©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Using MITRE ATT&CK™ for Cyber Threat Intelligence Training
Process of Applying ATT&CK to CTI
1. Understand ATT&CK
2. Map data to ATT&CK
3. Store & analyze ATT&CK-mapped data
4. Make defensive recommendations from ATT&CK-mapped data
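Steps 3 and 4 of this process, as an added example that is not part of the training deck: the records below are constructed ATT&CK-mapped CTI (fictitious groups GROUP-A/B/C, fictitious report IDs, 2019-era Enterprise technique IDs). The script indexes the records, ranks techniques by how many distinct groups use them, turns that ranking into defensive priorities, and emits an ATT&CK Navigator layer so the result can be overlaid on the matrix. The layer's version and domain values are an assumption taken from the 2019-era layer format.

```python
"""Store, analyze and act on ATT&CK-mapped CTI (added example, constructed data).
Groups, reports and attributions below are fictitious and are not real CTI."""
from collections import defaultdict

# Constructed output of the "map data to ATT&CK" step: one record per behavior per
# report, using 2019-era (pre-sub-technique) Enterprise technique IDs.
MAPPED_CTI = [
    {"report": "rpt-001", "group": "GROUP-A", "technique_id": "T1193", "technique": "Spearphishing Attachment"},
    {"report": "rpt-001", "group": "GROUP-A", "technique_id": "T1086", "technique": "PowerShell"},
    {"report": "rpt-001", "group": "GROUP-A", "technique_id": "T1003", "technique": "Credential Dumping"},
    {"report": "rpt-002", "group": "GROUP-B", "technique_id": "T1193", "technique": "Spearphishing Attachment"},
    {"report": "rpt-002", "group": "GROUP-B", "technique_id": "T1053", "technique": "Scheduled Task"},
    {"report": "rpt-002", "group": "GROUP-B", "technique_id": "T1086", "technique": "PowerShell"},
    {"report": "rpt-003", "group": "GROUP-B", "technique_id": "T1086", "technique": "PowerShell"},
    {"report": "rpt-004", "group": "GROUP-C", "technique_id": "T1078", "technique": "Valid Accounts"},
    {"report": "rpt-004", "group": "GROUP-C", "technique_id": "T1086", "technique": "PowerShell"},
]


def index_by_technique(records):
    """Store step: technique ID -> name, set of groups, set of reports.
    Counting distinct groups rather than raw records keeps a group that is covered by
    several reports (GROUP-B in rpt-002 and rpt-003) from inflating a technique."""
    index = {}
    for r in records:
        entry = index.setdefault(
            r["technique_id"], {"name": r["technique"], "groups": set(), "reports": set()}
        )
        entry["groups"].add(r["group"])
        entry["reports"].add(r["report"])
    return index


def prioritize(records):
    """Analyze step: techniques ranked by the number of distinct groups using them,
    ties broken by technique ID so the output is stable."""
    index = index_by_technique(records)
    return sorted(index.items(), key=lambda kv: (-len(kv[1]["groups"]), kv[0]))


def recommend(records, min_groups=2):
    """Recommendation step: techniques observed across at least `min_groups` groups are
    where a detection or mitigation investment pays off against the broadest set of threats."""
    return [
        {"technique_id": tid, "technique": e["name"], "groups": sorted(e["groups"])}
        for tid, e in prioritize(records)
        if len(e["groups"]) >= min_groups
    ]


def navigator_layer(records, name):
    """Express the analysis as an ATT&CK Navigator layer (a dict ready for json.dumps).
    Score = number of distinct groups per technique. Only a minimal key set is used;
    the 'version' and 'domain' values are an assumption based on the 2019-era layer
    format and may need updating for a newer Navigator."""
    techniques = [
        {
            "techniqueID": tid,
            "score": len(e["groups"]),
            "comment": "groups: " + ", ".join(sorted(e["groups"])),
        }
        for tid, e in prioritize(records)
    ]
    return {
        "name": name,
        "version": "2.2",
        "domain": "mitre-enterprise",
        "description": "Score = number of distinct groups observed using the technique",
        "techniques": techniques,
    }


if __name__ == "__main__":
    import json

    for item in recommend(MAPPED_CTI):
        print(item["technique_id"], item["technique"], item["groups"])
    print(json.dumps(navigator_layer(MAPPED_CTI, "Constructed CTI overlap"), indent=2))
```

Swapping `MAPPED_CTI` for your own mapped records (one row per report, group and technique) is the only change needed; the threshold in `recommend` is where analyst judgement about "how many groups is enough to act" enters.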
Introduction to ATT&CK and Applying it to CTI
What is ATT&CK?
A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven
The Difficult Task of Detecting TTPs
Pyramid of Pain (how much it costs the adversary when defenders deny each indicator type):
➢ TTPs: Tough!
➢ Tools: Challenging
➢ Network/Host Artifacts: Annoying
➢ Domain Names: Simple
➢ IP Addresses: Easy
➢ Hash Values: Trivial
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
[Figure: ATT&CK Enterprise Matrix (2019). Tactic columns, left to right: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. The individual technique cells did not survive extraction and are not reproduced.]
Technique: Spearphishing Attachment
Group: APT29
[Figure: ATT&CK Enterprise Matrix poster overlaid with group technique usage; the highlighted cells did not survive extraction. Recoverable legend entries: APT29, Both, Low Priority. The recoverable poster text follows.]

Use ATT&CK for Threat Intelligence
…commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.

Use ATT&CK for Detection
ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Only fragments of the poster's sample analytic survive: a filter ending in == "cmd.exe"), a filter parent_exe != "explorer.exe"), a join condition reg.hostname == cmd.hostname), and the final line output reg_and_cmd.

Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes, and then fix them.

Use ATT&CK for Assessment and Engineering
Use ATT&CK to Build Your Defensive Platform
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT… (link truncated in the source). See attack.mitre.org for more information on how each technique can be detected, and…
Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared W ebroot Screen Capture Multi-Stage Channels Service Stop
td pr
Screensaver Plist Modification
Image File Execution Options
Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation
ol
Injection
Security Support Provider Port Knocking
po
Information Relay
co oc
Service Registry Permissions
Process Doppelgänging
Weakness Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking
Communicate to Defenders
CTI Analyst → Defender
Communicate Across the Community
APT1337 is using autorun
FUZZYDUCK used a Run key
Oh, you mean T1060!
CTI Consumer
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
End of Module 1
Module 2:
Mapping to ATT&CK from a Finished Report
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
Why is it Difficult to Map CTI to ATT&CK?
▪ Requires a shift in analyst thinking
– Indicators → behaviors
▪ Volume of ATT&CK techniques
▪ “Technical” detail of some ATT&CK techniques
Process of Mapping to ATT&CK
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
0. Understand ATT&CK
▪ You need to know what to look for before you can do this
▪ To get analysts started:
– Watch an ATT&CK presentation like Sp4rkcon
– Read the Philosophy Paper and items from our Getting Started page
– Read the Tactic descriptions
– Skim the Technique list
▪ Encourage ongoing learning and discussion
– Have analysts present a technique a week in your team training
1. Find the Behavior
▪ Different mindset from looking for indicators
▪ Look for what the adversary or software does
▪ Focus on initial compromise and post-compromise details
– Info that may not be useful for ATT&CK mapping:
▪ Static malware analysis
▪ Infrastructure registration information
▪ Industry/victim targeting information
1. Find the Behavior
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
2. Research the Behavior
▪ CTI analysts may not be familiar with adversary/software behavior
▪ Encourage them to do additional research:
– Of your own team or organization (defenders/red teamers)
– Of external resources
▪ Time-consuming, but builds better analysts
▪ Understanding of core behavior helps with next steps
2. Research the Behavior
https://en.wikipedia.org/wiki/SOCKS
2. Research the Behavior
https://www.speedguide.net/port.php?port=1913
3. Translate the Behavior into a Tactic
▪ What is the adversary trying to accomplish?
▪ Often requires domain expertise
– Finished intel can give you context
▪ Only 12 options:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defense Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Command and Control
– Exfiltration
– Impact
4. Figure Out What Technique Applies
▪ Often the toughest part
▪ Not every behavior is necessarily a technique
▪ Key strategies:
1. Look at the list of Techniques for the identified Tactic
2. Search attack.mitre.org
▪ Try key words
▪ Try “procedure”-level detail
▪ Try specific command strings
4. Figure Out What Technique Applies
Protocol vs. Port → 2 techniques?
4. Figure Out What Technique Applies
“CTRL+F” FTW
Rinse and Repeat
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Exercise 2: Cybereason Cobalt Kitty Report
▪ Analyze a threat report to find the Enterprise ATT&CK techniques
– 22 highlighted techniques in the Cybereason Cobalt Kitty report
▪ Choose a PDF from attack.mitre.org/training/cti under Exercise 2
– Choose your own adventure: start with “highlights only” or “tactic hints”
▪ Use the PDF or a text document/piece of paper to record your results
▪ Write down the ATT&CK tactic and technique you think applies to each highlight
▪ Tips:
– Do keyword searches of our website: https://attack.mitre.org
– Remember that you don’t have to be perfect
– Use this as a chance to dive into ATT&CK
▪ Please pause. We suggest giving yourself 30 minutes for this exercise.
Exercise 2 Optional Bonus Step:
Compare your results to other analysts
▪ Step 5 of the process: Compare your results to other analysts
▪ Helps hedge against analyst biases
– More likely to identify techniques you’ve previously identified
Analyst 1 Analyst 2
Going Over the Exercise – Cybereason Report
▪ Think about:
– What were the easiest & hardest techniques to identify?
– How did you identify each technique?
– What challenges did you have? How did you address them?
Cybereason Cobalt Kitty Report
https://cybr.ly/cobaltkitty
Optional Exercise 2 Bonus Report
▪ If you’d like more practice mapping finished reporting to ATT&CK, work through the FireEye APT39 report in the same manner. The PDF is available at attack.mitre.org/training/cti under Exercise 2. (No tactic hints option this time!)
▪ Answers are provided in a separate PDF.
Skipping Steps in the Process
Once you’re experienced, you may be able to skip steps
…but this increases your bias
…and it won’t work every time
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior ← Sometimes we jump directly here
5. Compare your results to other analysts
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
End of Module 2
Module 3:
Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
Mapping to ATT&CK from Raw Data
▪ So far, working from intel where activity has already been analyzed
Process of Mapping to ATT&CK
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
1. Find the Behavior
ipconfig /all
sc.exe \\ln334656-pc create
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
Commands captured by Sysmon being run interactively via cmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Netsh
New reg keys during an incident
2. Research the Behavior
▪ Can be similar to analysis of finished reporting for raw data
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
– Can make some educated guesses, but not enough context
File analysis:
When recycler.exe is executed, it gives the following output:
C:\recycler.exe
RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007
Shareware version Type RAR -? for help
– Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
3. Translate the Behavior into a Tactic
ipconfig /all
– Specific procedure only mapped to System Network Configuration Discovery
– System Network Configuration Discovery -> Discovery ✅
– Seen being run via Sysmon -> Execution
4. Figure Out What Technique Applies
▪ Similar to working with finished reporting we may jump straight here
– Procedure may map directly to Technique/Tactic
– May have enough experience to compress steps
ipconfig /all
– Specific procedure in System Network Configuration Discovery (T1016)
– Also Command-Line Interface (T1059)
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
– We figured out researching this that “a -hp” compresses/encrypts
– Appears to be Data Compressed (T1002) and Data Encrypted (T1022)
– Also Command-Line Interface (T1059)
4. Concurrent Techniques
4. Different Types of Techniques
Analyst 1 Analyst 2
Pros/cons of Mapping from the Two Different Sources
▪ Find the behavior
– Raw: Nearly everything may be a behavior (not all ATT&CK)
– Finished: May be buried amongst prose, IOCs, etc.
▪ Research the behavior
– Raw: May need to look at multiple sources, data types. May also be a known procedure
– Finished: May have more info/context, may also have lost detail in writing
▪ Translate the behavior into a tactic
– Raw: Have to map to adversary intent, need domain knowledge/expertise
– Finished: Often intent has been postulated by report author
▪ Figure out what technique applies to the behavior
– Raw: May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished
– Finished: May be as simple as a text match to description/procedure, or may be too vague to tell
▪ Compare your results to other analysts
– Raw: May need multiple analysts to cover all data sources
– Finished: More likely in a form where other analysts needed for coverage/hedge against bias
Exercise 3: Working with raw data
▪ You’re going to be examining two tickets from a simulated incident
▪ Ticket 473822
– Series of commands interactively executed via cmd.exe on an end system
▪ Ticket 473845
– Pieces of a malware analysis of the primary RAT used in the incident
▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3
Going Over Exercise 3 (Ticket 473822)
ipconfig /all -> System Network Configuration Discovery (T1016)
arp -a -> System Network Configuration Discovery (T1016)
echo %USERDOMAIN%\%USERNAME% -> System Owner / User Discovery (T1033)
tasklist /v -> Process Discovery (T1057)
sc query -> System Service Discovery (T1007)
(all under the Discovery tactic)
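The raw-data walkthrough above and the Exercise 3 answer key, turned into a small rule-based mapper as an added example (this is not code from the training deck or from MITRE): it takes process-creation events, maps each command line to the tactics and techniques the deck gives, and counts technique IDs as raw material for a Navigator layer. The key=value event layout, the sample events and the RAR_BINARIES list are constructed assumptions, and RAR's -p switch comes from RAR's own help rather than from the deck.

```python
"""Map interactively run command lines (Ticket 473822 style) to ATT&CK.

Added example: the rules are the mappings given in the training walkthrough
and the Exercise 3 answer key; the event layout and sample events below are
constructed and are not real Sysmon output.
"""
import re
import shlex
from typing import Dict, List, Tuple

# (tactic, technique name, technique ID)
Mapping = Tuple[str, str, str]

# Procedure-level rules: a regex over the command line and the technique the
# deck maps that procedure to.
COMMAND_RULES: List[Tuple[str, Mapping]] = [
    (r"^ipconfig\b", ("Discovery", "System Network Configuration Discovery", "T1016")),
    (r"^arp\s+-a\b", ("Discovery", "System Network Configuration Discovery", "T1016")),
    (r"^echo\s+%USERDOMAIN%\\%USERNAME%", ("Discovery", "System Owner/User Discovery", "T1033")),
    (r"^tasklist\b", ("Discovery", "Process Discovery", "T1057")),
    (r"^sc(\.exe)?\s+query\b", ("Discovery", "System Service Discovery", "T1007")),
]
CLI: Mapping = ("Execution", "Command-Line Interface", "T1059")
DATA_COMPRESSED: Mapping = ("Exfiltration", "Data Compressed", "T1002")
DATA_ENCRYPTED: Mapping = ("Exfiltration", "Data Encrypted", "T1022")

# Binaries that file analysis identified as RAR. recycler.exe is the renamed
# copy from the deck; a real deployment would key this on the banner or hash,
# not on the file name (assumption for this example).
RAR_BINARIES = {"rar.exe", "recycler.exe"}


def rar_archive_mapping(argv: List[str]) -> List[Mapping]:
    """Interpret a RAR command line the way the deck's research step did:
    'a' adds files to an archive (compression) and a -hp<password> switch
    encrypts headers and data. RAR's -p<password> switch (data only) is
    treated the same way; it comes from RAR's help, not from the deck."""
    if len(argv) < 2 or argv[1].lower() != "a":
        return []
    found = [DATA_COMPRESSED]
    if any(arg.lower().startswith(("-hp", "-p")) for arg in argv[2:]):
        found.append(DATA_ENCRYPTED)
    return found


def basename(path: str) -> str:
    """Last component of a Windows path, or a bare program name, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def map_command(parent_image: str, command_line: str) -> List[Mapping]:
    """Return every tactic/technique the deck would map one command line to."""
    mappings: List[Mapping] = []
    cmd = command_line.strip()
    for pattern, mapping in COMMAND_RULES:
        if re.match(pattern, cmd, re.IGNORECASE):
            mappings.append(mapping)
    # posix=False keeps Windows backslashes intact while splitting on whitespace
    argv = shlex.split(cmd, posix=False) if cmd else []
    if argv and basename(argv[0]) in RAR_BINARIES:
        mappings.extend(rar_archive_mapping(argv))
    # Concurrent technique: the deck maps anything typed at an interactive
    # cmd.exe to Command-Line Interface as well as to what the command does.
    if basename(parent_image) == "cmd.exe":
        mappings.append(CLI)
    return mappings


# Constructed sample events in a simplified "Key=Value Key=Value" layout
# (an assumption; real Sysmon Event ID 1 records are XML/EVTX).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=ipconfig /all",
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=arp -a",
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=echo %USERDOMAIN%\%USERNAME%",
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=tasklist /v",
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=sc query",
    r"ParentImage=C:\Windows\System32\cmd.exe CommandLine=.\recycler.exe a -hpfGzq5yKw "
    r"C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one sample event into fields; CommandLine is the last field,
    so the spaces inside it survive."""
    return dict(KV_RE.findall(line))


def map_events(lines: List[str]) -> List[Tuple[str, List[Mapping]]]:
    """Map every event; lines without a CommandLine are skipped, not guessed."""
    results = []
    for line in lines:
        fields = parse_event(line)
        if "CommandLine" not in fields:
            continue
        results.append((fields["CommandLine"],
                        map_command(fields.get("ParentImage", ""), fields["CommandLine"])))
    return results


def technique_counts(lines: List[str]) -> Dict[str, int]:
    """Technique ID -> number of commands mapped to it: the starting point for
    a Navigator layer or for the 'compare your results' step."""
    counts: Dict[str, int] = {}
    for _, mappings in map_events(lines):
        for _, _, tid in mappings:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for cmd, mappings in map_events(SAMPLE_EVENTS):
        print(cmd)
        for tactic, name, tid in mappings:
            print(f"    {tactic}: {name} ({tid})")
    print(technique_counts(SAMPLE_EVENTS))
```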
Finished Reporting Examples
During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’[1] via the Windows command shell[2].
1. Discovery – System Network Configuration Discovery (T1016)
2. Execution – Command-Line Interface (T1059)
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
End of Module 3
Module 4:
Storing and Analyzing ATT&CK-Mapped Data
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
Considerations When Storing ATT&CK-Mapped Intel
▪ Who’s consuming it?
– Human or machine?
– Requirements?
▪ How will you provide context?
– Include full text?
▪ How detailed will it be?
– Just a Technique, or a Procedure?
– How will you capture that detail? (Free text?)
▪ How will you link it to other intel?
– Incident, group, campaign, indicator…
▪ How will you import and export data?
– Format?
The community is still figuring this out!
Ways to Store and Display ATT&CK-Mapped Intel
¯\_(ツ)_/¯
Ways to Express and Store ATT&CK-Mapped Intel
Techniques at the end of a report
https://www.anomali.com/blog/weekly-threat-briefing-google-spots-attacks-exploiting-ios-zero-day-flaws
Ways to Express and Store ATT&CK-Mapped Intel
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
Ways to Express and Store ATT&CK-Mapped Intel
Techniques at the beginning of a report
https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global-threat-report-blurring-the-lines-between-statecraft-and-tradecraft/
Ways to Express and Store ATT&CK-Mapped Intel
Adding additional info to an ATT&CK technique
https://www.digitalshadows.com/blog-and-research/mitre-attck-and-the-mueller-gru-indictment-lessons-for-organizations/
Ways to Express and Store ATT&CK-Mapped Intel
With timestamps
https://www.recordedfuture.com/mitre-attack-framework/
Ways to Express and Store ATT&CK-Mapped Intel
Machine readable
https://pan-unit42.github.io/playbook_viewer/
Ways to Express and Store ATT&CK-Mapped Intel
https://attack.mitre.org/groups/G0007/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
APT28 Techniques*
[Slide figure: the Enterprise ATT&CK matrix with techniques highlighted by group; legend: APT28, APT29, Both groups]
ATT&CK Navigator
▪ One option for getting started with storing and analyzing in a simple way
▪ Open source (JSON), so you can customize it
▪ Allows you to visualize data
ATT&CK Navigator Demo Video
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4
– Step-by-step instructions are in the “Comparing Layers in Navigator” document
– Techniques are listed in the “APT39 and Cobalt Kitty techniques” document
[Slide figure: ATT&CK Navigator layer comparison with techniques highlighted by group; legend: APT39, OceanLotus, Both groups]
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Here are the overlapping techniques:
1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning
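The layer comparison Exercise 4 describes, done in code as an added example (not the deck's or the Navigator project's own code): it builds a Navigator layer per group, computes the overlap, and emits a comparison layer scored 1/2/3 (first group only, second group only, both) for import into Navigator. The seven overlapping techniques are the exercise answer above; the group-only entries are constructed sample data and not a claim about the real groups, and the layer fields used follow the 2019-era layer format (version 2.2, domain mitre-enterprise), an assumption to check against the Navigator version in use.

```python
"""Build and compare ATT&CK Navigator layers for two groups.

Added example, not the training deck's or the Navigator project's code. The
overlap list is the Exercise 4 answer; the group-only techniques are
constructed sample data. Layer fields follow the 2019-era layer format
(version 2.2, domain mitre-enterprise), an assumption to verify against the
Navigator version in use.
"""
import json
from typing import Dict, List, Set, Tuple

LAYER_VERSION = "2.2"
LAYER_DOMAIN = "mitre-enterprise"

# The seven techniques the exercise answer lists as shared by both groups.
OVERLAP_FROM_EXERCISE: Dict[str, str] = {
    "T1193": "Spearphishing Attachment",
    "T1192": "Spearphishing Link",
    "T1053": "Scheduled Task",
    "T1064": "Scripting",
    "T1204": "User Execution",
    "T1060": "Registry Run Keys / Startup Folder",
    "T1046": "Network Service Scanning",
}
# Constructed extras so each sample layer has techniques the other lacks;
# these are NOT claims about what APT39 or OceanLotus actually use.
GROUP_A_ONLY = {"T1016": "System Network Configuration Discovery",
                "T1059": "Command-Line Interface"}
GROUP_B_ONLY = {"T1002": "Data Compressed", "T1022": "Data Encrypted"}

SCORE_A_ONLY, SCORE_B_ONLY, SCORE_BOTH = 1, 2, 3


def make_layer(name: str, techniques: Dict[str, str]) -> dict:
    """A minimal single-group layer: one entry per technique ID, score 1."""
    return {
        "name": name,
        "version": LAYER_VERSION,
        "domain": LAYER_DOMAIN,
        "description": f"Techniques mapped for {name}",
        "techniques": [
            {"techniqueID": tid, "score": 1, "comment": tname, "enabled": True}
            for tid, tname in sorted(techniques.items())
        ],
    }


def technique_ids(layer: dict) -> Set[str]:
    """IDs of the enabled techniques in a layer."""
    return {t["techniqueID"] for t in layer["techniques"] if t.get("enabled", True)}


def overlap(layer_a: dict, layer_b: dict) -> List[str]:
    """Technique IDs present in both layers, sorted (the exercise's answer)."""
    return sorted(technique_ids(layer_a) & technique_ids(layer_b))


def comparison_layer(layer_a: dict, layer_b: dict) -> dict:
    """Merge two layers into one whose score says who uses each technique,
    so Navigator colours the three cases differently."""
    ids_a, ids_b = technique_ids(layer_a), technique_ids(layer_b)
    names = {t["techniqueID"]: t.get("comment", "")
             for t in layer_a["techniques"] + layer_b["techniques"]}
    techniques = []
    for tid in sorted(ids_a | ids_b):
        if tid in ids_a and tid in ids_b:
            score, who = SCORE_BOTH, "both groups"
        elif tid in ids_a:
            score, who = SCORE_A_ONLY, layer_a["name"] + " only"
        else:
            score, who = SCORE_B_ONLY, layer_b["name"] + " only"
        techniques.append({"techniqueID": tid, "score": score,
                           "comment": f"{names[tid]} ({who})", "enabled": True})
    return {
        "name": f"{layer_a['name']} vs {layer_b['name']}",
        "version": LAYER_VERSION,
        "domain": LAYER_DOMAIN,
        "description": f"score {SCORE_A_ONLY}: {layer_a['name']} only, "
                       f"{SCORE_B_ONLY}: {layer_b['name']} only, {SCORE_BOTH}: both",
        "techniques": techniques,
        "gradient": {"colors": ["#ffe766", "#66b2ff", "#ff6666"],
                     "minValue": SCORE_A_ONLY, "maxValue": SCORE_BOTH},
        "legendItems": [
            {"label": f"{layer_a['name']} only", "color": "#ffe766"},
            {"label": f"{layer_b['name']} only", "color": "#66b2ff"},
            {"label": "both groups", "color": "#ff6666"},
        ],
    }


def priority_techniques(comparison: dict) -> List[str]:
    """Techniques used by both groups: the deck's suggested highest-priority
    starting point for defensive recommendations."""
    return sorted(t["techniqueID"] for t in comparison["techniques"]
                  if t["score"] == SCORE_BOTH)


def build_sample_layers() -> Tuple[dict, dict]:
    """Two constructed layers that share exactly the exercise's overlap."""
    a = make_layer("Group A", {**OVERLAP_FROM_EXERCISE, **GROUP_A_ONLY})
    b = make_layer("Group B", {**OVERLAP_FROM_EXERCISE, **GROUP_B_ONLY})
    return a, b


if __name__ == "__main__":
    layer_a, layer_b = build_sample_layers()
    merged = comparison_layer(layer_a, layer_b)
    print("overlap:", overlap(layer_a, layer_b))
    # The JSON below can be opened in Navigator as an existing layer.
    print(json.dumps(merged, indent=2))
```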
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
End of Module 4
Module 5:
Making Defensive Recommendations from
ATT&CK-Mapped Data
Process of Applying ATT&CK to CTI: Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
Applying Technique Intelligence to Defense
▪ We’ve now seen a few ways to identify techniques seen in the wild
– Extracted from finished reporting
– Extracted from raw/incident data
– Leveraging data already mapped by ATT&CK team
▪ Can identify techniques used by multiple groups we care about
– May be our highest priority starting point
Process for Making Recommendations from Techniques
0. Determine Priority Techniques
1. Research How Techniques Are Being Used
▪ What specific procedures are being used for a given technique?
– Important that our defensive response overlaps with activity
2. Research Defensive Options Related to Technique
▪ Further research shows that for Windows to generate event 4688 multiple GPO changes are required and it is very noisy
▪ Similar information can be gathered via Sysmon with better filtering
[Slide figure: excerpt of the Windows ATT&CK Logging Cheatsheet listing, for Windows Remote Management (T1028), LSASS Driver (T1177), Scheduled Task (T1053) and Automated Exfiltration (T1020), their tactics, data sources (process monitoring, process command line, file monitoring, DLL monitoring, loaded DLLs, kernel drivers, net shares, Windows firewall, Windows event logs) and the Windows event IDs that cover them (4688, 4663, 5156, 5140/5145, Sysmon IDs)]
2. Research Defensive Options Related to Technique
▪ ATT&CK:
– https://attack.mitre.org
▪ Cyber Analytics Repository:
– https://car.mitre.org/
▪ Threat Hunter Playbook
– https://github.com/hunters-forge/ThreatHunter-Playbook
▪ Windows ATT&CK Logging Cheatsheet
– https://www.malwarearchaeology.com/cheat-sheets
2. Research Defensive Options Related to Technique
▪ User training
▪ Application whitelisting
▪ Block unknown files in transit
▪ NIPS
▪ File detonation systems
▪ Monitor command-line arguments
– Windows Event Log 4688
– Sysmon
▪ Anti-Virus
▪ Endpoint sensing
3. Research Organizational Capabilities/Constraints
▪ Notional Capabilities
– Windows Events already collected to SIEM (but not process info)
– Evaluating application whitelisting tools
– Highly technical workforce
– Already have an email file detonation appliance
– Already have anti-virus on all endpoints
▪ Notional Constraints
– SIEM at close to license limit, increase would be prohibitive
– Large portion of the user population are developers who run arbitrary binaries
– Files in transit are usually encrypted when they pass the NIPS
4. Determine What Tradeoffs Are for Org on Specific Options
▪ Example Positives
– Leveraging existing strengths/tools/data sources
– Close fit with specific threat
▪ Example Negatives
– Cost not commensurate with risk averted
– Poor cultural fit with organization
5. Make Recommendations
[ATT&CK Enterprise matrix (tactics Initial Access through Impact) with the priority techniques highlighted; callouts on the slide:]
– "None of our existing tools have visibility into Command-Line Interface, so we'll need to obtain something"
– "We'll tackle Spearphishing Attachment and Spearphishing Link"
Exercise 5: Defensive Recommendations
Worksheet in attack.mitre.org/training/cti under Exercise 5
“Making Defensive Recommendations Guided Exercise”
0. Determine Priority Techniques
1. Research How Techniques Are Being Used
From the Cobalt Kitty Report
3. Research Organizational Capabilities/Constraints
▪ For this exercise, assume that you have Windows Event Log Collection
going to a SIEM, but no ability to collect process execution logging.
4. Determine What Tradeoffs Are for Org on Specific Options
▪ Monitor scheduled task creation from common utilities using command-line invocation
– Positives: Would allow us to collect detailed information on how the task was added.
– Negatives: Organization has no ability to collect process execution logging.
▪ Configure event logging for scheduled task creation and changes
– Positives: Fits well into the existing Windows Event Log collection system; would be simple to implement enterprise wide.
– Negatives: Increases collected log volumes.
▪ Sysinternals Autoruns may also be used
– Positives: Would collect on other persistence techniques as well. Tool is free.
– Negatives: Not currently installed; would need to be added to all systems along with data collection and analytics of results.
▪ Monitor processes and command-line arguments
– Positives: Would allow us to collect detailed information on how the task was added.
– Negatives: Organization has no ability to collect process execution logging.
5. Make Recommendations
Given the limitations and sources we pointed at, answers are likely to be similar to:
Possibly
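As an added example (not part of the MITRE training deck), the detection logic a defender could run for the T1053 Scheduled Task case from the exercise, over constructed Windows Security event records. It assumes events have been flattened into dicts; Security event 4698 ("A scheduled task was created") is a real event ID not named on the slides, and the sample records are constructed, not real logs.

```python
import re

# ATT&CK technique from the exercise: Scheduled Task.
T1053 = "T1053"

# Constructed sample records (flattened Windows Security events; not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Updater",
     "TaskContent": "<Command>C:\\Users\\jdoe\\AppData\\Roaming\\u.exe</Command>"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\jdoe\\AppData\\Roaming\\u.exe /sc minute /mo 5"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": "C:\\Windows\\Tasks\\Updater.job"},
]

# schtasks invoked with /create on the command line (the "common utility" option in the tradeoff table).
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.IGNORECASE)


def classify(event):
    """Return a finding dict if the record evidences T1053, else None."""
    eid = event.get("EventID")
    if eid == 4698:
        # Task Scheduler audit path: only needs the object-access audit policy, no process logging.
        return {"technique": T1053, "source": "4698",
                "user": event["SubjectUserName"], "detail": event["TaskName"]}
    if eid == 4688 and SCHTASKS_CREATE.search(event.get("CommandLine", "")):
        # Process-creation path: needs 4688 auditing plus command-line inclusion (the extra GPO changes).
        return {"technique": T1053, "source": "4688",
                "user": event["SubjectUserName"], "detail": event["CommandLine"]}
    return None


def detect(events, process_logging):
    """Run classify() over records; skip 4688 when the org cannot collect process execution logs."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4688 and not process_logging:
            continue  # data source unavailable under the exercise constraint
        finding = classify(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # With process logging the schtasks command line is also caught; without it only 4698 remains.
    for finding in detect(SAMPLE_EVENTS, process_logging=False):
        print(finding)
```

Running with process_logging=False reproduces the exercise's situation: the task creation event still surfaces the technique, which is why the event-logging option fits the stated constraints better than command-line monitoring.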
In Closing
Understand ATT&CK → Map data to ATT&CK → Store & analyze ATT&CK-mapped data → Make defensive recommendations from ATT&CK-mapped data
https://attack.mitre.org
attack@mitre.org
@MITREattack
End of Module 5