Adversarial Tactics, Techniques & Common Knowledge

From enterprise
Revision as of 16:03, 1 August 2018 by Bstrom (talk | contribs)
Jump to: navigation, search
Welcome to ATT&CK

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

Note: A MITRE Partnership Network (MPN) account is not required to view and use the ATT&CK site.

API Migration (May 2018)

We are in the process of migrating to new infrastructure in the coming months. A new website will be stood up to display ATT&CK content and the MediaWiki API is being transitioned to a STIX/TAXII 2.0 API. Please see here for details. If you are using the MediaWiki API, please begin migrating and reach out to with questions. The MediaWiki site will be deprecated (will not be receiving content updates) when the new website is released in August 2018. At this time the Wiki will be moved and API will still be available but will eventually be taken offline at a date that is TBD, but will not be sooner than November 2018.

ATT&CK for Enterprise

ATT&CK for Enterprise is an adversary behavior model that describes the actions an adversary may take to compromise and operate within an enterprise network.

Enterprise Platform Coverage

The MITRE ATT&CK Matrix™ is a visualization of the tactics and techniques. It aligns individual techniques under the tactics in which they can be applied.

News and Updates

ATT&CK Matrix for Enterprise

The full ATT&CK Matrix below includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.

Initial Access Drive-by CompromiseExploit Public-Facing ApplicationHardware AdditionsReplication Through Removable MediaSpearphishing AttachmentSpearphishing LinkSpearphishing via ServiceSupply Chain CompromiseTrusted RelationshipValid Accounts
Execution AppleScriptCMSTPCommand-Line InterfaceControl Panel ItemsDynamic Data ExchangeExecution through APIExecution through Module LoadExploitation for Client ExecutionGraphical User InterfaceInstallUtilLSASS DriverLaunchctlLocal Job SchedulingMshtaPowerShellRegsvcs/RegasmRegsvr32Rundll32Scheduled TaskScriptingService ExecutionSigned Binary Proxy ExecutionSigned Script Proxy ExecutionSourceSpace after FilenameThird-party SoftwareTrapTrusted Developer UtilitiesUser ExecutionWindows Management InstrumentationWindows Remote Management
Persistence .bash_profile and .bashrcAccessibility FeaturesAppCert DLLsAppInit DLLsApplication ShimmingAuthentication PackageBITS JobsBootkitBrowser ExtensionsChange Default File AssociationComponent FirmwareComponent Object Model HijackingCreate AccountDLL Search Order HijackingDylib HijackingExternal Remote ServicesFile System Permissions WeaknessHidden Files and DirectoriesHookingHypervisorImage File Execution Options InjectionKernel Modules and ExtensionsLC_LOAD_DYLIB AdditionLSASS DriverLaunch AgentLaunch DaemonLaunchctlLocal Job SchedulingLogin ItemLogon ScriptsModify Existing ServiceNetsh Helper DLLNew ServiceOffice Application StartupPath InterceptionPlist ModificationPort KnockingPort MonitorsRc.commonRe-opened ApplicationsRedundant AccessRegistry Run Keys / Start FolderSIP and Trust Provider HijackingScheduled TaskScreensaverSecurity Support ProviderService Registry Permissions WeaknessShortcut ModificationStartup ItemsSystem FirmwareTime ProvidersTrapValid AccountsWeb ShellWindows Management Instrumentation Event SubscriptionWinlogon Helper DLL
Privilege Escalation Access Token ManipulationAccessibility FeaturesAppCert DLLsAppInit DLLsApplication ShimmingBypass User Account ControlDLL Search Order HijackingDylib HijackingExploitation for Privilege EscalationExtra Window Memory InjectionFile System Permissions WeaknessHookingImage File Execution Options InjectionLaunch DaemonNew ServicePath InterceptionPlist ModificationPort MonitorsProcess InjectionSID-History InjectionScheduled TaskService Registry Permissions WeaknessSetuid and SetgidStartup ItemsSudoSudo CachingValid AccountsWeb Shell
Defense Evasion Access Token ManipulationBITS JobsBinary PaddingBypass User Account ControlCMSTPClear Command HistoryCode SigningComponent FirmwareComponent Object Model HijackingControl Panel ItemsDCShadowDLL Search Order HijackingDLL Side-LoadingDeobfuscate/Decode Files or InformationDisabling Security ToolsExploitation for Defense EvasionExtra Window Memory InjectionFile DeletionFile System Logical OffsetsGatekeeper BypassHISTCONTROLHidden Files and DirectoriesHidden UsersHidden WindowImage File Execution Options InjectionIndicator BlockingIndicator Removal from ToolsIndicator Removal on HostIndirect Command ExecutionInstall Root CertificateInstallUtilLC_MAIN HijackingLaunchctlMasqueradingModify RegistryMshtaNTFS File AttributesNetwork Share Connection RemovalObfuscated Files or InformationPlist ModificationPort KnockingProcess DoppelgängingProcess HollowingProcess InjectionRedundant AccessRegsvcs/RegasmRegsvr32RootkitRundll32SIP and Trust Provider HijackingScriptingSigned Binary Proxy ExecutionSigned Script Proxy ExecutionSoftware PackingSpace after FilenameTimestompTrusted Developer UtilitiesValid AccountsWeb Service
Credential Access Account ManipulationBash HistoryBrute ForceCredential DumpingCredentials in FilesCredentials in RegistryExploitation for Credential AccessForced AuthenticationHookingInput CaptureInput PromptKerberoastingKeychainLLMNR/NBT-NS PoisoningNetwork SniffingPassword Filter DLLPrivate KeysSecurityd MemoryTwo-Factor Authentication Interception
Discovery Account DiscoveryApplication Window DiscoveryBrowser Bookmark DiscoveryFile and Directory DiscoveryNetwork Service ScanningNetwork Share DiscoveryPassword Policy DiscoveryPeripheral Device DiscoveryPermission Groups DiscoveryProcess DiscoveryQuery RegistryRemote System DiscoverySecurity Software DiscoverySystem Information DiscoverySystem Network Configuration DiscoverySystem Network Connections DiscoverySystem Owner/User DiscoverySystem Service DiscoverySystem Time Discovery
Lateral Movement AppleScriptApplication Deployment SoftwareDistributed Component Object ModelExploitation of Remote ServicesLogon ScriptsPass the HashPass the TicketRemote Desktop ProtocolRemote File CopyRemote ServicesReplication Through Removable MediaSSH HijackingShared WebrootTaint Shared ContentThird-party SoftwareWindows Admin SharesWindows Remote Management
Collection Audio CaptureAutomated CollectionClipboard DataData StagedData from Information RepositoriesData from Local SystemData from Network Shared DriveData from Removable MediaEmail CollectionInput CaptureMan in the BrowserScreen CaptureVideo Capture
Exfiltration Automated ExfiltrationData CompressedData EncryptedData Transfer Size LimitsExfiltration Over Alternative ProtocolExfiltration Over Command and Control ChannelExfiltration Over Other Network MediumExfiltration Over Physical MediumScheduled Transfer
Command and Control Commonly Used PortCommunication Through Removable MediaConnection ProxyCustom Command and Control ProtocolCustom Cryptographic ProtocolData EncodingData ObfuscationDomain FrontingFallback ChannelsMulti-Stage ChannelsMulti-hop ProxyMultiband CommunicationMultilayer EncryptionPort KnockingRemote Access ToolsRemote File CopyStandard Application Layer ProtocolStandard Cryptographic ProtocolStandard Non-Application Layer ProtocolUncommonly Used PortWeb Service