The MITRE PRE-ATT&CK Matrix™ is an overview of the tactics and techniques described in the PRE-ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

Last Modified: 2018-04-18 17:59:24.739000
Priority Definition PlanningPriority Definition DirectionTarget SelectionTechnical Information GatheringPeople Information GatheringOrganizational Information GatheringTechnical Weakness IdentificationPeople Weakness IdentificationOrganizational Weakness IdentificationAdversary OPSECEstablish & Maintain InfrastructurePersona DevelopmentBuild CapabilitiesTest CapabilitiesStage Capabilities
Assess KITs/KIQs benefitsAssign KITs, KIQs, and/or intelligence requirementsDetermine approach/attack vectorAcquire OSINT data sets and informationAcquire OSINT data sets and informationAcquire OSINT data sets and informationAnalyze application security postureAnalyze organizational skillsets and deficienciesAnalyze business processesAcquire and/or use 3rd party infrastructure servicesAcquire and/or use 3rd party infrastructure servicesBuild social network personaBuild and configure delivery systemsReview logs and residual tracesDisseminate removable media
Assess current holdings, needs, and wantsReceive KITs/KIQs and determine requirementsDetermine highest level tactical elementConduct active scanningAggregate individual's digital footprintConduct social engineeringAnalyze architecture and configuration postureAnalyze social and business relationships, interests, and affiliationsAnalyze organizational skillsets and deficienciesAcquire and/or use 3rd party software servicesAcquire and/or use 3rd party software servicesChoose pre-compromised mobile app developer account credentials or signing keysBuild or acquire exploitsTest ability to evade automated mobile application security analysis performed by app storesDistribute malicious software development tools
Assess leadership areas of interestSubmit KITs, KIQs, and intelligence requirementsDetermine operational elementConduct passive scanningConduct social engineeringDetermine 3rd party infrastructure servicesAnalyze data collectedAssess targeting optionsAnalyze presence of outsourced capabilitiesAcquire or compromise 3rd party signing certificatesAcquire or compromise 3rd party signing certificatesChoose pre-compromised persona and affiliated accountsC2 protocol developmentTest callback functionalityFriend/Follow/Connect to targets of interest
Assign KITs/KIQs into categoriesTask requirementsDetermine secondary level tactical elementConduct social engineeringIdentify business relationshipsDetermine centralization of IT managementAnalyze hardware/software security defensive capabilitiesAssess opportunities created by business dealsAnonymity servicesBuy domain nameDevelop social network persona digital footprintCompromise 3rd party or closed-source vulnerability/exploit informationTest malware in various execution environmentsHardware or software supply chain implant
Conduct cost/benefit analysisDetermine strategic targetDetermine 3rd party infrastructure servicesIdentify groups/rolesDetermine physical locationsAnalyze organizational skillsets and deficienciesAssess security posture of physical locationsCommon, high volume protocols and softwareCompromise 3rd party infrastructure to support deliveryFriend/Follow/Connect to targets of interestCreate custom payloadsTest malware to evade detectionPort redirector
Create implementation planDetermine domain and IP address spaceIdentify job postings and needs/gapsDumpster diveIdentify vulnerabilities in third-party software librariesAssess vulnerability of 3rd party vendorsCompromise 3rd party infrastructure to support deliveryCreate backup infrastructureObtain Apple iOS enterprise distribution key pair and certificateCreate infected removable mediaTest physical accessUpload, install, and configure software/tools
Create strategic planDetermine external network trust dependenciesIdentify people of interestIdentify business processes/tempoResearch relevant vulnerabilities/CVEsDNSCalcDomain registration hijackingDiscover new exploits and monitor exploit-provider forumsTest signature detection for file upload/email filters
Derive intelligence requirementsDetermine firmware versionIdentify personnel with an authority/privilegeIdentify business relationshipsResearch visibility gap of security vendorsData HidingDynamic DNSIdentify resources required to build capabilities
Develop KITs/KIQsDiscover target logon/email address formatIdentify sensitive personnel informationIdentify job postings and needs/gapsTest signature detectionDynamic DNSInstall and configure hardware, network, and systemsObtain/re-use payloads
Generate analyst intelligence requirementsEnumerate client configurationsIdentify supply chainsIdentify supply chainsFast Flux DNSObfuscate infrastructurePost compromise tool development
Identify analyst level gapsEnumerate externally facing software applications technologies, languages, and dependenciesMine social mediaObtain templates/branding materialsHost-based hiding techniquesObtain booter/stressor subscriptionRemote access tool development
Identify gap areasIdentify job postings and needs/gapsMisattributable credentialsProcure required equipment and software
Receive operator KITs/KIQs taskingIdentify security defensive capabilitiesNetwork-based hiding techniquesSSL certificate acquisition for domain
Identify supply chainsNon-traditional or less attributable payment optionsSSL certificate acquisition for trust breaking
Identify technology usage patternsOS-vendor provided communication channelsShadow DNS
Identify web defensive servicesObfuscate infrastructureUse multiple DNS infrastructures
Map network topologyObfuscate operational infrastructure
Mine technical blogs/forumsObfuscate or encrypt code
Obtain domain/IP registration informationObfuscation or cryptography
Spearphishing for InformationPrivate whois services
Proxy/protocol relays
Secure and protect infrastructure