an introduction to att&ck - federal aviation …...an overview of the (enterprise) mitre...
TRANSCRIPT
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
An Introduction to ATT&CK
Andy Applebaum
ATIEC 2019
September 24th, 2019
Outline
▪ An Overview of the (Enterprise) MITRE ATT&CK framework
▪ Use Cases in 15 minutes (or less!)
– Detection
– Cyber Threat Intelligence
– Adversary Emulation
– Assessments and Enginering
| 2 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Understanding Our Defenses Within the Perimeter
MITRE’s ATT&CK Framework
https://www.youtube.com/watch?v=0BEf6s1iu5g
| 3 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Understanding Our Defenses Within the Perimeter
MITRE’s ATT&CK Framework
https://www.youtube.com/watch?v=0BEf6s1iu5g
| 4 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Understanding Our Defenses Within the Perimeter
MITRE’s ATT&CK Framework
https://www.youtube.com/watch?v=0BEf6s1iu5g
| 5 |
Block attachments based on MD5
Block bad IP rangesAlert on DNS requests
Scan hosts for artifacts
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
ATT&CK in Context: The Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
TTPs = Tactics, Techniques, and Procedures
| 6 |
Block attachments based on MD5
Block bad IP ranges
Scan hosts for artifacts
Alert on DNS requests
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
ATT&CK in Context: The Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
TTPs = Tactics, Techniques, and Procedures
ATT&CK™ is a globally-accessible
knowledge base of adversary tactics
and techniques, developed by MITRE
based on real-world observations of
adversaries’ operations.
attack.mitre.org
| 7 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
The ATT&CK Matrix
| 8 |
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Tactics – Adversary’s technical goal
Tech
niq
ues
–H
ow
go
al is
ach
ieve
d
Publicly Available
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
The ATT&CK Matrix
| 9 |
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Tactics – Adversary’s technical goal
Tech
niq
ues
–H
ow
go
al is
ach
ieve
d
Publicly Available
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and ControlImpact
The ATT&CK Matrix
| 10 |
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Tactics – Adversary’s technical goal
Tech
niq
ues
–H
ow
go
al is
ach
ieve
d
Procedures – Specific technique implementation
Publicly Available
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
The ATT&CK Matrix
| 11 |
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Tactics – Adversary’s technical goal
Tech
niq
ues
–H
ow
go
al is
ach
ieve
d
Procedures – Specific technique implementation
Grounded in real data from cyber incidents
Decouples the problem from the solution
Focuses on describing adversary TTPs, not IoCs
Describes post-compromise adversary behaviors
Publicly Available
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Example Technique: New Service
Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation
• …
Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
| 12 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Not Just Techniques: Example Group (APT28)
Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 1 2 3 4 5 6 7
Techniques: • Data Obfuscation 1
• Connection Proxy 1 8
• Standard Application Layer Protocol 1
• Remote File Copy 8 9
• Rundll32 8 9
• Indicator Removal on Host 5
• Timestomp 5
• Credential Dumping 10
• Screen Capture 10 11
• Bootkit 7 and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
…
| 13 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
MITRE’s Public ATT&CK Resources
| 14 |
Public ATT&CK Knowledge Base
attack.mitre.org
ATT&CK Navigator
Structured Content PRE- and Mobile ATT&CK
Conference Talks
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
MITRE’s Public ATT&CK Resources
| 15 |
attackevals.mitre.orgAdversary Emulation Plans
CALDERA: Automated
Adversary Emulation
ATT&CK Evaluations
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
What do people do with ATT&CK?
▪ Develop detection rules
▪ Measure their security posture
▪ Quantify their security posture
▪ Guide threat hunting efforts
▪ Evaluate/analyze defensive tools
▪ Write threat intelligence reports
▪ Ingest threat intelligence
▪ Automate intrusion response
▪ Build threat models
▪ Train blue/red teams
▪ Run red team exercises
▪ Classify malware behaviors
| 16 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Who’s Hiring for ATT&CK?
Financial▪ SF Fed Reserve▪ Bank of America▪ JP Morgan▪ FS-ISAC▪ Experian
Tech▪ Microsoft▪ Intel▪ Airbnb▪ Verizon▪ Box
Security▪ RevSec▪ FireEye▪ AppGuard▪ CrowdStrike
Retail▪ Target▪ Best Buy▪ PepsiCo▪ Under Armour
Media▪ NBCUniversal▪ Nielsen
Defense▪ Boeing▪ Booz Allen
Others▪ General Electric▪ Deloitte▪ Pfizer▪ GSK
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Who’s Contributing to ATT&CK?
▪ Alain Homewood, Insomnia Security
▪ Alan Neville, @abnev
▪ Anastasios Pingios
▪ Andrew Smith, @jakx_
▪ Barry Shteiman, Exabeam
▪ Bartosz Jerzman
▪ Bryan Lee
▪ Carlos Borges, CIP
▪ Casey Smith
▪ Christiaan Beek, @ChristiaanBeek
▪ Cody Thomas, SpecterOps
▪ Craig Aitchison
▪ Daniel Oakley
▪ Darren Spruell
▪ Dave Westgard
▪ David Ferguson, CyberSponse
▪ David Lu, Tripwire
▪ David Routin
▪ Ed Williams, Trustwave, SpiderLabs
▪ Edward Millington
▪ Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
▪ Elia Florio, Microsoft
▪ Emily Ratliff, IBM
▪ ENDGAME
▪ Eric Kuehn, Secure Ideas
▪ Erye Hernandez, Palo Alto Networks
▪ Felipe Espósito, @Pr0teus
▪ FS-ISAC
▪ Hans Christoffer Gaardløs
▪ Itamar Mizrahi
▪ Itzik Kotler, SafeBreach
▪ Jacob Wilkin, Trustwave, SpiderLabs
▪ Jan Miller, CrowdStrike
▪ Jared Atkinson, @jaredcatkinson
▪ Jeremy Galloway
▪ John Lambert, Microsoft Threat Intelligence Center
▪ John Strand
▪ Josh Abraham
▪ Justin Warner, ICEBRG
▪ Leo Loobeek, @leoloobeek
▪ Loic Jaquemet
▪ Marc-Etienne M.Léveillé, ESET
▪ Mark Wee
▪ Matt Graeber, @mattifestation, SpecterOps
▪ Matt Kelly, @breakersall
▪ Matthew Demaske, Adaptforward
▪ Matthew Molyett, @s1air
▪ McAfee
▪ Michael Cox
▪ Mike Kemmerer
▪ Milos Stojadinovic
▪ Mnemonic
▪ Nick Carr, FireEye
▪ Nik Seetharaman, Palantir
▪ Nishan Maharjan, @loki248
▪ Oddvar Moe, @oddvarmoe
▪ Omkar Gudhate
▪ Patrick Campbell, @pjcampbe11
▪ Paul Speulstra, AECOM Global Security
Operations Center
▪ Pedro Harrison
▪ Praetorian
▪ Rahmat Nurfauzi, @infosecn1nja, PT XynexisInternational
▪ Red Canary
▪ RedHuntLabs (@redhuntlabs)
▪ Ricardo Dias
▪ Richard Gold, Digital Shadows
▪ Richie Cyrus, SpecterOps
▪ Robby Winchester, @robwinchester3
▪ Robert Falcone
▪ Romain Dumont, ESET
▪ Ryan Becwar
▪ Ryan Benson, Exabeam
▪ Scott Lundgren, @5twenty9, Carbon Black
▪ Stefan Kanthak
▪ Sudhanshu Chauhan, @Sudhanshu_C
▪ Sunny Neo
▪ Sylvain Gil, Exabeam
▪ Teodor Cimpoesu
▪ Tim MalcomVetter
▪ Tom Ueltschi @c_APT_ure
▪ Tony Lambert, Red Canary
▪ Travis Smith, Tripwire
▪ Tristan Bennett, Seamless Intelligence
▪ Valerii Marchuk, Cybersecurity Help s.r.o.
▪ Veeral Patel
▪ Vincent Le Toux
▪ Walker Johnson
▪ Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
▪ Yonatan Gotlib, Deep Instinct
| 18 |
89 individuals + orgs contributing
to ATT&CK!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Starting Places for Using ATT&CK(in 15 minutes)
| 19 |
ATT&CK Core Use Cases
| 20 |
Threat Intelligenceprocesses = search Process:Createreg = filter processes where (exe == "reg.exe" and parent_exe== "cmd.exe")cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect , prevent ,
and/ or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
abl in
g s
ecu
rity
to
ols
explo
itatio
n f
or
clie
nt
exe
cu
tio
n
ind
icato
r re
moval fr
om
to
ols
spea
rphis
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e d
elet
ion
grap
hica
l use
r in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_l
oad_
dylib
add
ition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor au
thenticatio
n interception
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entica
tion p
acka
ge
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
rive
r
pow
ers
he
ll
reg
svr3
2
sip
and
trust p
rovid
er h
ijackin
g
se
curity
su
pp
ort p
rovid
er
tim
e p
rovi d
ers
bin
ary
pa
dd
ing
custo
m c
ryp
tog
rap
hic
pro
toco
l
fallb
ack c
hannels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encr
yption
obfu
scate
d file
s o
r in
form
atio
n
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
prom
ise
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork sn
iffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
scate
d file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
an
d tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect, prevent ,
and/ or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
ablin
g s
ecu
rity
to
ols
explo
itatio
n for
clie
nt
executio
n
ind
icato
r re
moval fr
om
to
ols
spearp
his
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e de
letio
ngr
aphi
cal u
ser in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_loa
d_dy
lib a
ddition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor authe
ntication intercep
tion
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entica
tion p
ack
age
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
river
pow
ers
hell
regsvr3
2
sip
an
d tru
st p
rovid
er h
ijackin
g
se
curi ty
su
pp
or t p
rovid
er
t im
e p
rovid
ers
bin
ary
padd
ing
custo
m c
rypto
gra
phic
pro
tocol
fallb
ack c
hannels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encry
ption
obfu
scate
d file
s o
r in
form
atio
n
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
prom
ise
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork
sniffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
scate
d file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
an
d tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect , prevent ,
and/or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
ab
li ng
se
curi
ty t
oo
ls
exp
loita
tio
n fo
r clie
nt exe
cution
indic
ato
r re
moval fr
om
tools
spe
arp
his
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e de
letio
ngr
aphi
cal u
ser in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_l
oad_
dylib
add
ition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor authen
tication in
terceptio
n
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entic
atio
n p
ack
age
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
river
pow
ers
hell
regsvr3
2
sip
an
d tru
st p
rovid
er h
ijackin
g
se
curity
sup
po
rt pro
vi d
er
t im
e p
rovi d
ers
bin
ary
padd
ing
custo
m c
rypto
gra
ph
ic p
roto
col
fallb
ack c
han
nels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encry
ption
obfu
scate
d file
s or
info
rmation
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
pro
mis
e
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork sn
iffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
sca
ted file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
and tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Getting Started with Detection: Developing Analytics
1 Identify techniques to detect
Write code for detection using existing data
Assign a name, store, and test the analytic
| 21 |
3
2
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Resources for Developing Analytics
▪ There’s a large community of people doing ATT&CK for detection
– What analytics are they running and finding valuable?
– Which of those can you run based on data you already have?
▪ Look at existing repositories, or talk to partner organizations
– Cyber Analytics Repository: https://car.mitre.org/
– Endgame EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html
– Sigma: https://github.com/Neo23x0/sigma
▪ For more info, check out the ATT&CK blog on detection:
– https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0
| 22 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
rive by Co pro ise
ploit bli a ingAppli ation
ard are Additions
epli ation T ro g e ovable edia
pearp is ing Atta ent
pearp is ing in
pearp is ing via ervi e
pply C ain Co pro ise
Tr sted elations ip
alid A o nts
Apple ript
C T
Co and ine nter a e
Control anel te s
yna i ata ange
e tion t ro g A
e tion t ro g od le oad ploitation or Client e tion
rap i al ser nter a e
nstall til
a n tl
o al ob ed ling
A river
s ta
o er ell
egsv s egas
egsvr
ndll
ed led Tas
ripting
ervi e e tion
igned inary ro y e tion igned ript ro y e tion
o r e
pa e a ter ilena e
T ird party o t are
Trap
Tr sted eveloper tilities
ser e tion
indo s anage ent nstr entation indo s e ote anage ent
.bas pro ile and .bas r
A essibility eat res
AppCert s
App nit s
Appli ation i ing
A t enti ation a age
T obs
oot it
ro ser tensions
C ange e a lt ileAsso iation
Co ponent ir are
Co ponent b e t odel i a ing
Create A o nt
ear rder i a ing
ylib i a ing
ternal e ote ervi es
ile yste er issions ea ness
idden iles and ire tories
oo ing
ypervisor
age ile e tion ptions n e tionKernel od les and tensions
a n Agent
a n ae on
a n tl
C A Addition
o al ob ed ling
ogin te
ogon ripts
A river
odi y isting ervi e
ets elper
e ervi e
i e Appli ation tart p
at nter eption
list odi i ation
ort Kno ing
ort onitors
. o on
e opened Appli ations
ed ndant A ess
egistry n Keys tart older
ed led Tas
reensaver
e rity pport rovider
ervi e egistry er issions ea ness
ort t odi i ation
and Tr st rovider i a ing
tart p te s
yste ir are
Ti e roviders
Trap
alid A o nts
eb ell
indo s anage ent nstr entation vent bs ription
inlogon elper
A ess To en anip lation
A essibility eat res
AppCert s
App nit s
Appli ation i ing
ypass ser A o nt Control
ear rder i a ing
ylib i a ing
ploitation or rivilege s alation tra indo e ory n e tion ile yste er issions ea ness
oo ing
age ile e tion ptions n e tion
a n ae on
e ervi e
at nter eption
list odi i ation
ort onitors
ro ess n e tion
ed led Tas
ervi e egistry er issions ea ness
et id and etgid
istory n e tion
tart p te s
do
do Ca ing
alid A o nts
eb ell
A ess To en anip lation
inary adding
T obs
ypass ser A o nt Control
Clear Co and istory
C T
Code igning
Co ponent ir are
Co ponent b e t odel i a ing
Control anel te s
C ado
eob s ate e ode iles or n or ation
isabling e rity Tools
ear rder i a ing
ide oading
ploitation or e ense vasion tra indo e ory n e tion
ile eletion
ile yste ogi al sets
ate eeper ypass
idden iles and ire tories
idden sers
idden indo
TC T
age ile e tion ptions n e tion
ndi ator lo ing
ndi ator e oval ro Tools
ndi ator e oval on ost
ndire t Co and e tion
nstall oot Certi i ate
nstall til
a n tl
C A i a ing
as erading
odi y egistry
s ta
et or are Conne tion e oval
T ile Attrib tes
b s ated iles or n or ation
list odi i ation
ort Kno ing
ro ess oppelg nging
ro ess ollo ing
ro ess n e tion
ed ndant A ess
egsv s egas
egsvr
oot it
ndll
ripting
igned inary ro y e tion igned ript ro y e tion and Tr st rovider i a ing
o t are a ing
pa e a ter ilena e
Ti esto p
Tr sted eveloper tilities
alid A o nts
eb ervi e
A o nt anip lation
as istory
r te or e
Credential ping
Credentials in iles
Credentials in egistry
ploitation or CredentialA ess
or ed A t enti ation
oo ing
np t Capt re
np t ro pt
Kerberoasting
Key ain
T oisoning
et or ni ing
ass ord ilter
rivate Keys
epli ation T ro g e ovable edia
e rityd e ory
T o a tor A t enti ation nter eption
A o nt is overy
Appli ation indo is overy
ro ser oo ar is overy
ile and ire tory is overy
et or ervi e anning
et or are is overy
ass ord oli y is overy
erip eral evi e is overy
er ission ro ps is overy
ro ess is overy
ery egistry
e ote yste is overy
e rity o t are is overy
yste n or ation is overy
yste et or Con ig ration is overy yste et or Conne tions is overy yste ner ser is overy
yste ervi e is overy
yste Ti e is overy
Apple ript
Appli ation eploy ent o t are istrib ted Co ponent b e t odel ploitation o e ote ervi es
ogon ripts
ass t e as
ass t e Ti et
e ote es top roto ol
e ote ile Copy
e ote ervi es
epli ation T ro g e ovable edia
ared ebroot
i a ing
Taint ared Content
T ird party o t are
indo s Ad in ares
indo s e ote anage ent
A dio Capt re
A to ated Colle tion
Clipboard ata
ata ro n or ation epositories
ata ro o al yste
ata ro et or ared rive
ata ro e ovable edia
ata taged
ail Colle tion
np t Capt re
an in t e ro ser
reen Capt re
ideo Capt re
A to ated iltration
ata Co pressed
ata n rypted
ata Trans er i e i its
iltration ver Alternative roto ol iltration ver Co andand Control C annel iltration ver t er et or edi iltration ver ysi al edi
ed led Trans er
Co only sed ort
Co ni ation T ro g e ovable edia
Conne tion ro y
C sto Co and andControl roto olC sto Cryptograp i roto ol
ata n oding
ata b s ation
o ain ronting
allba C annels
lti op ro y
lti tage C annels
ltiband Co ni ation
ltilayer n ryption
ort Kno ing
e ote A ess Tools
e ote ile Copy
tandard Appli ation ayer roto ol tandard Cryptograp i roto ol tandard on Appli ation ayer roto ol
n o only sed ort
eb ervi e
Threat Intelligence: APT28 Techniques*
*from open source p w ’ pp
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
| 23 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
rive by Co pro ise
ploit bli a ingAppli ation
ard are Additions
epli ation T ro g e ovable edia
pearp is ing Atta ent
pearp is ing in
pearp is ing via ervi e
pply C ain Co pro ise
Tr sted elations ip
alid A o nts
Apple ript
C T
Co and ine nter a e
Control anel te s
yna i ata ange
e tion t ro g A
e tion t ro g od le oad ploitation or Client e tion
rap i al ser nter a e
nstall til
a n tl
o al ob ed ling
A river
s ta
o er ell
egsv s egas
egsvr
ndll
ed led Tas
ripting
ervi e e tion
igned inary ro y e tion igned ript ro y e tion
o r e
pa e a ter ilena e
T ird party o t are
Trap
Tr sted eveloper tilities
ser e tion
indo s anage ent nstr entation indo s e ote anage ent
.bas pro ile and .bas r
A essibility eat res
AppCert s
App nit s
Appli ation i ing
A t enti ation a age
T obs
oot it
ro ser tensions
C ange e a lt ileAsso iation
Co ponent ir are
Co ponent b e t odel i a ing
Create A o nt
ear rder i a ing
ylib i a ing
ternal e ote ervi es
ile yste er issions ea ness
idden iles and ire tories
oo ing
ypervisor
age ile e tion ptions n e tionKernel od les and tensions
a n Agent
a n ae on
a n tl
C A Addition
o al ob ed ling
ogin te
ogon ripts
A river
odi y isting ervi e
ets elper
e ervi e
i e Appli ation tart p
at nter eption
list odi i ation
ort Kno ing
ort onitors
. o on
e opened Appli ations
ed ndant A ess
egistry n Keys tart older
ed led Tas
reensaver
e rity pport rovider
ervi e egistry er issions ea ness
ort t odi i ation
and Tr st rovider i a ing
tart p te s
yste ir are
Ti e roviders
Trap
alid A o nts
eb ell
indo s anage ent nstr entation vent bs ription
inlogon elper
A ess To en anip lation
A essibility eat res
AppCert s
App nit s
Appli ation i ing
ypass ser A o nt Control
ear rder i a ing
ylib i a ing
ploitation or rivilege s alation tra indo e ory n e tion ile yste er issions ea ness
oo ing
age ile e tion ptions n e tion
a n ae on
e ervi e
at nter eption
list odi i ation
ort onitors
ro ess n e tion
ed led Tas
ervi e egistry er issions ea ness
et id and etgid
istory n e tion
tart p te s
do
do Ca ing
alid A o nts
eb ell
A ess To en anip lation
inary adding
T obs
ypass ser A o nt Control
Clear Co and istory
C T
Code igning
Co ponent ir are
Co ponent b e t odel i a ing
Control anel te s
C ado
eob s ate e ode iles or n or ation
isabling e rity Tools
ear rder i a ing
ide oading
ploitation or e ense vasion tra indo e ory n e tion
ile eletion
ile yste ogi al sets
ate eeper ypass
idden iles and ire tories
idden sers
idden indo
TC T
age ile e tion ptions n e tion
ndi ator lo ing
ndi ator e oval ro Tools
ndi ator e oval on ost
ndire t Co and e tion
nstall oot Certi i ate
nstall til
a n tl
C A i a ing
as erading
odi y egistry
s ta
et or are Conne tion e oval
T ile Attrib tes
b s ated iles or n or ation
list odi i ation
ort Kno ing
ro ess oppelg nging
ro ess ollo ing
ro ess n e tion
ed ndant A ess
egsv s egas
egsvr
oot it
ndll
ripting
igned inary ro y e tion igned ript ro y e tion and Tr st rovider i a ing
o t are a ing
pa e a ter ilena e
Ti esto p
Tr sted eveloper tilities
alid A o nts
eb ervi e
A o nt anip lation
as istory
r te or e
Credential ping
Credentials in iles
Credentials in egistry
ploitation or CredentialA ess
or ed A t enti ation
oo ing
np t Capt re
np t ro pt
Kerberoasting
Key ain
T oisoning
et or ni ing
ass ord ilter
rivate Keys
epli ation T ro g e ovable edia
e rityd e ory
T o a tor A t enti ation nter eption
A o nt is overy
Appli ation indo is overy
ro ser oo ar is overy
ile and ire tory is overy
et or ervi e anning
et or are is overy
ass ord oli y is overy
erip eral evi e is overy
er ission ro ps is overy
ro ess is overy
ery egistry
e ote yste is overy
e rity o t are is overy
yste n or ation is overy
yste et or Con ig ration is overy yste et or Conne tions is overy yste ner ser is overy
yste ervi e is overy
yste Ti e is overy
Apple ript
Appli ation eploy ent o t are istrib ted Co ponent b e t odel ploitation o e ote ervi es
ogon ripts
ass t e as
ass t e Ti et
e ote es top roto ol
e ote ile Copy
e ote ervi es
epli ation T ro g e ovable edia
ared ebroot
i a ing
Taint ared Content
T ird party o t are
indo s Ad in ares
indo s e ote anage ent
A dio Capt re
A to ated Colle tion
Clipboard ata
ata ro n or ation epositories
ata ro o al yste
ata ro et or ared rive
ata ro e ovable edia
ata taged
ail Colle tion
np t Capt re
an in t e ro ser
reen Capt re
ideo Capt re
A to ated iltration
ata Co pressed
ata n rypted
ata Trans er i e i its
iltration ver Alternative roto ol iltration ver Co andand Control C annel iltration ver t er et or edi iltration ver ysi al edi
ed led Trans er
Co only sed ort
Co ni ation T ro g e ovable edia
Conne tion ro y
C sto Co and andControl roto olC sto Cryptograp i roto ol
ata n oding
ata b s ation
o ain ronting
allba C annels
lti op ro y
lti tage C annels
ltiband Co ni ation
ltilayer n ryption
ort Kno ing
e ote A ess Tools
e ote ile Copy
tandard Appli ation ayer roto ol tandard Cryptograp i roto ol tandard on Appli ation ayer roto ol
n o only sed ort
eb ervi e
APT29 Techniques
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
| 24 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
rive by Co pro ise
ploit bli a ingAppli ation
ard are Additions
epli ation T ro g e ovable edia
pearp is ing Atta ent
pearp is ing in
pearp is ing via ervi e
pply C ain Co pro ise
Tr sted elations ip
alid A o nts
Apple ript
C T
Co and ine nter a e
Control anel te s
yna i ata ange
e tion t ro g A
e tion t ro g od le oad ploitation or Client e tion
rap i al ser nter a e
nstall til
a n tl
o al ob ed ling
A river
s ta
o er ell
egsv s egas
egsvr
ndll
ed led Tas
ripting
ervi e e tion
igned inary ro y e tion igned ript ro y e tion
o r e
pa e a ter ilena e
T ird party o t are
Trap
Tr sted eveloper tilities
ser e tion
indo s anage ent nstr entation indo s e ote anage ent
.bas pro ile and .bas r
A essibility eat res
AppCert s
App nit s
Appli ation i ing
A t enti ation a age
T obs
oot it
ro ser tensions
C ange e a lt ileAsso iation
Co ponent ir are
Co ponent b e t odel i a ing
Create A o nt
ear rder i a ing
ylib i a ing
ternal e ote ervi es
ile yste er issions ea ness
idden iles and ire tories
oo ing
ypervisor
age ile e tion ptions n e tionKernel od les and tensions
a n Agent
a n ae on
a n tl
C A Addition
o al ob ed ling
ogin te
ogon ripts
A river
odi y isting ervi e
ets elper
e ervi e
i e Appli ation tart p
at nter eption
list odi i ation
ort Kno ing
ort onitors
. o on
e opened Appli ations
ed ndant A ess
egistry n Keys tart older
ed led Tas
reensaver
e rity pport rovider
ervi e egistry er issions ea ness
ort t odi i ation
and Tr st rovider i a ing
tart p te s
yste ir are
Ti e roviders
Trap
alid A o nts
eb ell
indo s anage ent nstr entation vent bs ription
inlogon elper
A ess To en anip lation
A essibility eat res
AppCert s
App nit s
Appli ation i ing
ypass ser A o nt Control
ear rder i a ing
ylib i a ing
ploitation or rivilege s alation tra indo e ory n e tion ile yste er issions ea ness
oo ing
age ile e tion ptions n e tion
a n ae on
e ervi e
at nter eption
list odi i ation
ort onitors
ro ess n e tion
ed led Tas
ervi e egistry er issions ea ness
et id and etgid
istory n e tion
tart p te s
do
do Ca ing
alid A o nts
eb ell
A ess To en anip lation
inary adding
T obs
ypass ser A o nt Control
Clear Co and istory
C T
Code igning
Co ponent ir are
Co ponent b e t odel i a ing
Control anel te s
C ado
eob s ate e ode iles or n or ation
isabling e rity Tools
ear rder i a ing
ide oading
ploitation or e ense vasion tra indo e ory n e tion
ile eletion
ile yste ogi al sets
ate eeper ypass
idden iles and ire tories
idden sers
idden indo
TC T
age ile e tion ptions n e tion
ndi ator lo ing
ndi ator e oval ro Tools
ndi ator e oval on ost
ndire t Co and e tion
nstall oot Certi i ate
nstall til
a n tl
C A i a ing
as erading
odi y egistry
s ta
et or are Conne tion e oval
T ile Attrib tes
b s ated iles or n or ation
list odi i ation
ort Kno ing
ro ess oppelg nging
ro ess ollo ing
ro ess n e tion
ed ndant A ess
egsv s egas
egsvr
oot it
ndll
ripting
igned inary ro y e tion igned ript ro y e tion and Tr st rovider i a ing
o t are a ing
pa e a ter ilena e
Ti esto p
Tr sted eveloper tilities
alid A o nts
eb ervi e
A o nt anip lation
as istory
r te or e
Credential ping
Credentials in iles
Credentials in egistry
ploitation or CredentialA ess
or ed A t enti ation
oo ing
np t Capt re
np t ro pt
Kerberoasting
Key ain
T oisoning
et or ni ing
ass ord ilter
rivate Keys
epli ation T ro g e ovable edia
e rityd e ory
T o a tor A t enti ation nter eption
A o nt is overy
Appli ation indo is overy
ro ser oo ar is overy
ile and ire tory is overy
et or ervi e anning
et or are is overy
ass ord oli y is overy
erip eral evi e is overy
er ission ro ps is overy
ro ess is overy
ery egistry
e ote yste is overy
e rity o t are is overy
yste n or ation is overy
yste et or Con ig ration is overy yste et or Conne tions is overy yste ner ser is overy
yste ervi e is overy
yste Ti e is overy
Apple ript
Appli ation eploy ent o t are istrib ted Co ponent b e t odel ploitation o e ote ervi es
ogon ripts
ass t e as
ass t e Ti et
e ote es top roto ol
e ote ile Copy
e ote ervi es
epli ation T ro g e ovable edia
ared ebroot
i a ing
Taint ared Content
T ird party o t are
indo s Ad in ares
indo s e ote anage ent
A dio Capt re
A to ated Colle tion
Clipboard ata
ata ro n or ation epositories
ata ro o al yste
ata ro et or ared rive
ata ro e ovable edia
ata taged
ail Colle tion
np t Capt re
an in t e ro ser
reen Capt re
ideo Capt re
A to ated iltration
ata Co pressed
ata n rypted
ata Trans er i e i its
iltration ver Alternative roto ol iltration ver Co andand Control C annel iltration ver t er et or edi iltration ver ysi al edi
ed led Trans er
Co only sed ort
Co ni ation T ro g e ovable edia
Conne tion ro y
C sto Co and andControl roto olC sto Cryptograp i roto ol
ata n oding
ata b s ation
o ain ronting
allba C annels
lti op ro y
lti tage C annels
ltiband Co ni ation
ltilayer n ryption
ort Kno ing
e ote A ess Tools
e ote ile Copy
tandard Appli ation ayer roto ol tandard Cryptograp i roto ol tandard on Appli ation ayer roto ol
n o only sed ort
eb ervi e
Comparing APT28 and APT29
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
APT28
APT29
Both groups
| 25 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
rive by Co pro ise
ploit bli a ingAppli ation
ard are Additions
epli ation T ro g e ovable edia
pearp is ing Atta ent
pearp is ing in
pearp is ing via ervi e
pply C ain Co pro ise
Tr sted elations ip
alid A o nts
Apple ript
C T
Co and ine nter a e
Control anel te s
yna i ata ange
e tion t ro g A
e tion t ro g od le oad ploitation or Client e tion
rap i al ser nter a e
nstall til
a n tl
o al ob ed ling
A river
s ta
o er ell
egsv s egas
egsvr
ndll
ed led Tas
ripting
ervi e e tion
igned inary ro y e tion igned ript ro y e tion
o r e
pa e a ter ilena e
T ird party o t are
Trap
Tr sted eveloper tilities
ser e tion
indo s anage ent nstr entation indo s e ote anage ent
.bas pro ile and .bas r
A essibility eat res
AppCert s
App nit s
Appli ation i ing
A t enti ation a age
T obs
oot it
ro ser tensions
C ange e a lt ileAsso iation
Co ponent ir are
Co ponent b e t odel i a ing
Create A o nt
ear rder i a ing
ylib i a ing
ternal e ote ervi es
ile yste er issions ea ness
idden iles and ire tories
oo ing
ypervisor
age ile e tion ptions n e tionKernel od les and tensions
a n Agent
a n ae on
a n tl
C A Addition
o al ob ed ling
ogin te
ogon ripts
A river
odi y isting ervi e
ets elper
e ervi e
i e Appli ation tart p
at nter eption
list odi i ation
ort Kno ing
ort onitors
. o on
e opened Appli ations
ed ndant A ess
egistry n Keys tart older
ed led Tas
reensaver
e rity pport rovider
ervi e egistry er issions ea ness
ort t odi i ation
and Tr st rovider i a ing
tart p te s
yste ir are
Ti e roviders
Trap
alid A o nts
eb ell
indo s anage ent nstr entation vent bs ription
inlogon elper
A ess To en anip lation
A essibility eat res
AppCert s
App nit s
Appli ation i ing
ypass ser A o nt Control
ear rder i a ing
ylib i a ing
ploitation or rivilege s alation tra indo e ory n e tion ile yste er issions ea ness
oo ing
age ile e tion ptions n e tion
a n ae on
e ervi e
at nter eption
list odi i ation
ort onitors
ro ess n e tion
ed led Tas
ervi e egistry er issions ea ness
et id and etgid
istory n e tion
tart p te s
do
do Ca ing
alid A o nts
eb ell
A ess To en anip lation
inary adding
T obs
ypass ser A o nt Control
Clear Co and istory
C T
Code igning
Co ponent ir are
Co ponent b e t odel i a ing
Control anel te s
C ado
eob s ate e ode iles or n or ation
isabling e rity Tools
ear rder i a ing
ide oading
ploitation or e ense vasion tra indo e ory n e tion
ile eletion
ile yste ogi al sets
ate eeper ypass
idden iles and ire tories
idden sers
idden indo
TC T
age ile e tion ptions n e tion
ndi ator lo ing
ndi ator e oval ro Tools
ndi ator e oval on ost
ndire t Co and e tion
nstall oot Certi i ate
nstall til
a n tl
C A i a ing
as erading
odi y egistry
s ta
et or are Conne tion e oval
T ile Attrib tes
b s ated iles or n or ation
list odi i ation
ort Kno ing
ro ess oppelg nging
ro ess ollo ing
ro ess n e tion
ed ndant A ess
egsv s egas
egsvr
oot it
ndll
ripting
igned inary ro y e tion igned ript ro y e tion and Tr st rovider i a ing
o t are a ing
pa e a ter ilena e
Ti esto p
Tr sted eveloper tilities
alid A o nts
eb ervi e
A o nt anip lation
as istory
r te or e
Credential ping
Credentials in iles
Credentials in egistry
ploitation or CredentialA ess
or ed A t enti ation
oo ing
np t Capt re
np t ro pt
Kerberoasting
Key ain
T oisoning
et or ni ing
ass ord ilter
rivate Keys
epli ation T ro g e ovable edia
e rityd e ory
T o a tor A t enti ation nter eption
A o nt is overy
Appli ation indo is overy
ro ser oo ar is overy
ile and ire tory is overy
et or ervi e anning
et or are is overy
ass ord oli y is overy
erip eral evi e is overy
er ission ro ps is overy
ro ess is overy
ery egistry
e ote yste is overy
e rity o t are is overy
yste n or ation is overy
yste et or Con ig ration is overy yste et or Conne tions is overy yste ner ser is overy
yste ervi e is overy
yste Ti e is overy
Apple ript
Appli ation eploy ent o t are istrib ted Co ponent b e t odel ploitation o e ote ervi es
ogon ripts
ass t e as
ass t e Ti et
e ote es top roto ol
e ote ile Copy
e ote ervi es
epli ation T ro g e ovable edia
ared ebroot
i a ing
Taint ared Content
T ird party o t are
indo s Ad in ares
indo s e ote anage ent
A dio Capt re
A to ated Colle tion
Clipboard ata
ata ro n or ation epositories
ata ro o al yste
ata ro et or ared rive
ata ro e ovable edia
ata taged
ail Colle tion
np t Capt re
an in t e ro ser
reen Capt re
ideo Capt re
A to ated iltration
ata Co pressed
ata n rypted
ata Trans er i e i its
iltration ver Alternative roto ol iltration ver Co andand Control C annel iltration ver t er et or edi iltration ver ysi al edi
ed led Trans er
Co only sed ort
Co ni ation T ro g e ovable edia
Conne tion ro y
C sto Co and andControl roto olC sto Cryptograp i roto ol
ata n oding
ata b s ation
o ain ronting
allba C annels
lti op ro y
lti tage C annels
ltiband Co ni ation
ltilayer n ryption
ort Kno ing
e ote A ess Tools
e ote ile Copy
tandard Appli ation ayer roto ol tandard Cryptograp i roto ol tandard on Appli ation ayer roto ol
n o only sed ort
eb ervi e
Comparing APT28 and APT29
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
Focus on shared techniques APT28
APT29
Both groups
| 26 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Tips for Using ATT&CK for Threat Intelligence
1. Choose a threat group relevant to your organization
2. Map their techniques to ATT&CK
– Or use existing mappings:
https://attack.mitre.org/groups/
https://pan-unit42.github.io/playbook_viewer/
3. Prioritize writing detections for those techniques
Then…
▪ Map many groups, focus on frequently seen techniques across groups
▪ For more info:
– https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f
| 27 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Adversary Emulation: How ATT&CK Can Help
▪ Focus your red team to emulate specific relevant adversaries
– Shows what your network looks like to real threats!
▪ ATT&CK can help you with adversary emulation and red teaming by…
– Focusing on known adversary behaviors
– Describing low-level TTP details that can be emulated
– Providing a common language to express tests and results
▪ Building out an ATT&CK-based adversary emulation program…
1. Try open source or commercial tools to get your feet wet
2. Track and mature what your red team is doing
3. Develop intentional adversary emulation plans based on CTI and detection
| 28 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Getting Started: Using Open Source Tools
▪ No red team? No problem!
▪ Defenders can try out red teaming tools to get your feet wet
– Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
– Red Team Automation: https://github.com/endgameinc/RTA
– CALDERA: https://github.com/mitre/caldera
| 29 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Bringing it Together: Gaps and Assessments
| 30 |
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Bringing it Together: Gaps and Assessments
| 31 |
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
We have some confidence we would detect Automated Exfiltration if executed
We have low confidence we would detect Data Encrypted if executed
We have high confidence we would detect Scheduled Transfer if executed
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Bringing it Together: Gaps and Assessments
| 32 |
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
Communicate capabilities with a common reference
Inform tooling purchases for biggest ROI
Identify data sources needed for detection
Knowledge of my detection gaps allows
me to…
Develop analytics targeting high-impact gaps
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
1. Look at the data sources you’re collecting
Tips For Understanding Your Coverage
| 33 |
Windows Admin Shareshttps://attack.mitre.org/techniques/T1077/
Apple ript
C T
Co and ine nter a e
Co piled T ile
Control anel te s
rap i al ser nter a e
nstall til
a n tl
s ta
o er ell
egsv s egas
egsvr
ndll
ed led Tas
ripting
ervi e e tion
igned inary ro y e tion
igned ript ro y e tion
o r e
Trap
ser e tion
indo s anage ent nstr entation
indo s e ote anage ent
ript ro essing
.bas pro ile and .bas r
Appli ation i ing
C ange e a lt ile Asso iation
Create A o nt
ear rder i a ing
ile yste er issions ea ness
idden iles and ire tories
Kernel od les and tensions
a n tl
C A Addition
odi y isting ervi e
e ervi e
i e Appli ation tart p
list odi i ation
ed led Tas
reensaver
ervi e egistry er issions ea ness
et id and etgid
ort t odi i ation
yste d ervi e
Trap
A ess To en anip lation
Appli ation i ing
ypass ser A o nt Control
ear rder i a ing
ile yste er issions ea ness
e ervi e
list odi i ation
ed led Tas
ervi e egistry er issions ea ness
et id and etgid
do Ca ing
A ess To en anip lation
ypass ser A o nt Control
C T
Co pile A ter elivery
Co piled T ile
Control anel te s
eob s ate e ode iles or n or ation
isabling e rity Tools
ear rder i a ing
ile eletion
ile er issions odi i ation
idden iles and ire tories
ndi ator lo ing
ndi ator e oval ro Tools
ndi ator e oval on ost
ndire t Co and e tion
nstall til
a n tl
odi y egistry
s ta
et or are Conne tion e oval
T ile Attrib tes
b s ated iles or n or ation
list odi i ation
egsv s egas
egsvr
ndll
ripting
igned inary ro y e tion
igned ript ro y e tion
Ti esto p
irt ali ation andbo vasion
ript ro essing
as istory
Credential ping
Credentials in iles
Credentials in egistry
np t ro pt
A o nt is overy
Appli ation indo is overy
ro ser oo ar is overy
o ain Tr st is overy
ile and ire tory is overy
et or ervi e anning
et or are is overy
ass ord oli y is overy
er ission ro ps is overy
ro ess is overy
ery egistry
e ote yste is overy
e rity o t are is overy
yste n or ation is overy
yste et or Con ig ration is overy yste et or Conne tions is overy
yste ner ser is overy
yste ervi e is overy
yste Ti e is overy
irt ali ation andbo vasion
Apple ript
indo s Ad in ares
indo s e ote anage ent
A to ated Colle tion
ata ro o al yste
ata ro et or ared rive
ata ro e ovable edia
ata taged
ata Co pressed
ata n rypted
p
ata estr tion
ata n rypted or pa t
is Content ipe
n ibit yste e overy
ervi e top
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
1. Look at the data sources you’re collecting
2. Map your analytics to ATT&CK techniques they might detect
Tips For Understanding Your Coverage
| 34 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
1. Look at the data sources you’re collecting
2. Map your analytics to ATT&CK techniques they might detect
3. Map your tools to ATT&CK
– Read documentation
– Ask the vendor!
4. Find reports of prior activity
– What have you caught?
– What did you find a post-mortem?
5. Talk to your teams!
– Ask your red teams their favorite TTPs
– Ask your hunters what they struggle with
– Ask your IR team what they’ve seen
Tips For Understanding Your Coverage
| 35 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Following Up On Gaps: Prioritized Remediation
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Prioritizing Remediations: Examples
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Prioritizing Remediations: Examples
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
Focus on Exploit Public-Facing Application and Data Content Wipeas they can have significant impact to operations
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Prioritizing Remediations: Examples
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
Command-Line Interface, Credential Dumping, and Standard Application Layer Protocol are popular techniques and can give the biggest
return on investment
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Prioritizing Remediations: Examples
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
Startup Items, InstallUtil, and System Time Discovery are used by threat actors most relevant to your network
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Prioritizing Remediations: Examples
LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
Existing logs can be used to detect Remote File Copy and Data From Removable Media, making analytic development easier
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Remediating Gaps: Tips for Prioritization
1. Small lists of techniques are great for short-term wins
2. Follow one of two paradigms:
– A technique or two across tactics, or
– Many techniques in one tactic
3. Focus on techniques that are immediately relevant
– Are they used by relevant threat actors?
– Are they popular or frequently occurring?
– Are they easy to execute and do they enable more techniques?
– Are the necessary logs readily accessible?
| 42 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Closing Thoughts
| 43 |
Long-Term Integration
Tune or Acquire New
Defenses
Assess Defensive Coverage
Identify High Priority
Gaps
| 44 |
Assessments and
Engineering
Adversary Emulation Exercises
• Threat intelligence• Sightings data• Relevant threat models
• Writing detections• ATT&CK evaluations• Public resources
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.
Links and Contact
▪ Andy Applebaum
– @andyplayse4
▪ ATT&CK
– https://attack.mitre.org
– @MITREattack
▪ Data + Code
– https://github.com/mitre/cti (STIX data)
– https://github.com/mitre-attack (code)
▪ CALDERA
– https://github.com/mitre/caldera
▪ ATT&CK-based Product Evals
– https://attackevals.mitre.org/
▪ ATT&CKcon
– https://www.mitre.org/attackcon
▪ Blog
– https://medium.com/mitre-attack
| 45 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.