likelihood of false positives.

1


Relevant Note(s): Pyramid of Pain

Footnotes

  1. https://posts.specterops.io/capability-abstraction-fbeaeeb26384