ATT&CK Matrix

Revision as of 17:18, 11 July 2017 by Default (talk)

The ATT&CK Matrix for Enterprise provides a visual representation of the adversarial techniques described in the ATT&CK for Enterprise threat model.

Tactic categories are listed on the top row, with individual techniques as cells underneath each tactic, denoting that the technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories, signifying that they can be used for more than one purpose.

Windows ATT&CK for Enterprise Matrix

Initial Access: Drive-by Compromise, Exploit Public-Facing Application, Hardware Additions, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts
Execution: CMSTP, Command-Line Interface, Control Panel Items, Dynamic Data Exchange, Execution through API, Execution through Module Load, Exploitation for Client Execution, Graphical User Interface, InstallUtil, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Third-party Software, Trusted Developer Utilities, User Execution, Windows Management Instrumentation, Windows Remote Management
Persistence: Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hooking, Hypervisor, Image File Execution Options Injection, LSASS Driver, Logon Scripts, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Port Monitors, Redundant Access, Registry Run Keys / Start Folder, SIP and Trust Provider Hijacking, Scheduled Task, Screensaver, Security Support Provider, Service Registry Permissions Weakness, Shortcut Modification, System Firmware, Time Providers, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
Privilege Escalation: Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Search Order Hijacking, Exploitation for Privilege Escalation, Extra Window Memory Injection, File System Permissions Weakness, Hooking, Image File Execution Options Injection, New Service, Path Interception, Port Monitors, Process Injection, SID-History Injection, Scheduled Task, Service Registry Permissions Weakness, Valid Accounts, Web Shell
Defense Evasion: Access Token Manipulation, BITS Jobs, Binary Padding, Bypass User Account Control, CMSTP, Code Signing, Component Firmware, Component Object Model Hijacking, Control Panel Items, DCShadow, DLL Search Order Hijacking, DLL Side-Loading, Deobfuscate/Decode Files or Information, Disabling Security Tools, Exploitation for Defense Evasion, Extra Window Memory Injection, File Deletion, File System Logical Offsets, Hidden Files and Directories, Image File Execution Options Injection, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, Mshta, NTFS File Attributes, Network Share Connection Removal, Obfuscated Files or Information, Process Doppelgänging, Process Hollowing, Process Injection, Redundant Access, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, SIP and Trust Provider Hijacking, Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, Software Packing, Timestomp, Trusted Developer Utilities, Valid Accounts, Web Service
Credential Access: Account Manipulation, Brute Force, Credential Dumping, Credentials in Files, Credentials in Registry, Exploitation for Credential Access, Forced Authentication, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning, Network Sniffing, Password Filter DLL, Private Keys, Replication Through Removable Media, Two-Factor Authentication Interception
Discovery: Account Discovery, Application Window Discovery, Browser Bookmark Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Password Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
Lateral Movement: Application Deployment Software, Distributed Component Object Model, Exploitation of Remote Services, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Third-party Software, Windows Admin Shares, Windows Remote Management
Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Man in the Browser, Screen Capture, Video Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Fallback Channels, Multi-Stage Channels, Multi-hop Proxy, Multiband Communication, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

Mac ATT&CK for Enterprise Matrix

Initial Access: Drive-by Compromise, Exploit Public-Facing Application, Hardware Additions, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts
Execution: AppleScript, Command-Line Interface, Exploitation for Client Execution, Graphical User Interface, Launchctl, Local Job Scheduling, Scripting, Source, Space after Filename, Third-party Software, Trap, User Execution
Persistence: .bash_profile and .bashrc, Browser Extensions, Create Account, Dylib Hijacking, Hidden Files and Directories, Kernel Modules and Extensions, LC_LOAD_DYLIB Addition, Launch Agent, Launch Daemon, Launchctl, Local Job Scheduling, Login Item, Logon Scripts, Plist Modification, Port Knocking, Rc.common, Re-opened Applications, Redundant Access, Startup Items, Trap, Valid Accounts, Web Shell
Privilege Escalation: Dylib Hijacking, Exploitation for Privilege Escalation, Launch Daemon, Plist Modification, Process Injection, Setuid and Setgid, Startup Items, Sudo, Sudo Caching, Valid Accounts, Web Shell
Defense Evasion: Binary Padding, Clear Command History, Code Signing, Disabling Security Tools, Exploitation for Defense Evasion, File Deletion, Gatekeeper Bypass, HISTCONTROL, Hidden Files and Directories, Hidden Users, Hidden Window, Indicator Removal from Tools, Indicator Removal on Host, Install Root Certificate, LC_MAIN Hijacking, Launchctl, Masquerading, Obfuscated Files or Information, Plist Modification, Port Knocking, Process Injection, Redundant Access, Rootkit, Scripting, Space after Filename, Valid Accounts, Web Service
Credential Access: Bash History, Brute Force, Credentials in Files, Exploitation for Credential Access, Input Capture, Input Prompt, Keychain, Network Sniffing, Private Keys, Securityd Memory, Two-Factor Authentication Interception
Discovery: Account Discovery, Application Window Discovery, Browser Bookmark Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
Lateral Movement: AppleScript, Application Deployment Software, Exploitation of Remote Services, Logon Scripts, Remote File Copy, Remote Services, SSH Hijacking, Third-party Software
Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Input Capture, Screen Capture, Video Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Fallback Channels, Multi-Stage Channels, Multi-hop Proxy, Multiband Communication, Multilayer Encryption, Port Knocking, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

Linux ATT&CK for Enterprise Matrix

Initial Access: Drive-by Compromise, Exploit Public-Facing Application, Hardware Additions, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts
Execution: Command-Line Interface, Exploitation for Client Execution, Graphical User Interface, Local Job Scheduling, Scripting, Source, Space after Filename, Third-party Software, Trap, User Execution
Persistence: .bash_profile and .bashrc, Bootkit, Browser Extensions, Create Account, Hidden Files and Directories, Kernel Modules and Extensions, Local Job Scheduling, Port Knocking, Redundant Access, Trap, Valid Accounts, Web Shell
Privilege Escalation: Exploitation for Privilege Escalation, Process Injection, Setuid and Setgid, Sudo, Sudo Caching, Valid Accounts, Web Shell
Defense Evasion: Binary Padding, Clear Command History, Disabling Security Tools, Exploitation for Defense Evasion, File Deletion, HISTCONTROL, Hidden Files and Directories, Indicator Removal from Tools, Indicator Removal on Host, Install Root Certificate, Masquerading, Obfuscated Files or Information, Port Knocking, Process Injection, Redundant Access, Rootkit, Scripting, Space after Filename, Timestomp, Valid Accounts, Web Service
Credential Access: Bash History, Brute Force, Credentials in Files, Exploitation for Credential Access, Input Capture, Network Sniffing, Private Keys, Two-Factor Authentication Interception
Discovery: Account Discovery, Browser Bookmark Discovery, File and Directory Discovery, Network Service Scanning, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
Lateral Movement: Application Deployment Software, Exploitation of Remote Services, Remote File Copy, Remote Services, SSH Hijacking, Third-party Software
Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Input Capture, Screen Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Fallback Channels, Multi-Stage Channels, Multi-hop Proxy, Multiband Communication, Multilayer Encryption, Port Knocking, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

ATT&CK for Enterprise Matrix Images

[Image: Windows ATT&CK for Enterprise Matrix - overview of ATT&CK tactics and techniques]

Uses

Windows-Based Defensive Gap Analysis

An organization can use the ATT&CK Matrix to visualize its defensive coverage of techniques and identify where gaps exist. Building detection and defensive capabilities against techniques can be prioritized by documented adversary use, with an emphasis on techniques used heavily across multiple adversary groups.

The example below is a notional case where an organization has deployed some amount of host-based sensing and intrusion detection analytics to complement perimeter-focused sensors and is assessing where to invest resources next to cover more techniques. It is not based on an actual enterprise network environment, sensors, or analytic coverage of cyber adversary behavior.

[Image: MITRE ATT&CK Matrix example use for defensive gap analysis]
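The gap analysis described above, worked through in code as an added example (not MITRE tooling and not the notional case in the image): tactic and technique names are taken from the Windows matrix on this page, while the COVERED set and the per-technique GROUP_USAGE counts are constructed placeholders for an organization's own sensor inventory and for the adversary-group usage that ATT&CK documents.

```python
# Notional ATT&CK defensive gap analysis over a slice of the Windows matrix.
# Added example, not MITRE's tooling. COVERED and GROUP_USAGE are constructed
# stand-ins for a real sensor inventory and ATT&CK's per-group technique usage.
from collections import defaultdict

# Slice of the Windows ATT&CK for Enterprise Matrix (tactic -> techniques).
MATRIX = {
    "Execution": ["PowerShell", "Scheduled Task", "Rundll32", "Scripting"],
    "Persistence": ["Registry Run Keys / Start Folder", "Scheduled Task",
                    "New Service", "Web Shell"],
    "Credential Access": ["Credential Dumping", "Brute Force", "Kerberoasting"],
}

# Constructed: techniques the notional organization already has analytics for.
COVERED = {"PowerShell", "Scheduled Task", "Brute Force"}

# Constructed: number of documented adversary groups observed using each technique.
GROUP_USAGE = {
    "PowerShell": 40, "Scheduled Task": 25, "Rundll32": 15, "Scripting": 35,
    "Registry Run Keys / Start Folder": 45, "New Service": 10, "Web Shell": 8,
    "Credential Dumping": 50, "Brute Force": 9, "Kerberoasting": 3,
}

def coverage_by_tactic(matrix, covered):
    """Return {tactic: (covered_count, total)}, one count per matrix column."""
    return {t: (sum(x in covered for x in techs), len(techs))
            for t, techs in matrix.items()}

def prioritized_gaps(matrix, covered, usage, min_groups=1):
    """Uncovered techniques per tactic, most widely used by adversaries first.
    A technique spanning several tactics is listed under each, as in the matrix."""
    gaps = defaultdict(list)
    for tactic, techs in matrix.items():
        for tech in techs:
            if tech not in covered and usage.get(tech, 0) >= min_groups:
                gaps[tactic].append((tech, usage.get(tech, 0)))
        gaps[tactic].sort(key=lambda p: (-p[1], p[0]))
    return dict(gaps)

def next_investments(matrix, covered, usage, n=3):
    """Top-n uncovered techniques across all tactics, each counted once."""
    seen = {}
    for items in prioritized_gaps(matrix, covered, usage).values():
        seen.update(items)
    return sorted(seen, key=lambda t: (-seen[t], t))[:n]

if __name__ == "__main__":
    for tactic, (c, total) in coverage_by_tactic(MATRIX, COVERED).items():
        print(f"{tactic}: {c}/{total} techniques covered")
    print("Invest next:", next_investments(MATRIX, COVERED, GROUP_USAGE))
```

Replacing the constructed dictionaries with the full matrix, a real sensor inventory and group counts pulled from ATT&CK group pages turns this into the coverage view the section describes.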