Post on 14-Feb-2020
transcript
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools and processes—and then fix them.
No matter how strong your patching, compliance and security software, a determined cyber adversary can typically find a way into your network.
But how did the attacker get in? How are they moving around? And how can you use that knowledge to detect, mitigate and prevent future attacks? The MITRE ATT&CK™ framework answers those questions by providing a globally accessible knowledge base of adversary tactics and techniques that are based on real-world observations of adversaries’ operations against computer networks. Armed with this knowledge, organizations and security vendors can work toward improving detection and prevention methods.
Pioneering with the Cyber Community for Collaborative Defense
ATT&CK was first created by a MITRE internal research program using our own data and operations. Now based on published, open source threat information, MITRE provides the framework as a resource to the cyber community. Anyone is free to leverage it, and everyone is free to use and contribute to ATT&CK.
By making the ATT&CK knowledge base globally accessible, MITRE supports a growing community that is fostering innovation in open source tools, products and services based on the framework. ATT&CK is experiencing significant growth across the cybersecurity community, with wide adoption from industry, government and security vendors including organizations like Microsoft, IBM, USAA, JPMorgan Chase, and Palo Alto.
With the creation of ATT&CK, MITRE is partnering with the cyber community to fulfill its mission to solve problems for a safer world.
Using Adversary Behavior to Strengthen Cyber Defense
Get Started with ATT&CK
Join the ATT&CK Community
MITRE encourages other researchers, analysts and cyber defenders to join our community and contribute new techniques and information.
Finding Gaps in Defense
Comparing APT 28 to Deep Panda
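The two poster captions above, "Finding Gaps in Defense" and "Comparing APT 28 to Deep Panda", name the two everyday uses of the matrix: overlay the techniques two groups are reported to use and see where they overlap, then compare that overlay with the analytics you already have deployed. The script below is an added example, not MITRE's code or any ATT&CK tool. The tactic and technique names are taken from the Enterprise matrix as printed on this page, but the two group profiles ("Group A", "Group B"), the analytic ids, and the coverage map are constructed for illustration and do not describe what APT 28, Deep Panda, or any real group does.

```python
"""Overlay two threat profiles on an ATT&CK slice and list detection gaps.

Added example. Technique names follow the ATT&CK Enterprise matrix; the
group profiles and the analytic ids are CONSTRUCTED and purely illustrative.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Tactic -> techniques: a small slice of the matrix. The same technique may sit
# under more than one tactic (Valid Accounts below), exactly as on the poster.
MATRIX: Dict[str, FrozenSet[str]] = {
    "Initial Access": frozenset({"Spearphishing Attachment", "Spearphishing Link", "Valid Accounts"}),
    "Execution": frozenset({"PowerShell", "Scripting", "User Execution", "Command-Line Interface"}),
    "Persistence": frozenset({"Registry Run Keys / Startup Folder", "Scheduled Task", "Valid Accounts"}),
    "Credential Access": frozenset({"Credential Dumping", "Input Capture", "Brute Force"}),
    "Discovery": frozenset({"Account Discovery", "System Information Discovery", "Network Share Discovery"}),
    "Lateral Movement": frozenset({"Pass the Hash", "Remote Desktop Protocol", "Windows Admin Shares"}),
    "Command and Control": frozenset({"Standard Application Layer Protocol", "Commonly Used Port", "Remote Access Tools"}),
}
ALL_TECHNIQUES: FrozenSet[str] = frozenset().union(*MATRIX.values())

# CONSTRUCTED threat profiles (hypothetical; not any real group's behaviour).
GROUPS: Dict[str, FrozenSet[str]] = {
    "Group A": frozenset({"Spearphishing Attachment", "User Execution", "PowerShell",
                          "Registry Run Keys / Startup Folder", "Credential Dumping",
                          "Account Discovery", "Pass the Hash", "Standard Application Layer Protocol"}),
    "Group B": frozenset({"Spearphishing Link", "User Execution", "Scripting", "Scheduled Task",
                          "Credential Dumping", "Network Share Discovery", "Windows Admin Shares",
                          "Remote Access Tools", "Commonly Used Port"}),
}

# CONSTRUCTED coverage map: technique -> ids of analytics already deployed.
ANALYTICS: Dict[str, List[str]] = {
    "Spearphishing Attachment": ["mail-attachment-sandbox"],
    "PowerShell": ["ps-scriptblock-logging"],
    "Credential Dumping": ["lsass-access-monitor"],
    "Pass the Hash": ["ntlm-logon-anomaly"],
    "Scheduled Task": ["schtasks-creation-audit"],
}


def validate_profile(name: str, techniques: FrozenSet[str]) -> None:
    """Reject names outside the ATT&CK vocabulary so typos and vendor aliases
    never silently drop out of the comparison."""
    unknown = techniques - ALL_TECHNIQUES
    if unknown:
        raise ValueError(f"{name}: not in matrix: {sorted(unknown)}")


def tactics_for(technique: str) -> List[str]:
    """Every tactic column the matrix lists the technique under."""
    return sorted(tactic for tactic, techs in MATRIX.items() if technique in techs)


def compare_groups(a: str, b: str) -> Dict[str, List[str]]:
    """Overlay two profiles: techniques both use, and those unique to each."""
    ta, tb = GROUPS[a], GROUPS[b]
    return {"shared": sorted(ta & tb), "only_a": sorted(ta - tb), "only_b": sorted(tb - ta)}


def coverage_gaps(group: str) -> Dict[str, List[str]]:
    """Techniques the group uses that no deployed analytic covers, by tactic."""
    gaps: Dict[str, List[str]] = defaultdict(list)
    for technique in sorted(GROUPS[group]):
        if not ANALYTICS.get(technique):
            for tactic in tactics_for(technique):
                gaps[tactic].append(technique)
    return dict(gaps)


def prioritize(groups: List[str]) -> List[Tuple[str, int]]:
    """Uncovered techniques ranked by how many tracked groups use them, so the
    next analytic written closes the gap that matters to the most adversaries."""
    counts = Counter(t for g in groups for t in GROUPS[g])
    uncovered = ((t, n) for t, n in counts.items() if not ANALYTICS.get(t))
    return sorted(uncovered, key=lambda tn: (-tn[1], tn[0]))


if __name__ == "__main__":
    for name, techs in GROUPS.items():
        validate_profile(name, techs)
    print("Overlay:", compare_groups("Group A", "Group B"))
    for name in GROUPS:
        print(f"Gaps for {name}:", coverage_gaps(name))
    print("Write analytics for, in order:", prioritize(list(GROUPS)))
```

Run as a script it prints the overlay, the per-tactic gap list for each profile, and the ranked backlog; in this constructed data "User Execution" ranks first because both profiles use it and nothing detects it. Swapping the constructed profiles for technique lists pulled from real ATT&CK group pages, and the analytic ids for your own detection inventory, turns the same functions into the gap analysis the poster describes.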
MITRE ATT&CK Resources
attack.mitre.org
• Access ATT&CK technical information
• Contribute to ATT&CK
• Follow our blog
• Watch ATT&CK presentations
@MITREattack
Follow us on Twitter for the latest news.
The MITRE ATT&CK™ Enterprise Framework
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288.
Tactics (matrix columns): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control.
Techniques shown in the matrix (listed alphabetically; the column layout was lost in extraction, and several techniques appear under more than one tactic):
.bash_profile and .bashrc, Access Token Manipulation, Accessibility Features, Account Discovery, Account Manipulation, AppCert DLLs, AppInit DLLs, AppleScript,
Application Deployment Software, Application Shimming, Application Window Discovery, Audio Capture, Authentication Package, Automated Collection, Automated Exfiltration,
Bash History, BITS Jobs, Bootkit, Browser Bookmark Discovery, Browser Extensions, Brute Force, Bypass User Account Control,
Change Default File Association, Clear Command History, Clipboard Data, CMSTP, Code Signing, Command-Line Interface, Commonly Used Port, Communication Through Removable Media,
Compiled HTML File, Component Firmware, Component Object Model Hijacking, Connection Proxy, Control Panel Items, Create Account, Credential Dumping, Credentials in Files, Credentials in Registry,
Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Compressed, Data Encoding, Data Encrypted, Data from Information Repositories, Data from Local System,
Data from Network Shared Drive, Data from Removable Media, Data Obfuscation, Data Staged, Data Transfer Size Limits, DCShadow, Deobfuscate/Decode Files or Information,
Disabling Security Tools, Distributed Component Object Model, DLL Search Order Hijacking, DLL Side-Loading, Domain Fronting, Drive-by Compromise, Dylib Hijacking, Dynamic Data Exchange,
Email Collection, Execution through API, Execution through Module Load, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel,
Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Credential Access,
Exploitation for Defense Evasion, Exploitation for Privilege Escalation, Exploitation of Remote Services, External Remote Services, Extra Window Memory Injection,
Fallback Channels, File and Directory Discovery, File Deletion, File Permissions Modification, File System Logical Offsets, File System Permissions Weakness, Forced Authentication,
Gatekeeper Bypass, Graphical User Interface, Hardware Additions, Hidden Files and Directories, Hidden Users, Hidden Window, HISTCONTROL, Hooking, Hypervisor,
Image File Execution Options Injection, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Indirect Command Execution, Input Capture, Input Prompt,
Install Root Certificate, InstallUtil, Kerberoasting, Kernel Modules and Extensions, Keychain, Launch Agent, Launch Daemon, Launchctl, LC_LOAD_DYLIB Addition, LC_MAIN Hijacking,
LLMNR/NBT-NS Poisoning, Local Job Scheduling, Login Item, Logon Scripts, LSASS Driver, Man in the Browser, Masquerading, Modify Existing Service, Modify Registry, Mshta,
Multi-hop Proxy, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Netsh Helper DLL, Network Service Scanning, Network Share Connection Removal,
Network Share Discovery, Network Sniffing, New Service, NTFS File Attributes, Obfuscated Files or Information, Office Application Startup,
Pass the Hash, Pass the Ticket, Password Filter DLL, Password Policy Discovery, Path Interception, Peripheral Device Discovery, Permission Groups Discovery, Plist Modification,
Port Knocking, Port Monitors, PowerShell, Private Keys, Process Discovery, Process Doppelganging, Process Hollowing, Process Injection, Query Registry,
Rc.common, Re-opened Applications, Redundant Access, Registry Run Keys / Startup Folder, Regsvcs/Regasm, Regsvr32, Remote Access Tools, Remote Desktop Protocol, Remote File Copy,
Remote Services, Remote System Discovery, Replication Through Removable Media, Rootkit, Rundll32,
Scheduled Task, Scheduled Transfer, Screen Capture, Screensaver, Scripting, Security Software Discovery, Security Support Provider, Securityd Memory, Service Execution,
Service Registry Permissions Weakness, Setuid and Setgid, Shared Webroot, Shortcut Modification, SID-History Injection, Signed Binary Proxy Execution, Signed Script Proxy Execution,
SIP and Trust Provider Hijacking, Software Packing, Source, Space after Filename, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, SSH Hijacking,
Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Startup Items, Sudo, Sudo Caching, Supply Chain Compromise,
System Firmware, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery,
Taint Shared Content, Template Injection, Third-party Software, Time Providers, Timestomp, Trap, Trusted Developer Utilities, Trusted Relationship, Two-Factor Authentication Interception,
Uncommonly Used Port, User Execution, Valid Accounts, Video Capture, Web Service, Web Shell, Windows Admin Shares, Windows Management Instrumentation,
Windows Management Instrumentation Event Subscription, Windows Remote Management, Winlogon Helper DLL, XSL Script Processing.