Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

PRE-ATT&CK Techniques

PRE-ATT&CK Techniques: 174
ID Name Description
T1307 Acquire and/or use 3rd party infrastructure services

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.

T1329 Acquire and/or use 3rd party infrastructure services

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.

T1330 Acquire and/or use 3rd party software services

A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.

T1308 Acquire and/or use 3rd party software services

A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.

T1310 Acquire or compromise 3rd party signing certificates

Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is.

T1332 Acquire or compromise 3rd party signing certificates

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is.

T1247 Acquire OSINT data sets and information

Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world.

T1266 Acquire OSINT data sets and information

Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise.

T1277 Acquire OSINT data sets and information

Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world.

T1275 Aggregate individual's digital footprint

In addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources.

T1293 Analyze application security posture

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1288 Analyze architecture and configuration posture

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls.

T1301 Analyze business processes

Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other

T1287 Analyze data collected

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture.

T1294 Analyze hardware/software security defensive capabilities

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1289 Analyze organizational skillsets and deficiencies

Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.

T1300 Analyze organizational skillsets and deficiencies

Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.

T1297 Analyze organizational skillsets and deficiencies

Understanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation.

T1303 Analyze presence of outsourced capabilities

Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing.

T1295 Analyze social and business relationships, interests, and affiliations

Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail.

T1306 Anonymity services

Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity.

T1236 Assess current holdings, needs, and wants

Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement.

T1229 Assess KITs/KIQs benefits

Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. KIT.

T1224 Assess leadership areas of interest

Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT.

T1299 Assess opportunities created by business deals

During mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable.

T1302 Assess security posture of physical locations

Physical access may be required for certain types of adversarial actions.

T1296 Assess targeting options

An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments.

T1298 Assess vulnerability of 3rd party vendors

Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be.

T1238 Assign KITs, KIQs, and/or intelligence requirements

Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission.

T1228 Assign KITs/KIQs into categories

Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor.

T1381 Authentication attempt ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1386 Authorized user performs requested cyber action ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1384 Automated system performs requested action ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1347 Build and configure delivery systems

Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments.

T1349 Build or acquire exploits

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise.

T1341 Build social network persona

For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (Facebook, LinkedIn, Twitter, Google+, etc.).

T1328 Buy domain name

Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

T1352 C2 protocol development

Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media.

T1391 Choose pre-compromised mobile app developer account credentials or signing keys

The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps.

T1343 Choose pre-compromised persona and affiliated accounts

For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

T1321 Common, high volume protocols and software

Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic.

T1312 Compromise 3rd party infrastructure to support delivery

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle.

T1334 Compromise 3rd party infrastructure to support delivery

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle.

T1354 Compromise 3rd party or closed-source vulnerability/exploit information

There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack.

T1388 Compromise of externally facing system ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1254 Conduct active scanning

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system.

T1226 Conduct cost/benefit analysis

Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries.

T1253 Conduct passive scanning

Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system.

T1279 Conduct social engineering

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1249 Conduct social engineering

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1268 Conduct social engineering

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1376 Conduct social engineering or HUMINT operation ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1383 Confirmation of launched compromise achieved ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1339 Create backup infrastructure

Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable.

T1345 Create custom payloads

A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment.

T1232 Create implementation plan

Implementation plans specify how the goals of the strategic plan will be executed.

T1355 Create infected removable media

Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware.

T1231 Create strategic plan

Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out.

T1374 Credential pharming ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1320 Data Hiding

Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known.

T1380 Deploy exploit using advertising ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1230 Derive intelligence requirements

Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement.

T1284 Determine 3rd party infrastructure services

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise.

T1260 Determine 3rd party infrastructure services

Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization.

T1245 Determine approach/attack vector

The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector.

T1285 Determine centralization of IT management

Determining if a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards.

T1250 Determine domain and IP address space

Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.

T1259 Determine external network trust dependencies

Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs).

T1258 Determine firmware version

Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.

T1243 Determine highest level tactical element

From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency.

T1242 Determine operational element

If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government.

T1282 Determine physical locations

Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility.

T1244 Determine secondary level tactical element

The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability.

T1241 Determine strategic target

An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector.

T1227 Develop KITs/KIQs

Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations.

T1342 Develop social network persona digital footprint

Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.

T1350 Discover new exploits and monitor exploit-provider forums

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits.

T1255 Discover target logon/email address format

Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format.

T1379 Disseminate removable media

Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access.

T1394 Distribute malicious software development tools

An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools.

T1382 DNS poisoning ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1324 DNSCalc

DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request.

T1323 Domain Generation Algorithms (DGA)

The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers.

T1326 Domain registration hijacking

Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant.

T1286 Dumpster dive

Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest.

T1333 Dynamic DNS

Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs.

T1311 Dynamic DNS

Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service.

T1262 Enumerate client configurations

Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers.

T1261 Enumerate externally facing software applications technologies, languages, and dependencies

Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary.

T1377 Exploit public-facing application ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1325 Fast Flux DNS

A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record.

T1344 Friend/Follow/Connect to targets of interest

Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.

T1364 Friend/Follow/Connect to targets of interest

A form of social engineering designed build trust and to lay the foundation for future interactions or attacks.

T1234 Generate analyst intelligence requirements

Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question.

T1365 Hardware or software supply chain implant

During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance.

T1314 Host-based hiding techniques

Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code.

T1385 Human performs requested action of physical nature ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1233 Identify analyst level gaps

Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ).

T1280 Identify business processes/tempo

Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic.

T1272 Identify business relationships

Business relationship information includes the associates of a target and may be discovered via social media sites such as LinkedIn or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship.

T1283 Identify business relationships

Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship.

T1225 Identify gap areas

Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ).

T1270 Identify groups/roles

Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator.

T1248 Identify job postings and needs/gaps

Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms.

T1267 Identify job postings and needs/gaps

Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts.

T1278 Identify job postings and needs/gaps

Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts.

T1269 Identify people of interest

The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target.

T1271 Identify personnel with an authority/privilege

Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers.

T1348 Identify resources required to build capabilities

As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out.

T1263 Identify security defensive capabilities

Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses.

T1274 Identify sensitive personnel information

An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online.

T1246 Identify supply chains

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.

T1276 Identify supply chains

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships.

T1265 Identify supply chains

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain.

T1264 Identify technology usage patterns

Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.

T1389 Identify vulnerabilities in third-party software libraries

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library.

T1256 Identify web defensive services

An adversary can attempt to identify web defensive services as CloudFlare, IPBan, and Snort. This may be done by passively detecting services, like CloudFlare routing, or actively, such as by purposefully tripping security defenses.

T1336 Install and configure hardware, network, and systems

An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure.

T1375 Leverage compromised 3rd party resources ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1252 Map network topology

A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.

T1273 Mine social media

An adversary may research available open source information about a target commonly found on social media sites such as Facebook, Instagram, or Pinterest. Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary.

T1257 Mine technical blogs/forums

Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use.

T1322 Misattributable credentials

The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case.

T1315 Network-based hiding techniques

Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation.

T1316 Non-traditional or less attributable payment options

Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts.

T1309 Obfuscate infrastructure

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.

T1331 Obfuscate infrastructure

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.

T1318 Obfuscate operational infrastructure

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.

T1319 Obfuscate or encrypt code

Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption.

T1313 Obfuscation or cryptography

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption.

T1392 Obtain Apple iOS enterprise distribution key pair and certificate

The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected).

T1396 Obtain booter/stressor subscription

Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks.

T1251 Obtain domain/IP registration information

For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization.

T1281 Obtain templates/branding materials

Templates and branding materials may be used by an adversary to add authenticity to social engineering message.

T1346 Obtain/re-use payloads

A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available.

T1390 OS-vendor provided communication channels

Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices.

T1363 Port redirector

Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack.

T1353 Post compromise tool development

After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data.

T1305 Private whois services

Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain.

T1335 Procure required equipment and software

An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.

T1304 Proxy/protocol relays

Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication.

T1373 Push-notification client-side exploit ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1239 Receive KITs/KIQs and determine requirements

Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities.

T1235 Receive operator KITs/KIQs tasking

Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement.

T1351 Remote access tool development

A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT.

T1378 Replace legitimate binary with malware ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1291 Research relevant vulnerabilities/CVEs

Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable.

T1290 Research visibility gap of security vendors

If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools.

T1358 Review logs and residual traces

Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code.

T1395 Runtime code download and execution ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1317 Secure and protect infrastructure

An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures.

T1340 Shadow DNS

The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.

T1367 Spear phishing messages with malicious attachments ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1369 Spear phishing messages with malicious links ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1368 Spear phishing messages with text only ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1397 Spearphishing for Information

Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means.

T1337 SSL certificate acquisition for domain

Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs).

T1338 SSL certificate acquisition for trust breaking

Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks.

T1237 Submit KITs, KIQs, and intelligence requirements

Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system.

T1371 Targeted client-side exploitation ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1366 Targeted social media phishing ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1240 Task requirements

Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements.

T1393 Test ability to evade automated mobile application security analysis performed by app stores

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices.

T1356 Test callback functionality

Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached.

T1357 Test malware in various execution environments

Malware may perform differently on different platforms (computer vs handheld) and different operating systems (Ubuntu vs OS X), and versions (Windows 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed.

T1359 Test malware to evade detection

An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services.

T1360 Test physical access

An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access.

T1292 Test signature detection

An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure.

T1361 Test signature detection for file upload/email filters

An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS).

T1387 Unauthorized user introduces compromise delivery mechanism ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1372 Unconditional client-side exploitation/Injected Website/Driveby ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1370 Untargeted client-side exploitation ****Deprecation Warning****

This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.

T1362 Upload, install, and configure software/tools

An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure.

T1327 Use multiple DNS infrastructures

A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records.