From MITRE ATT&CK Model: https://attack.mitre.org/matrices/enterprise/

Enterprise Tactics [From Cyber Kill Chain, Modified by MITRE]

 #   Tactic                  Adversary goal                                           Total Techniques
 1   Reconnaissance          gather information for use in future operations.         10
 2   Resource Development    establish resources they can use to support operations.  6
 3   Initial Access          get into the network.                                    9
 4   Execution               run malicious code.                                      10
 5   Persistence             maintain a foothold.                                     18
 6   Privilege Escalation    gain higher-level permissions.                           12
 7   Defense Evasion         avoid being detected.                                    37
 8   Credential Access                                                                14
 9   Discovery                                                                        25
10   Lateral Movement                                                                 9
11   Collection              gather data of interest to a goal.                       17
12   Command and Control                                                              16
13   Exfiltration                                                                     9
14   Impact                                                                           13
     Total                                                                            205

Total Sub-techniques (the sheet's tally is partial; columns are in the same tactic order as above):
30 | 26 | 10 | 103 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0

Enterprise Techniques/IOCs
[MITRE as of Dec 2020 has itemized 177 Techniques and 348 Sub-Techniques]
The number of sub-techniques for each technique is given in parentheses in the lists below.
Reconnaissance (10)
1. Active Scanning (2)
2. Gather Victim Host Information (4)
3. Gather Victim Identity Information (3)
4. Gather Victim Network Information (6)
5. Gather Victim Org Information (4)
6. Phishing for Information (3): Spearphishing; Attachment; Link
7. Search Closed Sources (2)
8. Search Open Technical Databases (5)
9. Search Open Websites/Domains (2)
10. Search Victim-Owned Websites
Resource Development (6)
1. Acquire Infrastructure (6)
2. Compromise Accounts (2)
3. Compromise Infrastructure (6)
4. Develop Capabilities (4)
5. Establish Accounts (2)
6. Obtain Capabilities (6)
Initial Access (9)
1. Drive-by Compromise
2. Exploit Public-Facing Application
3. External Remote Services
4. Hardware Additions
5. Phishing (3)
6. Replication Through Removable Media
7. Supply Chain Compromise (3)
8. Trusted Relationship
9. Valid Accounts (4)
Execution (10)
1. Command and Scripting Interpreter (8)
2. Exploitation for Client Execution
3. Inter-Process Communication (2)
4. Native API
5. Scheduled Task/Job (6)
6. Shared Modules
7. Software Deployment Tools
8. System Services (2)
9. User Execution (2)
10. Windows Management Instrumentation
Persistence (18)
1. Account Manipulation (4)
2. BITS Jobs
3. Boot or Logon Autostart Execution (12)
4. Boot or Logon Initialization Scripts (5)
5. Browser Extensions
6. Compromise Client Software Binary
7. Create Account (3)
8. Create or Modify System Process (4)
9. Event Triggered Execution (15)
10. External Remote Services
11. Hijack Execution Flow (11)
12. Implant Container Image
13. Office Application Startup (6)
14. Pre-OS Boot (5)
15. Scheduled Task/Job (6)
16. Server Software Component (3)
17. Traffic Signaling (1)
18. Valid Accounts (4)
Privilege Escalation (12)
1. Abuse Elevation Control Mechanism (4)
2. Access Token Manipulation (5)
3. Boot or Logon Autostart Execution (12)
4. Boot or Logon Initialization Scripts (5)
5. Create or Modify System Process (4)
6. Event Triggered Execution (15)
7. Exploitation for Privilege Escalation
8. Group Policy Modification
9. Hijack Execution Flow (11)
10. Process Injection (11)
11. Scheduled Task/Job (6)
12. Valid Accounts (4)
Defense Evasion (37)
1. Abuse Elevation Control Mechanism (4)
2. Access Token Manipulation (5)
3. BITS Jobs
4. Deobfuscate/Decode Files or Information
5. Direct Volume Access
6. Execution Guardrails (1)
7. Exploitation for Defense Evasion
8. File and Directory Permissions Modification (2)
9. Group Policy Modification
10. Hide Artifacts (7)
11. Hijack Execution Flow (11)
12. Impair Defenses (7)
13. Indicator Removal on Host (6)
14. Indirect Command Execution
15. Masquerading (6)
16. Modify Authentication Process (4)
17. Modify Cloud Compute Infrastructure (4)
18. Modify Registry
19. Modify System Image (2)
20. Network Boundary Bridging (1)
21. Obfuscated Files or Information (5)
22. Pre-OS Boot (5)
23. Process Injection (11)
24. Rogue Domain Controller
25. Rootkit
26. Signed Binary Proxy Execution (11)
27. Signed Script Proxy Execution (1)
28. Subvert Trust Controls (4)
29. Template Injection
30. Traffic Signaling (1)
31. Trusted Developer Utilities Proxy Execution (1)
32. Unused/Unsupported Cloud Regions
33. Use Alternate Authentication Material (4)
34. Valid Accounts (4)
35. Virtualization/Sandbox Evasion (3)
36. Weaken Encryption (2)
37. XSL Script Processing
Credential Access (14)
1. Brute Force (4)
2. Credentials from Password Stores (3)
3. Exploitation for Credential Access
4. Forced Authentication
5. Input Capture (4)
6. Man-in-the-Middle (2)
7. Modify Authentication Process (4)
8. Network Sniffing
9. OS Credential Dumping (8)
10. Steal Application Access Token
11. Steal or Forge Kerberos Tickets (4)
12. Steal Web Session Cookie
13. Two-Factor Authentication Interception
14. Unsecured Credentials (6)
Discovery (25)
1. Account Discovery (4)
2. Application Window Discovery
3. Browser Bookmark Discovery
4. Cloud Infrastructure Discovery
5. Cloud Service Dashboard
6. Cloud Service Discovery
7. Domain Trust Discovery
8. File and Directory Discovery
9. Network Service Scanning
10. Network Share Discovery
11. Network Sniffing
12. Password Policy Discovery
13. Peripheral Device Discovery
14. Permission Groups Discovery (3)
15. Process Discovery
16. Query Registry
17. Remote System Discovery
18. Software Discovery (1)
19. System Information Discovery
20. System Network Configuration Discovery
21. System Network Connections Discovery
22. System Owner/User Discovery
23. System Service Discovery
24. System Time Discovery
25. Virtualization/Sandbox Evasion (3)
Lateral Movement (9)
1. Exploitation of Remote Services
2. Internal Spearphishing
3. Lateral Tool Transfer
4. Remote Service Session Hijacking (2)
5. Remote Services (6)
6. Replication Through Removable Media
7. Software Deployment Tools
8. Taint Shared Content
9. Use Alternate Authentication Material (4)
Collection (17)
1. Archive Collected Data (3)
2. Audio Capture
3. Automated Collection
4. Clipboard Data
5. Data from Cloud Storage Object
6. Data from Configuration Repository (2)
7. Data from Information Repositories (2)
8. Data from Local System
9. Data from Network Shared Drive
10. Data from Removable Media
11. Data Staged (2)
12. Email Collection (3)
13. Input Capture (4)
14. Man in the Browser
15. Man-in-the-Middle (2)
16. Screen Capture
17. Video Capture
Command and Control (16)
1. Application Layer Protocol (4)
2. Communication Through Removable Media
3. Data Encoding (2)
4. Data Obfuscation (3)
5. Dynamic Resolution (3)
6. Encrypted Channel (2)
7. Fallback Channels
8. Ingress Tool Transfer
9. Multi-Stage Channels
10. Non-Application Layer Protocol
11. Non-Standard Port
12. Protocol Tunneling
13. Proxy (4)
14. Remote Access Software
15. Traffic Signaling (1)
16. Web Service (3)
Exfiltration (9)
1. Automated Exfiltration (1)
2. Data Transfer Size Limits
3. Exfiltration Over Alternative Protocol (3)
4. Exfiltration Over C2 Channel
5. Exfiltration Over Other Network Medium (1)
6. Exfiltration Over Physical Medium (1)
7. Exfiltration Over Web Service (2)
8. Scheduled Transfer
9. Transfer Data to Cloud Account
Impact (13)
1. Account Access Removal
2. Data Destruction
3. Data Encrypted for Impact
4. Data Manipulation (3)
5. Defacement (2)
6. Disk Wipe (2)
7. Endpoint Denial of Service (4)
8. Firmware Corruption
9. Inhibit System Recovery
10. Network Denial of Service (2)
11. Resource Hijacking
12. Service Stop
13. System Shutdown/Reboot