Adversarial Tactics, Techniques & Common Knowledge

From enterprise
Revision as of 02:29, 20 July 2017 by Bstrom (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Welcome to ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a threat modeling methodology and suite of models for the various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats. ATT&CK models are useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

ATT&CK for Enterprise

ATT&CK for Enterprise is a threat model and framework that describes the actions an adversary may take while operating within an enterprise network.

Enterprise Platform Coverage

The MITRE ATT&CK Matrix™ is a visualization of the tactics and techniques. It aligns individual techniques under the tactics in which they can be applied.

News and Updates

See Past Updates for previous changes.


ATT&CK Matrix for Enterprise

The full ATT&CK Matrix below includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the threat models.

Persistence .bash_profile and .bashrcAccessibility FeaturesAppInit DLLsApplication ShimmingAuthentication PackageBootkitChange Default File AssociationComponent FirmwareComponent Object Model HijackingCron JobDLL Search Order HijackingDylib HijackingExternal Remote ServicesFile System Permissions WeaknessHidden Files and DirectoriesHypervisorLC_LOAD_DYLIB AdditionLaunch AgentLaunch DaemonLaunchctlLocal Port MonitorLogin ItemLogon ScriptsModify Existing ServiceNetsh Helper DLLNew ServiceOffice Application StartupPath InterceptionPlist ModificationRc.commonRe-opened ApplicationsRedundant AccessRegistry Run Keys / Start FolderScheduled TaskSecurity Support ProviderService Registry Permissions WeaknessShortcut ModificationStartup ItemsSystem FirmwareTrapValid AccountsWeb ShellWindows Management Instrumentation Event SubscriptionWinlogon Helper DLL
Privilege Escalation Access Token ManipulationAccessibility FeaturesAppInit DLLsApplication ShimmingBypass User Account ControlDLL InjectionDLL Search Order HijackingDylib HijackingExploitation of VulnerabilityFile System Permissions WeaknessLaunch DaemonLocal Port MonitorNew ServicePath InterceptionPlist ModificationScheduled TaskService Registry Permissions WeaknessSetuid and SetgidStartup ItemsSudoValid AccountsWeb Shell
Defense Evasion Access Token ManipulationBinary PaddingBypass User Account ControlClear Command HistoryCode SigningComponent FirmwareComponent Object Model HijackingDLL InjectionDLL Search Order HijackingDLL Side-LoadingDeobfuscate/Decode Files or InformationDisabling Security ToolsExploitation of VulnerabilityFile DeletionFile System Logical OffsetsGatekeeper BypassHISTCONTROLHidden Files and DirectoriesHidden UsersHidden WindowIndicator BlockingIndicator Removal from ToolsIndicator Removal on HostInstall Root CertificateInstallUtilLC_MAIN HijackingLaunchctlMasqueradingModify RegistryNTFS Extended AttributesNetwork Share Connection RemovalObfuscated Files or InformationPlist ModificationProcess HollowingRedundant AccessRegsvcs/RegasmRegsvr32RootkitRundll32ScriptingSoftware PackingSpace after FilenameTimestompTrusted Developer UtilitiesValid Accounts
Credential Access Account ManipulationBash HistoryBrute ForceCreate AccountCredential DumpingCredentials in FilesExploitation of VulnerabilityInput CaptureInput PromptKeychainNetwork SniffingPrivate KeysSecurityd MemoryTwo-Factor Authentication Interception
Discovery Account DiscoveryApplication Window DiscoveryFile and Directory DiscoveryNetwork Service ScanningNetwork Share DiscoveryPeripheral Device DiscoveryPermission Groups DiscoveryProcess DiscoveryQuery RegistryRemote System DiscoverySecurity Software DiscoverySystem Information DiscoverySystem Network Configuration DiscoverySystem Network Connections DiscoverySystem Owner/User DiscoverySystem Service DiscoverySystem Time Discovery
Lateral Movement AppleScriptApplication Deployment SoftwareExploitation of VulnerabilityLogon ScriptsPass the HashPass the TicketRemote Desktop ProtocolRemote File CopyRemote ServicesReplication Through Removable MediaShared WebrootTaint Shared ContentThird-party SoftwareWindows Admin SharesWindows Remote Management
Execution AppleScriptApplication ShimmingCommand-Line InterfaceExecution through APIExecution through Module LoadGraphical User InterfaceInstallUtilLaunchctlPowerShellProcess HollowingRegsvcs/RegasmRegsvr32Rundll32Scheduled TaskScriptingService ExecutionSourceSpace after FilenameThird-party SoftwareTrapTrusted Developer UtilitiesWindows Management InstrumentationWindows Remote Management
Collection Audio CaptureAutomated CollectionClipboard DataData StagedData from Local SystemData from Network Shared DriveData from Removable MediaEmail CollectionInput CaptureScreen CaptureVideo Capture
Exfiltration Automated ExfiltrationData CompressedData EncryptedData Transfer Size LimitsExfiltration Over Alternative ProtocolExfiltration Over Command and Control ChannelExfiltration Over Other Network MediumExfiltration Over Physical MediumScheduled Transfer
Command and Control Commonly Used PortCommunication Through Removable MediaConnection ProxyCustom Command and Control ProtocolCustom Cryptographic ProtocolData EncodingData ObfuscationFallback ChannelsMulti-Stage ChannelsMultiband CommunicationMultilayer EncryptionRemote File CopyStandard Application Layer ProtocolStandard Cryptographic ProtocolStandard Non-Application Layer ProtocolUncommonly Used PortWeb Service