ATT&CK

The following is a curated list of tactics sourced from MITRE ATT&CK.

You should familiarize yourself with these attack vectors while preparing for your campaign.

ATT&CK Win Command and Control

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.

Application Layer Protocol (4)

Communication Through Removable Media

Data Encoding (2)

Data Obfuscation (3)

Dynamic Resolution (3)

Encrypted Channel (2)

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Proxy (4)

Remote Access Software

Traffic Signaling (1)

Web Service (3)

ATT&CK Win Collection

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

ATT&CK Win Credentials

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Adversary-in-the-Middle (2)

Brute Force (4)

Credentials from Password Stores (3)

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials (2)

Input Capture (4)

Modify Authentication Process (2)

Network Sniffing

OS Credential Dumping (6)

Steal or Forge Kerberos Tickets (4)

Steal Web Session Cookie

Two-Factor Authentication Interception

Unsecured Credentials (4)

ATT&CK Win Discovery

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Account Discovery (3)

Application Window Discovery

Browser Bookmark Discovery

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery (2)

Process Discovery

Query Registry

Remote System Discovery

Software Discovery (1)

System Information Discovery

System Location Discovery (1)

System Network Configuration Discovery (1)

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion (3)

ATT&CK Win Evasion

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Abuse Elevation Control Mechanism (1)

Access Token Manipulation (5)

BITS Jobs

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification (2)

Execution Guardrails (1)

Exploitation for Defense Evasion

File and Directory Permissions Modification (1)

Hide Artifacts (8)

Hijack Execution Flow (9)

Impair Defenses (7)

Indicator Removal on Host (5)

Indirect Command Execution

Masquerading (6)

Modify Authentication Process (2)

Modify Registry

Obfuscated Files or Information (6)

Pre-OS Boot (3)

Process Injection (8)

Reflective Code Loading

Rogue Domain Controller

Rootkit

Signed Binary Proxy Execution (13)

Signed Script Proxy Execution (1)

Subvert Trust Controls (5)

Template Injection

Traffic Signaling (1)

Trusted Developer Utilities Proxy Execution (1)

Use Alternate Authentication Material (2)

Valid Accounts (3)

Virtualization/Sandbox Evasion (3)

XSL Script Processing

ATT&CK Win Execution

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Command and Scripting Interpreter (5)

Exploitation for Client Execution

Inter-Process Communication (2)

Native API

Scheduled Task/Job (2)

Shared Modules

Software Deployment Tools

System Services (1)

User Execution (2)

Windows Management Instrumentation

ATT&CK Win Exfiltration

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Automated Exfiltration

Data Transfer Size Limits

Exfiltration Over Alternative Protocol (3)

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium (1)

Exfiltration Over Physical Medium (1)

Exfiltration Over Web Service (2)

Scheduled Transfer

ATT&CK Win Impact

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation (3)

Defacement (2)

Disk Wipe (2)

Endpoint Denial of Service (4)

Firmware Corruption

Inhibit System Recovery

Network Denial of Service (2)

Resource Hijacking

Service Stop

System Shutdown/Reboot

ATT&CK Win Initial Access

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Phishing (3)

Replication Through Removable Media

Supply Chain Compromise (3)

Trusted Relationship

Valid Accounts (3)

ATT&CK Win Lateral Movement

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking (1)

Remote Services (5)

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material (2)

ATT&CK Win Persistence

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Account Manipulation (1)

BITS Jobs

Boot or Logon Autostart Execution (10)

Boot or Logon Initialization Scripts (2)

Browser Extensions

Compromise Client Software Binary

Create Account (2)

Create or Modify System Process (1)

Event Triggered Execution (11)

External Remote Services

Hijack Execution Flow (9)

Modify Authentication Process (2)

Office Application Startup (6)

Pre-OS Boot (3)

Scheduled Task/Job (2)

Server Software Component (4)

Traffic Signaling (1)

Valid Accounts (3)

ATT&CK Win Privilege Escalation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  1. SYSTEM/root level
  2. local administrator
  3. user account with admin-like access
  4. user accounts with access to a specific system or the ability to perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Abuse Elevation Control Mechanism (1)

Access Token Manipulation (5)

Boot or Logon Autostart Execution (10)

Boot or Logon Initialization Scripts (2)

Create or Modify System Process (1)

Domain Policy Modification (2)

Escape to Host

Event Triggered Execution (11)

Exploitation for Privilege Escalation

Hijack Execution Flow (9)

Process Injection (8)

Scheduled Task/Job (2)

Valid Accounts (3)