attack.mitre.
org
Using Adversary Behavior to
Strengthen Cyber Defense
No matter how strong your patching, compliance and security software,
a determined cyber adversary can typically find a way into your network.
But how did the attacker get in? How are they moving around? And how
can you use that knowledge to detect, mitigate and prevent future
attacks? The MITRE ATT&CK™ framework answers those questions by
providing a globally accessible knowledge base of adversary tactics and
techniques that are based on real-world observations of adversaries’
operations against computer networks. Armed with this knowledge,
organizations and security vendors can work toward improving detection
and prevention methods.
Pioneering with the Cyber Community for
Collaborative Defense
ATT&CK was first created by a MITRE internal research program using
our own data and operations. Now based on published, open source
threat information, MITRE provides the framework as a resource to the
cyber community. Anyone is free to leverage it, and everyone is free to
use and contribute to ATT&CK.
By making the ATT&CK knowledge base globally accessible, MITRE
supports a growing community that is fostering innovation in open
source tools, products and services based on the framework. ATT&CK is
experiencing significant growth across the cybersecurity community, with
wide adoption from industry, government and security vendors including
organizations like Microsoft, IBM, USAA, JPMorgan Chase, and Palo Alto.
With the creation of ATT&CK, MITRE is partnering with the cyber
community to fulfill its mission to solve problems for a safer world.
Get Started with ATT&CK
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge
of past incidents, commercial threat feeds, information-sharing groups,
government threat-sharing programs, and more. ATT&CK gives analysts
a common language to communicate across reports and organizations,
providing a way to structure, compare, and analyze threat intelligence.
Comparing APT 28 to Deep Panda
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop
analytics that detect the techniques used by an adversary. Based on
threat intelligence included in ATT&CK or provided by analysts, cyber
defenders can create a comprehensive set of analytics to detect threats.
Finding Gaps in Defense
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common
adversary behavior framework based on threat intelligence that red teams
can use to emulate specific threats. This helps cyber defenders find gaps in
visibility, defensive tools and processes—and then fix them.
Join the ATT&CK Community
MITRE encourages other researchers, analysts and cyber defenders to join
our community and contribute new techniques and information.
MITRE ATT&CK Resources
attack.mitre.org
• Access ATT&CK technical information
• Contribute to ATT&CK
• Follow our blog
• Watch ATT&CK presentations
@MITREattack
Follow us on Twitter for the latest news.
 Ini�al Access Execu�on
Valid Accounts
Trusted Rela�onship Trap
Supply Chain Compromise LSASS Driver
Spearphishing via Service Local Job Scheduling
Spearphishing Link Launchctl
Spearphishing A�achment XSL Script Processing
Replica�on Through Windows Remote
Removable Media Management
Exploit Public-Facing User Execu�on
Applica�on Trusted Developer U�li�es
Hardware Addi�ons Third-party So�ware
Drive-by Compromise Space a�er Filename
Source
Signed Script
Proxy Execu�on
Service Execu�on
Scrip�ng
Rundll32
Regsvr32
Regsvcs/Regasm
PowerShell
Mshta
InstallU�l
Graphical User Interface
Exploita�on for
Client Execu�on
Execu�on through API
Dynamic Data Exchange
Control Panel Items
Compiled HTML File
Command-Line Interface
CMSTP
AppleScript
Windows Management
Instrumenta�on
Signed Binary
Proxy Execu�on
Execu�on through
Module Load
Hidden Files and Directories
Persistence Privilege Escala�on Defense Evasion Creden�alAccess Discovery Lateral Movement Collec�on Exfiltra�on Command and Control
Scheduled Task XSL Script Processing Network Sniffing Windows Remote Video Capture Scheduled Transfer Web Service
Process Injec�on Two-Factor Authen�ca�on System Time Discovery Management Screen Capture Exfiltra�on Over Uncommonly Used Port
Extra Window Memory Injec�on Intercep�on System Service Discovery Third-party So�ware Man in the Browser Physical Medium Standard Non-Applica�on
Bypass User Account Control Private Keys System Owner/User Taint Shared Content Input Capture Exfiltra�on Over Command Layer Protocol
Access Token Manipula�on Password Filter DLL Discovery SSH Hijacking Email Collec�on and Control Channel Standard Applica�on
Valid Accounts LLMNR/NBT-NS Poisoning System Network Shared Webroot Data Staged Data Transfer Size Limits Layer Protocol
Plist Modifica�on Keychain Configura�on Discovery Replica�on Through Data from Removable Media Data Encrypted Remote Access Tools
Image File Execu�on Op�ons Injec�on Kerberoas�ng Security So�ware Discovery Removable Media Data from Network Data Compressed Port Knocking
DLL Search Order Hijacking Input Prompt Remote System Discovery Remote File Copy Shared Drive Automated Exfiltra�on Mul�layer Encryp�on
Web Shell Web Service Input Capture Query Registry Remote Desktop Protocol Data from Informa�on Exfiltra�on Over Other Mul�band Communica�on
Startup Items Trusted Developer U�li�es Hooking Process Discovery Pass the Ticket Repositories Network Medium Mul�-Stage Channels
Setuid and Setgid Timestomp Forced Authen�ca�on Permission Groups Discovery Pass the Hash Automated Collec�on Exfiltra�on Over Mul�-hop Proxy
Service Registry Permissions Weakness Template Injec�on Exploita�on for Peripheral Device Discovery Logon Scripts Audio Capture Alterna�ve Protocol Fallback Channels
Port Monitors Space a�er Filename Creden�al Access Password Policy Discovery Exploita�on of Data from Local System Domain Fron�ng
Path Intercep�on So�ware Packing Creden�als in Files Network Share Discovery Remote Services Clipboard Data Data Obfusca�on
New Service SIP and Trust Creden�al Dumping Network Service Scanning Applica�on Deployment Data Encoding
Launch Daemon Provider Hijacking Brute Force File and Directory Discovery So�ware Custom Cryptographic
Hooking Signed Binary Bash History Browser Bookmark Discovery Windows Admin Shares Protocol
File System Permissions Weakness Proxy Execu�on Account Manipula�on Applica�on Window Remote Services Connec�on Proxy
Dylib Hijacking Rundll32 Securityd Memory Discovery Distributed Component Communica�on Through
Applica�on Shimming Rootkit Creden�als in Registry System Network Object Model Removable Media
AppInit DLLs Regsvr32 Connec�ons Discovery AppleScript Standard Cryptographic
AppCert DLLs Regsvcs/Regasm System Informa�on Protocol
Accessibility Features Redundant Access Discovery Remote File Copy
Winlogon Helper DLL Sudo Caching Process Hollowing Account Discovery Custom Command and
Windows Management Sudo Process Doppelganging Control Protocol
Instrumenta�on SID-History Injec�on Port Knocking Commonly Used Port
Event Subscrip�on Exploita�on for Obfuscated Files
SIP and Trust Provider Privilege Escala�on or Informa�on
Hijacking Network Share
Security Support Provider Connec�on Removal
Screensaver Modify Registry
Registry Run Masquerading
Keys / Startup Folder LC_MAIN Hijacking
Re-opened Applica�ons Launchctl
Rc.common InstallU�l
Port Knocking Install Root Cer�ficate
Office Applica�on Startup Indirect Command Execu�on
Netsh Helper DLL Component Firmware
Modify Exis�ng Service Indicator Removal from Tools
The MITRE ATT&CK™
Logon Scripts Indicator Blocking
Login Item HISTCONTROL
LC_LOAD_DYLIB Addi�on Hidden Window
Launch Agent Hidden Users
Enterprise Framework
Kernel Modules Hidden Files and Directories
and Extensions Gatekeeper Bypass
File System Logical Offsets
External Remote Services File Permissions Modifica�on
Create Account File Dele�on
Component Object Model Exploita�on for
Hijacking Defense Evasion
Change Default
File Associa�on
Disabling Security Tools
Deobfuscate/Decode Files
attack.mitre.org
Bootkit or Informa�on
BITS Jobs Control Panel Items
Authen�ca�on Package Component Object
Account Manipula�on Model Hijacking
.bash_profile and .bashrc Compiled HTML File
Time Providers Code Signing
System Firmware CMSTP
Shortcut Modifica�on Clear Command History
Redundant Access BITS Jobs
Hypervisor Signed Script Proxy Execu�on
Component Firmware Scrip�ng
Browser Extensions NTFS File A�ributes
Mshta
Indicator Removal on Host
DLL Side-Loading
DCShadow © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288.