module 1: introducing the training and … workshop...module 1: introducing the training and...
TRANSCRIPT
Module 1:Introducing the Training and
Understanding ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Using MITRE ATT&CK™ for Cyber Threat Intelligence
Training
Katie Nickels and Adam Pennington
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview
▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti
▪ Module 1: Introducing training and understanding ATT&CK
A. Topic introduction (Video)
▪ Module 2: Mapping to ATT&CK from finished reporting
A. Topic introduction (Video)
B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 2 (Video)
▪ Module 3: Mapping to ATT&CK from raw data
A. Topic introduction (Video)
B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 3 (Video)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview
▪ Module 4: Storing and analyzing ATT&CK-mapped intel
A. Topic introduction (Video)
B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 4 (Video)
▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
A. Topic introduction (Video)
B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 5 and wrap-up (Video)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
Introduction to ATT&CK and Applying it to CTI
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Tough Questions for Defenders
▪How effective are my defenses?
▪Do I have a chance at detecting APT29?
▪ Is the data I’m collecting useful?
▪Do I have overlapping tool coverage?
▪Will this new product help my organization’s defenses?
| 8 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
| 9 |
What is
?A knowledge base of adversary behavior
➢ Based on real-world observations➢ Free, open, and globally accessible➢ A common language➢ Community-driven
The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
TTPs
Tools
Network/ Host Artifacts
Domain Names
IP Addresses
Hash Values
•Tough!
•Challenging
•Annoying
•Simple
•Easy
•Trivial
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
© 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019.
Command and Control
Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over Alternative Protocol
Exfiltration Over Physical Medium
Scheduled Transfer
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Lateral Movement
AppleScript
Application Deployment Software
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Credential Access Discovery
Network Sniffing
Account Manipulation Account Discovery
Bash History Application WindowDiscoveryBrute Force
Credential Dumping Browser Bookmark DiscoveryCredentials in Files
Credentials in Registry Domain Trust Discovery
Exploitation forCredential Access
File and Directory Discovery
Network Service Scanning
Forced Authentication Network Share Discovery
Hooking Password Policy Discovery
Input Capture Peripheral Device Discovery
Input Prompt Permission Groups Discovery
Kerberoasting Process Discovery
Keychain Query Registry
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery
Security Software Discovery
Password Filter DLL System InformationDiscoveryPrivate Keys
Securityd Memory System Network Configuration Discovery
Two-Factor AuthenticationInterception
System Network Connections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Execution Persistence Privilege Escalation Defense Evasion
Scheduled Task Binary Padding
Launchctl Access Token Manipulation
Local Job Scheduling Bypass User Account Control
LSASS Driver Extra Window Memory Injection
Trap Process Injection
AppleScript DLL Search Order Hijacking
CMSTP Image File Execution Options Injection
Command-Line Interface Plist Modification
Compiled HTML File Valid Accounts
Control Panel Items Accessibility Features BITS Jobs
Dynamic Data Exchange AppCert DLLs Clear Command History
Execution through API AppInit DLLs CMSTP
Execution through Module Load
Application Shimming Code Signing
Dylib Hijacking Compiled HTML File
Exploitation for Client Execution
File System Permissions Weakness Component Firmware
Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon
InstallUtil New Service Control Panel Items
Mshta Path Interception DCShadow
PowerShell Port Monitors Deobfuscate/Decode Filesor InformationRegsvcs/Regasm Service Registry Permissions Weakness
Regsvr32 Setuid and Setgid Disabling Security Tools
Rundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails
Service Execution .bash_profile and .bashrc Exploitation for Privilege Escalation
Exploitation for Defense Evasion
Signed Binary Proxy Execution
Account Manipulation
Authentication Package SID-History Injection File Deletion
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions ModificationBootkit Sudo Caching
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Systemd Service Rundll32
Time Providers Scripting
Windows Management Instrumentation Event
Subscription
Signed Binary Proxy Execution
Signed ScriptProxy ExecutionWinlogon Helper DLL
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Te
ch
niq
ue
s:
ho
w t
he
go
als
are
a
ch
iev
ed
Procedures: Specific technique implementation
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
ATT&CK Use Cases
Threat Intelligenceprocesses = search Process:Createreg = filter processes where (exe == "reg.exe" and parent_exe== "cmd.exe")cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect , prevent ,
and/ or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
abl in
g s
ecu
rity
to
ols
explo
itatio
n f
or
clie
nt
exe
cu
tio
n
ind
icato
r re
moval fr
om
to
ols
spea
rphis
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e d
elet
ion
grap
hica
l use
r in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_l
oad_
dylib
add
ition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor au
thenticatio
n interception
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entica
tion p
acka
ge
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
rive
r
pow
ers
he
ll
reg
svr3
2
sip
and
trust p
rovid
er h
ijackin
g
se
curity
su
pp
ort p
rovid
er
tim
e p
rovi d
ers
bin
ary
pa
dd
ing
custo
m c
ryp
tog
rap
hic
pro
toco
l
fallb
ack c
hannels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encr
yption
obfu
scate
d file
s o
r in
form
atio
n
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
prom
ise
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork sn
iffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
scate
d file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
an
d tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect, prevent ,
and/ or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
ablin
g s
ecu
rity
to
ols
explo
itatio
n for
clie
nt
executio
n
ind
icato
r re
moval fr
om
to
ols
spearp
his
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e de
letio
ngr
aphi
cal u
ser in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_loa
d_dy
lib a
ddition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor authe
ntication intercep
tion
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entica
tion p
ack
age
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
river
pow
ers
hell
regsvr3
2
sip
an
d tru
st p
rovid
er h
ijackin
g
se
curi ty
su
pp
or t p
rovid
er
t im
e p
rovid
ers
bin
ary
padd
ing
custo
m c
rypto
gra
phic
pro
tocol
fallb
ack c
hannels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encry
ption
obfu
scate
d file
s o
r in
form
atio
n
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
prom
ise
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork
sniffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
scate
d file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
an
d tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
MITRE ATT&CK™
Techniques Mapped to Data Sourc es
About This Diagram
How can I use data I already have to get started w ith ATT&CK?
MITRE
MITRE
MITRE ATT&CK™
Resources
To help cyber defenders gain a common understanding
of the threats they face, MITRE developed the ATT&CK
framework. It ’s a globally-accessible knowledge base of
adversary tact ics and t echniques based on real world
observat ions and open source research contributed by
the cyber community.
Used by organizat ions around the world, ATT&CK
provides a shared understanding of adversary tact ics,
techniques and procedures and how to detect , prevent ,
and/or mit igate them.
ATT&CK is open and available to any person or
organizat ion for use at no charge.
For sixty years, MITRE has tackled complex problems
that challenge public saf ety, stability, and well-being.
Pioneering together with the cyber community, we’re
building a stronger, threat-informed defense for a
safer world.
ATT&CK™
EnterpriseFramework
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analyt ics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and
processes—and then fix them.
Get St art ed w it h ATT&CK
at tack.mit re.org
• Access ATT&CK technical informat ion
• Cont ribute to ATT&CK
• Follow our b log
• W atch ATT&CK presentat ions
@MITREat tack
Follow us on Tw it ter for the
latest news
at tackevals.mit re.org
MITRE ATT&CK Evaluat ions
Legend
APT28
APT29
Both
LegendLow Priority
High Priority
Comparing APT28 to APT29
Find ing Gaps in Defense
One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK
techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,
we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and
analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific
adversary examples you can use t o start detect ing adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application DeploymentSoftware
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication ThroughRemovable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows RemoteManagement
Commonly Used Port
Communication ThroughRemovable Media
Connection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain GenerationAlgorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application LayerProtocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted DataManipulation
Audio Capture
Automated Collection
Clipboard Data
Data from InformationRepositories
Data from Local System
Data from NetworkShared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-FacingApplication
External Remote Services
Hardware Additions
Replication ThroughRemovable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed BinaryProxy Execution
Signed ScriptProxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change DefaultFile Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object ModelHijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Filesor Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation forDefense Evasion
File Deletion
File PermissionsModification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation forPrivilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation forCredential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoningand Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor AuthenticationInterception
Account Discovery
Application WindowDiscovery
Browser BookmarkDiscovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service Discovery
System Time Discovery
Virtualization/SandboxEvasion
data loss prevention
dll monitoring
kernel driversloaded d
lls
malw
are
reve
rse e
ngin
eering
netw
ork
device lo
gs
network intrusion detection system
ssl/tls inspection
system calls
win
dow
s eve
nt lo
gs
anti-v
irus
dis
ab
li ng
se
curi
ty t
oo
ls
exp
loita
tio
n fo
r clie
nt exe
cution
indic
ato
r re
moval fr
om
tools
spe
arp
his
hin
g v
ia s
erv
ice
tem
pla
te inje
ction
user
execution
web s
hell
bin
ary
paddin
gco
de s
ignin
gco
ntrol p
anel i
tem
s
data
com
pre
ssed
data
encr
ypte
dfil
e de
letio
ngr
aphi
cal u
ser in
terfac
e
hook
ing
indi
cato
r rem
oval
from
tool
s
lc_l
oad_
dylib
add
ition
lc_m
ain
hija
ckin
g
masq
ueradin
g
obfusc
ated fi
les
or info
rmatio
n
redundant a
ccess
rundll3
2
software packing
third-party
software
time providers
automated collection
communication through removable media
data from information repositories
exfiltration over physical medium
hardware additions
replication through removable media
authentication package
component object model hijacking
control panel items
dll search order hijacking
distributed component object modeldynamic data exchange
execution through module loadhooking
lsass driver
netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking
security support provider
time providers
xsl script processing
data encrypted for impact
disk content wipe
disk structure wipe
input capture
lsass driver
ntfs file attributes
two-factor authen
tication in
terceptio
n
appce
rt dlls
appin
it dlls
applica
tion sh
imm
ing
auth
entic
atio
n p
ack
age
com
ponent o
bje
ct m
odel h
ijackin
g
dll s
ide-lo
adin
g
hookin
g
lsass d
river
pow
ers
hell
regsvr3
2
sip
an
d tru
st p
rovid
er h
ijackin
g
se
curity
sup
po
rt pro
vi d
er
t im
e p
rovi d
ers
bin
ary
padd
ing
custo
m c
rypto
gra
ph
ic p
roto
col
fallb
ack c
han
nels
lc_m
ain
hija
ckin
g
multib
and c
om
munic
ation
multila
yer
encry
ption
obfu
scate
d file
s or
info
rmation
standard
applic
atio
n la
yer
pro
toco
l
standard
cry
pto
gra
phic
pro
toco
l
dom
ain
genera
tion a
lgorith
ms
driv
e-by
com
pro
mis
e
endp
oint
den
ial o
f ser
vice
forc
ed a
uthe
ntic
atio
n
mul
ti-st
age
chan
nels
netw
ork
deni
al o
f ser
vice
netw
ork sn
iffing
reso
urce
hija
ckin
g
cust
om c
omm
and and c
ontrol p
roto
col
drive-b
y com
prom
ise
endpoint denial o
f service
network denial o
f service
obfuscated files or in
formatio
n
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain frontingdrive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cmstp
control panel items
create account
distributed component object m
odel
dynamic data exchange
file permissions m
odification
group policy modification
hookin
g
image file
exe
cutio
n o
ptio
ns in
jectio
n
indica
tor re
mova
l on h
ost
indire
ct com
mand e
xecu
tion
inhib
it system
reco
very
kerb
ero
astin
g
llmnr/n
bt-n
s p
ois
onin
g a
nd re
lay
modify
regis
try
new
serv
ice
obfu
sca
ted file
s o
r info
rmatio
n
sid
-his
tory
inje
ctio
n
sip
and tru
st p
rovid
er h
ijackin
g
sch
ed
ule
d ta
sk
bin
ary
file
met
adat
a
ATT&CK and CTI
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Threat Intelligence – How ATT&CK Can Help
▪ Use knowledge of adversary behaviors to inform defenders
▪ Structuring threat intelligence with ATT&CK allows us to…
– Compare behaviors
▪ Groups to each other
▪ Groups over time
▪ Groups to defenses
– Communicate in a common language
| 21 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Communicate to Defenders
CTI Analyst Defender
Registry Run Keys / Startup Folder
(T1060)THIS is what the adversary is doing! The Run key is AdobeUpdater.
Oh, we have Registry data, we can detect that!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Communicate Across the Community
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
CTI Consumer
Registry Run Keys / Startup Folder
(T1060)
Oh, you mean T1060!
APT1337 is using autorun
FUZZYDUCK used a Run key
Company A
Company B
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
End of Module 1
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 2:Mapping to ATT&CK from a Finished Report
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
Why is it Difficult to Map CTI to ATT&CK?
▪ Requires a shift in analyst thinking
– Indicators → behaviors
▪ Volume of ATT&CK techniques
▪ “Technical” detail of some ATT&CK techniques
But it’s worthwhile because this process…▪ Forces analysts to shift to thinking about behaviors
▪ Allows them to learn about new adversary techniques
▪ Pushes them to learn the “technical” side
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Mapping to ATT&CK
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
Two key sources for where you get information:
1. Finished reporting
2. Raw data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
0. Understand ATT&CK
▪ You need to know what to look for before you can do this
▪ To get analysts started:
– Watch an ATT&CK presentation like Sp4rkcon
– Read the Philosophy Paper and items from our Getting Started page
– Read the Tactic descriptions
– Skim the Technique list
▪ Encourage ongoing learning and discussion
– Have analysts present a technique a week in your team training
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
1. Find the Behavior
▪ Different mindset from looking for indicators
▪ Look for what the adversary or software does
▪ Focus on initial compromise and post-compromise details
– Info that may not be useful for ATT&CK mapping:
▪ Static malware analysis
▪ Infrastructure registration information
▪ Industry/victim targeting information
1. Find the Behavior
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
[Tactic] | 1. [Technique] [Tactic] | 2. [Technique]
2. Research the Behavior
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
▪ CTI analysts may not be familiar with adversary/software behavior
▪ Encourage them to do additional research:
– Of your own team or organization (defenders/red teamers)
– Of external resources
▪ Time-consuming, but builds better analysts
▪ Understanding of core behavior helps with next steps
2. Research the Behavior
https://en.wikipedia.org/wiki/SOCKS
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior
https://www.speedguide.net/port.php?port=1913?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Translate the Behavior into a Tactic
▪ What is the adversary trying to accomplish?
▪ Often requires domain expertise
– Finished intel can give you context
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
▪ Only 12 options:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defense Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Command and Control
– Exfiltration
– Impact
3. Translate the Behavior into a Tactic
▪ “When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. … Once the connection to the server is established, the malware expects a message containing at least three bytes from the server. These first three bytes are the command identifier. The following commands are supported by the malware … “
– A connection in order to command the malware to do something → Command and Control
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies
▪ Often the toughest part
▪ Not every behavior is necessarily a technique
▪ Key strategies:
1. Look at the list of Techniques for the identified Tactic
2. Search attack.mitre.org
▪ Try key words
▪ Try “procedure”-level detail
▪ Try specific command strings
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies
Protocol vs.
Port
→ 2 techniques?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies
“the malware first establishes a SOCKS5 connection”
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies
“establishes a SOCKS5 connection to
192.157.198.103 using TCP port 1913”
“CTRL+ F” FTW
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Rinse and Repeat
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Privilege Escalation | 3. Exploitation for Privilege Escalation (T1068)Execution | 4. Command-Line Interface (T1059)
Discovery | 5. System Owner/User Discovery (T1033)
Persistence – | 6. Scheduled Task (T1053)
Command and Control | 1. Standard Non-Application Layer Protocol (T1095)Command and Control |
2. Uncommonly Used Port (T1065)
Exercise 2: Cybereason Cobalt Kitty Report
▪ Analyze a threat report to find the Enterprise ATT&CK techniques
– 22 highlighted techniques in the Cybereason Cobalt Kitty report
▪ Choose a PDF from attack.mitre.org/training/cti under Exercise 2
– Choose your own adventure: start with “highlights only” or “tactic hints”
▪ Use the PDF or a text document/piece of paper to record your results
▪ Write down the ATT&CK tactic and technique you think applies to each highlight
▪ Tips:
– Do keyword searches of our website: https://attack.mitre.org
– Remember that you don’t have to be perfect
– Use this as a chance to dive into ATT&CK
▪ Please pause. We suggest giving yourself 30 minutes for this exercise.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 2 Optional Bonus Step:Compare your results to other analysts
▪ Step 5 of the process: Compare your results to other analysts
▪ Helps hedge against analyst biases
– More likely to identify techniques you’ve previously identified
Analyst 1 Analyst 2
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Command-Line Interface (T1059)
System Owner/User Discovery (T1033)
Scheduled Task (T1053)
Uncommonly Used Port (T1065)
Multi-Stage Channels (T1104)
Exploitation for Privilege Escalation (T1068)
Command-Line Interface (T1059)
Scheduled Task (T1053)
Uncommonly Used Port (T1065)
Custom Command and Control Protocol (T1094)Standard Non-Application Layer Protocol (T1095)
Discuss why it’s different
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Finishing Exercise 2 (Optional Bonus Step)
▪ Now, compare your answers to another analyst’s answers
▪ Compare what you each had for each technique answer
– Discuss where there are differences – why did you have different answers?
– It’s okay to disagree!
▪ Please pause. We suggest giving yourself 10 minutes for this part of the exercise. If you do not have other analysts to discuss your answers with, you may advance to the next portion.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over the Exercise – Cybereason Report
▪ Think about:
– What were the easiest & hardest techniques to identify?
– How did you identify each technique?
– What challenges did you have? How did you address them?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Cybereason Cobalt Kitty Report
1. Two types of payloads were found in the spear-phishing emails … link to a malicious site
– Initial Access - Spearphishing Link (T1192)
2. Two types of payloads were found in the spear-phishing emails … Word documents
– Initial Access - Spearphishing Attachment (T1193)
3. Two types of payloads were found in the spear-phishing emails … Word documents with malicious macros
– Defense Evasion/Execution – Scripting (T1064)
4. Two types of payloads were found in the spear-phishing emails
– Execution – User Execution (T1204)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report
5.
– Execution - Command-Line Interface (T1059)
6. The two scheduled tasks are created on infected Windows
– Execution/Persistence - Scheduled Task (T1053)
7. schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr"mshta.exe about:'<script language=\"vbscript\“…
– Execution/Defense Evasion - Mshta (T1170)
8. That downloads and executes an additional payload from the same server
– Command and Control - Remote File Copy (T1105)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report
9.
– Execution - PowerShell (T1086)
10. it will pass an obfuscated and XOR’ed PowerShell payload to cmd.exe
– Defense Evasion - Obfuscated Files or Information (T1027)
11. The attackers used trivial but effective persistence techniques .. Those techniques consist of: Windows Registry Autorun
– Persistence - Registry Run Keys / Startup Folder (T1060)
12. the attackers used NTFS Alternate Data Stream to hide their payloads
– Defense Evasion - NTFS File Attributes (T1096)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report
13 & 14. The attackers created and/or modified Windows Services
– Persistence – New Service (T1050)
– Persistence – Modify Existing Service (T1031)
15 & 16. The attackers used a malicious Outlook backdoor macro … edited a specific registry value to create persistence
– Persistence – Office Application Startup (T1137)
– Defense Evasion – Modify Registry (T1112)
17. The attackers used different techniques and protocols to communicate with the C&C servers … HTTP
– Command and Control - Standard Application Layer Protocol (T1071)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report
18. :80 (in traffic from compromised machine to C&C server)
– Command and Control - Commonly Used Port (T1043)
19 & 20. The attackers downloaded COM scriptlets using regsvr32.exe
– Command and Control - Remote File Copy (T1105)
– Execution - Regsvr32 (T1117)
21. binary was renamed “kb-10233.exe”, masquerading as a Windows update
– Defense Evasion - Masquerading (T1036)
22. network scanning against entire ranges…looking for open ports…
– Discovery - Network Service Scanning (T1046)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
https://cybr.ly/cobaltkitty
Optional Exercise 2 Bonus Report
▪ If you’d like more practice mapping finished reporting to ATT&CK, work through the FireEye APT39 report in the same manner. The PDF is available at attack.mitre.org/training/cti under Exercise 2. (No tactic hints option this time!)
▪ Answers are provided in a separate PDF.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Skipping Steps in the Process
Once you’re experienced, you maybe able to skip steps
…but this increases your bias
…and it won’t work every time
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
Sometimes
we jump
directly here
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
End of Module 2
Module 3:Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
Mapping to ATT&CK from Raw Data
▪ So far, working from intel where activity has already been analyzed
▪ Analysis of techniques/behaviors directly from source data
– Likely more information available at the procedure level
– Not reinterpreting another analyst’s prose
– Greater knowledge/expertise required to interpret intent/tactic
▪ Broad set of possible data can contain behaviors
– Shell commands, malware, forensic disk images, packets
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Mapping to ATT&CK
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ipconfig /all
sc.exe \\ln334656-pc create
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old
C:\$Recycle.Bin\Shockwave_network.vsdxCommands captured by Sysmon being run interactively via cmd.exe
10.2.13.44:32123 -> 128.29.32.4:443
128.29.32.4:443 -> 10.2.13.44:32123
Flows from malware in a sandbox
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Netsh
New reg keys during an incident
1. Find the Behavior
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior
▪ Can be similar to analysis of finished reporting for raw data
▪ May require expertise in the specific data type
– Network, forensics, malware, Windows cmd line, etc
▪ May require multiple data sources, more context
– Additional questions to responders/analysts
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old
C:\$Recycle.Bin\Shockwave_network.vsdx
– Can make some educated guesses, but not enough context
File analysis:
When recycler.exe is executed, it gives the following output:
C:\recycler.exe
RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007
Shareware version Type RAR -? for help
– Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old
C:\$Recycle.Bin\Shockwave_network.vsdx
And the file being compressed/encrypted is a Visio diagram, probably exfiltration
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Translate the Behavior into a Tactic
ipconfig /all
– Specific procedure only mapped to System Network Configuration Discovery
– System Network Configuration Discovery -> Discovery✅
– Seen being run via Sysmon -> Execution
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old
C:\$Recycle.Bin\Shockwave_network.vsdx
– We figured out researching this that “vsdx” is Visio data
– Moderate confidence Exfiltration, commands around this could make clearer
– Seen being run via Sysmon -> Execution
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies
▪ Similar to working with finished reporting we may jump straight here
– Procedure may map directly to Technique/Tactic
– May have enough experience to compress steps
ipconfig /all
– Specific procedure in System Network Configuration Discovery (T1016)
– Also Command-Line Interface (T1059)
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old
C:\$Recycle.Bin\Shockwave_network.vsdx
– We figured out researching this that “a –hp” compresses/encrypts
– Appears to be Data Compressed (T1002) and Data Encrypted (T1022)
– Also Command-Line Interface (T1059)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Concurrent Techniques
▪ Don’t just think of what’s happening – think of how it’s happening
▪ Certain tactics commonly have concurrent techniques:
– Execution
– Defense Evasion
– Collection
▪ Examples:
– Data Compressed + Data Encrypted (2x Exfiltration)
– Spearphishing Attachment + User Execution (Initial Access + Execution)
– Data from Local System + Email Collection (2x Collection)
– Process Discovery + Command-Line Interface (Discovery + Execution)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Different Types of Techniques
▪ Not all techniques are created equal!
– Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
▪ Some are specific
– Rundll32
– Netsh Helper DLL
▪ Some are broad
– Scripting
– Obfuscated Files or Information
▪ Some capture “how” the behavior occurs
– Masquerading
– Data Transfer Size Limits
– Automated Collection©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Compare Your Results to Other Analysts
▪ Same caveats about hedging biases
▪ May need a broader set of skills/experience to work with types of data
Analyst 1 Analyst 2
• Packets
• Malware/Reversing
• Windows command line
• Windows Events
• Disk forensics
• macOS/Linux
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Pros/cons of Mapping from the Two Different Sources
Step Raw Finished
Find the behavior Nearly everything may be a
behavior (not all ATT&CK)
May be buried amongst prose, IOCs, etc
Research the behavior May need to look at multiple
sources, data types. May also
be a known procedure
May have more info/context, may also
have lost detail in writing
Translate the behavior into a
tactic
Have to map to adversary
intent, need domain
knowledge/expertise
Often intent has been postulated by report
author
Figure out what technique
applies to the behavior
May have a procedure that
maps straight to technique, or
may require deep
understanding to understand
how accomplished
May be as simple as a text match to
description/procedure, or may be too
vague to tell
Compare your results to other
analysts
May need multiple analysts to
cover all data sources
More likely in a form where other analysts
needed for coverage/hedge against bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 3: Working with raw data
▪ You’re going to be examining two tickets from a simulated incident
▪ Ticket 473822
– Series of commands interactively executed via cmd.exe on an end system
▪ Ticket 473845
– Pieces of a malware analysis of the primary RAT used in the incident
▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3
▪ Use whatever to record your results or download and edit
▪ Identify as many behaviors as possible
▪ Annotate the behaviors that are ATT&CK techniques
▪ Please pause. We suggest giving yourself 25 minutes for this exercise.©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise Questions
▪ What questions would you have asked of your incident responders?
▪ What was easier/harder than working with finished reporting?
▪ What other types of data do you commonly encounter with behaviors?
▪ Did you notice any behaviors that you couldn’t find a technique for?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473822)
ipconfig /all
arp -a
echo %USERDOMAIN%\%USERNAME%
tasklist /v
sc query
systeminfo
net group "Domain Admins" /domain
net user /domain
net group "Domain Controllers" /domain
netsh advfirewall show allprofiles
netstat -ano
System Network Configuration Discovery (T1016)
System Network Configuration Discovery (T1016)
System Owner / User Discovery (T1033)
Process Discovery (T1057)
System Service Discovery (T1007)
All are Execution - Command-Line Interface (T1059)
System Information Discovery (T1082)
Permission Groups Discovery (T1069)
Account Discovery (T1087)
Remote System Discovery (T1018)
System Network Configuration Discovery (T1016)
System Network Connections Discovery (T1049)
Dis
co
very
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473845)
C2 protocol is base64 encoded commands over https. The RAT beacons every
30 seconds requesting a command.
UPLOAD file (upload a file server->client)
DOWNLOAD file (download a file client->server)
SHELL command (runs a command via cmd.exe)
PSHELL command (runs a command via powershell.exe)
EXEC path (executes a PE at the path given via CreateProcess)
SLEEP n (skips n beacons)
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool
REG_SZ "C:\Windows\System32\winspool.exe"
Execution - Command-Line Interface (T1059)
Execution - Powershell (T1086)
Execution - Execution through API (T1106)
Command and Control - Commonly Used Port (T1043)
Command and Control - Data Encoding (T1132)
Command and Control - Standard Application Layer Protocol (T1071)
Defense Evasion - Masquerading (T1036)
Persistence - Registry Run Keys (T1060)
Command and Control – Remote File Copy (T1105)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
From Raw Data to Finished Reporting with ATT&CK
▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting
▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context
– Allows other analysts to examine the mapping for themselves
– Allows much easier capture of how a technique was done
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Finished Reporting Examples
During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2.
1. Discovery – System Network Configuration Discovery (T1016)
2. Execution – Command-Line Interface (T1059)
System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell.
Instead of
Appendix C – ATT&CK Techniques
▪ System Network Configuration Discovery
▪ Command-Line Interface
▪ Hardware Additions©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
End of Module 3
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 4:Storing and Analyzing ATT&CK-Mapped Data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
Considerations When Storing ATT&CK-Mapped Intel
▪ Who’s consuming it?
– Human or machine?
– Requirements?
▪ How will you provide context?
– Include full text?
▪ How detailed will it be?
– Just a Technique, or a Procedure?
– How will you capture that detail? (Free text?)
▪ How will you link it to other intel?
– Incident, group, campaign, indicator…
▪ How will you import and export data?
– Format?©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
The community is still
figuring this out!
Ways to Store and Display ATT&CK-Mapped Intel
¯\_(ツ)_/¯
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Ways to Store and Display ATT&CK-Mapped Intel
Courtesy of Alexandre Dulaunoy
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Ways to Store and Display ATT&CK-Mapped Intel
Courtesy of Alexandre Dulaunoy
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Ability to link to indicators
and files
Ways to Express and Store ATT&CK-Mapped Intel
https://www.anomali.com/blog/weekly-threat-briefing-google-spots-attacks-exploiting-ios-zero-day-flaws
…
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Techniques at the
end of a report
Ways to Express and Store ATT&CK-Mapped Intel
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Techniques at the end of a report
Ways to Express and Store ATT&CK-Mapped Intel
https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global-threat-report-blurring-the-lines-between-statecraft-and-tradecraft/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Techniques at the
beginning of a report
Ways to Express and Store ATT&CK-Mapped Intel
https://www.digitalshadows.com/blog-and-research/mitre-attck-and-the-mueller-gru-indictment-lessons-for-organizations/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Adding additional
info to an ATT&CK
technique
Ways to Express and Store ATT&CK-Mapped Intel
https://www.recordedfuture.com/mitre-attack-framework/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
With
timestamps
Ways to Express and Store ATT&CK-Mapped Intel
https://pan-unit42.github.io/playbook_viewer/©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Machine readable
Linking techniques to indicators
Ways to Express and Store ATT&CK-Mapped Intel
https://attack.mitre.org/groups/G0007/
What else could we do?
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Credential Dumping
(T1003)
Full-Text Report ATT&CK Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
Process of Applying ATT&CK to CTI
So now we have some ATT&CK-mapped intel…
What can we do with it?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
Persistence
.bash profile and .bashrc
Accessibility eatures
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tart older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
Replication ThroughRemovable Media
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
APT28 Techniques*
*from open source reporting we’ve mapped
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
Persistence
.bash profile and .bashrc
Accessibility eatures
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tart older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
Replication ThroughRemovable Media
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
APT29 Techniques
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
Persistence
.bash profile and .bashrc
Accessibility eatures
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tart older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
Replication ThroughRemovable Media
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
Comparing APT28 and APT29
Initial
AccessExecution Persistence
Privilege
Escalation
Defense
Evasion
Credential
AccessDiscovery
Lateral
MovementCollection Exfiltration
Command
and Control
Overlay known gaps
APT28
APT29
Both groups
ATT&CK Navigator
▪ One option for getting started with storing and analyzing in a simple way
▪ Open source (JSON), so you can customize it
▪ Allows you you visualize data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ATT&CK Navigator Demo Video
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4
– Step-by-step instructions are in the “Comparing ayers in Navigator”
– Techniques are listed in the “A T 9 and Cobalt itty techniques”
1. Open ATT&CK Navigator: http://bit.ly/attacknav
2. Enter techniques from APT39 and Cobalt Kitty/OceanLotus into separate Navigator layers with a unique score for each layer’s techniques
3. Combine the layers in Navigator to create a third layer
4. Make your third layer look pretty
5. Make a list of the techniques that overlap between the two groups
▪ Please pause. We suggest giving yourself 15 minutes for this exercise.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Compiled TM ile
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
cript rocessing
Persistence
.bash profile and .bashrc
Accessibility eatures
Account Manipulation
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tartup older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
etuid and etgid
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Compiled TM ile
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ermissions Modification
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Template In ection
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
cript rocessing
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
Network niffing
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Compiled TM ile
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
cript rocessing
Persistence
.bash profile and .bashrc
Accessibility eatures
Account Manipulation
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tartup older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
etuid and etgid
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Compiled TM ile
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ermissions Modification
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Template In ection
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
cript rocessing
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
Network niffing
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
Initial Access
rive by Compromise
xploit ublic acingApplication
ardware Additions
Replication ThroughRemovable Media
pearphishing Attachment
pearphishing ink
pearphishing via ervice
upply Chain Compromise
Trusted Relationship
alid Accounts
Execution
Apple cript
CM T
Command ine Interface
Compiled TM ile
Control anel Items
ynamic ata xchange
xecution through A I
xecution through Module oad xploitation for Client xecution
raphical ser Interface
Install til
aunchctl
ocal ob cheduling
A river
Mshta
ower hell
Regsvcs Regasm
Regsvr
Rundll
cheduled Task
cripting
ervice xecution
igned inary roxy xecution igned cript roxy xecution
ource
pace after ilename
Third party oftware
Trap
Trusted eveloper tilities
ser xecution
Windows ManagementInstrumentationWindows RemoteManagement
cript rocessing
Persistence
.bash profile and .bashrc
Accessibility eatures
Account Manipulation
AppCert s
AppInit s
Application himming
Authentication ackage
IT obs
ootkit
rowser xtensions
Change efault ileAssociation
Component irmware
Component b ect Model i acking
Create Account
earch rder i acking
ylib i acking
xternal Remote ervices
ile ystem ermissionsWeakness
idden iles and irectories
ooking
ypervisor
Image ile xecution ptionsIn ection ernel Modules and xtensions
aunch Agent
aunch aemon
aunchctl
C A I Addition
ocal ob cheduling
ogin Item
ogon cripts
A river
Modify xisting ervice
Netsh elper
New ervice
ffice Application tartup
ath Interception
list Modification
ort nocking
ort Monitors
Rc.common
Re opened Applications
Redundant Access
Registry Run eys tartup older
cheduled Task
creensaver
ecurity upport rovider
ervice Registry ermissionsWeakness
etuid and etgid
hortcut Modification
I and Trust rovider i acking
tartup Items
ystem irmware
Time roviders
Trap
alid Accounts
Web hell
Windows ManagementInstrumentation vent ubscription
Winlogon elper
Privilege Escalation
Access Token Manipulation
Accessibility eatures
AppCert s
AppInit s
Application himming
ypass ser Account Control
earch rder i acking
ylib i acking
xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness
ooking
Image ile xecution ptionsIn ection
aunch aemon
New ervice
ath Interception
list Modification
ort Monitors
rocess In ection
cheduled Task
ervice Registry ermissionsWeakness
etuid and etgid
I istory In ection
tartup Items
udo
udo Caching
alid Accounts
Web hell
Defense Evasion
Access Token Manipulation
inary adding
IT obs
ypass ser Account Control
Clear Command istory
CM T
Code igning
Compiled TM ile
Component irmware
Component b ect Model i acking
Control anel Items
C hadow
eobfuscate ecode iles orInformation
isabling ecurity Tools
earch rder i acking
ide oading
xploitation for efense vasion xtra Window MemoryIn ection
ile eletion
ile ermissions Modification
ile ystem ogical ffsets
atekeeper ypass
idden iles and irectories
idden sers
idden Window
I TC NTR
Image ile xecution ptionsIn ection
Indicator locking
Indicator Removal from Tools
Indicator Removal on ost
Indirect Command xecution
Install Root Certificate
Install til
aunchctl
C MAIN i acking
Masquerading
Modify Registry
Mshta
Network hare ConnectionRemoval
NT ile Attributes
bfuscated iles orInformation
list Modification
ort nocking
rocess oppelg nging
rocess ollowing
rocess In ection
Redundant Access
Regsvcs Regasm
Regsvr
Rootkit
Rundll
cripting
igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking
oftware acking
pace after ilename
Template In ection
Timestomp
Trusted eveloper tilities
alid Accounts
Web ervice
cript rocessing
Credential Access
Account Manipulation
ash istory
rute orce
Credential umping
Credentials in iles
Credentials in Registry
xploitation for CredentialAccess
orced Authentication
ooking
Input Capture
Input rompt
erberoasting
eychain
MNR N T N oisoning
Network niffing
assword ilter
rivate eys
ecurityd Memory
Two actor AuthenticationInterception
Discovery
Account iscovery
Application Window iscovery
rowser ookmark iscovery
ile and irectory iscovery
Network ervice canning
Network hare iscovery
Network niffing
assword olicy iscovery
eripheral evice iscovery
ermission roups iscovery
rocess iscovery
uery Registry
Remote ystem iscovery
ecurity oftware iscovery
ystem Information iscovery
ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery
ystem ervice iscovery
ystem Time iscovery
Lateral Movement
Apple cript
Application eployment oftware istributed Component b ect Model xploitation of Remote ervices
ogon cripts
ass the ash
ass the Ticket
Remote esktop rotocol
Remote ile Copy
Remote ervices
Replication ThroughRemovable Media
hared Webroot
i acking
Taint hared Content
Third party oftware
Windows Admin hares
Windows RemoteManagement
Collection
Audio Capture
Automated Collection
Clipboard ata
ata from InformationRepositories
ata from ocal ystem
ata from Network hared rive
ata from Removable Media
ata taged
mail Collection
Input Capture
Man in the rowser
creen Capture
ideo Capture
Exfiltration
Automated xfiltration
ata Compressed
ata ncrypted
ata Transfer i e imits
xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium
cheduled Transfer
Command And Control
Commonly sed ort
Communication ThroughRemovable Media
Connection roxy
Custom Command andControl rotocolCustom Cryptographic rotocol
ata ncoding
ata bfuscation
omain ronting
allback Channels
Multi hop roxy
Multi tage Channels
Multiband Communication
Multilayer ncryption
ort nocking
Remote Access Tools
Remote ile Copy
tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol
ncommonly sed ort
Web ervice
Exercise 4: Comparing Layers in ATT&CK Navigator
APT39
Both groups
OceanLotus
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Here are the overlapping techniques:
1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
End of Module 4
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 5:Making Defensive Recommendations from
ATT&CK-Mapped Data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
Applying Technique Intelligence to Defense
▪ We’ve now seen a few ways to identify techniques seen in the wild
– Extracted from finished reporting
– Extracted from raw/incident data
– Leveraging data already mapped by ATT&CK team
▪ Can identify techniques used by multiple groups we care about
– May be our highest priority starting point
▪ How do we make that intelligence actionable?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process for Making Recommendations from Techniques
0. Determine priority techniques
1. Research how techniques are being used
2. Research defensive options related to technique
3. Research organizational capability/constraints
4. Determine what tradeoffs are for org on specific options
5. Make recommendations
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
0. Determine Priority Techniques
▪ Multiple ways to prioritize, today focused on leveraging CTI
1. Data sources: what data do you have already?
2. Threat intelligence: what are your adversaries doing?
3. Tools: what can your current tools cover?
4. Red team: what can you see red teamers doing?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
0. Determine Priority Techniques
▪ Threat intelligence: what are your adversaries doing?
1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
1. Research How Techniques Are Being Used
▪ What specific procedures are being used for a given technique?
– Important that our defensive response overlaps with activity
From the APT39 Report
FireEye Intelligence has observed APT39 leverage spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection
– Execution – User Execution (T1204)
From the Cobalt Kitty Report
Two types of payloads were found in the spear-phishing emails
– Execution – User Execution (T1204)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
1. Research How Techniques Are Being Used
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
▪ Many sources provide defensive information indexed to ATT&CK
– ATT&CK
▪ Data Sources
▪ Detections
▪ Mitigations
▪ Research linked to from Technique pages
– MITRE Cyber Analytics Repository (CAR)
– Roberto Rodrigue ’s ThreatHunter-Playbook
– Atomic Threat Coverage
▪ Supplement with your own research
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
▪ Further research shows that for Windows to generate event 4688 multiple GPO changes are required and it is very noisy
▪ Similar information can be gathered via Sysmon with better filtering
Sept 2018 ver 1.0 MalwareArchaeology.com Page 11 of 15
WINDOWS ATT&CK LOGGING CHEAT SHEET - Win 7 - Win 2012
Execution Service Execution T1035 4688 Process CMD Line
4688 Process Execution
4657 Windows Registry
7045 New Service
7040 Service Change
Execution User Execution T1204 4688 Process CMD Line
4688 Process Execution
Anti-virus
Execution Windows Management Instrumentation
T1047 4688 Process CMD Line
4688 Process Execution
4624 Authentication logs
Netflow/Enclave netflow
Execution,Lateral Movement Third-party Software
T1072 4688 Process Execution
5156 Windows Firewall
4663 File monitoring
4657 Windows Registry
Binary file metadata
Third-party application logs
Execution,Lateral Movement Windows Remote Management
T1028 4688 Process CMD Line
4688 Process Execution
5156 Windows Firewall
5140/5145 Net Shares
4663 File monitoring
4624 Authentication logs
Netflow/Enclave netflow
Execution,Persistence LSASS Driver T1177 4688 Process Execution
4663 File monitoring
DLL monitoring
Loaded DLLs Sysmon - ID 6 Kernel drivers
API monitoring
Execution,Persistence,Privilege Escalation
Scheduled Task T1053 4688 Process CMD Line
4688 Process Execution
4663 File monitoring
Windows event logs
Exfiltration Automated Exfiltration
T1020 4688 Process Execution
4688 Process CMD Line
5156 Windows Firewall
4663 File monitoring
Exfiltration Data Compressed T1002 4688 Process Execution
4688 Process CMD Line
4663 File Monitoring
5156 Windows Firewall
IDS/IPS DLP Binary file metadata
Exfiltration Data Encrypted T1022 4688 Process Execution
4688 Process CMD Line
4663 File monitoring
Binary file metadata
IDS/IPS DLP Network protocol analysis
Exfiltration Data Transfer Size Limits
T1030 5156 Windows Firewall
4688 Process Execution
Packet capture Netflow/Enclave netflow
Exfiltration Exfiltration Over Alternative Protocol
T1048 4688 Process Execution
5156 Windows Firewall
Packet capture Netflow/Enclave netflow
Network protocol analysis
User interface
Exfiltration Exfiltration Over Command and Control Channel
T1041 4688 Process Execution
5156 Windows Firewall
LMD - SRUM User interface
Exfiltration Exfiltration Over Other Network Medium
T1011 4688 Process Execution
4688 Process CMD Line
5156 Windows Firewall
User interface
https://www.malwarearchaeology.com/s/Windows-ATTCK_Logging-Cheat-Sheet_ver_Sept_2018.pdf
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
▪ ATT&CK:
– https://attack.mitre.org
▪ Cyber Analytics Repository:
– https://car.mitre.org/
▪ Threat Hunter Playbook
– https://github.com/hunters-forge/ThreatHunter-Playbook
▪ Windows ATT&CK Logging Cheatsheet
– https://www.malwarearchaeology.com/cheat-sheets
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research Defensive Options Related to Technique
▪ User training
▪ Application whitelisting
▪ Block unknown files in transit
▪ NIPS
▪ File detonation systems
▪ Monitor command-line arguments
– Windows Event Log 4688
– Sysmon
▪ Anti-Virus
▪ Endpoint sensing
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Research Organizational Capabilities/Constraints
▪ What data sources, defenses, mitigations are already collected/in place?
– Some options may be inexpensive/simple
– Possibly new analytics on existing sources
▪ What products are already deployed that may have add’l capabilities?
– E.g. able to gather new data sources/implement new mitigations
▪ Is there anything about the organization that may preclude responses?
– E.g. user constraints/usage patterns
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Research Organizational Capabilities/Constraints
▪ Notional Capabilities
– Windows Events already collected to SIEM (but not process info)
– Evaluating application whitelisting tools
– Highly technical workforce
– Already have an email file detonation appliance
– Already have anti-virus on all endpoints
▪ Notional Constraints
– SIEM at close to license limit, increase would be prohibitive
– Large portion of user population developers, run arbitrary binaries
– Files in transit usually encrypted passing by NIPS
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Determine What Tradeoffs Are for Org on Specific Options
▪ How do each of the identified options fit into your org?
▪ Example Positives
– Leveraging existing strengths/tools/data sources
– Close fit with specific threat
▪ Example Negatives
– Cost not commiserate with risk averted
– Poor cultural fit with organization
▪ Highly dependent on your specific organization
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Determine What Tradeoffs Are for Org on Specific Options
Defensive option Example Pros Example Cons
Increase user training around clicking on attachments
Covers most common use case, technical workforce likely will make good sensors
Time investment by all users, training fatigue
Enforcement of application whitelisting
Already examining whitelisting solution, most binaries of concern never seen before
Developer population heavily impacted if prevented from running arbitrary binaries. High support cost.
Monitor command-line arguments/create analytic
Collecting events already, already feeding into a SIEM
Volume of logs from processes likely unacceptable license cost.
Anti-Virus Already in place Limited signature coverage
Install endpoint detection and response (EDR) product
Possibly best visibility without greatly increasing log volumes
No existing tool, prohibitively expensive
Email Detonation Appliance Already in place May not have full visibility into inbound email
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Make Recommendations
▪ Could be technical, policy, or risk acceptance
▪ Could be for management, SOC, IT, all of the above
▪ Some potential recommendation types:
– Technical
▪ Collect new data sources
▪ Write a detection/analytic from existing data
▪ Change a config/engineering changes
▪ New tool
– Policy changes
▪ Technical/human
– Accept risk
▪ Some things are undetectable/unmitigable or not worth the tradeoff
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software
Automated Collection Communication Through Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model
Data from InformationRepositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery
Custom Command and Control Protocol
Exfiltration Over OtherNetwork Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Commandand Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms
Service Stop
Valid Accounts Execution through Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media
Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object ModelHijacking
LLMNR/NBT-NS Poisoningand Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Filesor Information
Securityd Memory System Network Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception
Windows RemoteManagement
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery
Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/UserDiscovery
Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege EscalationExploitation for
Defense EvasionSigned Binary Proxy Execution
Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script Proxy Execution
BITS Jobs Sudo File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component ObjectModel Hijacking
Hidden Users
Windows Management Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share ConnectionRemovalRc.common
Redundant Access NTFS File Attributes
Registry Run Keys / Startup Folder
Obfuscated Filesor Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust ProviderHijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
5. Make Recommendations
LegendHigh Confidence of Detection
Some Confidence of DetectionLow Confidence of DetectionPrioritized Technique
We’ll tackle Spearphishing Attachment and
Spearphishing Link via new user training
Supply Chain Compromise and Component Firmware
are beyond our capability and resources to stop or detect,
so we’ll accept the risk
None of our existing tools have visibility into
Command-Line Interface so we’ll need to
obtain something new
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Make Recommendations (Example)
1. New user training around not clicking on attachments
– Policy changed matched with a technical workforce
2. Continued use of AV
– No additional cost
3. Increase coverage of email detonation
– Taking advantage of existing tools
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 5: Defensive Recommendations
Worksheet in attack.mitre.org/training/cti under Exercise 5
“Making Defensive Recommendations Guided Exercise”
Download the worksheet and work through recommendation process
0. Determine priority techniques
1. Research how techniques are being used
2. Research defensive options related to technique
3. Research organizational capability/constraints
4. Determine what tradeoffs are for org on specific options
5. Make recommendations
▪ Please pause. We suggest giving yourself 15 minutes for this exercise.©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over the Exercise
▪ What resources were helpful to you finding defensive options?
▪ What kind of recommendations did you end up making?
▪ Did you consider doing nothing or accepting risk?
▪ Were there any options that were completely inappropriate for you?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
0. Determine Priority Techniques
▪ Threat intelligence: what are your adversaries doing?
1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
1. Research How Techniques Are Being Used
From the Cobalt Kitty Report
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Within a Word Macro
2. Research Defensive Options Related to Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Research Organizational Capabilities/Constraints
▪ For this exercise, assume that you have Windows Event Log Collection going to a SIEM, but no ability to collect process execution logging.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Determine What Tradeoffs Are for Org on Specific Options
Defensive option Pros Cons
Monitor scheduled task creation from common utilities using command-line invocation
Would allow us to collect detailed information on how task added.
Organization has no ability to collect process execution logging.
Configure event logging for scheduled task creation and changes
Fits well into existing Windows Event Log collection system, would be simple to implement enterprise wide.
Increases collected log volumes.
Sysinternals Autoruns may also be used
Would collect on other persistence techniques as well. Tool is free.
Not currently installed, would need to be added to all systems along with data collection and analytics of results.
Monitor processes and command-line arguments
Would allow us to collect detailed information on how task added.
Organization has no ability to collect process execution logging.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Make Recommendations
Given the limitations and sources we pointed at, likely answers similar to:
▪ Enable "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service, and create analytics around Event ID 106 - Scheduled task registered, and Event ID 140 - Scheduled task updated
Possibly
▪ Use Autoruns to watch for changes that could be attempts at persistence
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
In Closing
Understand ATT&CK
Map data to ATT&CK
Store & analyze ATT&CK-mapped
data
Make defensive recommendations
from ATT&CK-mapped data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Module 1 Module 2Module 3
Module 4 Module 5
https://[email protected]@MITREattack
Adam Pennington@_whatshisface
Katie Nickels@likethecoins
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
End of Module 5
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.