Module 1: Introducing the Training and Understanding ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Using MITRE ATT&CKTM for Cyber Threat Intelligence Training
Katie Nickels and Adam Pennington
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview
▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti
▪ Module 1: Introducing training and understanding ATT&CK A. Topic introduction (Video)
▪ Module 2: Mapping to ATT&CK from finished reporting
A. Topic introduction (Video)
B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 2 (Video)
▪ Module 3: Mapping to ATT&CK from raw data
A. Topic introduction (Video)
B. Exercise 3: Mapping to ATT&CK from raw data
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 3 (Video)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview
▪ Module 4: Storing and analyzing ATT&CK-mapped intel
A. Topic introduction (Video)
B. Exercise 4: Comparing layers in ATT&CK Navigator
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 4 (Video)
▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
A. Topic introduction (Video)
B. Exercise 5: Making defensive recommendations
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 5 and wrap-up (Video)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Module 1
Map data to ATT&CK
Module 2 Module 3
Store & analyze ATT&CK-mapped data
Module 4
Make defensive recommendations from ATT&CK- mapped data
Module 5
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Introduction to ATT&CK and Applying it to CTI
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Tough Questions for Defenders
▪How effective are my defenses?
▪Do I have a chance at detecting APT29?
▪Is the data I’m collecting useful?
▪Do I have overlapping tool coverage?
▪Will this new product help my organization’s defenses?
|8|
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
What is
A knowledge base of adversary behavior
➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language
➢ Community-driven
?
|9|
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
The Difficult Task of Detecting TTPs
•Tough! •Challenging
TTPs Tools
Network/ Host Artifacts
Domain Names
IP Addresses
Hash Values
•Annoying •Simple
•Easy •Trivial
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Initial Access
Execution Persistence Privilege Escalation Defense Evasion
Credential Access Discovery
Command and Control
Impact
Drive-by Compromise
AppleScript
Audio Capture
Commonly Used Port
Automated Exfiltration
Data Destruction
Dynamic Data Exchange
Execution through API
InstallUtil
Mshta PowerShell
Regsvr32
Rundll32
Scripting
Service Execution
.bash_profile and .bashrc
AppCert DLLs
AppInit DLLs
New Service Path Interception
Startup Items
Web Shell
Exploitation for Privilege Escalation
Clear Command History
CMSTP
Control Panel Items DCShadow
DLL Side-Loading
Hooking
Password Policy Discovery
System Information Discovery
Exfiltration Over Physical Medium
Trusted Relationship
Input Capture
Peripheral Device Discovery
Remote File Copy
Input Capture
Domain Generation Algorithms
Service Stop
Valid Accounts
Execution through Module Load
Application Shimming
Code Signing
Input Prompt
Permission Groups Discovery
Remote Services
Man in the Browser
Scheduled Transfer
Stored Data Manipulation
Dylib Hijacking
Compiled HTML File
Kerberoasting
Process Discovery
Replication Through Removable Media
Screen Capture
Fallback Channels
Transmitted Data Manipulation
Exploitation for Client Execution
File System Permissions Weakness
Component Firmware
Keychain
Query Registry
Video Capture
Multiband Communication
Graphical User Interface
Hooking
Launch Daemon
Component Object Model Hijacking
LLMNR/NBT-NS Poisoning and Relay
Remote System Discovery
Shared Webroot
Multi-hop Proxy
Security Software Discovery
SSH Hijacking
Multilayer Encryption
Password Filter DLL Private Keys
Taint Shared Content Third-party Software
Multi-Stage Channels Port Knocking
Procedures: Specific technique implementation
Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools
Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy
Regsvcs/Regasm
Inte
rcep
tion
M
Setuid and Setgid Disabling Security Tools
nt
System Network Standard Application Layer
anageme
Connections Discovery Protocol
Execution Guardrails
Exploitation for Defense Evasion
System Owner/User Discovery
Standard Cryptographic Protocol
Signed Binary Proxy Execution
Account Manipulation
System Service Discovery
Standard Non-Application Layer Protocol
Authentication Package
SID-History Injection
File Deletion
System Time Discovery
Signed Script Proxy Execution
Bootkit
BITS Jobs
Sudo
File Permissions Modification
Virtualization/Sandbox Evasion
Uncommonly Used Port
Sudo Caching
Web Service
Source
Browser Extensions
File System Logical Offsets
Space after Filename
Change Default File Association
Gatekeeper Bypass
Third-party Software
Trusted Developer Utilities
Component Firmware
Group Policy Modification
Hidden Files and Directories
User Execution
Windows Management Instrumentation
Windows Remote Management
XSL Script Processing
Component Object Model Hijacking
External Remote Services
Hidden Users
Hidden Window
Create Account
HISTCONTROL
Indicator Blocking
Hidden Files and
Hypervisor
Directories
Indicator Removal from Tools
Kernel Modules and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Login Item Launchctl Logon Scripts LC_MAIN Hijacking
Lateral Movement
Collection
Exfiltration
Scheduled Task Binary Padding
Network Sniffing
Exploit Public-Facing Application
Launchctl
Access Token Manipulation
Account Manipulation
Account Discovery
Application Deployment Software
Automated Collection
Communication Through Removable Media
Data Compressed
Data Encrypted for Impact
Local Job Scheduling
Bypass User Account Control
Bash History
Application Window Discovery
Clipboard Data
Data Encrypted
Defacement
External Remote Services
Extra Window Memory Injection
Brute Force
Connection Proxy
Data Transfer Size Limits
Disk Content Wipe
Command-Line Interface
LSASS Driver
Trap
Plist Modification
Browser Bookmark Discovery
Distributed Component Object Model
Data from Information Repositories
Hardware Additions
Process Injection
Credential Dumping
Custom Command and Control Protocol
Exfiltration Over Other Network Medium
Disk Structure Wipe
Replication Through Removable Media
AppleScript
Credentials in Files
Data from Local System
Endpoint Denial of Service
CMSTP
DLL Search Order Hijacking
Image File Execution Options Injection
Exploitation of Remote Services
Credentials in Registry
Domain Trust Discovery
Data from Network Shared Drive
Custom Cryptographic Protocol
Exfiltration Over Command and Control Channel
Firmware Corruption
Spearphishing Attachment
Exploitation for Credential Access
File and Directory Discovery
Logon Scripts
Inhibit System Recovery
Spearphishing Link
Compiled HTML File
Valid Accounts
Network Service Scanning
Pass the Hash
Data from Removable Media
Data Encoding
Exfiltration Over Alternative Protocol
Network Denial of Service
Spearphishing via Service
Control Panel Items
Accessibility Features
BITS Jobs
Forced Authentication
Network Share Discovery
Pass the Ticket
Data Staged
Data Obfuscation
Resource Hijacking
Supply Chain Compromise
Remote Desktop Protocol
Email Collection
Domain Fronting
Runtime Data Manipulation
Techniques: how the goals are achieved
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
we’ve chosen 12 of those data sources to show the techniques each of them might be able to detect with the right colle
T
ems
ExploitPublic-FacingApplication External Remote Services Hardware Additions
Replication Through Removable Media
Spearphishing Attachment Spearphishing Link SpearphishingviaService Supply Chain Compromise Trusted Relationship
Valid Accounts
ATT&CK Use C
CRoemmovuanbilceaMtioendiTahrough Connection Proxy CPruosttocmolCommand and Control Custom Cryptographic Protocol DataEncoding
Data Obfuscation DomainFronting
Domain Generation Algorithms Fallback Channels
Multi-hop Proxy
SpearphishingLink Spearphishing via Service Supply Chain Compromise Trusted Relationship
Valid Accounts
ExecutionthroughAPI AuthenticationPackage DLLSearchOrderHijacking CodeSigning ExploitationforCredential Access NetworkShareDiscovery PasstheTicket DatafromRemovableMedia DataObfuscation EMxefdiltiruamtionOverOtherNetwork FirmwareCorruption
AccessibilityFeatures Account Manipulation AppCert DLLs
AppInit DLLs ApplicationShimming Authentication Package BITSJobs
Bootkit
Browser Extensions
Change Default File Association
ApplicationDeploymentSoftware DMiosdtreibluted Component Object Exploitation of Remote Services Logon Scripts
DataCompressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol ECxofniltroaltiConhaOnvnerlCommandand EMxefdiltiruamtion Over Other Network ExfiltrationOverPhysicalMedium Scheduled Transfer
DataEncryptedforImpact Defacement
Disk Content Wipe
Disk Structure Wipe EndpointDenialofService Firmware Corruption InhibitSystemRecovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop
Stored Data Manipulation Transmitted Data Manipulation
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
DynamicDataExchange
Execution through API
ExecutionthroughModuleLoad
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared W ebroot Screen Capture Multi-Stage Channels
Local Job Scheduling Component Object Model Hijacking ImnjeacgteioFnile Execution Options DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication
LSASS Driver Create Account Launch Daemon DIneforbmfuasticoante/Decode Files or LRLeMlaNyR/NBT -NS Poisoning and Remote System Discovery Taint Shared Content Multilayer Encryption
Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking
PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys SDyisctoevmerNyetwork Configuration Windows Remote Management Remote File Copy
Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory SDyisctoevmerNyetwork Connections Standard Application Layer Protocol
AccessibilityFeatures AppCert DLLs
AppInit DLLs
Application Shimming BypassUser AccountControl DLL Search Order Hijacking DylibHijacking
BinaryPadding
BITS Jobs
Bypass User Account Control Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
BashHistory
Brute Force
Credential Dumping
Credentials in Files CredentialsinRegistry Exploitation for Credential Access Forced Authentication
Hooking
Input Capture
Input Prompt
ApplicationWindowDiscovery Browser Bookmark Discovery Domain Trust Discovery
File and Directory Discovery NetworkServiceScanning Network Share Discovery NetworkSniffing
AutomatedCollection
Clipboard Data
Data from Information Repositories Data from Local System DatafromNetworkSharedDrive Data from Removable Media DataStaged
Email Collection
Input Capture
Man in the Browser
analytics.Check out our website at attack.mitre.org for more information on how each technique can be detected,and
Exploitation for Privilege Escalation Extra Window Memory Injection
File System Permissions W eakness
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery
Component Object Model Hijacking Image File Execution Options DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation
Hidden Files and Dir
Scripting Hypervisor SWeeravikcneeRssegistry Permissions File Deletion System Time Discovery Service Execution ImnjeacgteioFnile Execution Options Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion
Signed Binary Proxy Execution Signed Script Proxy Execution Source
Space after Filename Third-party Software
Trap
Trusted Developer Utilities User Execution
Windows Management Instrumentation
Windows Remote Management XSL Script Processing
Kernel Modules and Extensions Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition Local Job Scheduling Login Item
Logon Scripts
LSASS Driver
Modify Existing Service Netsh Helper DLL
New Service
Office Application Startup Path Interception
Plist Modification
Port Knocking
SID-History Injection Startup Items
Sudo
Sudo Caching
Valid Accounts Web Shell
File System Logical Of fsets Gatekeeper Bypass
Group Policy Modification Hidden Files and Directories Hidden Users
Hidden Window HISTCONTROL
ImnjeacgteioFnile Execution Options Indicator Blocking
Indicator Removal from Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil
Launchctl
LC_MAIN Hijacking
Use ATT&CK for Cyber Threat Intelligence
ectories Process
n for Defense Evasion
System Owner/User
Discovery
Standard Cryptographic Protocol
Injection Exploitatio
Interception
Tools
Two-Factor Authentication
Hypervisor
Service Registry Permissions
Weakness File Deletion System Time Discovery
Rundll32
Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery SPtraontodcaorld Non-Application Layer
Detection
at Intelligence
PasstheHash
Pass the Ticket RemoteDesktopProtocol Remote File Copy
Remote Services
RMepdliacation Through Removable
Change Default File Association
ComponentFirmware
File System Permissions W eakness
Hooking
Component Object Model Hijacking ControlPanelItems
Input Prompt Kerberoasting
Permission Groups Discovery ProcessDiscovery
RMepdliacation Through Removable
SharedWebroot
Man in the Browser ScreenCapture
Multi-hop Proxy Multi-StageChannels
ases
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten
Legend
comm
cial threat feeds,
ation-sharing groups, government threat-sharing programs, ysts a common language to communicate across reports and
Uncommonly Used Port Web Service
APT28 APT29 Both
Signed Script Proxy Executio Source
Space after Filename Third-party Software
Trap
Trusted Developer Utilities
gent Launch Daemon
Launchctl
tartup Items Sudo
Sudo Caching
Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery
Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms
Scheduled Transfer
Network Denial of Service Resource Hijacking Runtime Data Manipulation ServiceStop
adversary examples you can use to start detecting adversary behavior with ATT&CK.
Graphical User Interface InstallUtil
Launchctl
Local Job Scheduling LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution Kernel Modules and Extensions
n
Get
St
a
rted
XSL Script Processing
Port Knocking
st
and m
organ
tions, providing a
ay to structure, compare, and analyze threat intelligence.
Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ AT
Cre
ning
and
Dyl
ib Hija
ate Ac
cking
Path
Interce
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Plist Modification
Port Monitors
Process Injection
Scheduled Task
SDyisctoevmerNyetwork Configuration SDyisctoevmerNyetwork Connections System Owner/User Discovery System Service Discovery
with ATT&CK
Gatekeeper Bypass
Group Policy Modification Hidden Files and Directories
Hooking
Image File Execution Options Injection
Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion SID-History Injection File System Logical Of fsets
Launch A
S
Injection
LC_LOAD_DYLIB Addition Valid Accounts Hidden Users
ption
DLL
Se
D
eobfus
cate/D
ecode Fi
les or
LLMN
Information Relay
tion
arch O
rder Hi
jac
DLL Side-Loading
Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection
Private Keys Securityd Memory
Two-Factor Authentication Interception
Windows Remote Management
Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Low Priority
king
Pas
R/NB
swor
T -NS
Poiso
count
DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking
La
unch Da
emon
Rem
d Filte
r DLL
S
ystem
Info
ote S
ystem Dis
rmatio
cov
n Discove
ery
Tain
ry
Wind
tSh
ared
Conte
ows A
dmin
Shares
Re
nt
Multil
ayer E
mote
Acces
ncrypt
ion
Tran
s Tools
smitted D
ata Ma
nipula
Local J
Netsh He
ob Schedu
Path Interception
Plist M
ificati
Launch
od
on
ctl LC_MAIN Hijacking
Finding Gaps in Defense
lper D
In
Ins
InstallUti
ling
We
Cyberthreatintelligencece
. ATT&CK gives Thrawnal
b Shell
Hidden W
Login Item
Logon Scripts Image File Execution Options
o
LSASS Deriver r Inidincator Bflockoing rm
LL
New Service Indirect Command Execution
Office A
ioz ar e
e
pplicat
ion S
tartup
HISTCONTROL
Legend
di
cator R
em
tall Ro
indow
mes from many sources, including knowledge of past incidents,
User Execution
Windows Management
Instrumentation
Windows Remote Management Modify Existing Service Indicator Removal from
High Priority
Injectio
n
oval on
ot Ce
Ho
rtificat
l
Tools
== “cmd.exe”)
Process Hollowing Process Injection Redundant Access Regsvcs/Regasm
Port Monitors
Rc.common
Re-opened Applications Mshta
processes = search Process:Create Registry Run Keys / Startup Folder NTFS File Attributes
Redundant Access NRetmwovrkalShare Connection
Scheduled Task Obfuscated Files or Information Screensaver Plist Modification
Se
curity Supp
ort Provider
Port Knocki
Process Doppelgänging
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
and Trust
Provider Hi
jacking
SIP
Startup Items
System Firmware Regsvr32
Masquerading Modify Registry
Comparing APT28 to APT29
reg = filter processes where (exe == “reg.exe” and parent_exe
ng
cmd = filter processes where (exe == “cmd.exe” and Time Providers Rundll32
Systemd Service Rootkit
Trap Scripting
Valid Accounts Signed Binary Proxy Execution
parent_exe != “explorer.exe””)
We
Windows Management SIP and Trust Provider Hijacking Instrumentation Event Subscription
b Shell
Signed Scri
Space after Filename
jection Timestomp
Template In
pt Proxy Ex
Trusted Developer Utilities
Valid Accounts
ecution
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
Virtualization/Sandbox Evasion
Web Service output reg_and_cmdXSL Script Processing
Winlogon Helper DLL Software Packing
Port Monitors
Rc.common
Exploit Public-Facing ApplicatioRne-opened AppliCcMatSioTPns
External Remote Services Redundant AcceCssommand-Line Interface
Hardware Additions Compiled HTML File
Registry Run Keys / Startup Folder
Replication Through Removable Control Panel Items Media
Masquerading
Privilege Escalation
Modify Registry
Access Token Manipulation AccessibMilitsyhFteaatures
AppCertNDeLLtws ork Share Connection
Removal
AppInit DLLs
NTFS File Attributes
AppInit DLLs
Application Shimming
Authentication Package
BITSJobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
ImnjeacgteioFnile Execution Options
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
ModifyExistingService
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access NRetmwovrkalShare Connection
Initial Access
Execution
Persistence
.bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs
Defense Evasion
Access Token Manipulation Binary Padding
BITS Jobs
Bypass User Account Control Clear Command History CMSTP
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry Exploitation for Credential Access ForcedAuthentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LRLeMlaNyR/NBT -NS Poisoning and Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication Interception
Discovery
Account Discovery
Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery
File and Directory Discovery Network Service Scanning Network Share Discovery NetworkSniffing
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery
Query Registry
Remote System Discovery Security Software Discovery System Information Discovery SDyisctoevmerNyetwork Configuration SDyisctoevmerNyetwork Connections System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software DMiosdtreibluted Component Object Exploitation of Remote Services Logon Scripts
Pass the Hash
Pass the Ticket RemoteDesktopProtocol Remote File Copy
Remote Services
RMepdliacation Through Removable Shared W ebroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories Data from Local System
Data from Network Shared Drive Data from Removable Media DataStaged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port CRoemmovuanbilceaMtioendiTahrough Connection Proxy CPruosttocmolCommand and Control Custom Cryptographic Protocol Data Encoding
Data Obfuscation
DomainFronting
Domain Generation Algorithms Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol ECxofniltroaltiConhaOnvnerlCommand and EMxefdiltiruamtion Over Other Network ExfiltrationOverPhysicalMedium Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service Firmware Corruption InhibitSystemRecovery Network Denial of Service Resource Hijacking
Runtime Data Manipulation Service Stop
Stored Data Manipulation Transmitted Data Manipulation
Drive-by Compromise
AppleScript
Spearphishing Attachment Spearphishing Link SpearphishingviaService Supply Chain Compromise Trusted Relationship
Valid Accounts
Scheduled Task Dynamic Data Exchange Screensaver Execution through API SecuritySupportEPxreocvutiidoenrthroughModuleLoad Service Registry PExeprlomitaistisoinofnorsClient Execution Weakness Graphical User Interface Setuid and SetgidInstallUtil
Shortcut ModificaLtaiounchctl
Local Job Scheduling
SIP and Trust Provider Hijacking
LSASS Driver Startup Items Mshta
System FirmwarePowerShell Systemd ServiceRegsvcs/Regasm
Application Shimming
Bypass UOsberfuAscaoutendt CFonilterosl or Information
Redundant Access
Launch Daemon
New SerRviecegsvcs/Regasm
Path InteRrcegptsiovnr32 Plist ModRifoicoatikonit Port Monitors
Rundll32
Setuid and Setgid
Signed Script Proxy Execution
SID-History Injection
SIP and Trust Provider Hijacking
Startup Items
Sudo Software Packing Sudo CaSchpinagce after Filename
Valid Accounts
Template Injection
Web Shell
Time Providers Trap
Valid Accounts Web Shell
Regsvr32 Rundll32 Scheduled Task Scripting
Service Execution
Signed Binary Proxy Execution
Process Injection
SchedulSedcrTiapstking SWeravkicneeRSsseiginsterydPBerimnaisrsyionPsroxy Execution
DCShadow DIneforbmfuasticoante/Decode Files or Disabling Security Tools
DLL Search Order Hijacking DLL Side-Loading
Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion
File Permissions Modification File System Logical Of fsets Gatekeeper Bypass
Group Policy Modification Hidden Files and Directories Hidden Users
Hidden Window HISTCONTROL
ImnjeacgteioFnile Execution Options Indicator Blocking IndicatorRemovalfrom Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking Masquerading
Modify Registry
Mshta
Windows Management
Instrumentation ESvigenetdSucrbipstcPrriopxtyioEnxecution Winlogon HelperSDoLurLce
Space after Filename Third-party Software
Trap
Trusted Developer Utilities User Execution
Windows Management Instrumentation WindowsRemoteManagement XSL Script Processing
Timestomp
Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service
XSL Script Processing
DLL SeaPrclhisOt MrdeordHiifjiaccakitniogn DylibHijPacokirntgKnocking
Exploitation for Privilege Escalation Extra WiPndrowceMsesmDoroypInpjecltgioännging File SystPemroPcersmsisHsionlsloWwienagkness HookingProcess Injection ImnjeacgteioFnile Execution Options
Code Signing CompileAfterDelivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking Control Panel Items
&CK for Adversary Emulation and Red Teaming
Registry Run Keys / Startup Folder NTFS File Attributes
APT28
Legend APT29 Both
Comparing APT28 to APT29
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
Use ATT
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions Process Doppelgänging Weakness
Assessment and Engineering
Obfuscated Files or Information Plist Modification
Port Knocking
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
The best defense is a well-tested defense. ATT&CK provides a common adversary
analytics to detect threats.
behavior framework base
d
on threat
i
ntelligence that red teams can use to emulate
Setuid and Setgid Process Hollowing
Shortcut Modification
SIP and Trust Provider Hijacking
Process Injection Redundant Access Regsvcs/Regasm
Startup Items
System F
irmware Systemd Service
Regs
vr32 Rootkit
AdhveersaryEmulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application External Remote Services Hardware Additions
Replication Through Removable Media
Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface Compiled HTML File
Control Panel Items
Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution Signed Script Proxy Execution Source
Space after Filename Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management Instrumentation
Windows Remote Management XSL Script Processing
Persistence
.bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association Component Firmware
Component Object Model Hijacking Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness Hidden Files and Directories Hooking
Hypervisor
ImnjeacgteioFnile Execution Options
Kernel Modules and Extensions Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Privilege Escalation
Access Token Manipulation Accessibility Features AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation Extra Window Memory Injection
File System Permissions W eakness Hooking
ImnjeacgteioFnile Execution Options Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
SWeeravikcneeRssegistry Permissions
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation Binary Padding
BITS Jobs
Bypass User Account Control Clear Command History CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking Control Panel Items
DCShadow
DIneforbmfuasticoante/Decode Files or Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion Extra Window Memory Injection File Deletion
File Permissions Modification
File System Logical Of fsets Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories Hidden Users
Hidden Window
HISTCONTROL
ImnjeacgteioFnile Execution Options Indicator Blocking
Indicator Removal from Tools Indicator Removal on Host
Indirect Command Execution Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry Exploitation for Credential Access Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LRLeMlaNyR/NBT -NS Poisoning and Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory TInwteor-cFeapcttionr Authentication
Discovery
Account Discovery
Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery
File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery
Query Registry
Remote System Discovery Security Software Discovery System Information Discovery SDyisctoevmerNyetwork Configuration SDyisctoevmerNyetwork Connections System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software DMiosdtreibluted Component Object Exploitation of Remote Services Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol Remote File Copy
Remote Services
RMepdliacation Through Removable Shared W ebroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories Data from Local System
Data from Network Shared Drive Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port CRoemmovuanbilceaMtioendiTahrough Connection Proxy CPruosttocmolCommand and Control Custom Cryptographic Protocol Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol SPtraontodcaorld Non-Application Layer Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol ECxofniltroaltiConhaOnvnerlCommand and EMxefdiltiruamtion Over Other Network Exfiltration Over Physical Medium Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service Firmware Corruption
Inhibit System Recovery Network Denial of Service Resource Hijacking
Runtime Data Manipulation Service Stop
Stored Data Manipulation Transmitted Data Manipulation
Legend
Low Priority High Priority
Finding Gaps in Defense
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
processes—and then fix t
m.
Time Providers Rundll32
Trap Scripting
Valid Accounts Signed Binary Proxy Execution Web Shell Signed Script Proxy Execution Windows Management SIP and Trust Provider Hijacking
Instrume
Winlo
n
ntation Event Subscriptio
gon Helper
DLL
Software Packing Space after Filename
Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts
Launchctl Local Job Scheduling LSASS Driver Trap
AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange
Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection
Virtualization/Sandbox Web Service
XSL Script Processing
Execution t
igning
Module Load Exploitation for Client Execution
Dylib Hijacking
File System Permissions Weakness Hooking
Compiled HTML File
RegsvrA32
Setuird aond Svetgid DisablinlgySecsurity Tsools
Rundll
din
32 Scripting
hrough
S c h e d u l e d T a s k
Template Injection Timestomp
Trusted Developer Utilit
B i n a r y P a d d i n V ga l i d A c c o u n t s
TT&CK or p
ided by an
,c
DLL Search Order Hijacking Image File Execution Options Injection Plist Modification
Valid Accounts
Accessibility Features AppCert DLLs
BITS Jobs
Clear Command History
Use ATT&CK to Build You
Execution through API AppInit DLLs CMSTP
A
pplica
Sta
analytics to detect threats.
tion Sh
rtu
p Ite
imming
Code S
ATT&CK includes resources design
Graphical User Interface Launch Daemon Hijacking
C
nel Mshta Path Interception DCShadow
InstallU
ew
Ser
vice
til
N
ol Pa
s
detect the techniques used by an a
PowerShell Port Monitors Deobfuscate/Decode Files
Regsvcs/Regasm Service Registry Permissions Weakness or Information
ms
D
Exploitation for Defense Evasion File Deletion
Privilege EscalatFioinle PermissionDesfense Evasio Access Token ManipulationModificationAccess Token Manipul AccessibilityFeialteuresSystem LogicalBOinarfyfPsaeddtinsg AppCert DLLs Gatekeeper BypBaITSsJsobs
AppInit DLLs Group Policy ModifBiycpasstiUosenr Account ApplicationHShiimdmdingen Files and DirCelecartComrmieansd Histor Bypass User Account ConHtrolidden UsersCMSTP
LL
Web Shell Execution Guardrails
Component Firmware Component Object Model
ontr
S
g
ide-
Loa
Item
Service Execution .bash_profile and .bashrc Exploitation for
Signed B
n Authentication Package
y Proxy Execution
SID-History Injection Persistence Sudo
.bash_profiSle aund.boashCrc aching Accessibility Features
Account Manipulation AppCert DLLs AppInit DLLs Application Shimming
inar
Signed SIncitriiapl tAccess Proxy ExeDcrivue-tbiyoCnompromise
SourcEexploit Public-Facing Application Space after FExitleernanl RaemoteServices
Third-party SHaordfwtawre aAdrdeitions Trusted DeveloRMpepdeliacratiUon tTihlriotuigeh sRemovable
Spearphishing Attachment
EBxIeTcuStioJnobs
AppBleSocriopt tkit BrowCsMeSTrP Extensions ChCaomnmganed-LDineeIntfearfaucelt FileComApisledsHoTMcLiaFilteion CompControel PnantelFIteimrsmware Dynamic Data Exchange
A
n
ccou
nt M
an
ipulatio
P
rivi
lege
Es
cala
tio
ies
Evasion Account Manipulation Bash History
Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking
AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts
Pass the Hash Pass the Ticket Remote Desktop Protocol
Audio Capture Automated Collection Clipboard Data
Data from Information Repositories
Data from Local System Data from Network Shared Drive
Data from Removable Media Data Staged
Email Collection
Input Capture
Man in the Browser Screen Capture
Video Capture
Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol
Data Encoding
Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy
Automated Exfiltration Data Compressed Data Encrypted
Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact Defacement
Disk Content Wipe
Disk Structure Wipe Endpoint Denial of Service
Data Destruction Data Encrypted for Impact Defacement
Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation
Transmitted Data Manipulation
Pass
nt
Network Sniffing
Account Discovery Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery
r Defensive Platform
Input Capture Peripheral Device Discovery Remote File Copy
Inpu
pt
R
Se
t Prom
Perm
emote
rvices
Kerberoasting Keychain LLMNR/NBT-NS Poisoning
Process Discovery Query Discovery Remote System Discovery
Replication Through Removable Media Shared Webroot
is
sion
Disco
Groups
y
ver
and Relay Security Software Discovery SSH Hijacking Multilayer Encryption ed to help cyber defenders develop analytics that
M
C
ls Private Keys Discovery Third-party Software Port Knocking
wo
rd Filt
er D
LL
Syst
onf
igu
em
Infor
ratio
mati
n Disc
on
Tain
t Sh
are
Securityd Memory System Network Windows Admin Shares Remote Access Tools dversary. Based on threat intelligence included in
over
y
Two-Factor Authentication Windows Remote Remote File Copy
dC
Interception System Network Management Standard Application Layer
Connections Discovery Protocol yber defenders can create a comprehensive set of
n Credential Access
ation Account Manipulation Bash History
Brute Force
Control Credential Dumping y Credentials in Files
Credentials in Registry
System Owner/User Discovery System Service Discovery System Time Discovery VirDtuisacolivzearytion/Sandbox
Account DEiscvovaersy ion Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery
File and Directory Discovery Network Service Scanning
Lateral Movement
AppleScript
Application Deployment Software DMiosdtreibluted Component Object Exploitation of Remote Services Logon Scripts
Pass the Hash
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories Data from Local System
Data from Network Shared Drive
Command And Control
Commonly Used Port CRoemmovuanbilceaMtioendiTahrough Connection Proxy CPruosttocmolCommand and Control Custom Cryptographic Protocol Data Encoding
Standard Cryptographic Protocol Standard Non-Application Layer Protocol UncommExofilntralytioUn sed Port WAeutbomaStedeErxfviltriactioen
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol ECxofniltroaltiConhaOnvnerl Command and
onte
ul
ti-St
age C
ha
nne
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task Obfuscated Files or Information
NRetmwovrkalShare Connection
SpearphishingLink Spearphishing via Service Supply Chain Compromise Trusted Relationship
Valid Accounts
ExecutionthroughAPI Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
AuthenticationPackage
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association Component Firmware
Component Object Model Hijacking Create Account
DLL Search Order Hijacking Dylib Hijacking
DLLSearchOrderHijacking
Dylib Hijacking
Exploitation for Privilege Escalation Extra Window Memory Injection
File System Permissions W eakness Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Path Interception
CodeSigning
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking Control Panel Items
DCShadow
Deobfuscate/Decode Files or Information
Disabling Security Tools
DLL Search Order Hijacking
ExploitationforCredential Access Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and Relay
Network Snif fing Password Filter DLL
NetworkShareDiscovery Network Snif fing
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery
Query Registry
Remote System Discovery Security Software Discovery System Information Discovery
PasstheTicket
Remote Desktop Protocol Remote File Copy
Remote Services
RMepdliacation Through Removable Shared W ebroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
DatafromRemovableMedia Data Staged
Email Collection
Input Capture
Man in the Browser Screen Capture Video Capture
DataObfuscation
Domain Fronting
Domain Generation Algorithms Fallback Channels
Multi-hop Proxy
Multi-Stage Channels Multiband Communication Multilayer Encryption
Port Knocking
Remote Access Tools
EMxefdiltiruamtionOverOtherNetwork Exfiltration Over Physical Medium Scheduled Transfer
FirmwareCorruption
Inhibit System Recovery Network Denial of Service Resource Hijacking
Runtime Data Manipulation Service Stop
Stored Data Manipulation Transmitted Data Manipulation
NTFS File Attributes
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Screensaver Plist Modification
Security Support Provider Service Registry Permissions Weakness
Setuid and Setgid
Port Knocking
Process Doppelgänging
Process Hollowing
cmstp
account manipulation
bits jobs
rootkit
kernel modules and extensions
y
keychain
exploitation for client execution
hypervisor
w
i
n
d
bypass user account control
o
w
s
e
v
browser extensions
en
tl
application shimming
og
s
applescript
s
s
t
e
m
c
a
l
l
s
web service
spearphishing via service
s
spearphishing link
s
l
/
t
l
s
i
n
s
p
e
c
t
i
o
n
obfuscated files or information
ob
install root certificate
n
e
s
y
o
cti
e
t
e
ds
n
o
i
endpoint denial of service
u
s
t
r
t
i
m
k
r
standard cryptographic protocol
sta
o
w
t
e
n
drive-by compromise
s
g
domain fronting
n
o
l
e
c
i
v
e
d
k
r
e
o
s
w
r
t
template injection
e
e
n
v
e
r
e
r
a
w
l
standard non-application layer protocol
a
spearphishing attachment
m
remote access tools
obfuscated files or information
network denial of service
endpoint denial of service
-by compromise
protocol
ATT&CK and CTI
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Threat Intelligence – How ATT&CK Can Help
▪Use knowledge of adversary behaviors to inform defenders
▪ Structuring threat intelligence with ATT&CK allows us to… – Compare behaviors
▪ Groups to each other ▪ Groups over time
▪ Groups to defenses
– Communicate in a common language
| 21 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Communicate to Defenders
THIS is what the adversary is doing! The Run key is AdobeUpdater.
Registry Run Keys / Startup Folder (T1060)
Oh, we have Registry data, we can detect that!
CTI Analyst
Defender
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Communicate Across the Community
Company A
APT1337 is using autorun
Registry Run Keys / Startup Folder (T1060)
Oh, you mean T1060!
CTI Consumer
Company B
FUZZYDUCK used a Run key
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI
Understand ATT&CK
Module 1
Map data to ATT&CK
Module 2 Module 3
Store & analyze ATT&CK-mapped data
Module 4
Make defensive recommendations from ATT&CK- mapped data
Module 5
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
End of Module 1
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.