ATT&CK Matrix


The ATT&CK Matrix for Enterprise provides a visual representation of the adversarial techniques described in the ATT&CK for Enterprise threat model.

Tactic categories are listed on the top row, with individual techniques as cells underneath each tactic to denote that the technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories, signifying that they can be used for more than one purpose.

Windows ATT&CK for Enterprise Matrix

Persistence: Accessibility Features, AppInit DLLs, Application Shimming, Authentication Package, Bootkit, Change Default File Association, Component Firmware, Component Object Model Hijacking, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hypervisor, Local Port Monitor, Logon Scripts, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Security Support Provider, Service Registry Permissions Weakness, Shortcut Modification, System Firmware, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation: Access Token Manipulation, Accessibility Features, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, File System Permissions Weakness, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service Registry Permissions Weakness, Valid Accounts, Web Shell

Defense Evasion: Access Token Manipulation, Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, Component Object Model Hijacking, DLL Injection, DLL Search Order Hijacking, DLL Side-Loading, Deobfuscate/Decode Files or Information, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Hidden Files and Directories, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, NTFS Extended Attributes, Network Share Connection Removal, Obfuscated Files or Information, Process Hollowing, Redundant Access, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, Scripting, Software Packing, Timestomp, Trusted Developer Utilities, Valid Accounts

Credential Access: Account Manipulation, Brute Force, Create Account, Credential Dumping, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Private Keys, Two-Factor Authentication Interception

Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery

Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Third-party Software, Windows Admin Shares, Windows Remote Management

Execution: Application Shimming, Command-Line Interface, Execution through API, Execution through Module Load, Graphical User Interface, InstallUtil, PowerShell, Process Hollowing, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Third-party Software, Trusted Developer Utilities, Windows Management Instrumentation, Windows Remote Management

Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture, Video Capture

Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

Mac ATT&CK for Enterprise Matrix

Persistence: .bash_profile and .bashrc, Cron Job, Dylib Hijacking, Hidden Files and Directories, LC_LOAD_DYLIB Addition, Launch Agent, Launch Daemon, Launchctl, Login Item, Logon Scripts, Plist Modification, Rc.common, Re-opened Applications, Redundant Access, Startup Items, Trap, Valid Accounts, Web Shell

Privilege Escalation: Dylib Hijacking, Exploitation of Vulnerability, Launch Daemon, Plist Modification, Setuid and Setgid, Startup Items, Sudo, Valid Accounts, Web Shell

Defense Evasion: Binary Padding, Clear Command History, Code Signing, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, Gatekeeper Bypass, HISTCONTROL, Hidden Files and Directories, Hidden Users, Hidden Window, Indicator Removal from Tools, Indicator Removal on Host, LC_MAIN Hijacking, Launchctl, Masquerading, Plist Modification, Redundant Access, Scripting, Space after Filename, Valid Accounts

Credential Access: Bash History, Brute Force, Create Account, Credentials in Files, Exploitation of Vulnerability, Input Capture, Input Prompt, Keychain, Network Sniffing, Private Keys, Securityd Memory, Two-Factor Authentication Interception

Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Permission Groups Discovery, Process Discovery, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery

Lateral Movement: AppleScript, Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Remote File Copy, Remote Services, Third-party Software

Execution: AppleScript, Command-Line Interface, Graphical User Interface, Launchctl, Scripting, Source, Space after Filename, Third-party Software, Trap

Collection: Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Input Capture, Screen Capture

Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

Linux ATT&CK for Enterprise Matrix

Persistence: .bash_profile and .bashrc, Bootkit, Cron Job, Hidden Files and Directories, Rc.common, Redundant Access, Trap, Valid Accounts, Web Shell

Privilege Escalation: Exploitation of Vulnerability, Setuid and Setgid, Sudo, Valid Accounts, Web Shell

Defense Evasion: Binary Padding, Clear Command History, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, HISTCONTROL, Hidden Files and Directories, Indicator Removal from Tools, Indicator Removal on Host, Install Root Certificate, Masquerading, Redundant Access, Scripting, Space after Filename, Timestomp, Valid Accounts

Credential Access: Bash History, Brute Force, Create Account, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Private Keys, Two-Factor Authentication Interception

Discovery: Account Discovery, File and Directory Discovery, Network Service Scanning, Permission Groups Discovery, Process Discovery, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery

Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Remote File Copy, Remote Services, Third-party Software

Execution: Command-Line Interface, Graphical User Interface, Scripting, Source, Space after Filename, Third-party Software, Trap

Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Input Capture, Screen Capture

Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service

ATT&CK for Enterprise Matrix Images

Windows ATT&CK for Enterprise Matrix (image): MITRE ATT&CK Matrix - Overview of ATT&CK tactics and techniques

Uses

Windows-Based Defensive Gap Analysis

An organization can use the ATT&CK Matrix as a way to visualize its defensive coverage of techniques and identify where gaps exist. Building detection and defensive capabilities against techniques can be prioritized based on documented adversary use, with an emphasis on techniques used heavily across multiple adversary groups.

The example below is a notional case where an organization has deployed some amount of host-based sensing and intrusion detection analytics to complement perimeter-focused sensors and is assessing where to invest resources next to cover more techniques. It is not based on an actual enterprise network environment, sensors, or analytic coverage of cyber adversary behavior.

(image) MITRE ATT&CK Matrix Example Use for Defensive Gap Analysis