An Introduction to ATT&CK

Andy Applebaum ATIEC 2019 September 24th, 2019

▪ An Overview of the (Enterprise) MITRE ATT&CK framework ▪ Use Cases in 15 minutes (or less!) – Detection – Cyber Threat Intelligence – Adversary Emulation – Assessments and Enginering

MITRE’s ATT&CK Framework https://www.youtube.com/watch?v=0BEf6s1iu5g © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. | 4 | Understanding Our Defenses Within the Perimeter

MITRE’s ATT&CK Framework https://www.youtube.com/watch?v=0BEf6s1iu5g © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. | 5 | Understanding Our Defenses Within the Perimeter

Scan hosts for artifacts Block attachments based on MD5

Alert on DNS requests Block bad IP ranges MITRE’s ATT&CK Framework https://www.youtube.com/watch?v=0BEf6s1iu5g © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. | 6 | ATT&CK in Context: The Pyramid of Pain

Scan hosts for artifacts

Alert on DNS requests

Block bad IP ranges

Block attachments based on MD5

Source: David Bianco https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html TTPs = Tactics, Techniques, and Procedures

ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.

Source: David Bianco attack.mitre.org https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html TTPs = Tactics, Techniques, and Procedures

Tactics – Adversary’s technical goal

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact Application Local Job Scheduling Bypass User Account Control Bash History Application Window Software Clipboard Data Removable Media Data Encrypted Defacement External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Object Model Repositories Custom Command and Exfiltration Over Other Disk Structure Wipe Replication Through AppleScript DLL Search Order Hijacking Credentials in Files Discovery Exploitation of Data from Local System Control Protocol Network Medium Endpoint Denial of Service Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery Spearphishing Link Compiled HTML File Valid Accounts Credential Access Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Protocol Resource Hijacking Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medium Service Stop Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Algorithms Scheduled Transfer Stored Data Manipulation Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data Exploitation for File System Permissions Weakness Component Firmware Keychain Query Registry Removable Media Video Capture Multiband Communication Manipulation Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Taint Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic Service Execution .bash_profile and .bashrc Exploitation for Exploitation for Discovery Protocol Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service

Source Browser Extensions File System Logical Offsets How How goal achieved is Space after Filename Change Default Gatekeeper Bypass

– Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Hidden Users Windows Management Model Hijacking Hidden Window Instrumentation Create Account HISTCONTROL Windows Remote External Remote Services Indicator Blocking Management Hidden Files and Directories Indicator Removal XSL Script Processing Hypervisor from Tools Kernel Modules Indicator Removal on Host and Extensions Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil

Techniques Techniques Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection Rc.common Removal Redundant Access NTFS File Attributes Registry Run Obfuscated Files © 2019 The MITRE Corporation. All rights reserved. ApprovedKeys / Startup for Folder public release. Distribution unlimitedor Information 18-3288-14. Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing | 9 | Publicly Available The ATT&CK Matrix attack.mitre.org

Tactics – Adversary’s technical goal

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact DriveInitial-by Compromise Scheduled Task Privilege DefenseBinary Padding CredentialNetwork Sniffing LateralAppleScript Audio Capture Commonly Used Port AutomatedCommand Exfiltration Data Destruction Exploit Public-Facing Execution LaunchctlPersistence Access Token Manipulation Account Manipulation DiscoveryAccount Discovery Application Deployment CollectionAutomated Collection CommunicationExfiltration Through Data Compressed Data EncryptedImpact for Impact AccessApplication Local Job Scheduling EscalationBypass User Account EvasionControl AccessBash History Application Window MovementSoftware Clipboard Data Removable Media andData Control Encrypted Defacement External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Object Model Repositories Custom Command and Exfiltration Over Other Disk Structure Wipe Replication Through AppleScript DLL Search Order Hijacking Credentials in Files Discovery Exploitation of Data from Local System Control Protocol Network Medium Endpoint Denial of Service Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery Spearphishing Link Compiled HTML File Valid Accounts Credential Access Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Protocol Resource Hijacking Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medium Service Stop Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Algorithms Scheduled Transfer Stored Data Manipulation Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data Exploitation for File System Permissions Weakness Component Firmware Keychain Query Registry Removable Media Video Capture Multiband Communication Manipulation Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Taint Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic Service Execution .bash_profile and .bashrc Exploitation for Exploitation for Discovery Protocol Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service

Source Browser Extensions File System Logical Offsets How How goal achieved is Space after Filename Change Default Gatekeeper Bypass

Techniques Techniques Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection Rc.common Removal Redundant Access NTFS File Attributes Registry Run Obfuscated Files © 2019 The MITRE Corporation. All rights reserved. ApprovedKeys / Startup for Folder public release. Distribution unlimitedor Information 18-3288-14. Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing | 10 | Publicly Available The ATT&CK Matrix attack.mitre.org

Tactics – Adversary’s technical goal

Source Browser Extensions File System Logical Offsets How How goal achieved is Space after Filename Change Default Gatekeeper Bypass

– Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Hidden Users Windows Management Model Hijacking Hidden Window Instrumentation Create Account HISTCONTROL Windows Remote External Remote Services Indicator Blocking Management Hidden Files and Directories Indicator Removal XSL Script Processing Hypervisor from ProceduresTools – Specific technique implementation Kernel Modules Indicator Removal on Host and Extensions Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil

Techniques Techniques Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection Rc.common Removal Redundant Access NTFS File Attributes Registry Run Obfuscated Files © 2019 The MITRE Corporation. All rights reserved. ApprovedKeys / Startup for Folder public release. Distribution unlimitedor Information 18-3288-14. Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing | 11 | Publicly Available The ATT&CK Matrix attack.mitre.org

Tactics – Adversary’s technical goal

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact Application Local Job Scheduling Bypass User Account Control Bash History Application Window Software Clipboard Data Removable Media Data Encrypted Defacement External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Object Model Repositories Custom Command and Exfiltration Over Other Disk Structure Wipe Replication Through AppleScript DLL Search Order Hijacking Credentials in Files Discovery Exploitation of Data from Local System Control Protocol Network Medium Endpoint Denial of Service Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery Spearphishing Link Compiled HTML File Valid Accounts Credential Access Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service Spearphishing via Service Control Panel Items Accessibility Features DescribesBITS Jobs postForced Authentication-compromiseNetwork Share Discovery Pass the TicketadversaryData Staged behaviorsData Obfuscation Protocol Resource Hijacking Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medium Service Stop Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Algorithms Scheduled Transfer Stored Data Manipulation Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data Exploitation for File System Permissions Weakness Component Firmware Keychain Query Registry Removable Media Video Capture Multiband Communication Manipulation Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Taint Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy Regsvr32 Setuid and Setgid FocusesDisabling Security Tools on describingInterception System Network adversaryManagement TTPs, Standardnot Application LayerIoCs Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic Service Execution .bash_profile and .bashrc Exploitation for Exploitation for Discovery Protocol Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service

Source Browser Extensions File System Logical Offsets How How goal achieved is Space after Filename Change Default Gatekeeper Bypass

– Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware GroundedHidden Files and Directories in real data from cyber incidents User Execution Component Object Hidden Users Windows Management Model Hijacking Hidden Window Instrumentation Create Account HISTCONTROL Windows Remote External Remote Services Indicator Blocking Management Hidden Files and Directories Indicator Removal XSL Script Processing Hypervisor from ProceduresTools – Specific technique implementation Kernel Modules Indicator Removal on Host and Extensions Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Techniques Techniques Login Item DecouplesLaunchctl the problem from the solution Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection Rc.common Removal Redundant Access NTFS File Attributes Registry Run Obfuscated Files © 2019 The MITRE Corporation. All rights reserved. ApprovedKeys / Startup for Folder public release. Distribution unlimitedor Information 18-3288-14. Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing | 12 | Example Technique: New Service

Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1 Platform: Windows Permissions required: Administrator, SYSTEM Effective permissions: SYSTEM Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation • … Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors • … Data sources: Windows registry, process monitoring, command-line parameters Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.

Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5 Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG- 4127 1 2 3 4 5 6 7 Techniques: • Data Obfuscation 1 • Indicator Removal on Host 5 • Connection Proxy 1 8 • Timestomp 5 • Standard Application Layer Protocol 1 • Credential Dumping 10 • Remote File Copy 8 9 • Screen Capture 10 11 • Rundll32 8 9 • Bootkit 7 and more… Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6 References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. …

Conference Talks ATT&CK Navigator

Public ATT&CK Knowledge Base

Structured Content PRE- and Mobile ATT&CK

attack.mitre.org

ATT&CK Evaluations

attackevals.mitre.org CALDERA: Automated Adversary Emulation Plans Adversary Emulation

▪ Develop detection rules ▪ Ingest threat intelligence

▪ Measure their security posture ▪ Automate intrusion response

▪ Quantify their security posture ▪ Build threat models

▪ Guide threat hunting efforts ▪ Train blue/red teams

▪ Evaluate/analyze defensive tools ▪ Run red team exercises

▪ Write threat intelligence reports ▪ Classify malware behaviors

Financial Retail ▪ SF Fed Reserve ▪ Target ▪ Bank of America ▪ Best Buy ▪ JP Morgan ▪ PepsiCo ▪ FS-ISAC ▪ Under Armour Experian ▪ Media Tech ▪ NBCUniversal ▪ Microsoft ▪ Nielsen Intel ▪ Defense ▪ Airbnb ▪ Boeing ▪ Verizon ▪ Booz Allen ▪ Box Others Security ▪ General Electric ▪ RevSec ▪ Deloitte ▪ FireEye ▪ Pfizer ▪ AppGuard ▪ GSK ▪ CrowdStrike

▪ Felipe Espósito, @Pr0teus Operations Center 89 individuals + ▪ FS-ISAC ▪ Pedro Harrison ▪ Hans Christoffer Gaardløs ▪ Praetorian ▪ Itamar Mizrahi ▪ Rahmat Nurfauzi, @infosecn1nja, PT Xynexis orgs contributing ▪ Itzik Kotler, SafeBreach International ▪ Jacob Wilkin, Trustwave, SpiderLabs ▪ Red Canary to ATT&CK! ▪ Jan Miller, CrowdStrike ▪ RedHuntLabs (@redhuntlabs) ▪ Alain Homewood, Insomnia Security ▪ Jared Atkinson, @jaredcatkinson ▪ Ricardo Dias ▪ Alan Neville, @abnev ▪ Jeremy Galloway ▪ Richard Gold, Digital Shadows ▪ Anastasios Pingios ▪ John Lambert, Microsoft Threat Intelligence ▪ Richie Cyrus, SpecterOps ▪ Andrew Smith, @jakx_ Center ▪ Robby Winchester, @robwinchester3 ▪ Barry Shteiman, Exabeam ▪ John Strand ▪ Robert Falcone ▪ Bartosz Jerzman ▪ Josh Abraham ▪ Romain Dumont, ESET ▪ Bryan Lee ▪ Justin Warner, ICEBRG ▪ Ryan Becwar ▪ Carlos Borges, CIP ▪ Leo Loobeek, @leoloobeek ▪ Ryan Benson, Exabeam ▪ Casey Smith ▪ Loic Jaquemet ▪ Scott Lundgren, @5twenty9, Carbon Black ▪ Christiaan Beek, @ChristiaanBeek ▪ Marc-Etienne M.Léveillé, ESET ▪ Stefan Kanthak ▪ Cody Thomas, SpecterOps ▪ Mark Wee ▪ Sudhanshu Chauhan, @Sudhanshu_C ▪ Craig Aitchison ▪ Matt Graeber, @mattifestation, SpecterOps ▪ Sunny Neo ▪ Daniel Oakley ▪ Matt Kelly, @breakersall ▪ Sylvain Gil, Exabeam ▪ Darren Spruell ▪ Matthew Demaske, Adaptforward ▪ Teodor Cimpoesu ▪ Dave Westgard ▪ Matthew Molyett, @s1air ▪ Tim MalcomVetter ▪ David Ferguson, CyberSponse ▪ McAfee ▪ Tom Ueltschi @c_APT_ure ▪ David Lu, Tripwire ▪ Michael Cox ▪ Tony Lambert, Red Canary ▪ David Routin ▪ Mike Kemmerer ▪ Travis Smith, Tripwire ▪ Ed Williams, Trustwave, SpiderLabs ▪ Milos Stojadinovic ▪ Tristan Bennett, Seamless Intelligence ▪ Edward Millington ▪ Mnemonic ▪ Valerii Marchuk, Cybersecurity Help s.r.o. ▪ Elger Vinicius S. Rodrigues, @elgervinicius, ▪ Nick Carr, FireEye ▪ Veeral Patel CYBINT Centre ▪ Nik Seetharaman, Palantir ▪ Vincent Le Toux ▪ Elia Florio, Microsoft ▪ Nishan Maharjan, @loki248 ▪ Walker Johnson ▪ Emily Ratliff, IBM ▪ Oddvar Moe, @oddvarmoe ▪ Ye Yint Min Thu Htut, Offensive Security ▪ ENDGAME ▪ Omkar Gudhate Team, DBS Bank ▪ Eric Kuehn, Secure Ideas ▪ Patrick Campbell, @pjcampbe11 ▪ Yonatan Gotlib, Deep Instinct ▪ Erye Hernandez, Palo Alto Networks ▪ Paul Speulstra, AECOM Global Security

Starting Places for Using ATT&CK (in 15 minutes) ™ MITRE ATT&CK™ MITRE ATT&CK Techniques Mapped to Data Sourc es Resources

About This Diagram attack.mitre.org • Access ATT&CK technical information

How can I use dat a I already have to get st arted w it h ATT&CK? s n i

p o o i • Contribute to ATT&CK t b a

u f n s u l l c One way to get started using ATT&CK is to look at what data sources you're already collecting and use that data to detect ATT&CK l d m s o e • Follow our blog c o t x n t e r s a l techniques. On our website, we currently have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram, r u e c i t / o e s t n m v

o t r d n b s t o • Watch ATT&CK presentations

r p e we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right collection and t i e f d i - f y l s i r n t l l - o s i e c h i s r a a c m v i analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and speciﬁc s r i v i u

h n n p s i v a d o c o o f o d o t e i i g o e n e g r t i i d e r m adversary examples you can use t o start detecting adversary behavior with ATT&CK. s m r r n h s e n c i u y i o e n n o n f i h c r e b o i i l i g h j n t l f e e i o e n t i i d o n r i j s n t i n w a a i t d i d c n i i r j t e s l o f i u o k e c h i m t c g y x t b e Yo u can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ ATTACK19 to y e s c m c k o p a a a t e s l a e a a r r r i e t c l g t s a c n m t b e i p i l s l o t a x e n r o i n u i k v g x s e g d p e i learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content. r d o e e a m n t d i e d @MITREattack i r i n h r n c n p r m o o s i e r m s d e s e n d r a e t e g m e r e a t t i g s l y s b n o o e c a p i l d f r p x t u e n i o v o i y e e Follow us on Twitter for the l t e n y g s e u i a v w r i n o g s p l c e a s a p n u e d e p o r n p r latest news i s t y i e l d s r o n i p e t m i o b d o e c r li n h r t ib i c n o t m p a d s je o c o f Get St art ed w it h ATT&CK u s y n y r t y c s c r e e n io m h t o c t t c s d a n o o io ta n n in l c m s o o d n a e io r o o i m i k d t e t m c f i a s o ic n t le Use ATT&CK for Cyber Threat Intelligence p d a g a e u m o a d d l o n t if ti d a fr a i o c l e c n le i n e a i h a Cyber threat intelligence comes from many sources, including knowledge of past incidents, t x t f v n o c io p o io attackevals.mitre.org b h n ra g m it je a g in e d commercial threat feeds, information-sharing groups, government threat-sharing programs, c c n k r d re t g o r a c a m e o to b MITRE ATT&CK Evaluations o t h a li and more. ATT&CK gives analysts a common language to communicate across reports and n e o c y g tr a d i d in o c e d _ k n l p c l in d c io organizations, providing a way to structure, compare, and analyze threat intelligence. a o a a t n u lo ij a e n _ h m l t c n or Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact l i g f ite a in in Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction m m d r Communication Through Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact a o Removable Media s _ r Distributed Component Object External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement lc e s Model c e Custom Command and Control a u l Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe m i Protocol c q f Replication Through Removable c s Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe s Media o t a d Exfiltration Over Command and p e Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service u b t s Control Channel n i m s Exfiltration Over Other Network t a Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption t s e Medium m sc c Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery j c a ob fu a Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service n t ip s ob n Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking u a Replication Through Removable d Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation l Media at n Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop io du Image File Execution Options Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation n e Injection r Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation Information Relay 32 g Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking l dl kin PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools n c System Network Configuration u a Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy r Discovery p System Network Connections Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol k e e Discovery e r r r Two-Factor Authentication r o a a MITRE Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol Interception ne o w w Standard Non-Application Layer t ft ft Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery l k Protocol m it o o Service Registry Permissions s s Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port o Weakness d k ty Image File Execution Options u e r Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service Injection les yc pa Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets a ha rd- Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass n i i d n th ers Source Launch Daemon Sudo Group Policy Modification e xt vid Space after Filename Launchctl Sudo Caching Hidden Files and Directories e o ns s r Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users io p n u e Trap Local Job Scheduling Web Shell Hidden Window e s m xp r ti Trusted Developer Utilities Login Item HISTCONTROL lo h i To help cyber defenders gain a common understanding Image File Execution Options APT28 it y User Execution Logon Scripts a Injection tio pe v Windows Management w LSASS Driver Indicator Blocking n r - ia Instrumentation v n fo is i io ed Windows Remote Management Modify Existing Service Indicator Removal from Tools Legend APT29 r o t t m ™ cli r in lec le of the threats they face, MITRE developed the ATT&CK XSL Script Processing Netsh Helper DLL Indicator Removal on Host e ™ l b n n o a t d c v New Service Indirect Command Execution Both by ex ed mo pa e MITRE ATTa &CK t e Office Application Startup Install Root Certificate c o a r ss u uti om gh framework. It’s a globally-accessible knowledge base of Path Interception InstallUtil o t u ser n w au hro Plist Modification Launchctl a t cc s ion MITREPort Knocking ALC_MAIN Hijacking TT&CK Techniques Mapp edou to Data Sourc es a at ies adversary tactics and t echniques based on real world n t ic r Port Monitors Masquerading t n ito con e a mu os Rc.common Modify Registry tr ep ol v com n r Re-opened Applications Mshta brow Resources d atio observations and open source research contributed by Network Share Connection e Redundant Access Comparing APT28 to APT29 s a rm Removal er e t nfo Registry Run Keys / Startup Folder NTFS File Attributes x n i ten e rom m the cyber community. Scheduled Task Obfuscated Files or Information si t f diu ons ata me Screensaver Plist Modification l m d al ap o sic Security Support Provider Port Knocking plica phy Service Registry Permissions t r Process Doppelgänging io g e e About This Diagram Weakness n sh attack.mitre.org il n ov Setuid and Setgid Process Hollowing im s tio mi f iltra Shortcut Modification Process Injection ng xf y e Used by organizations around the world, ATT&CK SIP and Trust Provider Hijacking Redundant Access • Access ATT&CK technical informationr Startup Items Regsvcs/Regasm s a ition s d How can I use dat a I already have to get st arted w it h ATT&CK? System Firmware Regsvr32 ap ad n p e i le n ar provides a shared understanding of adversary tactics, Systemd Service Rootkit p sc w o i d o ri r i p a t • Contribute to ATT&CK h a t i Time Providers Rundll32 a d b b e me u l f n s b Trap Scripting a l v u o l techniques and procedures and how to detect, prevent, c m One way to get started using ATT&CK is to look at what data sources you're already collecting and use that data to detect ATT&CK l d s re Valid Accounts Signed Binary Proxy Execution m o h s g e y u • Follow our blog hro c o s t t Web Shell Signed Script Proxy Execution x n n t e o s i r t at a l e ic Windows Management l u e c p techniques. On our website, we currently have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram, SIP and Trust Provider Hijacking r e i r Instrumentation Event Subscription m and/ or mitigate them. t / o e s t Winlogon Helper DLL Software Packing n m v o t r d n s t o c b • Watch ATT&CK presentations Space after Filename r p e a we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right collection and t i e f d i - f y l s l Template Injection r i t l n l l - o s i w s n c e e b h s Timestomp s r a e o i a r c v m v ic i i e r t attack.mitre.org s analytics. Check out our w ebsite at for more information on how each technique can be det ected, and speciﬁc i v i u

h n Trusted Developer Utilities s i n n p v a d o c o e o f o d o t e Valid Accounts g i i ATT&CK is open and available to any person or e v o n e g r t i i d e r m e adversary examples you can use t o start detecting adversary behavior with ATT&CK. s m r r n Virtualization/Sandbox Evasion h s n r e sta c i u n

y da i rd e o n n o c n p e f i h ryp ag c to e k Web Service r c i g a b o l r p i a g h ph j tion i i n t c e a l e f p o c i i e n t i roto s ent ci th i o n r o d j u organization for use at no charge. s l a XSL Script Processing n t i n w a a i t d s i d c n i r t i j l e s o i o u o k f e c h i m t l c g y x t b e Yo u can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ ATTACK19 to y s c m e k o c a p a a t e s l a a e a a r r r t i e c g t l t s a c n m t b e i p i l s l o r t a x e n o i n a u i k g x s ng v i ki e g c s d e hija p p r o ear del p e o learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content. a d his e t m m n hing d objec t d via serv ponent ic m i e o e d @MITREattack c i r i n h o r n s c n p r m o i m ™ e r s d ™ e s e n d r a e t e g For sixty years, MITRE has tackled complex problems m e r e a t t i g s l y s b n o o e c a p i l d MITRE ATT&CK f r p x t u e n i o v o i y e e Follow us on Twitter for the l t e n y s e u i a v w r ig n o g s that challenge public saf ety, stability, and well-being. p p l c e spearphishing link a s a ssl/t control panel items Use ATT&CK to Build Yourd Defensive Platformn u e ls in e p o r n p r sp latest news s i is n t y MITRE ATT&Ce Kl Ted chniques Me app ed to Data Sourc es r o i p e c m o b d e ti t i o c o r li n h r t n Pioneering t ogether with the cyber community, we’re ib i c n o t m p a d s je o c o f Get St art ed w it h ATT&CK u s y n y r y s c r Resources t i m h c o e d e n o t t formation c t ll search o ATT&CK includes resources designed tod helpa cybern defenderso developi analytics that d files or in c a n ls rder hijack o o obfuscate t n n i ing building a stronger, threat-informed defense for a c m s d o n a e o r o o k ti o m ic m if i d a e t ic n t le s Use ATT&CK for Cyber Threat Intelligence detect the techniques used by an adversary.p Basedd ono threat gintelligence included in a u m d a e l safer world. o a t te d d ro dis n t if i ertifica a f tribute About This Diagre ama ic o root c c l d com n stall le i mon attack.mitre.org pone ATT&CK or provided by analysts, cyber defendersn e cana create a comprehensive set of in i h a dll itoring nt obje Cyber threat intelligence comes from many sources, including knowledge of past incidents, t x t f v n ct mode o c io p o io attackevals.mitre.org l b h n ra g m it j a g in e d • Access ATT&CK technical information commercial threat feeds, information-sharing groups, government threat-sharing programs, analytics to detect threats. c e n vice k r d dyna How can I use dat a I alrr eadyc hag ve to get st arted w it h ATT&CK? f ser o r a s m mic d t o n te a e ial i ys ta c m e den o o b p s MITRE ATT&CK Evaluations ex a t o n c t o o Initial Access Execution Persistence Privilege Escalation Defense Evasion o Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact n i ti ha oi h l i c n t p a te • Contribute to ATT&CK ge n o d t de and more. ATT&CK gives analysts a common language to communicate across reports and e en y g b a n Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation t Account Manipulation Account Discoveryd AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction ic io u s d s r a n f n u Communication Through i r l o e d u t l Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact _ n c d n One way to get started using ATT&CKl is to clook at what data sources you're alrRemovableeady Media collecting and use that data to detect ATT&CK l k i o l n m e d s o e e x p c Distributed Component Object s i c i k e i organizations, providing a way to structure, compare, and analyze threat intelligence. External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement a t r • Follow our blog c m o u o Model a c o t t a r j o x i e o n a t p s r n u Custom Command and Control o i m a w l t Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control Credentialn Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe o l h u t e c techniques. On our website, we currently haven 50 dif erent data sources mappeProtocold to Enterprise ATT&CK techniques. In this diagram, c r h m ro y i u e _ b t r g e o g Replication Through Removable - / h e s t Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files t File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe e l v n c n o m m i n v Media r Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact l i g f o d o d t r i n u Exfiltration Over Command and d s o t b a n n t n l • Watch ATT&CK presentations e Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service i i Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction e l Control Channel r o p e e i i a we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right collection and t d r f d m i m d Communication Through Exfiltration Over Other Network - f y h Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption l s g a o r r o Removable Media i Medium n n _ t l o i r t l - o s s i k Distributed Component Object n c i e n External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement c s o h e r Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery a g Model r i s l f a c m e v c e i n u r Custom Command and Control analytics. Check outa our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and speciﬁc i s l Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe i v m a i i u s Protocol i h n Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service n p q f s c m v

o a d o Replication Through Removable c d s c o g e Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe s o f o d t e Media i o d o g i Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capturet Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking a o e o k Exfiltration Over Command and n e e g t p r i d l Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service u b i s Control Channel | 20 | e r t m n e r n adversary examples you can use t o start detecting adversary behavior with ATT&CK. s m r Replication Through Removable m s s n i h n Exfiltration Over Other Network Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation e a c i t u i y i l Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption Media e s t s o e n n e r Medium c o n f i h a c c r e i s b o m i l n s g h j s Launchctl Component Firmware Hooking Control Panel Items j Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery i n c t l e f c e o g i o n t i i d e i u i a d o n j r a s e r n f n i Image File Execution Options b t i a a t v w i Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service d i Local Job Scheduling Component Object Model Hijacking DCShadown Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation d c i v n t e b t r Injection i j l s e s o n l r i i f n e c u o k h p i o m t Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and g e c y LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation x y a t b e d Yo u can visualize how your owu n data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ ATTACK19 to s c Information Relay m e c k o p Replication Through Removable a d a a t e l d Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation l e s Media a a e a a r e r r n t i r Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking c l g t s a c n t m t b e i p i l s n Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop u l t a i i o n r x e o o n i k n e k v u i o d g x s t v PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools i e g d e i Image File Execution Options s n r o p e t r e learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content. d e Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation a m e n h Injection c t d e i r e d @MITREattack System Network Configuration e i r i n h h j r n Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy n c p m o s i o r e LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation n o Discovery i e m s Information Relay r 2 s d l r lp e n d r t e g s g e System Network Connections t a e 3 e o e Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol m l e r t s a e r l n a r Discovery w i l i t s n d p g o e s l y d k t b i l PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools Two-Factor Authentication c a p l d l Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol m o n c e a Interception e f r p x t u e n e System Network Configuration t o v o i y u a e e Follow us on Twitter for the p Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy i l Standard Non-Application Layer r y Discovery l n p a Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery o t e g s Protocol e u a v w v r n s System Network Connections c i i d Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol o o c g e e n s s Discovery k Service Registry Permissions t p l e r r a s a w Scripting e Hypervisor r File Deletion System Time Discovery Uncommonly Used Port o p Two-Factor Authentication Weakness o r n u a a e e MITRE o Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol r d r Interception n o p e o n p r e latest news r ATT&CK Core Use Cases Image File Execution Options p w w i d e s t y e Standard Non-Application Layer Service Execution Setuid and Setgid Filet Permissions Modification Virtualization/Sandbox Evasion Web Service i r t ft r l d Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery l Injection k s e r o n i f p e f Protocol m it t y m o o o b d o e c ilt Service Registry Permissions i s d e Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets r a l s t Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port o l i n h r r Weakness i n o m d k n b i c ty t p fa p d Image File Execution Options u e ts j o r e c o l Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service o d e Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass i u y r o l Injection Get leSt arty ed w it h ATT&CK t n s a n y r c a t y e c s p r c r e t Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets s h c e i m h - o d Source Launch Daemon Sudo Group Policy Modification li n m o t c t m an a p d h o ti rd c a n s o Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass in p c a n o o i s a t n n i l n Space after Filename Launchctl d Sudo Caching Hidden Files and Directories h r l -a c ta m s d o n t e a e o r o it Source Launch Daemon Sudo Group Policy Modification e x n oat k id ti l o o Third-party Software LC_LOAD_DYLIB Addition Valid Accountst Hidden Users o i m if v d a s e t rs Space after Filename Launchctl Sudo Caching Hidden Files and Directories e n g m c i in o w e s n s d n c r l t l p Trap Local Job Scheduling Web Shell s Hidden Window r i d s o o Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users Use ATT&CK for Cyber Threat Intelligence p l g p a u m io da h o d a e l o w n u is o a e d Trap Local Job Scheduling Web Shell Hidden Window t Trustede Developer Utilities Login Item s HISTCONTROL Low Priority an h n tot i i m a d a fr e x r t p a fi o ti rs p Image File Execution Options s l i r s c Trusted Developer Utilities Login Item HISTCONTROL e User Execution lo Logon Scripts c n e i h h Injection Legend a n s To help cyber defenl ders gain a commaon understanding Image File Execution Options APT28 it y e e e a i e User Execution Logon Scripts a h Windows Management p v f v Injection p m n l Cyberti LSASS Driverthreat intelligence comesIndicator Blocking from many sources, including knowledge of past incidents, ct x t l Instrumentation o e s p Windows Management High Priority c w - i o o LSASS Driver Indicator Blocking n r o c o ia i p Instrumentation v a n a attackevals.mitre.org i d g t Windows Remote Management foModify Existing Service is Indicator Removal from Tools e b h n n io e r m i r Windows Remote Management Modify Existing Service Indicator Removal from Tools o APT29 t t Legend r c or i t je aio c m of the threats they facge, MITREin deveelopedd the ATT&CK c XSL Script Processing Netsh Helper DLLli Indicator Removal on Host n o t le le r XSL Script Processing Netsh Helper DLL Indicator Removal on Host commerciale threat feeds, information-sharing groups, government threat-sharing programs, c c a n l b k d e nt n em r t g co va o r a s New Service Indirect Command Execution New Service Indirect Command Execution b d e m s Both y ex cr mr e ed mo o o b MITRE ATT&CK Evaluations pa e a o a o t e t i in Office Application Startup Install Root Certificate s Office Application Startup c Install Root Certificate o t f a r h a l sand u more. ATT&CKut gives analysts a common language to communicate across reports and n e in o om gh framework. It’s a globally-accescsible knoy wledgeg base of s je Path Interception InstallUtil io t d t u i i c s Path Interception InstallUtil w r e d n er n o oar e c au hro d _ i p ti Plist Modification Launchctl Detection Threat Intelligence i t n a l c l n k a o Plist Modificationcc Launchctl s p s c rv ion i d c io n n Port Knocking LC_MAIN Hijacking organizations,ou providing a way to structure, compare, and analyze threat intelligence. aile o e at ies adversary tactics and t echniques baseda onja real world at d Port Knocking n LC_MAIN Hijacking ft u s ic or o i Port Monitors Masquerading t n t l co e d e n f un si _ h m tr Port Monitors n Masquerading a m o r u Rc.common Modify Registry tro Finding Gaps in Defense te l t o m rep lc in g o s s Initial Access Execution Persistencel Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact v a i l e co n f e t Re-opened Applications Mshta br Rc.common Modify Registry d t a c io observations and open source researcha contributin ed byin c Drive-by Compromiseo AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction c e i i at p Network Share Connection w e s n d r u Redundant Access Comparing APT28 to APT29 s a m m m Communication Through v r Re-opened Applications Mshta r Removal Exploit Public-Facing Applicatione CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact u e r o a o r o r e Removable Media f t s nf _ r i Registry Run Keys / Startup Folder NTFS File Attributes n i v processes = search Process:Create Distributed Component Object x Network Share Connection b d e t External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement c e s Redundant Access t y e Model m l i n Removal o e c k s o m u e d Custom Command and Control r the cyber community. Scheduled Task Obfuscated Files or Information s a f iu l Hardware Additions Compiled HTML File i AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe t m r f d i s e o Protocol Registry Run Keys / Startup Folder n NTFS File Attributes c o o ta e q f ti u Replication Through Removable s a m r Screensaver Plist Modification Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe c m s e d l s m a Media l o w t l ica a d p h Scheduled Task Obfuscated Files or Information s p Exfiltration Over Command and o t s Security Support Provider Port Knocking p i e pSpearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service u b a y t s e p i lica Control Channel n i e i ph m s o ja reg = filter processes where (exe == "reg.exe" and parent_exe Exfiltration Over Other Network a Service Registry Permissions t t n r Spearphishing Link Screensaver Execution through API Authentication Package DLL SearchPlist Order Modification Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption e n m Process Doppelgänging io g t s e e p c Weakness n s Medium m il e o n ov sc c r rt k Spearphishing via Service hExecution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery j Setuid and Setgid Process Hollowing o d r o c o i Security Support Providerimm Port Knocking s a f b t p trati fu a x v p n Supply Chain Compromise Exploitation for Client Executioni Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service n il r g Shortcut Modification Process Injection Service Registry Permissions n s l f b t o g Process Doppelgänging i in ex n s i Weakness p m o d Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking y o Used by organizations around the world, ATT&CK l v SIP and Trust Provider Hijacking Redundant Access u o o c a e i == "cmd.exe") Replication Through Removable Setuid and Setgid Process Hollowing r d s d Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation l p Media a c r Startup Items Regsvcs/Regasm t d to ions n c s e Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop u Shortcut Modification Process Injection a io y dit r r System Firmware Regsvr32 a n o d d i p Image File Execution Options n b a p Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation e r re provides a shared understanding of adversarye tactics, p le Injection - SIP and Trust Provider Hijacking Redundant Access n a Systemd Service Rootkit sc p w r r Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and i d t LSASS Driver ip Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation e r t Information Relay l ha ia 2 p cmd = filterTime Providers processesRundll32 where (exe == "cmd.exe" and Startup Items Regsvcs/Regasm iv ed 3 g Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking b r ro ble m ll in r Trap Scripting t a d k o System Firmware Regsvr32 v PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools s d n remo techniques and procedures and how to detect, prnevent, c c Valid Accounts Signed Binary Proxy Execution System Network Configuration h u a Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy y g r e Discovery u Systemd Service Rootkit s o thro p d System Network Connections s Web Shell Signed Script Proxy Execution n Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol k c io e e Discovery t t r Time Providers Rundll32 e e r g ica r a s parent_exeWindows Management != "explorer.exe"") l Two-Factor Authentication o p a a MITRE SIP and Trust Provider Hijacking Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol r d re i Instrumentation Event Subscription Interception m ne o in and/ or mitigate them. w tw ta n Trap Scripting Standard Non-Application Layer tk n ft f Winlogon Helper DLL Software Packing Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery l Protocol c m it a k o o g Service Registry Permissions s s e Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port Valid Accounts Signed Binary Proxy Execution o c Space after Filename Weakness a d k ty Image File Execution Options e d a r d n Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service l u j Template Injection Injection y reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and we Web Shell Signed Script Proxy Execution ls le c n n i g pa is c b s Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets s h - Timestomp Windows Managementerv a a io h n r ice SIP and Trust Provider Hijacking a t i rd k y Instrumentation EventSigned Subscription Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass n in f i s Trusted Developer Utilities d m n e f th r p Winlogon Helper DLL Software Packing i e c Source Launch Daemon Sudo Group Policy Modification ex e c d t Valid Accounts t m v r n ATT&CK is open and available to any person or vi d o e Space after Filename Launchctl Sudo CachingSpace after Filename Hidden Files and Directories e o e n s e s o i n d reg.hostname == cmd.hostnameVirtualization/Sandbox Evasion ) stan s c r u r s dard cr Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users i p c ge p t ypt Template Injection o o ka Web Service ograp n k i u n pac e k e f hic pro Trap Local Job Scheduling Web Shell Hidden Window e s s s r nticatio m o tocol x m v authe r organization for use at no charge. ti n ™ XSL Script Processing Timestomp p s Trusted Developer Utilities Login Item HISTCONTROL lo h tos re o r i i To help cybt er defendr ers gain a common understanding Image File Execution Options APT28 it y o e n t i User Execution Logon Scripts Trusted Developer Utilities a l s s v r output reg_and_cmd Injection tio pe tw s l p u w m Windows Management u w - LSASS Driver Indicator Blocking n r a ia Instrumentation Valid Accounts v n fo is tc e f e i io ed u c ip p Windows Remote Management Modify Existing Service Indicator Removal from Tools Legend APT29 r c or a n o n i t ct m t of thet threats they face, MITREa developed the ATT&CK spea Virtualization/Sandbox Evasion li n del hijacking le le l u e rphishing via s XSL Script Processing Netsh Helper DLL Indicator Removal on Host e d l ent object mo l b s c ervice n n ompon n o a c ATT&CK t c c v Web Service n d r t New Service Indirect Command Execution Both by ex ia a ed mo a a e pa e o a For sixty years, MITRE has tackled complex problems t e Office Application Startup Install Root Certificate c o a r s XSL Script Processing ss u ut n h ti om gh p framew work. It’s a globally-accessible knowledge base of Path Interception InstallUtil io c t u s t ser n e a w au hro n u i Plist Modification Launchctl a d e t t d p cc e ic s that challenge public saf ety, stability, and well-being. ion f r pearphishing link Port Knocking LC_MAIN Hijacking ss ou g t c control panel ite a at es s r adve ersary etactics and t echniques based on real world s l/tls i nt k i ms t ic ri i Use ATT&CK to Build Your Defensive Platform Port Monitors Masquerading ns c r a n ito v pe on o t n v e a mu os tw f Rc.common Modify Registry c tr e r ep i e tio ol s e v com n r le Re-opened Applications Mshta n br w - h e s d Pioneering t ogether with the cyber community, we’re tio o r observations and open source research contributed by Enterprise ow t i a Network Share Connection t i e Redundant Access Comparing APT28 to APT29 s t s a m Removal e e l r - a r e u f n t nfo f tion Registry Run Keys / Startup Folder NTFS File Attributes x m dll se i ATT&CK includes resources designed to help cyber defenders develop analytics that files or informa ten n u a o s arch order hijac e rom m a tt the cyber community. Usefusc aATT&CKted for AdversaryScheduled Task Obfuscated Emulation Files or Information and Red Teaming si o t king building a stronger, threat-informed defense for a f diu ob ons m l r m ata me c r Screensaver Plist Modification d l m d a al t ib ap a p h o sic o Security Support Provider Port Knocking plica e i t phyp u detect the techniques used by an adversary. Based on threat intelligence included in Service Registry Permissions t i r r Process Doppelgänging io c g e e Weakness n v n sh r m r d il safer world. n oa p te ificate Setuid and Setgid Process Hollowing im e s l istribu f tio c a The best defenseoot cert is a well-tested defense. ATT&CK provides a common adversary mi o o o ted com iltra p s stall r Shortcut Modification Process Injection ng f d o pon xf e u Framework n ll monit c en e ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of i d oring g t obje y a p Used by organizations around the w orld, ATT&CK SIP and Trust Provider Hijacking Redundant Access l c t t c l t mordel r h Startup Items Regsvcs/Regasm y a p i s t Assessment and Engineering n o o n ion i b t a dit e behavior framework basedSystem Firmware on threat Regsvr32intelligence that red teams can use to emulate ap a p ad d analytics to detect threats. ce ple o - n o dync n are it n provides a shared understanding of adversary tactics, i Systemd Service Rootkit s a serv m crip e r mic n i u rdwl l l of te t p o o dat c ha i l ia t ia Time Providers Rundll32 s a d s t den on sy d v i t o exch b t c med ic Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact ti t p i le in c i an o h b po Trap Scripting ete n ge a l va end n d n r o t d l mo a techniques and procedures and how to detect, prevent, Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction specific threats. This helps cyber defenders find gaps in visibility, defensive tools, andio s a re Valid Accounts Signed Binary Proxy Execution r e s h us y d r c a o m t oug Communication Through r t t e i i n l hr Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact s h i t Web Shell Signed Script Proxy Execution n Removable Media i e i t e exp t l n aotion o Distributed Component Object s k e e ic i Windows Management h l External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement r c o p p m SIP and Trust Provider Hijacking u g l o e Model ro Instrumentation Event Subscription o m r tio m p i s t r and/ or mitigate them. p n n s n n Custom Command and Control m w p r t t i Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe o Winlogon Helper DLL Software Packing h p o t r s Protocol processes—andc then fix them. o i o n c y c e e u y l b Adversary Emulation g l a e g r Replication Through Removable e- h i d Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe Space after Filename a o i v m a s n i n a r o s Media r s a d g y f od e k n r u o s Exfiltration Over Command and l k e g Template Injection n le e Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service l c c i e h l e Control Channel i w s o n s w i t t e a i a g b g n d c p s c s Exfiltration Over Other Network Timestomp e n o n e hl n - i r r Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption g r vice n o i n i i Medium n o t n o i ti i k c m o n s l n i o e Trusted Developer Utilities n r o n a g Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery g n o fr t r e e a e j t e a d t n c Drive-by Compromise inScheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction n d u a Valid Accounts s u i v v ATT&CK is open and available to any person or r Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service m p a a m e o o d e n Launchctl Access Token Manipulation Account Manipulation Account Discovery Automated Collection Data Compressed Data Encrypted for Impact g r o r o Exploit Public-Facing Application Deployment Communication Through e o s d r Virtualization/Sandbox Evasion d r stand m i h r i p Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking k o ar y r i Application d h d p Software Removable Media c i e Local Job Scheduling Bypass User Account Control Bash History Application Window Clipboard Data Data Encrypted Defacement l ryp t m p 3 kag t d o e h v b Web Service n gr i pac a e r v t s a Replication Through Removable phic p o a ication Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation Discovery i ro s nt n t to l c p e Media External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe col s y i uth organization for use at no charge. r 2 a XSL Script Processing e c a a y n e j i s e n d s e n s m i p o e o Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop Credential Dumping Object Model Repositories c l c g Hardware Additions Trap Process Injection Disk Structure Wipe g t Browser Bookmark Custom Command and Exfiltration Over Other i d o c ri a l r e r i k c r l Image File Execution Options g i v s n Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation AppleScript DLL Search Order Hijacking Credentials in Files Discovery Data from Local System Control Protocol Network Medium Endpoinvt Denial of Service d f e l o a c k Injection Replication Through Exploitation of n l r i i l l a y u r c p Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and Removable Media Credentials in Registry Domain Trust Discovery Remote Services e t c t u a LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation CMSTP Image File Execution Options Injection Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption r t d Information Relay e p l h d a s m Spearphishing Attachment Command-Line Interface Plist Modification File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel a d a ijacking Exploitation for Inhibit System Recovery spe r p el h Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking arphishi m g ject mod ng v d a t ob ia ser p e onen vice i n u p comp n Credential Access k v d e e d _ t Spearphishing Link Compiled HTML File o Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service t b PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools p e ti r e s t c a h l n Protocol e a For sixty years, MITRE has tackled complex problems n c p o System Network Configuration Spearphishing via Service Control Panel Items Ajcecessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking n h l i Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy o e m m l r Discovery in s l a o r lp i System Network Connections Supply Chain Compromise Dynamic Data Exchange e AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Runtime Data Manipulation a a d Exfiltration Over e r t o d b r a Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol a s r t Discovery w t c g l d r Trusted Relationship Execution through API p AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medtium Service Stop r l f o Two-Factor Authentication l b e Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol m e t Interception e a s s i that challenge public saf ety, stability, and well-being. Valid Accounts t Application Shimming Code Signing Input Prompt Remote Services Algorithms Scheduled Transfer Stored Data Manipulation o Permission Groups Discovery k a Execution through l Man in the Browser e spearphishing lin ssl p v control panel items Standard Non-Application Layer /tls a t l Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery o t Use ATT&CK to Build Your Defensive Platform v in p Protocol Module Load Dylib Hijackicng Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels n Transmitted Data d sp d ss u l o i Service Registry Permissions t e w f h Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port c d o p Weakness Removable Media Manipulation t o r Exploitation for File Systepm Prermissions Weakness Component Firmware Keychain Query Discovery Video Capture Multiband Communication e e io n r u Image File Execution Options n b d o Pioneering t ogether with the cyber community, we’re Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service r r i y Injection Client Execution f e ye Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy a ilt j d e r a Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets a o m Graphical User Interface l Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption t r v n on p d r dll s o t e rmati l c c earch o Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass nf o l o InstallUATT&CKtil ti includesNew Service resourcesn Con trdesignedol Panel Items Pa sstoword F ilthelper DLL cyberSystem Informa tidefenderson Taint Shared Con tedevelopnt analyticsMulti-Stage Cthathannels iles or i s i rder hij ted f r ackin a d g ca e r obfusc d t h k building a stronger, threat-informed defense for a Source Launch Daemon Sudo Group Policy Modification Discovery m Mshta pli Path Intercheptmion DCShadow Private Keys Third-party Software Port Knocking o p c a n e i i Space after Filename Launchctl Sudo Caching Hidden Files and Directories PowerShell Port Monitors Securityd Memory System Network Windows Admin Shares Remote Access Tools l m a Deobfuscate/Decode Files j - ta l it n n detect the techniquest used by an adversary. Based on threat intelligence included in o a oRegsvcs/Regasm Service Reagistry Permissions Weakness or Information Configuration Discovery Remote File Copy r r Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users Two-Factor Authentication Windows Remote s n g w s o g safer world. t d Regsvr32 n Setuid and Setgid Disabling Security Tools Interception System Network Management l ate p c distr Trap Local Job Scheduling Web Shell Hidden Window r i ls Standard Application Layer ertific o ibuted da h o Connections Discovery root c w com Protocol s Rundll32 is Startup Items DLL Side-Loading stall k pon Trusted Developer Utilities Login Item HISTCONTROL Low Priority an ATT&CKh or provided to by analysts, cyber defenders can create a comprehensive set of a in er dll monitoring ent obje t p Web Shell Execution Guardrails s ct m Image File Execution Options s Scripting r s System Owner/User Standard Cryptographic u i od User Execution Logon Scripts h el a s n Injection Legend Service Executione .bash_profile and .bashrc e Discovery Protocol e Windows Management p c Exploitation for Exploitation for m l c LSASS Driver Indicator Blocking l Instrumentation s High Priority c g Signed Banalyticsinary Account Mtoanipula tiodetect na Privileg ethreats. Escalation Defense Evasion System Service Discovery Standard Non-Application e p dy Windows Remote Management Modify Existing Service Indicator Removal from Tools c n Proxy Execution e n Layer Protocol ervi ro am Authenticatioon Ptackage SID-History Injecttiioon File Deletion System Time Discovery al of s sctem ic dat XSL Script Processing Netsh Helper DLL Indicator Removal on Host ni sy e a e Signed Script BITS Jobs Sudo a Uncommonly Used Port t de on xch Initial Access eExecutionm Persistence Privilege EscalationFile PermissionDefenses Evasion Credential Access VirDiscoverytualization/Sandbox Lateral Movement Collection Command And Control Exfiltration Impact poin etecti s ange New Service Indirect Command Execution Proxy Execution r Bootkit Sudro mCaching Modification Evasion Web Service end n d s Drive-by Compromise AppleScript .bash_profilefo and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction usio in Office Application Startup Install Root Certificate Communication Through tr SourcExploite Public-Facing Application BrowCMSTPser Extensions Accessibilityn Features Accessibility FFeaturesile System Logical BinaryOff Paddingsets Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact n je i Removable Media e i si c ex Path Interception InstallUtil r e Distributed Component Object is k p e Space after FExternalilen Remoteame Services ChCommand-Lineange D eInterfacefault Account Manipulation AppCert DLLs Gatekeeper BypBITSas Jobss Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement m r t cu o ic Model pro o a io tion Plist Modification Launchctl File Association v Custom Command and Control m w Third-party SHardwareoftw aAdditionsre Compiled HTML File s AppCert DLLs AppInit DLLs Group Policy ModifBypassicat iUseron Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe o t n n th r Protocol r le by c e g oug Replication Through Removable i e e- d h Port Knocking LC_MAIN Hijacking Trusted Developer Utilities CompControlone Panelnt FItemsirfmware AppInit DLLs s Application HShimmingidden Files and DirClearec tCommandories History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe iv n m Media f dr t odu MITRE d Exfiltration Over Command and r n le Port Monitors Masquerading Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account ControlHidden UsersCMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service u l Finding Gaps in Defense te l o Control Channel s s i oad e Exfiltration Over Other Network e h Spearphishing Link a Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption g t r o Rc.common Modify Registry sc ia ic Medium ontin cu p okin Spearphishing via Service Execution through Module Load BITS nJobs Dylib Hijacking v Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery fr r g Re-opened Applications Mshta fu e r ain ris ov e Network Share Connection Supply Chain Compromiseb Exploitation for Client Execution d Bootkit Exploitatione for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service m t Redundant Access o g y i e Removal o k s d d Trusted Relationship Graphical User Interface r Browser Extensions f Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking t o s e k Registry Run Keys / Startup Folder NTFS File Attributes o o i l u n r e e Replication Through Removable m Valid Accounts InstallUtil Change Default File Association l File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation p i w s Media e h r ls Scheduled Task Obfuscated Files or Information t ia i e p ij n ass © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. Launchctl e Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop ic o g a d Screensaver Plist Modification n n m p c e ri Image File Execution Options r v Local Job Scheduling Component Objecte Model Hijacking o DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation v t k e Injection r n l r Security Support Provider Port Knocking d r o p i Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and e n LSASS Driver Createt Account Launch Daemon p Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation x v r d Service Registry Permissions Information l Relay d oe g Process Doppelgänging in s i Weakness m d r Mshta o DLL Search Order Hijacking Newo Service Disablingc Securityo Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking n l e vi i n Setuid and Setgid Process Hollowing o k s d v et PowerShell dp Dylib Hijacking cPath Interception tDLLo Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools cti r c rs e e e sh System Network Configuration e h Shortcut Modification Process Injection y j Regsvcs/Regasm n External Remote Services Plist Modification o DLL Side-Loading Private Keys Windows Remote Management Remote File Copy n o r s r e e b r Discovery i ip l r lp - System Network Connections te r o e SIP and Trust Provider Hijacking Redundant Access Regsvr32 File System Permissions W eakness Port Monitors p Execution Guardrails Securityd Memory Standard Application Layer Protocol a s r e Discovery pl tw t dl l Two-Factor Authentication p l Startup Items Regsvcs/Regasm Rundll32 Hidden Files and Directoriesv Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol m e a ri o Interception te l e r p r Standard Non-Application Layer o a Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery o System Firmware Regsvr32 d t v n Protocol oc n c d ss Service Registry Permissions t w Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port o e Systemd Service Rootkit Weakness e o o pr d e r Image File Execution Options c s d Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service r a r Time Providers Rundll32 Injection g e s fi d n y t i d lte Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets i la a n r Trap Scripting n k n t g e p dl Signed Script Proxy Execution Launch Agent a Startup Items Gatekeeper Bypass tio n e o l Valid Accounts Signed Binary Proxy Execution c r r ca e d n d t Source Launch Daemon d Sudo Group Policy Modification ja pli hm m Web Shell Signed Script Proxy Execution n i g p c is c a on Space after Filename Launchctl Sudo Caching Hidden Files and Directories a a l i Windows Management a h n - t r t SIP and Trust Provider Hijacking i n t k y l o Instrumentation Event Subscription a r Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users o s m e ff n g p w s Winlogon Helper DLL Software Packing i d n c l p Trap Localm Job Scheduling Web Shell Hidden Windowrc n dar shi ols d o te ow Space after Filename o i Trusted Developer Utilities Login Item HISTCONTROL s e n o i n a e c u c Low Priority ta ph t s d rs oImage File Execution Options s r s t Template Injection User Execution Logon Scripts k i a s k e f h m sInjection r v Legend e e o e Windows Management p n m ™ l Timestomp LSASS Driver e Indicator Blocking r c s r l Instrumentation o o s t r e High Priority ac in t t i p Trusted Developer Utilities Windows Remote Managements Modify Existing Service Indicator Removal from Tools w s e n r w m r u t s l ot tio p u oc Valid Accounts XSL Script Processing Netsh Helper DLL Indicator Removal on Host e i p e c e f em a u c p a s New Service Indirect Command Executionn n m t s Virtualization/Sandbox Evasion o r r t e l n o ls c u c ATT&CK in Office Application Startup Install Root Certificate n f r t Web Service ia a in a a e si jec Path Interception InstallUtil o r e s p t XSL Script Processing n h ti o ic p w a io Plist Modification Launchctl c s v s t n e a ile er n u i nd Port Knocking LC_MAIN Hijacking d e c e f s t d r p i c d f fs e e tr Port Monitors Masquerading k g Findingt i Gaps in Defense e o r s u r a n v at l e t iv e st Rc.common Modify Registry t c ia c f c o s e r e s n vi w il e u pr Re-opened Applications Mshta w - h e s fu e r o e r Enterprise ri o v Network Share Connectiont i b d e t Redundant Access t s i y i Removal t o s - d e l u f rk f f a s e Registry Run Keys / Startup Folder NTFS File Attributes o t u n u a o m s w l o e a tt im p r h Use ATT&CK for Adversary Emulation and Red Teaming Scheduled Task Obfuscated Files or Information o t a is c r e p i m d l r m e ni a i o ja Screensaver Plist Modification n m t b p r c e ia p h e ro p o u r t k Security Support Provider Port Knocking t d o p i c n i t p p r x v r ng Service Registry Permissions r m r l a t o Process Doppelgänging n e s i Weakness e l i m o a d v The best defense is a well-tested defense. ATT&CK provides a common adversary o o o o o c p c s l e i Setuid and Setgid Process Hollowing f d o p c e u Framework s r d c o lg d t a p t c s e Shortcut Modification Process Injection t c l n y o r h ri r n y a o e -b r p i t p SIP and Trust Provider Hijacking Redundant Access i o p n e t behavior framework based on threat intelligence that red teams can use to emulate b t e l a p d p Startup Items Regsvcs/Regasm o - n c iv i n o n r o u t l r p e r o tr l l t o System Firmware Regsvr32 io d c i d s i c d v t p t o n t c c e Systemd Service Rootkit i i h o t n o o a l d s specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and n r a c d g l a a Time Providers Rundll32 r c r o m e t s s e d i a i n d l n t t i h i i i a n Trap Scripting p t l n e n o o g h o a pk r m i g l o s c t e Valid Accounts Signed Binary Proxy Execution n p s n n p r t p d o i d n processes—and then fix them. n s o i ja c Web Shell Signed Script Proxy Execution e e y l l a a o i r n d i g i is c r a s o n s s a Windows Management g y f e a k h n n r SIP and Trust Provider Hijacking r k e o s i k g e y Instrumentation Event Subscription c h c i e f s e w m i t t p a i g e f g n p Winlogon Helper DLL Software Packing c c s i e c l n n n - i n i n r m c n i t i o d i c r n m o e o n s l Space after Filename a o o e r n g o t r e s e i n d e a u a j t d t n c Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction n u c s d u i v c r t Template Injection p a o a k i m e k o d e f Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact o r o n s r o r s o d r r m i h i m v p n ™ Application Timestomp y h r i d p s Software Removable Media i r Local Job Scheduling Bypass User Account Control Bash History Application Window Clipboard Data Data Encrypted Defacement t m 3 o e o r e d h v b i

r t i s v t r t o a e a n t n t i Discovery Trusted Developer Utilities c p External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe y s i w s r m c a y n 2 e j l i w e n t s p u d e Credential Dumping Object Model Repositories m i p o u e c g o Hardware Additions Trap Process Injection Disk Structure Wipe l t Browser Bookmark Custom Command and Exfiltration Over Other Valid Accounts e i p c e f u r c c i a r p k c r l g i s AppleScript DLL Search Order Hijacking Credentials in Files Discovery Data from Local System Control Protocol Network Medium Endpoint Denial of Service d f l o a n c k n n t a Replication Through Exploitation of Virtualization/Sandbox Evasion l i i l o t e y u l u r c p c Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Firmware Corruption t c u tl a n s c ATT&CK Data from Network Custom Cryptographic Exfiltration Over Command r Web Service p l h n r t m s a a Spearphishing Attachment Logon Scripts Shared Drive Protocol and Control Channel a d a a a e Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Inhibit System Recovery p i m g o a p e XSL Script Processing u p h i s p Credential Access d d _ t n Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service e b t w p e t c s t a l n n a e Protocol n c p o a u Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking n l i i m l m a r o d e t d p i e c Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Runtime Data Manipulation a a d f r Exfiltration Over r i d a b e t g t c s r e t c g r k i Trusted Relationship AppInit DLLs Input Capture Peripheral Device Discovery Physical Medium Service Stop r f o i Execution through API CMSTP Remote File Copy Input Capture Domain Generation b r e v t a s s i n v t f Valid Accounts Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Algorithms Scheduled Transfer Stored Data Manipulation a o o t w Execution through Man in the Browser t v e r i e t sl e l Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data d u l p w - e e r i h s o Enterprise f t i h p d t s i Exploitation for File System Permissions Weakness Component Firmware Keychain Query Discovery Removable Media Video Capture Multiband Communication Manipulation u r t - n b e l u a o i y f f Client Execution e Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy a n u j m s a t o m r a a o t Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption Use ATT&CK for Adversary Emulation and Red Teamingt v o r m l c r c c d r m a i

Control Panel Items Taint Shared Content Multi-Stage Channels s i t b InstallUtil New Service Password Filter DLL System Information

d a h k e i p h p o Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking c it r u e i i n p t PowerShell Port Monitors Securityd Memory System Network Windows Admin Shares Remote Access Tools m r m r a Deobfuscate/Decode Files j n e l a e a c Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy r o o o p The best defense is a well-tested defense. ATT&CK provides a common adversary o f g d o e u s Framework t c Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer c g a p t l c l r t Connections Discovery Protocol s h Rundll32 Startup Items DLL Side-Loading k n y a o p i t i b t o n e Scripting Web Shell Execution Guardrails System Owner/User i a Standard Cryptographic behavior framework based on threat intelligence that red teams can use to emulate u p d n o - c i n Service Execution .bash_profile and .bashrc Discovery Protocol n o t Exploitation for Exploitation for c n u l l p e o r o i l t Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application g i t o c t c d s i d v t p i c Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol i n o h a l n r o t d l a specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and a r e s Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port e d r c a o m t t i i n h l i Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service e p t l n o io h o p m g l o s t Source Browser Extensions File System Logical Offsets n r p i s n n p r t p o i processes—and then fix them. s o i n c Space after Filename Change Default Gatekeeper Bypass e e y l l a a o i r d i r a s o n s s a File Association Group Policy Modification g y f e k n Third-party Software r k e o s c g e c i e h s e w t t a i g i Trusted Developer Utilities Component Firmware Hidden Files and Directories g n p c c s e l n n n - i n i n r n o i MITRE i i c m Hidden Users o n s l o e r a n g o t r e a e j t a d t n c Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction n d u u v i r p a a m o d e Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact o r o n s r o d r r m i h i p Application y h r i d p Software Removable Media i Local Job Scheduling Bypass User Account Control Bash History Application Window Clipboard Data Data Encrypted Defacement t m 3 e d h v b i r s v t o a a n t Discovery c p External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe y i c a y n 2 e j i d e e n Credential Dumping Object Model Repositories m i p o e c g o Hardware Additions Trap Process Injection Disk Structure Wipe l t Browser Bookmark Custom Command and Exfiltration Over Other c i a r r k c r l g i s AppleScript DLL Search Order Hijacking Credentials in Files Discovery Data from Local System Control Protocol Network Medium Endpoint Denial of Service d f l o a c k n Replication Through Exploitation of l i i l y u r c p Removable Media Credentials in Registry Domain Trust Discovery Remote Services t c u a CMSTP Image File Execution Options Injection Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption r t p l h m s Spearphishing Attachment Command-Line Interface Plist Modification File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel a d a Exploitation for Inhibit System Recovery p g a m p u p e Credential Access d e d _ t Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service b p e

a t l n a Protocol n p o Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking n c l i m m l r a o Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Runtime Data Manipulation a a i d Exfiltration Over d a b r t t c g r Physical Medium r f o Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Service Stop b e s s i t Valid Accounts Application Shimming Code Signing Input Prompt Remote Services Algorithms Scheduled Transfer Stored Data Manipulation o Permission Groups Discovery a Execution through Man in the Browser t v t l Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data d u l p f i h p d Exploitation for File System Permissions Weakness Component Firmware Keychain Query Discovery Removable Media Video Capture Multiband Communication Manipulation u r n b o i Client Execution y Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy a e j o m r a Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption t v r c c

Control Panel Items Taint Shared Content Multi-Stage Channels s i InstallUtil New Service Password Filter DLL System Information Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking d h k

e i i PowerShell Port Monitors Securityd Memory Windows Admin Shares Remote Access Tools m Deobfuscate/Decode Files System Network j n

a Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy r o g t Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer c

Connections Discovery Protocol s Rundll32 Startup Items DLL Side-Loading k

Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic u i Discovery Protocol n Service Execution .bash_profile and .bashrc Exploitation for Exploitation for c Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application g Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service Source Browser Extensions File System Logical Offsets Space after Filename Change Default Gatekeeper Bypass Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories MITRE Hidden Users | 21 | Getting Started with Detection: Developing Analytics

1 Identify techniques to detect

Write code for 2 detection using existing data

3 Assign a name, store, and test the analytic

▪ There’s a large community of people doing ATT&CK for detection – What analytics are they running and finding valuable? – Which of those can you run based on data you already have?

▪ Look at existing repositories, or talk to partner organizations – Cyber Analytics Repository: https://car.mitre.org/ – Endgame EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html – Sigma: https://github.com/Neo23x0/sigma

▪ For more info, check out the ATT&CK blog on detection: – https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0

Initial Privilege Defense Credential Lateral Command Execution Persistence Discovery Collection Exfiltration Access Escalation Evasion Access Movement and Control rive by Co pro ise Apple ript .bas pro ile and .bas r A ess To en anip lation A ess To en anip lation A o nt anip lation A o nt is overy Apple ript A dio Capt re A to ated iltration Co only sed ort ploit bli a ing Appli ation indo Appli ation eploy ent Co ni ation T ro g Appli ation C T A essibility eat res A essibility eat res inary adding as istory is overy o t are A to ated Colle tion ata Co pressed e ovable edia istrib ted Co ponent ard are Additions Co and ine nter a e AppCert s AppCert s T obs r te or e ro ser oo ar is overy b e t odel Clipboard ata ata n rypted Conne tion ro y epli ation T ro g ploitation o e ote ata ro n or ation C sto Co and and e ovable edia Control anel te s App nit s App nit s ypass ser A o nt ControlCredential ping ile and ire tory is overy ervi es epositories ata Trans er i e i its Control roto ol iltration ver Alternative C sto Cryptograp i pearp is ing Atta ent yna i ata ange Appli ation i ing Appli ation i ing Clear Co and istory Credentials in iles et or ervi e anning ogon ripts ata ro o al yste roto ol roto ol ata ro et or ared iltration ver Co and pearp is ing in e tion t ro g A A t enti ation a age ypass ser A o nt ControlC T Credentials in egistry et or are is overy ass t e as rive and Control C annel ata n oding e tion t ro g od le ploitation or Credential iltration ver t er pearp is ing via ervi e oad T obs ear rder i a ing Code igning A ess ass ord oli y is overy ass t e Ti et ata ro e ovable edia et or edi ata b s ation ploitation or Client iltration ver ysi al pply C ain Co pro ise e tion oot it ylib i a ing Co ponent ir are or ed A t enti ation erip eral evi e is overy e ote es top roto ol ata taged edi o ain ronting ploitation or rivilege Co ponent b e t odel Tr sted elations ip rap i al ser nter a e ro ser tensions s alation i a ing oo ing er ission ro ps is overy e ote ile Copy ail Colle tion ed led Trans er allba C annels C ange e a lt ile tra indo e ory alid A o nts nstall til Asso iation n e tion Control anel te s np t Capt re ro ess is overy e ote ervi es np t Capt re lti op ro y ile yste er issions epli ation T ro g a n tl Co ponent ir are ea ness C ado np t ro pt ery egistry e ovable edia an in t e ro ser lti tage C annels Co ponent b e t odel eob s ate e ode iles or o al ob ed ling i a ing oo ing n or ation Kerberoasting e ote yste is overy ared ebroot reen Capt re ltiband Co ni ation age ile e tion ptions A river Create A o nt n e tion isabling e rity Tools Key ain e rity o t are is overy i a ing ideo Capt re ltilayer n ryption s ta ear rder i a ing a n ae on ear rder i a ing T oisoning yste n or ation is overyTaint ared Content ort Kno ing yste et or o er ell ylib i a ing e ervi e ide oading et or ni ing Con ig ration is overy T ird party o t are e ote A ess Tools ploitation or e ense yste et or Conne tions egsv s egas ternal e ote ervi es at nter eption vasion ass ord ilter is overy indo s Ad in ares e ote ile Copy ile yste er issions tra indo e ory yste ner ser indo s e ote tandard Appli ation ayer egsvr ea ness list odi i ation n e tion rivate Keys is overy anage ent roto ol epli ation T ro g tandard Cryptograp i ndll idden iles and ire tories ort onitors ile eletion e ovable edia yste ervi e is overy roto ol tandard on Appli ation ed led Tas oo ing ro ess n e tion ile yste ogi al sets e rityd e ory yste Ti e is overy ayer roto ol T o a tor A t enti ation ripting ypervisor ed led Tas ate eeper ypass nter eption n o only sed ort age ile e tion ptions ervi e egistry er issions ervi e e tion n e tion ea ness idden iles and ire tories eb ervi e igned inary ro y Kernel od les and e tion tensions et id and etgid idden sers igned ript ro y e tion a n Agent istory n e tion idden indo o r e a n ae on tart p te s TC T age ile e tion ptions pa e a ter ilena e a n tl do n e tion T ird party o t are C A Addition do Ca ing ndi ator lo ing Trap o al ob ed ling alid A o nts ndi ator e oval ro Tools Tr sted eveloper tilities ogin te eb ell ndi ator e oval on ost ser e tion ogon ripts ndire t Co and e tion indo s anage ent nstr entation A river nstall oot Certi i ate indo s e ote anage ent odi y isting ervi e nstall til ets elper a n tl *from open source e ervi e C A i a ing i e Appli ation tart p as erading at nter eption odi y egistry list odi i ation s ta p w ’ pp et or are Conne tion ort Kno ing e oval ort onitors T ile Attrib tes b s ated iles or . o on n or ation e opened Appli ations list odi i ation ed ndant A ess ort Kno ing egistry n Keys tart older ro ess oppelg nging © 2019 The MITRE Corporation. All rights reserved. ed led Approved Tas for public release. Distribution ro essunlimited ollo ing 18-3288-14. reensaver ro ess n e tion e rity pport rovider ed ndant A ess ervi e egistry er issions ea ness egsv s egas ort t odi i ation egsvr and Tr st rovider i a ing oot it tart p te s ndll yste ir are ripting igned inary ro y Ti e roviders e tion igned ript ro y Trap e tion and Tr st rovider alid A o nts i a ing eb ell o t are a ing indo s anage ent nstr entation vent pa e a ter ilena e bs ription inlogon elper Ti esto p Tr sted eveloper tilities alid A o nts eb ervi e | 24 | APT29 Techniques

Initial Privilege Defense Credential Lateral Command Execution Persistence Discovery Collection Exfiltration Access Escalation Evasion Access Movement and Control rive by Co pro ise Apple ript .bas pro ile and .bas r A ess To en anip lation A ess To en anip lation A o nt anip lation A o nt is overy Apple ript A dio Capt re A to ated iltration Co only sed ort ploit bli a ing Appli ation indo Appli ation eploy ent Co ni ation T ro g Appli ation C T A essibility eat res A essibility eat res inary adding as istory is overy o t are A to ated Colle tion ata Co pressed e ovable edia istrib ted Co ponent ard are Additions Co and ine nter a e AppCert s AppCert s T obs r te or e ro ser oo ar is overy b e t odel Clipboard ata ata n rypted Conne tion ro y epli ation T ro g ploitation o e ote ata ro n or ation C sto Co and and e ovable edia Control anel te s App nit s App nit s ypass ser A o nt ControlCredential ping ile and ire tory is overy ervi es epositories ata Trans er i e i its Control roto ol iltration ver Alternative C sto Cryptograp i pearp is ing Atta ent yna i ata ange Appli ation i ing Appli ation i ing Clear Co and istory Credentials in iles et or ervi e anning ogon ripts ata ro o al yste roto ol roto ol ata ro et or ared iltration ver Co and pearp is ing in e tion t ro g A A t enti ation a age ypass ser A o nt ControlC T Credentials in egistry et or are is overy ass t e as rive and Control C annel ata n oding e tion t ro g od le ploitation or Credential iltration ver t er pearp is ing via ervi e oad T obs ear rder i a ing Code igning A ess ass ord oli y is overy ass t e Ti et ata ro e ovable edia et or edi ata b s ation ploitation or Client iltration ver ysi al pply C ain Co pro ise e tion oot it ylib i a ing Co ponent ir are or ed A t enti ation erip eral evi e is overy e ote es top roto ol ata taged edi o ain ronting ploitation or rivilege Co ponent b e t odel Tr sted elations ip rap i al ser nter a e ro ser tensions s alation i a ing oo ing er ission ro ps is overy e ote ile Copy ail Colle tion ed led Trans er allba C annels C ange e a lt ile tra indo e ory alid A o nts nstall til Asso iation n e tion Control anel te s np t Capt re ro ess is overy e ote ervi es np t Capt re lti op ro y ile yste er issions epli ation T ro g a n tl Co ponent ir are ea ness C ado np t ro pt ery egistry e ovable edia an in t e ro ser lti tage C annels Co ponent b e t odel eob s ate e ode iles or o al ob ed ling i a ing oo ing n or ation Kerberoasting e ote yste is overy ared ebroot reen Capt re ltiband Co ni ation age ile e tion ptions A river Create A o nt n e tion isabling e rity Tools Key ain e rity o t are is overy i a ing ideo Capt re ltilayer n ryption s ta ear rder i a ing a n ae on ear rder i a ing T oisoning yste n or ation is overyTaint ared Content ort Kno ing yste et or o er ell ylib i a ing e ervi e ide oading et or ni ing Con ig ration is overy T ird party o t are e ote A ess Tools ploitation or e ense yste et or Conne tions egsv s egas ternal e ote ervi es at nter eption vasion ass ord ilter is overy indo s Ad in ares e ote ile Copy ile yste er issions tra indo e ory yste ner ser indo s e ote tandard Appli ation ayer egsvr ea ness list odi i ation n e tion rivate Keys is overy anage ent roto ol epli ation T ro g tandard Cryptograp i ndll idden iles and ire tories ort onitors ile eletion e ovable edia yste ervi e is overy roto ol tandard on Appli ation ed led Tas oo ing ro ess n e tion ile yste ogi al sets e rityd e ory yste Ti e is overy ayer roto ol T o a tor A t enti ation ripting ypervisor ed led Tas ate eeper ypass nter eption n o only sed ort age ile e tion ptions ervi e egistry er issions ervi e e tion n e tion ea ness idden iles and ire tories eb ervi e igned inary ro y Kernel od les and e tion tensions et id and etgid idden sers igned ript ro y e tion a n Agent istory n e tion idden indo o r e a n ae on tart p te s TC T age ile e tion ptions pa e a ter ilena e a n tl do n e tion T ird party o t are C A Addition do Ca ing ndi ator lo ing Trap o al ob ed ling alid A o nts ndi ator e oval ro Tools Tr sted eveloper tilities ogin te eb ell ndi ator e oval on ost ser e tion ogon ripts ndire t Co and e tion indo s anage ent nstr entation A river nstall oot Certi i ate indo s e ote anage ent odi y isting ervi e nstall til ets elper a n tl e ervi e C A i a ing i e Appli ation tart p as erading at nter eption odi y egistry list odi i ation s ta et or are Conne tion ort Kno ing e oval ort onitors T ile Attrib tes b s ated iles or . o on n or ation e opened Appli ations list odi i ation ed ndant A ess ort Kno ing egistry n Keys tart older ro ess oppelg nging © 2019 The MITRE Corporation. All rights reserved. ed led Approved Tas for public release. Distribution ro essunlimited ollo ing 18-3288-14. reensaver ro ess n e tion e rity pport rovider ed ndant A ess ervi e egistry er issions ea ness egsv s egas ort t odi i ation egsvr and Tr st rovider i a ing oot it tart p te s ndll yste ir are ripting igned inary ro y Ti e roviders e tion igned ript ro y Trap e tion and Tr st rovider alid A o nts i a ing eb ell o t are a ing indo s anage ent nstr entation vent pa e a ter ilena e bs ription inlogon elper Ti esto p Tr sted eveloper tilities alid A o nts eb ervi e | 25 | Comparing APT28 and APT29

Initial Privilege Defense Credential Lateral Command Execution Persistence Discovery Collection Exfiltration Access Escalation Evasion Access Movement and Control rive by Co pro ise Apple ript .bas pro ile and .bas r A ess To en anip lation A ess To en anip lation A o nt anip lation A o nt is overy Apple ript A dio Capt re A to ated iltration Co only sed ort ploit bli a ing Appli ation indo Appli ation eploy ent Co ni ation T ro g Appli ation C T A essibility eat res A essibility eat res inary adding as istory is overy o t are A to ated Colle tion ata Co pressed e ovable edia istrib ted Co ponent ard are Additions Co and ine nter a e AppCert s AppCert s T obs r te or e ro ser oo ar is overy b e t odel Clipboard ata ata n rypted Conne tion ro y epli ation T ro g ploitation o e ote ata ro n or ation C sto Co and and e ovable edia Control anel te s App nit s App nit s ypass ser A o nt ControlCredential ping ile and ire tory is overy ervi es epositories ata Trans er i e i its Control roto ol iltration ver Alternative C sto Cryptograp i pearp is ing Atta ent yna i ata ange Appli ation i ing Appli ation i ing Clear Co and istory Credentials in iles et or ervi e anning ogon ripts ata ro o al yste roto ol roto ol ata ro et or ared iltration ver Co and pearp is ing in e tion t ro g A A t enti ation a age ypass ser A o nt ControlC T Credentials in egistry et or are is overy ass t e as rive and Control C annel ata n oding e tion t ro g od le ploitation or Credential iltration ver t er pearp is ing via ervi e oad T obs ear rder i a ing Code igning A ess ass ord oli y is overy ass t e Ti et ata ro e ovable edia et or edi ata b s ation ploitation or Client iltration ver ysi al pply C ain Co pro ise e tion oot it ylib i a ing Co ponent ir are or ed A t enti ation erip eral evi e is overy e ote es top roto ol ata taged edi o ain ronting ploitation or rivilege Co ponent b e t odel Tr sted elations ip rap i al ser nter a e ro ser tensions s alation i a ing oo ing er ission ro ps is overy e ote ile Copy ail Colle tion ed led Trans er allba C annels C ange e a lt ile tra indo e ory alid A o nts nstall til Asso iation n e tion Control anel te s np t Capt re ro ess is overy e ote ervi es np t Capt re lti op ro y ile yste er issions epli ation T ro g a n tl Co ponent ir are ea ness C ado np t ro pt ery egistry e ovable edia an in t e ro ser lti tage C annels Co ponent b e t odel eob s ate e ode iles or o al ob ed ling i a ing oo ing n or ation Kerberoasting e ote yste is overy ared ebroot reen Capt re ltiband Co ni ation age ile e tion ptions A river Create A o nt n e tion isabling e rity Tools Key ain e rity o t are is overy i a ing ideo Capt re ltilayer n ryption s ta ear rder i a ing a n ae on ear rder i a ing T oisoning yste n or ation is overyTaint ared Content ort Kno ing yste et or o er ell ylib i a ing e ervi e ide oading et or ni ing Con ig ration is overy T ird party o t are e ote A ess Tools ploitation or e ense yste et or Conne tions egsv s egas ternal e ote ervi es at nter eption vasion ass ord ilter is overy indo s Ad in ares e ote ile Copy ile yste er issions tra indo e ory yste ner ser indo s e ote tandard Appli ation ayer egsvr ea ness list odi i ation n e tion rivate Keys is overy anage ent roto ol epli ation T ro g tandard Cryptograp i ndll idden iles and ire tories ort onitors ile eletion e ovable edia yste ervi e is overy roto ol tandard on Appli ation ed led Tas oo ing ro ess n e tion ile yste ogi al sets e rityd e ory yste Ti e is overy ayer roto ol T o a tor A t enti ation ripting ypervisor ed led Tas ate eeper ypass nter eption n o only sed ort age ile e tion ptions ervi e egistry er issions ervi e e tion n e tion ea ness idden iles and ire tories eb ervi e igned inary ro y Kernel od les and e tion tensions et id and etgid idden sers igned ript ro y e tion a n Agent istory n e tion idden indo o r e a n ae on tart p te s TC T age ile e tion ptions pa e a ter ilena e a n tl do n e tion T ird party o t are C A Addition do Ca ing ndi ator lo ing Trap o al ob ed ling alid A o nts ndi ator e oval ro Tools Tr sted eveloper tilities ogin te eb ell ndi ator e oval on ost ser e tion ogon ripts ndire t Co and e tion indo s anage ent nstr entation A river nstall oot Certi i ate indo s e ote anage ent odi y isting ervi e nstall til APT28 ets elper a n tl e ervi e C A i a ing i e Appli ation tart p as erading at nter eption odi y egistry list odi i ation s ta APT29 et or are Conne tion ort Kno ing e oval ort onitors T ile Attrib tes b s ated iles or . o on n or ation e opened Appli ations list odi i ation Both groups ed ndant A ess ort Kno ing egistry n Keys tart older ro ess oppelg nging © 2019 The MITRE Corporation. All rights reserved. ed led Approved Tas for public release. Distribution ro essunlimited ollo ing 18-3288-14. reensaver ro ess n e tion e rity pport rovider ed ndant A ess ervi e egistry er issions ea ness egsv s egas ort t odi i ation egsvr and Tr st rovider i a ing oot it tart p te s ndll yste ir are ripting igned inary ro y Ti e roviders e tion igned ript ro y Trap e tion and Tr st rovider alid A o nts i a ing eb ell o t are a ing indo s anage ent nstr entation vent pa e a ter ilena e bs ription inlogon elper Ti esto p Tr sted eveloper tilities alid A o nts eb ervi e | 26 | Comparing APT28 and APT29

Initial Privilege Defense Credential Lateral Command Execution Persistence Discovery Collection Exfiltration Access Escalation Evasion Access Movement and Control rive by Co pro ise Apple ript .bas pro ile and .bas r A ess To en anip lation A ess To en anip lation A o nt anip lation A o nt is overy Apple ript A dio Capt re A to ated iltration Co only sed ort ploit bli a ing Appli ation indo Appli ation eploy ent Co ni ation T ro g Appli ation C T A essibility eat res A essibility eat res inary adding as istory is overy o t are A to ated Colle tion ata Co pressed e ovable edia istrib ted Co ponent ard are Additions Co and ine nter a e AppCert s AppCert s T obs r te or e ro ser oo ar is overy b e t odel Clipboard ata ata n rypted Conne tion ro y epli ation T ro g ploitation o e ote ata ro n or ation C sto Co and and e ovable edia Control anel te s App nit s App nit s ypass ser A o nt ControlCredential ping ile and ire tory is overy ervi es epositories ata Trans er i e i its Control roto ol iltration ver Alternative C sto Cryptograp i pearp is ing Atta ent yna i ata ange Appli ation i ing Appli ation i ing Clear Co and istory Credentials in iles et or ervi e anning ogon ripts ata ro o al yste roto ol roto ol ata ro et or ared iltration ver Co and pearp is ing in e tion t ro g A A t enti ation a age ypass ser A o nt ControlC T Credentials in egistry et or are is overy ass t e as rive and Control C annel ata n oding e tion t ro g od le ploitation or Credential iltration ver t er pearp is ing via ervi e oad T obs ear rder i a ing Code igning A ess ass ord oli y is overy ass t e Ti et ata ro e ovable edia et or edi ata b s ation ploitation or Client iltration ver ysi al pply C ain Co pro ise e tion oot it ylib i a ing Co ponent ir are or ed A t enti ation erip eral evi e is overy e ote es top roto ol ata taged edi o ain ronting ploitation or rivilege Co ponent b e t odel Tr sted elations ip rap i al ser nter a e ro ser tensions s alation i a ing oo ing er ission ro ps is overy e ote ile Copy ail Colle tion ed led Trans er allba C annels C ange e a lt ile tra indo e ory alid A o nts nstall til Asso iation n e tion Control anel te s np t Capt re ro ess is overy e ote ervi es np t Capt re lti op ro y ile yste er issions epli ation T ro g a n tl Co ponent ir are ea ness C ado np t ro pt ery egistry e ovable edia an in t e ro ser lti tage C annels Co ponent b e t odel eob s ate e ode iles or o al ob ed ling i a ing oo ing n or ation Kerberoasting e ote yste is overy ared ebroot reen Capt re ltiband Co ni ation age ile e tion ptions A river Create A o nt n e tion isabling e rity Tools Key ain e rity o t are is overy i a ing ideo Capt re ltilayer n ryption s ta ear rder i a ing a n ae on ear rder i a ing T oisoning yste n or ation is overyTaint ared Content ort Kno ing yste et or o er ell ylib i a ing e ervi e ide oading et or ni ing Con ig ration is overy T ird party o t are e ote A ess Tools ploitation or e ense yste et or Conne tions egsv s egas ternal e ote ervi es at nter eption vasion ass ord ilter is overy indo s Ad in ares e ote ile Copy ile yste er issions tra indo e ory yste ner ser indo s e ote tandard Appli ation ayer egsvr ea ness list odi i ation n e tion rivate Keys is overy anage ent roto ol epli ation T ro g tandard Cryptograp i ndll idden iles and ire tories ort onitors ile eletion e ovable edia yste ervi e is overy roto ol tandard on Appli ation ed led Tas oo ing ro ess n e tion ile yste ogi al sets e rityd e ory yste Ti e is overy ayer roto ol T o a tor A t enti ation ripting ypervisor ed led Tas ate eeper ypass nter eption n o only sed ort age ile e tion ptions ervi e egistry er issions ervi e e tion n e tion ea ness idden iles and ire tories eb ervi e igned inary ro y Kernel od les and e tion tensions et id and etgid idden sers igned ript ro y e tion a n Agent istory n e tion idden indo o r e a n ae on tart p te s TC T age ile e tion ptions pa e a ter ilena e a n tl do n e tion T ird party o t are C A Addition do Ca ing ndi ator lo ing Focus on shared Trap o al ob ed ling alid A o nts ndi ator e oval ro Tools Tr sted eveloper tilities ogin te eb ell ndi ator e oval on ost ser e tion ogon ripts ndire t Co and e tion indo s anage ent nstr entation A river nstall oot Certi i ate indo s e ote odi y isting ervi e nstall til techniques anage ent APT28 ets elper a n tl e ervi e C A i a ing i e Appli ation tart p as erading at nter eption odi y egistry list odi i ation s ta APT29 et or are Conne tion ort Kno ing e oval ort onitors T ile Attrib tes b s ated iles or . o on n or ation e opened Appli ations list odi i ation Both groups ed ndant A ess ort Kno ing egistry n Keys tart older ro ess oppelg nging © 2019 The MITRE Corporation. All rights reserved. ed led Approved Tas for public release. Distribution ro essunlimited ollo ing 18-3288-14. reensaver ro ess n e tion e rity pport rovider ed ndant A ess ervi e egistry er issions ea ness egsv s egas ort t odi i ation egsvr and Tr st rovider i a ing oot it tart p te s ndll yste ir are ripting igned inary ro y Ti e roviders e tion igned ript ro y Trap e tion and Tr st rovider alid A o nts i a ing eb ell o t are a ing indo s anage ent nstr entation vent pa e a ter ilena e bs ription inlogon elper Ti esto p Tr sted eveloper tilities alid A o nts eb ervi e | 27 | Tips for Using ATT&CK for Threat Intelligence

1. Choose a threat group relevant to your organization 2. Map their techniques to ATT&CK – Or use existing mappings: https://attack.mitre.org/groups/ https://pan-unit42.github.io/playbook_viewer/ 3. Prioritize writing detections for those techniques

Then… ▪ Map many groups, focus on frequently seen techniques across groups ▪ For more info: – https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f

▪ Focus your red team to emulate specific relevant adversaries – Shows what your network looks like to real threats!

▪ ATT&CK can help you with adversary emulation and red teaming by… – Focusing on known adversary behaviors – Describing low-level TTP details that can be emulated – Providing a common language to express tests and results

▪ Building out an ATT&CK-based adversary emulation program… 1. Try open source or commercial tools to get your feet wet 2. Track and mature what your red team is doing 3. Develop intentional adversary emulation plans based on CTI and detection © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. | 29 | Getting Started: Using Open Source Tools

▪ No red team? No problem! ▪ Defenders can try out red teaming tools to get your feet wet – Atomic Red Team: https://github.com/redcanaryco/atomic-red-team – Red Team Automation: https://github.com/endgameinc/RTA – CALDERA: https://github.com/mitre/caldera

High Confidence of Detection Legend Some Confidence of Detection Low Confidence of Detection

We have some confidence we would detect Automated Exfiltration if executed

We have low confidence we would detect Data Encrypted if executed

We have high confidence we would detect Scheduled Transfer if executed

High Confidence of Detection Legend Some Confidence of Detection Low Confidence of Detection

Communicate capabilities with a common reference

Knowledge of my Inform tooling purchases for biggest ROI detection gaps allows me to… Identify data sources needed for detection

High Confidence of Detection Develop analytics targetingLegend highSome-impact Confidence gaps of Detection Low Confidence of Detection

1. Look at the data sources you’re collecting

p Apple ript .bas pro ile and .bas r A ess To en anip lation A ess To en anip lation as istory A o nt is overy Apple ript A to ated Colle tion ata Co pressed ata estr tion

C T Appli ation i ing Appli ation i ing ypass ser A o nt Control Credential ping Appli ation indo is overy indo s Ad in ares ata ro o al yste ata n rypted ata n rypted or pa t

Co and ine nter a e C ange e a lt ile Asso iation ypass ser A o nt Control C T Credentials in iles ro ser oo ar is overy indo s e ote anage ent ata ro et or ared rive is Content ipe Co piled T ile Create A o nt ear rder i a ing Co pile A ter elivery Credentials in egistry o ain Tr st is overy ata ro e ovable edia n ibit yste e overy

Control anel te s ear rder i a ing ile yste er issions ea ness Co piled T ile np t ro pt ile and ire tory is overy ata taged ervi e top

rap i al ser nter a e ile yste er issions ea ness e ervi e Control anel te s et or ervi e anning eob s ate e ode iles or nstall til idden iles and ire tories list odi i ation n or ation et or are is overy a n tl Kernel od les and tensions ed led Tas isabling e rity Tools ass ord oli y is overy ervi e egistry er issions s ta a n tl ea ness ear rder i a ing er ission ro ps is overy o er ell C A Addition et id and etgid ile eletion ro ess is overy

egsv s egas odi y isting ervi e do Ca ing ile er issions odi i ation ery egistry

egsvr e ervi e idden iles and ire tories e ote yste is overy

ndll i e Appli ation tart p ndi ator lo ing e rity o t are is overy

ed led Tas list odi i ation ndi ator e oval ro Tools yste n or ation is overy yste et or Con ig ration ripting ed led Tas ndi ator e oval on ost is overy yste et or Conne tions ervi e e tion reensaver ndire t Co and e tion is overy ervi e egistry er issions igned inary ro y e tion ea ness nstall til yste ner ser is overy igned ript ro y e tion et id and etgid a n tl yste ervi e is overy

o r e ort t odi i ation odi y egistry yste Ti e is overy

Trap yste d ervi e s ta irt ali ation andbo vasion

ser e tion Trap et or are Conne tion e oval indo s anage ent nstr entation T ile Attrib tes indo s e ote anage ent b s ated iles or n or ation

ript ro essing list odi i ation

egsv s egas

egsvr

ndll

ripting

igned inary ro y e tion

igned ript ro y e tion Ti esto p Windows Admin Shares irt ali ation andbo vasion https://attack.mitre.org/techniques/T1077/ ript ro essing

1. Look at the data sources you’re collecting 2. Map your analytics to ATT&CK techniques they might detect

1. Look at the data sources you’re collecting 2. Map your analytics to ATT&CK techniques they might detect 3. Map your tools to ATT&CK – Read documentation – Ask the vendor! 4. Find reports of prior activity – What have you caught? – What did you find a post-mortem? 5. Talk to your teams! – Ask your red teams their favorite TTPs – Ask your hunters what they struggle with – Ask your IR team what they’ve seen © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14. Following Up On Gaps: Prioritized Remediation

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact Application Local Job Scheduling Bypass User Account Control Bash History Application Window Software Clipboard Data Removable Media Data Encrypted Defacement External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Object Model Repositories Custom Command and Exfiltration Over Other Disk Structure Wipe Replication Through AppleScript DLL Search Order Hijacking Credentials in Files Discovery Exploitation of Data from Local System Control Protocol Network Medium Endpoint Denial of Service Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery Spearphishing Link Compiled HTML File Valid Accounts Credential Access Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Protocol Resource Hijacking Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medium Service Stop Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Algorithms Scheduled Transfer Stored Data Manipulation Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data Exploitation for File System Permissions Weakness Component Firmware Keychain Query Registry Removable Media Video Capture Multiband Communication Manipulation Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Taint Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic Service Execution .bash_profile and .bashrc Exploitation for Exploitation for Discovery Protocol Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application CommandProxy Execution-LineAuthentication Interface Package SID-History, Injection CredentialFile Deletion DumpingSystem, Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service and StandardSource ApplicationBrowser Extensions LayerFile System Logical Protocol Offsets are Space after Filename Change Default Gatekeeper Bypass Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories popularUser ExecutiontechniquesComponent Object and can giveHidden Users the biggest Windows Management Model Hijacking Hidden Window Instrumentation Create Account HISTCONTROL Windows Remote External Remote Services Indicator Blocking Management returnHidden Files and Directories on investmentIndicator Removal XSL Script Processing Hypervisor from Tools Kernel Modules Indicator Removal on Host and Extensions Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading High Confidence of Detection Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Some Confidence of Detection Network Share Connection Legend Rc.common Removal Redundant Access NTFS File Attributes Low Confidence of Detection Registry Run Obfuscated Files Keys / Startup Folder or Information Prioritized Technique Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing © ©2019 2019 The The MITRE MITRE Corporation. Corporation. All All rights rights reserved. reserved.Shortcut Modification Approved for public release. DistributionRedundant Accessunlimited 18-3288-14. SIP and Trust Provider Regsvcs/Regasm Hijacking Regsvr32 System Firmware Rootkit Prioritizing Remediations: Examples

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction Exploit Public-Facing Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Automated Collection Communication Through Data Compressed Data Encrypted for Impact Application Local Job Scheduling Bypass User Account Control Bash History Application Window Software Clipboard Data Removable Media Data Encrypted Defacement External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe StartupHardware Additions ItemsTrap, InstallUtil, andProcess Injection System CredentialTime Dumping DiscoveryBrowser Bookmark Objectare Model usedRepositories by threatCustom Command and Exfiltration Over Other Disk Structure Wipe Replication Through AppleScript DLL Search Order Hijacking Credentials in Files Discovery Exploitation of Data from Local System Control Protocol Network Medium Endpoint Denial of Service Removable Media CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Remote Services Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery Spearphishing Link Compiled HTML File actorsValid most Accounts relevant Credentialto Access yourNetwork network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Protocol Resource Hijacking Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medium Service Stop Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Algorithms Scheduled Transfer Stored Data Manipulation Module Load Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data Exploitation for File System Permissions Weakness Component Firmware Keychain Query Registry Removable Media Video Capture Multiband Communication Manipulation Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Taint Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic Service Execution .bash_profile and .bashrc Exploitation for Exploitation for Discovery Protocol Signed Binary Account Manipulation Privilege Escalation Defense Evasion System Service Discovery Standard Non-Application Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol Signed Script BITS Jobs Sudo File Permissions Virtualization/Sandbox Uncommonly Used Port Proxy Execution Bootkit Sudo Caching Modification Evasion Web Service Source Browser Extensions File System Logical Offsets Space after Filename Change Default Gatekeeper Bypass Third-party Software File Association Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Hidden Users Windows Management Model Hijacking Hidden Window Instrumentation Create Account HISTCONTROL Windows Remote External Remote Services Indicator Blocking Management Hidden Files and Directories Indicator Removal XSL Script Processing Hypervisor from Tools Kernel Modules Indicator Removal on Host and Extensions Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading High Confidence of Detection Netsh Helper DLL Modify Registry Office Application Startup Mshta Port Knocking Some Confidence of Detection Network Share Connection Legend Rc.common Removal Redundant Access NTFS File Attributes Low Confidence of Detection Registry Run Obfuscated Files Keys / Startup Folder or Information Prioritized Technique Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security Support Provider Process Hollowing © ©2019 2019 The The MITRE MITRE Corporation. Corporation. All All rights rights reserved. reserved.Shortcut Modification Approved for public release. DistributionRedundant Accessunlimited 18-3288-14. SIP and Trust Provider Regsvcs/Regasm Hijacking Regsvr32 System Firmware Rootkit Prioritizing Remediations: Examples

1. Small lists of techniques are great for short-term wins

2. Follow one of two paradigms: – A technique or two across tactics, or – Many techniques in one tactic

3. Focus on techniques that are immediately relevant – Are they used by relevant threat actors? – Are they popular or frequently occurring? – Are they easy to execute and do they enable more techniques? – Are the necessary logs readily accessible?

Closing Thoughts | 44 | Long-Term Integration

Identify High Tune or • Threat intelligence Priority Acquire New • Writing detections • Sightings data Gaps Defenses • ATT&CK evaluations • Relevant threat models • Public resources

Assess Defensive Coverage Assessments Adversary and Emulation Engineering Exercises

▪ Andy Applebaum ▪ CALDERA – [email protected] – https://github.com/mitre/caldera – @andyplayse4 ▪ ATT&CK-based Product Evals ▪ ATT&CK – https://attackevals.mitre.org/ – https://attack.mitre.org – @MITREattack ▪ ATT&CKcon – [email protected] – https://www.mitre.org/attackcon

▪ Data + Code ▪ Blog – https://github.com/mitre/cti (STIX data) – https://medium.com/mitre-attack – https://github.com/mitre-attack (code)