Module 1: Introducing the Training and Understanding ATT&CK

Using MITRE ATT&CK™ for Cyber Threat Intelligence Training

Katie Nickels and Adam Pennington

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.

Training Overview

▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti
▪ Module 1: Introducing training and understanding ATT&CK
  A. Topic introduction (Video)
▪ Module 2: Mapping to ATT&CK from finished reporting
  A. Topic introduction (Video)
  B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti)
  C. Going over Exercise 2 (Video)
▪ Module 3: Mapping to ATT&CK from raw data
  A. Topic introduction (Video)
  B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti)
  C. Going over Exercise 3 (Video)
▪ Module 4: Storing and analyzing ATT&CK-mapped intel
  A. Topic introduction (Video)
  B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti)
  C. Going over Exercise 4 (Video)
▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
  A. Topic introduction (Video)
  B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti)
  C. Going over Exercise 5 and wrap-up (Video)

Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

Introduction to ATT&CK and Applying it to CTI

Tough Questions for Defenders

▪ How effective are my defenses?
▪ Do I have a chance at detecting APT29?
▪ Is the data I'm collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this new product help my organization's defenses?

What is ATT&CK?

A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

The Difficult Task of Detecting TTPs

David Bianco's Pyramid of Pain, from the bottom (indicators an adversary replaces with no effort) to the top (the behavior that defines how the adversary operates):

▪ Hash Values: Trivial
▪ IP Addresses: Easy
▪ Domain Names: Simple
▪ Network/Host Artifacts: Annoying
▪ Tools: Challenging
▪ TTPs: Tough!

Each label is the adversary's cost to adapt once a defender denies that indicator type: a hash or an IP address is swapped in minutes, while detecting TTPs forces the adversary to change how they operate. That is why ATT&CK catalogs behavior rather than atomic indicators, and also why TTP detection is the hardest to build.

Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Breaking Down ATT&CK

Tactics: the adversary's technical goals. The twelve Enterprise tactics are the column headers of the matrix:
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Techniques: how the goals are achieved. Each cell under a tactic is a technique, for example Spearphishing Attachment under Initial Access, PowerShell under Execution, Credential Dumping under Credential Access, Pass the Hash under Lateral Movement, Standard Application Layer Protocol under Command and Control, and Data Encrypted for Impact under Impact. A technique can sit under more than one tactic (Valid Accounts appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion).

Procedures: specific technique implementation, i.e. how a particular adversary or piece of software carries out a technique.

[Figure: the full Enterprise ATT&CK matrix, © 2019 The MITRE Corporation, matrix current as of May 2019. The individual technique cells are not reproduced here.]

Technique: Spearphishing Attachment


Group: APT29

MITRE ATT&CK™ Techniques Mapped to Data Sources

[Figure: the MITRE poster "ATT&CK Techniques Mapped to Data Sources" is reproduced on this slide. Its text, recovered from the extraction, follows; its matrices are not reproduced.]

About This Diagram: How can I use data I already have to get started with ATT&CK?

One way to get started using ATT&CK is to look at what data sources you're already collecting and use that data to detect ATT&CK techniques. On our website, we currently have 50 different data sources mapped to Enterprise ATT&CK techniques. In this diagram, we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right collection and analytics. Check out our website at attack.mitre.org for more information on how each technique can be detected, and specific adversary examples you can use to start detecting adversary behavior with ATT&CK.

You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATTACK19 to learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.

Resources
▪ attack.mitre.org: access ATT&CK technical information, contribute to ATT&CK, follow our blog, watch ATT&CK presentations
▪ @MITREattack: follow us on Twitter for the latest news
▪ attackevals.mitre.org: MITRE ATT&CK Evaluations

Get Started with ATT&CK

To help cyber defenders gain a common understanding of the threats they face, MITRE developed the ATT&CK framework. It's a globally-accessible knowledge base of adversary tactics and techniques based on real world observations and open source research contributed by the cyber community. Used by organizations around the world, ATT&CK provides a shared understanding of adversary tactics, techniques and procedures and how to detect, prevent, and/or mitigate them. ATT&CK is open and available to any person or organization for use at no charge.

Use ATT&CK for Cyber Threat Intelligence: Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. The poster illustrates this with a matrix titled "Comparing APT28 to APT29", whose legend marks techniques used by APT28, by APT29, and by both.

Use ATT&CK to Build Your Defensive Platform: ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.

For sixty years, MITRE has tackled complex problems that challenge public safety, stability, and well-being. Pioneering together with the cyber community, we're building a stronger, threat-informed defense for a safer world.
d e Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation a m e n h Injection c t d e i r r e d @MITREattack System Network Configuration e i i n h h j r n Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy n c p m o s i o r e LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation n o Discovery i e m s Information Relay r 2 s d l r lp e n d r t e g s g e System Network Connections t a e 3 e o e Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol m l e r t s a e r l n a r Discovery w i l i t s n d p g o e s l y d k t b i l Two-Factor Authentication a p d l PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools c l Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol m o n c e Interception e r t u e a t f p x o y n e System Network Configuration o v i u a e e Follow us on Twitter for the p Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy i l Standard Non-Application Layer r y Discovery l n p a Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery o t e g s Protocol e u a v w v r n s System Network Connections c i i d Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails 
Securityd Memory Standard Application Layer Protocol o o c g e e n s s Discovery k Service Registry Permissions t p l e r r a s a w Scripting e Hypervisor r File Deletion System Time Discovery Uncommonly Used Port o p Two-Factor Authentication r Weakness o r n u a a e e MITRE o Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol d r Interception n o p e o n p r e latest news r e Image File Execution Options p s t y w tw i e d Standard Non-Application Layer Service Execution Setuid and Setgid Filet Permissions Modification Virtualization/Sandbox Evasion Web Service i r t f r l d Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery l Injection k s e r o n i f p e f ATT&CK Use CasesProtocol o o b i m it t y m o d o e c lt Service Registry Permissions i s d e Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets r a l s t Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port o l i n h n r r Weakness i o m d k n b i c ty t p fa p d Image File Execution Options u e ts j o r e c o l Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service o d e Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass i u y r o l Injection Get leSt arty ed w it h ATT&CK t n s a n y r c a t y e c s p r c r e t Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets s h c e i m h - o d t Source Launch Daemon Sudo Group Policy Modification li n m o t c m an a p d h o ti rd c a n s o Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass in p c a n o o i s a t n n i l n Space after Filename Launchctl d Sudo Caching Hidden Files and Directories h r l -a c ta m s d o n t e a e o r o it Source Launch Daemon Sudo Group Policy Modification e 
x n oat k id ti l o o Third-party Software LC_LOAD_DYLIB Addition Valid Accountst Hidden Users o i m if v d a s e t rs Space after Filename Launchctl Sudo Caching Hidden Files and Directories e n g m c i in o w e s n s d n c r l t l p Trap Local Job Scheduling Web Shell s Hidden Window r i d s o o Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users Use ATT&CK for Cyber Threat Intelligence p l g p a u m io da h o d a e l o w n u is o a t e d Trap Local Job Scheduling Web Shell Hidden Window Trustede Developer Utilities Login Item s HISTCONTROL Low Priority an h n tot i i m a d a fr e x r t p a fi o ti rs p Image File Execution Options s l i r s c Trusted Developer Utilities Login Item HISTCONTROL e c User Execution lo Logon Scripts s n e i h i h Injection Legend a n e a To help cyber defeinl ders gain a commaon understanding e Image File Execution Options APT28 t y e e User Execution Logon Scripts a h Windows Management p v f v l Injection p m n Cyberti LSASS Driverthreat intelligence comesIndicator Blocking from many sources, including knowledge of past incidents, ct x t l Instrumentation o e s p Windows Management High Priority c w - i o o LSASS Driver Indicator Blocking n r o c o ia i p Instrumentation v a n a attackevals.mitre.org i d g t Windows Remote Management foModify Existing Service is Indicator Removal from Tools e b h n n io e r m i r Windows Remote Management Modify Existing Service Indicator Removal from Tools o APT29 r o t t Legend c r i ot je aio c m of the threats they facge, MITREin d eveelopedd the ATT&CK c XSL Script Processing Netsh Helper DLLli Indicator Removal on Host n t le le r XSL Script Processing Netsh Helper DLL Indicator Removal on Host commerciale threat feeds, information-sharing groups, government threat-sharing programs, c c a n l b k d e nt n em r t g co va o r a s New Service Indirect Command Execution New Service Indirect Command Execution d e m s Both by ex cr mr e ed mo o o b MITRE ATT&CK Evaluations pa e 
a o a o t e t i in Office Application Startup Install Root Certificate s Office Application Startup c Install Root Certificate o t f a r h a l sand u more. ATT&CKut gives analysts a common language to communicate across reports and n e in o om gh framework. It’s a globally-accescsible knoy wledgeg base of s je Path Interception InstallUtil io t d t u i i c s Path Interception InstallUtil w r e d n er n o oar e c au hro d _ i p ti Plist Modification Launchctl Detection Threat Intelligence i t n a l c l n k a o Plist Modificationcc Launchctl s p s c rv ion i d c io n n Port Knocking LC_MAIN Hijacking organizations,ou providing a way to structure, compare, and analyze threat intelligence. aile o e at ies adversary tactics and t echniques baseda onja real world at d Port Knocking n LC_MAIN Hijacking ft u s ic or o i Port Monitors Masquerading t n t l co e d e n f un si _ h m tr Port Monitors n Masquerading a m o r u Rc.common Modify Registry tro Finding Gaps in Defense te l t o m rep lc in g o s s Initial Access Execution Persistencel Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact v a i l e co n f e t Re-opened Applications Mshta br Rc.common Modify Registry d t a c io observations and open source researcha contributin ed byin c Drive-by Compromiseo AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction c e i i at p Network Share Connection w e s n d r u Redundant Access Comparing APT28 to APT29 s a m m m Communication Through v r Re-opened Applications Mshta r Removal e Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact u e r o a o r o r e 
Removable Media f t s nf _ r i Registry Run Keys / Startup Folder NTFS File Attributes n i v processes = search Process:Create Distributed Component Object d x Network Share Connection b e c t External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement e s Redundant Access t y e Model m l i n Removal o e c k s o m u e d Custom Command and Control r the cyber community. Scheduled Task Obfuscated Files or Information s a f iu l Hardware Additions Compiled HTML File i AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe t m r f d i s e o Protocol Registry Run Keys / Startup Folder n NTFS File Attributes c o o ta e q f ti u Replication Through Removable s a m r Screensaver Plist Modification Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe c m s e d l s m a Media l o w t l ica a d p h Scheduled Task Obfuscated Files or Information s p Exfiltration Over Command and o t s e Security Support Provider Port Knocking p i pSpearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service u b a y t s e p i lica Control Channel n i e i ph m s o ja reg = filter processes where (exe == "reg.exe" and parent_exe Exfiltration Over Other Network a Service Registry Permissions t t n r Spearphishing Link Screensaver Execution through API Authentication Package DLL SearchPlist Order Modification Hijacking Code Signing Exploitation for 
Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption e n m Process Doppelgänging io g t s e e p c Weakness n s Medium m il e o n ov sc c r rt k Spearphishing via Service hExecution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery j Setuid and Setgid Process Hollowing o d r o c o i Security Support Providerimm Port Knocking s a f b t p trati fu a x v p n Supply Chain Compromise Exploitation for Client Executioni Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service n il r g Shortcut Modification Process Injection Service Registry Permissions n s l f b t o g Process Doppelgänging i in ex n s i Weakness p m o d Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking y o Used by organizations around the world, ATT&CK l v SIP and Trust Provider Hijacking Redundant Access u o o c a e i == "cmd.exe") Replication Through Removable Setuid and Setgid Process Hollowing r d s d Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation l p Media a c o r Startup Items Regsvcs/Regasm t d t ions n c s e Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop u Shortcut Modification Process Injection a io y dit r r System Firmware Regsvr32 a n o d d i p Image File 
Execution Options n b r a p Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation e re provides a shared understanding of adversarye tactics, p le Injection - SIP and Trust Provider Hijacking Redundant Access n a Systemd Service Rootkit sc p w r r Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and i d t LSASS Driver ip Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation e r t Information Relay l ha ia 2 p cmd = filterTime Providers processesRundll32 where (exe == "cmd.exe" and Startup Items Regsvcs/Regasm iv ed 3 g Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking b r ro ble m ll in r Trap Scripting t va d k o System FirmwarePowerShell Dylib Hijacking Path InterceptionRegsvr32 DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools s d n remo techniques and procedures and how to detect, prnevent, c c Valid Accounts Signed Binary Proxy Execution System Network Configuration h u a Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy y ug r e Systemd Service Rootkit Discovery s o thro p d System Network Connections s Web Shell Signed Script Proxy Execution n Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol k c io e e Discovery t t r Time Providers Rundll32 e e r g ica r a s parent_exeWindows Management != "explorer.exe"") l Two-Factor Authentication o p a a MITRE SIP and Trust Provider Hijacking Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol r d re t i 
Instrumentation Event Subscription Interception m ne o in and/ or mitigate them. w w a n Trap Scripting Standard Non-Application Layer t n ft ft Winlogon Helper DLL Software Packing Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery l k g Protocol c m it a k o o Service Registry Permissions s s e Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port Valid Accounts Signed Binary Proxy Execution o c Space after Filename Weakness a d k ty d n Image File Execution Options e d a Service Execution Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service l u r Template Injection Injection l y j reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and we Web Shell Signed Script Proxy Execution ls es c n n i g pa is c b s Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets h a - r Timestomp o Windows Managementerv a i h n ice SIP and Trust Provider Hijacking a t i rd k y Instrumentation EventSigned Subscription Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass n in f i s Trusted Developer Utilities d m n e f th r p Winlogon Helper DLL Software Packing i e c Source Launch Daemon Sudo Group Policy Modification ex e c d t Valid Accounts t m v r n ATT&CK is open and available to any person or vi d o e Space after Filename Launchctl Sudo CachingSpace after Filename Hidden Files and Directories e o e n s e s o i n d reg.hostname == cmd.hostnameVirtualization/Sandbox Evasion ) stan s c r u r s dard cr Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users i p c ge p t ypt Template Injection o o ka Web Service ograp n k i u n pac e k e f hic pro Trap Local Job Scheduling Web Shell Hidden Window e s s s r nticatio m o tocol x m v authe r organization for use at no charge. 
ti n ™ XSL Script Processing Timestomp p s Trusted Developer Utilities Login Item HISTCONTROL lo h tos re o r i i To help cybt er defendr ers gain a common understanding Image File Execution Options APT28 it y o e n t i User Execution Logon Scripts Trusted Developer Utilities a l p s s v r output reg_and_cmd Injection tio e tw s l p u w m Windows Management u w - LSASS Driver Indicator Blocking n r a ia Instrumentation Valid Accounts v n fo is tc e f e i io ed u c ip p Windows Remote Management Modify Existing Service Indicator Removal from Tools Legend APT29 r c or a n o n i t ct m t of thet threats they face, MITREa d eveloped the ATT&CK spea Virtualization/Sandbox Evasion li n del hijacking le le l u e rphishing via XSL Script Processing Netsh Helper DLL Indicator Removal on Host e d ent object mo l b s c service n l n ompon n o a c ATT&CK t c c v Web Service n d r t New Service Indirect Command Execution Both by ex ia a ed mo a a e pa e o a For sixty years, MITRE has tackled complex problems t e Office Application Startup Install Root Certificate c o a r s XSL Script Processing ss u ut n h ti om gh p framew work. It’s a globally-accessible knowledge base of Path Interception InstallUtil io c t u s t ser n e a w au hro n u i Plist Modification Launchctl a d e t t d p cc e ic s ion f r pearphishing link Port Knocking LC_MAIN Hijacking ss ou g t c control panel ite a that challenge public safety, stability, and w ell-being. 
at es s r adve ersary etactics and t echniques based on real world s l/tls i nt k i ms t ic ori i Use ATT&CK to Build Your Defensive Platform Port Monitors Masquerading ns c r a n it v pe on o t n v e a mu os tw f Rc.common Modify Registry c tr e r ep i e tio ol s e v com n r le Re-opened Applications Mshta n br w - h e s d Pioneering t ogether with the cyber community, w e’re tio o r observations and open source research contributed by En t e rp rise ow t i a Network Share Connection t i e Redundant Access Comparing APT28 to APT29 s t s a m Removal e e l r - a r e u f n t nfo f tion Registry Run Keys / Startup Folder NTFS File Attributes x m dll se i ATT&CK includes resources designed to help cyber defenders develop analytics that files or informa ten n u a o s arch order hijac e rom m a tt the cyber community. fuscated Scheduled Task Obfuscated Files or Information si o t king building a stronger, t hreat-informed defense for a f diu Useob ATT&CK for Adversary Emulation and Red Teaming ons m l r m ata me c r Screensaver Plist Modification d l m d a al t ib ap a p h o sic o Security Support Provider Port Knocking plica e i t phyp u detect the techniques used by an adversary. Based on threat intelligence included in Service Registry Permissions t i r r Process Doppelgänging io c g e e Weakness n v n sh r m r d il safer world. n oa p te ificate Setuid and Setgid Process Hollowing im e s l istribu f tio c a The best defenseoot cert is a well-tested defense. 
ATT&CK provides a common adversary mi o o o ted com iltra p s stall r Shortcut Modification Process Injection ng f d o pon xf e u Fra m e w o rk n ll monit c en e ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of i d oring g t obje y a p Used by organizations around the world, ATT&CK SIP and Trust Provider Hijacking Redundant Access l c t t c l t mordel r h Startup Items Regsvcs/Regasm y a p i s t Assessment and Engineering in o o n ion b t a dit e behavior framework basedSystem Firmware on threat Regsvr32intelligence that red teams can use to emulate ap a p ad d analytics to detect threats. ice ple o - n o dync n are it n provides a shared understanding of adversary tactics, Systemd Service Rootkit s a serv m crip e r mic n i u rdwl l l of te t p o o dat c ha i l ia t ia Time Providers Rundll32 ys i a d s d i t den ion s d v t p t o exch b t c e me c Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command And Control Exfiltration Impact t i l in c i an o h b po Trap Scripting ete n ge a l va end n d n r o t d l mo a techniques and procedures and how to detect, prevent, Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction specific threats. 
This helps cyber defenders find gaps in visibility, defensive tools, andio s a re Valid Accounts Signed Binary Proxy Execution r e s h us y d r c a o m t oug Communication Through r t t e i i n l hr Exploit Public-Facing Application CMSTP Accessibility Features Accessibility Features Binary Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact s h i t Web Shell Signed Script Proxy Execution n Removable Media i e i t e exp t l n aotion o Distributed Component Object s k e e ic i Windows Management h l External Remote Services Command-Line Interface Account Manipulation AppCert DLLs BITS Jobs Brute Force Browser Bookmark Discovery Clipboard Data Connection Proxy Data Encrypted Defacement r c o p p m SIP and Trust Provider Hijacking u g l o e Model ro Instrumentation Event Subscription o m r tio m p i s t r and/ or mitigate them. p n n s n n Custom Command and Control m w p r t t i Hardware Additions Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories Data Transfer Size Limits Disk Content Wipe o Winlogon Helper DLL Software Packing h p o t r s Protocol processes—and c then fix them. 
o n o i c y c e e u y l b Adversary Emulation g l a e g r - i d Replication Through Removable e h Control Panel Items AppInit DLLs Application Shimming Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe Space after Filename a o i v m a s n i n a r o s Media r s a d g y f od e k n r u o s Exfiltration Over Command and n l l k e g e Template Injection e Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control CMSTP Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service l c c i e h l e Control Channel i w s o n s w i t t e a i a g b g n d c p s c s Exfiltration Over Other Network Timestomp e n o n e hl n - i r r Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption g r vice n o i n i i Medium n o t n o i ti i k c m o n s l n i o e Trusted Developer Utilities n n r o a n g Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery g o fr t r e e a e j t e a d t n c Drive-by Compromise nScheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction n d u i v a Valid Accounts s u i v ATT&CK is open and available to any person or r Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer 
Network Denial of Service m p a a m o o d e e n Launchctl Access Token Manipulation Account Manipulation Account Discovery Automated Collection Data Compressed Data Encrypted for Impact g r o r o Exploit Public-Facing Application Deployment Communication Through e o s d r Virtualization/Sandbox Evasion d r stand m i h r i p Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking k o ar y r i Application d h d p Software Removable Media c i e Local Job Scheduling Bypass User Account Control Bash History Application Window Clipboard Data Data Encrypted Defacement l ryp t m p 3 kag t d o e h v b Web Service n g i ac ra e r v t p s a Replication Through Removable phic p o a ication Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation Discovery i ro s nt n t to l c p e Media External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe col s y i uth organization for use at no charge. 
r 2 a XSL Script Processing e y c a a n e j i s e n d s e n s m i p o e o Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared Webroot Screen Capture Multi-Stage Channels Service Stop Credential Dumping Object Model Repositories c c g Hardware Additions Trap Process Injection Disk Structure Wipe g l t Browser Bookmark Custom Command and Exfiltration Over Other i d o c a l r e ri r i k c r l g Image File Execution Options i v s n Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation AppleScript DLL Search Order Hijacking Credentials in Files Discovery Data from Local System Control Protocol Network Medium Endpoinvt Denial of Service d f e l o a c k Injection Replication Through Exploitation of n l r i i l l a y u r c p Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and Removable Media Remote Services e t c t u a LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Custom Cryptographic Exfiltration Over Command Firmware Corruption r t d Information Relay e p l h a s d m Spearphishing Attachment Command-Line Interface Plist Modification File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel a d a ijacking Exploitation for Inhibit System Recovery spe r p el h Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking arphishi m g ject mod ng v d a ob ia ser p e onent vice i n u p n Credential Access k v d e e d _ t Spearphishing Link Compiled HTML File o Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service 
t b PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools p e ti r e s a h t l n c Protocol e a n c p o For sixty years, MITRE has tackled complex problems System Network Configuration Spearphishing via Service Control Panel Items Ajcecessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking n h l i Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy o e m m l r Discovery in s l a o l i Supply Chain Compromise Dynamic Data Exchange e AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Runtime Data Manipulation r a p a d System Network Connections Exfiltration Over e r t o d b r a Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol a s r t Discovery w t c g l d r Trusted Relationship Execution through API p AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Physical Medtium Service Stop r l f o Two-Factor Authentication l b e Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol m e t Interception e a s s i that challenge public safety, stability, and w ell-being. 
[Figure: the MITRE ATT&CK Enterprise matrix poster, a table of technique names under the tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command And Control, Exfiltration, and Impact. The individual technique cells are not reproduced here.]

Use ATT&CK to Build Your Defensive Platform

ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.

Pioneering together with the cyber community, we're building a stronger, threat-informed defense for a safer world.

Finding Gaps in Defense

[Figure: the ATT&CK matrix shaded as a heat map, with a legend of High Priority, Medium, and Low Priority techniques.]

Use ATT&CK for Adversary Emulation and Red Teaming

The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them.

ATT&CK and CTI

Threat Intelligence – How ATT&CK Can Help

▪ Use knowledge of adversary behaviors to inform defenders

▪ Structuring threat intelligence with ATT&CK allows us to…
  – Compare behaviors
    ▪ Groups to each other
    ▪ Groups over
    ▪ Groups to defenses
  – Communicate in a common language

Communicate to Defenders

[Slide graphic: a CTI Analyst and a Defender, linked by the technique Registry Run Keys / Startup Folder (T1060).]

CTI Analyst: "THIS is what the adversary is doing! The Run key is AdobeUpdater."

Defender: "Oh, we have Registry data, we can detect that!"

Communicate Across the Community

[Slide graphic: Company A, Company B, and a CTI Consumer, linked by the technique Registry Run Keys / Startup Folder (T1060).]

Company A: "APT1337 is using autorun."

Company B: "FUZZYDUCK used a Run key."

CTI Consumer: "Oh, you mean T1060!"
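The two slides above make one point: once "using autorun" and "used a Run key" are both expressed as T1060, different reporters speak the same language and the comparisons listed under "How ATT&CK Can Help" (groups to each other, groups over time, groups to defenses) become set operations. The following is an added example, not code from the MITRE training; the keyword table, the group names beyond those on the slides, the reporting periods and the detection coverage are constructed for illustration, and only T1060 is taken from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed keyword table: the different words analysts use for one behavior,
# keyed by ATT&CK technique ID.  T1060 (Registry Run Keys / Startup Folder) is
# the ID shown on the slides; T1053 (Scheduled Task) and T1086 (PowerShell) are
# the 2019-era IDs for two other techniques on the matrix, added here from
# general knowledge of ATT&CK, not from the deck.
TECHNIQUE_KEYWORDS: dict[str, list[str]] = {
    "T1060": [r"\brun key\b", r"\bautorun\b", r"\bstartup folder\b",
              r"currentversion\\run\b"],
    "T1053": [r"\bscheduled task\b", r"\bschtasks\b"],
    "T1086": [r"\bpowershell\b"],
}


def map_report_to_techniques(text: str) -> set[str]:
    """Translate free-text reporting into the common language: technique IDs."""
    lowered = text.lower()
    return {tid for tid, patterns in TECHNIQUE_KEYWORDS.items()
            if any(re.search(p, lowered) for p in patterns)}


@dataclass
class Sighting:
    group: str
    period: str                     # constructed reporting period, YYYY-MM
    raw_text: str                   # what the reporting company actually wrote
    techniques: set[str] = field(default_factory=set)


# Constructed sightings echoing the slide: two companies describe the same
# behavior in different words, plus a later report on one of the groups.
SIGHTINGS = [
    Sighting("APT1337", "2018-06", "APT1337 is using autorun for persistence"),
    Sighting("FUZZYDUCK", "2019-01", "FUZZYDUCK used a Run key named AdobeUpdater"),
    Sighting("APT1337", "2019-03",
             "APT1337 now persists via a scheduled task and runs PowerShell"),
]
for s in SIGHTINGS:
    s.techniques = map_report_to_techniques(s.raw_text)


def techniques_by_group(sightings=SIGHTINGS) -> dict[str, set[str]]:
    """Union of every technique each group has been reported using."""
    out: dict[str, set[str]] = {}
    for s in sightings:
        out.setdefault(s.group, set()).update(s.techniques)
    return out


def compare_groups(a: str, b: str, sightings=SIGHTINGS) -> set[str]:
    """Groups to each other: techniques both groups share."""
    by_group = techniques_by_group(sightings)
    return by_group.get(a, set()) & by_group.get(b, set())


def group_over_time(group: str, sightings=SIGHTINGS) -> list[tuple[str, set[str]]]:
    """Groups over time: the group's technique set per reporting period."""
    rows = [(s.period, set(s.techniques)) for s in sightings if s.group == group]
    return sorted(rows, key=lambda r: r[0])


# Constructed defender view: techniques our analytics already cover
# ("Oh, we have Registry data, we can detect that!").
DETECTIONS = {"T1060"}


def gaps_against_defenses(group: str, detections=DETECTIONS,
                          sightings=SIGHTINGS) -> set[str]:
    """Groups to defenses: reported techniques we have no detection for."""
    return techniques_by_group(sightings).get(group, set()) - set(detections)


if __name__ == "__main__":
    print("shared:", compare_groups("APT1337", "FUZZYDUCK"))   # {'T1060'}
    print("APT1337 over time:", group_over_time("APT1337"))
    print("APT1337 gaps:", gaps_against_defenses("APT1337"))  # {'T1053', 'T1086'}
```

The keyword table is the fragile part in practice: it is where an analyst's judgment about what a sentence actually describes gets encoded, which is the work Modules 2 and 3 cover.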

Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

End of Module 1
