Source: MITRE ATT&CK Enterprise Matrix, https://attack.mitre.org/matrices/enterprise/
Snapshot: MITRE, as of Dec 2020, itemizes 177 Techniques and 348 Sub-Techniques for Enterprise.

Enterprise Tactics (MITRE's 14 categories of adversary objective; they are often compared with the Cyber Kill Chain phases but are MITRE's own model, not a modification of the Kill Chain)

 #   Tactic                 The adversary is trying to ...                           Techniques   Sub-techniques
 1   Reconnaissance         gather information for use in future operations.             10            31
 2   Resource Development   establish resources they can use to support operations.       6            26
 3   Initial Access         get into the network.                                          9            10
 4   Execution              run malicious code.                                           10
 5   Persistence            maintain a foothold.                                          18
 6   Privilege Escalation   gain higher-level permissions.                                12
 7   Defense Evasion        avoid being detected.                                         37
 8   Credential Access      steal account names and passwords.                            14
 9   Discovery              figure out the environment.                                   25
10   Lateral Movement       move through the environment.                                  9
11   Collection             gather data of interest to a goal.                            17
12   Command and Control    communicate with compromised systems to control them.         16
13   Exfiltration           steal data.                                                    9
14   Impact                 manipulate, interrupt, or destroy systems and data.           13
                                                                             Total       205

Notes on the totals: the "Techniques" column counts a technique once under every tactic it is mapped to (Valid Accounts, for example, appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion), so the 205 tactic slots exceed the 177 distinct techniques. The "Sub-techniques" column is the sum of the per-technique counts in the lists that follow; the source sheet only filled it in for the first three tactics (and gave 30 for Reconnaissance, which does not match its own per-technique counts, which sum to 31). Per-technique sub-technique counts are shown in parentheses in the lists.

Enterprise Techniques (a technique is a behaviour, not an indicator of compromise; the number in parentheses is its count of sub-techniques)
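How the per-tactic totals in the table above are produced from ATT&CK's own data, as an added example (this is not code from the page or from MITRE). ATT&CK is published as a STIX 2 bundle in which each technique is an attack-pattern object carrying one kill_chain_phases entry per tactic, sub-techniques are flagged with x_mitre_is_subtechnique and linked to their parent by a subtechnique-of relationship, and retired entries are marked revoked or x_mitre_deprecated. Counting a technique under every tactic it is tagged with reproduces the 205-slot figure; counting the parent objects themselves gives the 177 distinct techniques. The bundle embedded below is a constructed sample in that layout with hypothetical object ids, not real ATT&CK content, so the script runs offline; the layout assumed is that of enterprise-attack/enterprise-attack.json in MITRE's CTI repository (https://github.com/mitre/cti). The render() output mirrors the "Tactic (N)" / "i Name (k)" layout of the lists below.

```python
import json
from collections import Counter, defaultdict

# The 14 Enterprise tactics in matrix order, by the phase_name ATT&CK uses in STIX.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

def _technique(uid, name, tactics, sub=False, revoked=False):
    # Constructed attack-pattern in the layout ATT&CK's STIX data uses (hypothetical ids).
    return {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
            "x_mitre_is_subtechnique": sub, "revoked": revoked,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}

def _sub_of(uid, sub_uid, parent_uid):
    # Constructed 'subtechnique-of' relationship: source is the sub, target the parent.
    return {"type": "relationship", "id": f"relationship--{uid}",
            "relationship_type": "subtechnique-of",
            "source_ref": f"attack-pattern--{sub_uid}",
            "target_ref": f"attack-pattern--{parent_uid}"}

# Constructed sample bundle, not real ATT&CK content: three parent techniques with one
# sub-technique each, plus one revoked technique that the counts must ignore.
_FOUR = ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    _technique("va", "Valid Accounts", _FOUR),
    _technique("va1", "Default Accounts", _FOUR, sub=True),
    _technique("ph", "Phishing", ["initial-access"]),
    _technique("ph1", "Spearphishing Attachment", ["initial-access"], sub=True),
    _technique("as", "Active Scanning", ["reconnaissance"]),
    _technique("as1", "Scanning IP Blocks", ["reconnaissance"], sub=True),
    _technique("old", "Constructed Revoked Technique", ["execution"], revoked=True),
    _sub_of("r1", "va1", "va"), _sub_of("r2", "ph1", "ph"), _sub_of("r3", "as1", "as"),
]})

def load_objects(bundle_text):
    """Parse a STIX bundle and drop revoked or deprecated objects, as the matrix does."""
    return [o for o in json.loads(bundle_text)["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]

def tactics_of(obj):
    """Tactic short names a technique is tagged with: one kill_chain_phases entry per tactic."""
    return [p["phase_name"] for p in obj.get("kill_chain_phases", [])
            if p.get("kill_chain_name") == "mitre-attack"]

def subtechnique_counts(objects):
    """Map parent technique id -> number of active sub-techniques linked to it."""
    active = {o["id"] for o in objects if o["type"] == "attack-pattern"}
    counts = Counter()
    for o in objects:
        if (o["type"] == "relationship" and o.get("relationship_type") == "subtechnique-of"
                and o["source_ref"] in active and o["target_ref"] in active):
            counts[o["target_ref"]] += 1
    return counts

def techniques_by_tactic(objects):
    """Map tactic -> sorted [(name, sub-technique count)] of parent techniques.

    A technique tagged with several tactics is listed under each of them, which is
    why the per-tactic totals add up to more than the number of distinct techniques.
    """
    subs = subtechnique_counts(objects)
    by_tactic = defaultdict(list)
    for o in objects:
        if o["type"] == "attack-pattern" and not o.get("x_mitre_is_subtechnique"):
            for tactic in tactics_of(o):
                by_tactic[tactic].append((o["name"], subs[o["id"]]))
    return {t: sorted(v) for t, v in by_tactic.items()}

def summary(objects):
    """Totals in the shape of the summary table: per tactic, tactic slots, distinct techniques."""
    by_tactic = techniques_by_tactic(objects)
    patterns = [o for o in objects if o["type"] == "attack-pattern"]
    n_subs = sum(1 for o in patterns if o.get("x_mitre_is_subtechnique"))
    return {"per_tactic": {t: len(by_tactic.get(t, [])) for t in TACTIC_ORDER},
            "tactic_slots": sum(len(v) for v in by_tactic.values()),
            "distinct_techniques": len(patterns) - n_subs,
            "subtechniques": n_subs}

def render(objects):
    """Render the per-tactic lists in the page's own 'Tactic (N)' / 'i Name (k)' layout."""
    by_tactic = techniques_by_tactic(objects)
    lines = []
    for tactic in TACTIC_ORDER:
        techs = by_tactic.get(tactic, [])
        title = " ".join(w if w == "and" else w.capitalize() for w in tactic.split("-"))
        lines.append(f"{title} ({len(techs)})")
        lines += [f"{i} {name}" + (f" ({k})" if k else "") for i, (name, k) in enumerate(techs, 1)]
    return "\n".join(lines)

if __name__ == "__main__":
    # For the real matrix, feed it the contents of enterprise-attack/enterprise-attack.json
    # from https://github.com/mitre/cti instead of SAMPLE_BUNDLE.
    objs = load_objects(SAMPLE_BUNDLE)
    print(render(objs))
    print(summary(objs))
```

On the sample, summary() reports 3 distinct techniques but 6 tactic slots, because Valid Accounts is tagged with four tactics; the revoked object is dropped before counting, which matters on the real bundle, where revoked and deprecated entries would otherwise inflate every total. Sub-technique counts are taken from subtechnique-of relationships rather than from ID prefixes, so a sub-technique whose parent has been revoked is not counted against anything.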
Reconnaissance (10)
1 Active Scanning (2)              
2 Gather Victim Host Information (4)              
3 Gather Victim Identity Information (3)              
4 Gather Victim Network Information (6)  
5 Gather Victim Org Information (4)  
6 Phishing for Information (3): Spearphishing Service; Spearphishing Attachment; Spearphishing Link
7 Search Closed Sources (2)  
8 Search Open Technical Databases (5)  
9 Search Open Websites/Domains (2)  
10 Search Victim-Owned Websites  
Resource Development (6)
1 Acquire Infrastructure (6)  
2 Compromise Accounts (2)  
3 Compromise Infrastructure (6)  
4 Develop Capabilities (4)  
5 Establish Accounts (2)  
6 Obtain Capabilities (6)  
Initial Access (9)
1 Drive-by Compromise  
2 Exploit Public-Facing Application  
3 External Remote Services  
4 Hardware Additions  
5 Phishing (3)  
6 Replication Through Removable Media  
7 Supply Chain Compromise (3)  
8 Trusted Relationship  
9 Valid Accounts (4)  
Execution (10)
1 Command and Scripting Interpreter (8)
2 Exploitation for Client Execution
3 Inter-Process Communication (2)
4 Native API
5 Scheduled Task/Job (6)
6 Shared Modules
7 Software Deployment Tools
8 System Services (2)
9 User Execution (2)
10 Windows Management Instrumentation
Persistence (18)
1 Account Manipulation (4)  
2 BITS Jobs  
3 Boot or Logon Autostart Execution (12)  
4 Boot or Logon Initialization Scripts (5)  
5 Browser Extensions  
6 Compromise Client Software Binary  
7 Create Account (3)  
8 Create or Modify System Process (4)  
9 Event Triggered Execution (15)  
10 External Remote Services  
11 Hijack Execution Flow (11)  
12 Implant Container Image  
13 Office Application Startup (6)  
14 Pre-OS Boot (5)  
15 Scheduled Task/Job (6)  
16 Server Software Component (3)  
17 Traffic Signaling (1)  
18 Valid Accounts (4)  
Privilege Escalation (12)
1 Abuse Elevation Control Mechanism (4)  
2 Access Token Manipulation (5)  
3 Boot or Logon Autostart Execution (12)  
4 Boot or Logon Initialization Scripts (5)  
5 Create or Modify System Process (4)  
6 Event Triggered Execution (15)  
7 Exploitation for Privilege Escalation  
8 Group Policy Modification  
9 Hijack Execution Flow (11)  
10 Process Injection (11)  
11 Scheduled Task/Job (6)  
12 Valid Accounts (4)  
Defense Evasion (37)
1 Abuse Elevation Control Mechanism (4)  
2 Access Token Manipulation (5)  
3 BITS Jobs  
4 Deobfuscate/Decode Files or Information  
5 Direct Volume Access  
6 Execution Guardrails (1)  
7 Exploitation for Defense Evasion  
8 File and Directory Permissions Modification (2)  
9 Group Policy Modification  
10 Hide Artifacts (7)  
11 Hijack Execution Flow (11)  
12 Impair Defenses (7)  
13 Indicator Removal on Host (6)  
14 Indirect Command Execution  
15 Masquerading (6)  
16 Modify Authentication Process (4)  
17 Modify Cloud Compute Infrastructure (4)  
18 Modify Registry  
19 Modify System Image (2)  
20 Network Boundary Bridging (1)  
21 Obfuscated Files or Information (5)  
22 Pre-OS Boot (5)  
23 Process Injection (11)  
24 Rogue Domain Controller  
25 Rootkit  
26 Signed Binary Proxy Execution (11)  
27 Signed Script Proxy Execution (1)  
28 Subvert Trust Controls (4)  
29 Template Injection  
30 Traffic Signaling (1)  
31 Trusted Developer Utilities Proxy Execution (1)  
32 Unused/Unsupported Cloud Regions  
33 Use Alternate Authentication Material (4)  
34 Valid Accounts (4)  
35 Virtualization/Sandbox Evasion (3)  
36 Weaken Encryption (2)  
37 XSL Script Processing  
Credential Access (14)
1 Brute Force (4)  
2 Credentials from Password Stores (3)  
3 Exploitation for Credential Access  
4 Forced Authentication  
5 Input Capture (4)  
6 Man-in-the-Middle (2)  
7 Modify Authentication Process (4)  
8 Network Sniffing  
9 OS Credential Dumping (8)  
10 Steal Application Access Token  
11 Steal or Forge Kerberos Tickets (4)  
12 Steal Web Session Cookie  
13 Two-Factor Authentication Interception  
14 Unsecured Credentials (6)  
Discovery (25)
1 Account Discovery (4)  
2 Application Window Discovery  
3 Browser Bookmark Discovery  
4 Cloud Infrastructure Discovery  
5 Cloud Service Dashboard  
6 Cloud Service Discovery  
7 Domain Trust Discovery  
8 File and Directory Discovery  
9 Network Service Scanning  
10 Network Share Discovery  
11 Network Sniffing  
12 Password Policy Discovery  
13 Peripheral Device Discovery  
14 Permission Groups Discovery (3)  
15 Process Discovery  
16 Query Registry  
17 Remote System Discovery  
18 Software Discovery (1)  
19 System Information Discovery  
20 System Network Configuration Discovery  
21 System Network Connections Discovery  
22 System Owner/User Discovery  
23 System Service Discovery  
24 System Time Discovery  
25 Virtualization/Sandbox Evasion (3)  
Lateral Movement (9)
1 Exploitation of Remote Services  
2 Internal Spearphishing  
3 Lateral Tool Transfer  
4 Remote Service Session Hijacking (2)  
5 Remote Services (6)  
6 Replication Through Removable Media  
7 Software Deployment Tools  
8 Taint Shared Content  
9 Use Alternate Authentication Material (4)  
Collection (17)
1 Archive Collected Data (3)  
2 Audio Capture  
3 Automated Collection  
4 Clipboard Data  
5 Data from Cloud Storage Object  
6 Data from Configuration Repository (2)  
7 Data from Information Repositories (2)  
8 Data from Local System  
9 Data from Network Shared Drive  
10 Data from Removable Media  
11 Data Staged (2)  
12 Email Collection (3)  
13 Input Capture (4)  
14 Man in the Browser  
15 Man-in-the-Middle (2)  
16 Screen Capture  
17 Video Capture  
Command and Control (16)
1 Application Layer Protocol (4)  
2 Communication Through Removable Media  
3 Data Encoding (2)  
4 Data Obfuscation (3)  
5 Dynamic Resolution (3)  
6 Encrypted Channel (2)  
7 Fallback Channels  
8 Ingress Tool Transfer  
9 Multi-Stage Channels  
10 Non-Application Layer Protocol  
11 Non-Standard Port  
12 Protocol Tunneling  
13 Proxy (4)  
14 Remote Access Software  
15 Traffic Signaling (1)  
16 Web Service (3)  
Exfiltration (9)
1 Automated Exfiltration (1)  
2 Data Transfer Size Limits  
3 Exfiltration Over Alternative Protocol (3)  
4 Exfiltration Over C2 Channel  
5 Exfiltration Over Other Network Medium (1)  
6 Exfiltration Over Physical Medium (1)  
7 Exfiltration Over Web Service (2)  
8 Scheduled Transfer  
9 Transfer Data to Cloud Account  
Impact (13)
1 Account Access Removal  
2 Data Destruction  
3 Data Encrypted for Impact  
4 Data Manipulation (3)  
5 Defacement (2)  
6 Disk Wipe (2)  
7 Endpoint Denial of Service (4)  
8 Firmware Corruption  
9 Inhibit System Recovery  
10 Network Denial of Service (2)  
11 Resource Hijacking  
12 Service Stop  
13 System Shutdown/Reboot