This document discusses MITRE ATT&CK, which is a knowledge base of adversary behavior techniques based on real-world observations. It is free, open, and globally accessible. The document explains how ATT&CK can be used for threat intelligence, detection, adversary emulation, and assessment/engineering. It provides examples of techniques like spearphishing attachments and profiles of adversary groups like APT29. It also describes how ATT&CK can help find gaps in an organization's defenses through red team testing.

1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
Turning Intelligence into Action with
MITRE ATT&CK™
Katie Nickels @likethecoins
Adam Pennington @_whatshisface
MITRE ATT&CK @MITREattack
| 1 |

2. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
What is
?
A knowledge base of
adversary behavior
Ø Based on real-world observations
Ø Free, open, and globally accessible
Ø A common language
Ø Community-driven

3. Summiting the Pyramid
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
TTPs
Tools
Network/
Host Artifacts
Domain Names
IP Addresses
Hash Values
•Tough!
•Challenging
•Annoying
•Simple
•Easy
•Trivial

4. Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Command and Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Lateral Movement
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Credential Access Discovery
Network Sniffing
Account Manipulation Account Discovery
Bash History Application Window
DiscoveryBrute Force
Credential Dumping Browser Bookmark
DiscoveryCredentials in Files
Credentials in Registry Domain Trust Discovery
Exploitation for
Credential Access
File and Directory Discovery
Network Service Scanning
Forced Authentication Network Share Discovery
Hooking Password Policy Discovery
Input Capture Peripheral Device Discovery
Input Prompt Permission Groups Discovery
Kerberoasting Process Discovery
Keychain Query Registry
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery
Security Software Discovery
Password Filter DLL System Information
DiscoveryPrivate Keys
Securityd Memory System Network
Configuration Discovery
Two-Factor Authentication
Interception
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Execution Persistence Privilege Escalation Defense Evasion
Scheduled Task Binary Padding
Launchctl Access Token Manipulation
Local Job Scheduling Bypass User Account Control
LSASS Driver Extra Window Memory Injection
Trap Process Injection
AppleScript DLL Search Order Hijacking
CMSTP Image File Execution Options Injection
Command-Line Interface Plist Modification
Compiled HTML File Valid Accounts
Control Panel Items Accessibility Features BITS Jobs
Dynamic Data Exchange AppCert DLLs Clear Command History
Execution through API AppInit DLLs CMSTP
Execution through
Module Load
Application Shimming Code Signing
Dylib Hijacking Compiled HTML File
Exploitation for
Client Execution
File System Permissions Weakness Component Firmware
Hooking Component Object Model
HijackingGraphical User Interface Launch Daemon
InstallUtil New Service Control Panel Items
Mshta Path Interception DCShadow
PowerShell Port Monitors Deobfuscate/Decode Files
or InformationRegsvcs/Regasm Service Registry Permissions Weakness
Regsvr32 Setuid and Setgid Disabling Security Tools
Rundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails
Service Execution .bash_profile and .bashrc Exploitation for
Privilege Escalation
Exploitation for
Defense Evasion
Signed Binary
Proxy Execution
Account Manipulation
Authentication Package SID-History Injection File Deletion
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
ModificationBootkit Sudo Caching
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Initial Access
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
| 4 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
Procedures: Specific technique implementation

5. Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 5 |

6. Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 6 |

7. Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 7 |

8. Technique: Spearphishing Attachment
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 8 |

9. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 9 |

10. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 10 |

11. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
| 11 |

12. ATT&CK Use Cases
| 12 |
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
processes—and then fix them.
Legend
Low Priority
High Priority
Finding Gaps in Defense
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through
Module Load
Exploitation for
Client Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed Binary
Proxy Execution
Signed Script
Proxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default
File Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object Model
Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files
or Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation for
Defense Evasion
File Deletion
File Permissions
Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation for
Privilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for
Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning
and Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Account Discovery
Application Window
Discovery
Browser Bookmark
Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System Information
Discovery
System Network
Configuration Discovery
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, information-sharing groups, government threat-sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Get Started with ATT&CK
Legend
APT28
APT29
Both
Comparing APT28 to APT29
we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right colle
analytics. Check out our website at attack.mitre.org for more information on how each technique can be detected, and
adversary examples you can use to start detecting adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
ob
stan
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Legend
APT28
APT29
Both
Legend
Low Priority
High Priority
Comparing APT28 to APT29
Finding Gaps in Defense
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
malwarerever
net
work device logs
network intrusion detection system
ssl/tls inspection
system
calls
windowseventlogs
ocol
compromise
point denial of service
network denial of service
obfuscated files or information
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain fronting
drive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cm
stp
em
s

13. ATT&CK Threat Intelligence Use Cases
§ Structuring threat intelligence with ATT&CK allows us to
– Compare behaviors
– Communicate in a common language
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 5 |

14. Compare Groups to Each Other
| 6 |
*from open source
reporting we’ve mapped
APT28*
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

15. Compare Groups to Each Other
| 7 |
APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

16. Compare Groups to Each Other
| 8 |
APT28
APT29
Both groups Prioritize!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

17. Compare Groups to Defenses
| 9 |
Overlay known defensive gaps
APT28
APT29
Both groups
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

18. Compare Groups Over Time
| 10 |
Notional group in 2018
Same group in 2019…why did
we not see these techniques?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

19. Communicate to Defenders
| 11 |
CTI
Analyst Defender
Registry Run Keys
/ Startup Folder
(T1060)
THIS is what the
adversary is doing!
The Run key is
AdobeUpdater.
Oh, we have
Registry data, we
can detect that!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

20. Communicate Across the Community
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 12 |
CTI Consumer
Registry Run Keys
/ Startup Folder
(T1060)
Oh, you
mean T1060!
APT1337 is
using autorun
FUZZYDUCK
used a Run key
Company
A
Company
B

21. ...but how do I structure intel in ATT&CK so
I can apply it to these use cases?
| 21 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

22. Process of Mapping to ATT&CK
0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts
Two key sources for where you get information:
1. Finished reporting
2. Raw data
| 22 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

23. 0. Understand ATT&CK
§ You need to know what to look for before you can do this
§ To get analysts started:
– Watch an ATT&CK presentation
– Read the Philosophy Paper and Getting Started page
– Read ATT&CK 101 Blog Post
– Read the Tactic descriptions
– Skim the Technique list (there are 252+…)
§ Encourage ongoing learning and discussion
– Have analysts present a technique a week in your team training
| 23 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

24. 1. Find the Behavior
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
§ Different mindset from looking for indicators
§ Look for what the adversary or software does
§ Focus on initial compromise and post-compromise details
– Info that may not be useful for ATT&CK mapping:
§ Static malware analysis
§ Infrastructure registration information
§ Industry/victim targeting information

25. 1. Find the Behavior
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Tactic? Technique? Tactic? Technique?

26. 2. Research the Behavior
| 26 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
§ CTI analysts may not be familiar with adversary/software behavior
§ Encourage them to do additional research:
– Of your own team or organization (defenders/red teamers)
– Of external resources
§ Time-consuming, but builds better analysts
§ Understanding of core behavior helps with next steps

27. 2. Research the Behavior
| 27 |
https://en.wikipedia.org/wiki/SOCKS
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

28. 2. Research the Behavior
| 28 |
https://www.speedguide.net/port.php?port=1913?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

29. 3. Translate the Behavior into a Tactic
§ What is the adversary trying to accomplish?
§ Often requires domain expertise
– Finished intel can give you context
| 29 |
§ Only 12 options:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defense Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Command and Control
– Exfiltration
– Impact
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

30. 3. Translate the Behavior into a Tactic
§ “When executed, the malware first establishes a SOCKS5
connection to 192.157.198.103 using TCP port 1913. … Once
the connection to the server is established, the malware
expects a message containing at least three bytes from the
server. These first three bytes are the command identifier. The
following commands are supported by the malware … “
– A connection in order to command the malware to do something
à Command and Control
| 30 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

31. 4. Figure Out What Technique Applies
§ Often the toughest part
§ Not every behavior is necessarily a technique
§ Key strategies:
1. Look at the list of Techniques for the identified Tactic
2. Search attack.mitre.org
§ Try key words
§ Try “procedure”-level detail
§ Try specific command strings
| 31 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

32. 4. Figure Out What Technique Applies
| 32 |
Protocol vs.
Port
à 2 techniques?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

33. 4. Figure Out What Technique Applies
| 33 |
“the malware first establishes a SOCKS5 connection”
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

34. 4. Figure Out What Technique Applies
| 34 |
“establishes a SOCKS5 connection to
192.157.198.103 using TCP port 1913”
“CTRL+ F” FTW
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

35. Rinse and Repeat
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Privilege Escalation - Exploitation for Privilege Escalation (T1068)
Execution - Command-Line Interface (T1059)
Discovery - System Owner/User Discovery (T1033)
Persistence – Scheduled Task (T1053)
Command and Control - Standard Non-Application Layer Protocol (T1095)
Command and Control -
Uncommonly Used Port (T1065)

36. Technique Mapping Work Available from ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 14 |
“Procedure Examples” for Techniques
“Techniques Used” for Software and Groups
5 years of reviewing and mapping
~400 report sources
Only freely-available public reporting

37. Biases in ATT&CK’s Mapped Data
§ Important to understand and state our biases in CTI
§ Two kinds of bias in technique examples in ATT&CK
– Bias introduced by us
– Bias inherent in the sources we use
§ Understanding these is the first step in properly leveraging this data
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 15 |

38. Security
Vendors
92%
Press
Reports
5%
Publicly-
available
Government
Reports
3%
Our Biases: Sources We Select
| 16 |
From reports used
for technique examples
in ATT&CK Groups
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

39. Our Biases: Availability Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 17 |
All Possible
Techniques
Techniques
We
Remember

40. Our Biases: Novelty Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 18 |
Yet another
FUZZYDUCK
using Powershell
report
APT1337
Using
Transmitted
Data
Manipulation

41. Source Biases: Availability Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 19 |
All Possible
Behaviors/
Groups
Familiar
Behaviors/
Groups

42. Source Biases: Novelty Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 20 |
Another APT1337
Report
APT1338
Report!!!

43. Source Biases: Victim Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 21 |
Victim 4
Victim 5Victim 3
Victim 2
Victim 1

44. Source Biases: Visibility Bias
| 22 |
Visible
Disk
Forensics
Network
Flows
Process
Execution
Powershell
Registry
Monitoring
Decoded
C2
Not Seen
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

45. Source Biases: Production Bias
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 23 |
Operation Snakepit
APT1337 Report
Operation Brown Fox
APT1338 Report
Ducks in the Wild
FUZZYDUCK Report
Source 1 Source 2

46. How Do We Deal With These Biases?
§ Know that they exist
– Once you know them, you can
better determine what is real
data vs. your biases
§ Be honest and explain them
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 24|
Tenor.com

47. Hedging Our Biases
§ Work together
– Diversity of thought makes for stronger teams
§ Adjust and calibrate your data sources
§ Add different data sources (including your own)
§ Remember we’re prioritizing the known over the unknown
– As opposed to absolute comparison
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 25 |

48. Now that you know those biases, here’s
your imperfect data!
| 26 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

49. 1. Remote File Copy
2. Standard App Layer Protocol
3. System Information Discovery
4. Command-Line Interface
5. Obfuscated Files or Information
6. File and Directory Discovery
7. Registry Run Key/Startup Folder
8. File Deletion
9. Process Discovery
10. System Network Config Discovery
11. Scripting
12. Screen Capture
13. System Owner/User Discovery
14. Input Capture
15. Credential Dumping
16. Commonly Used Port
17. PowerShell
18. Standard Crypto Protocol
19. Masquerading
20. Scheduled Task
Top 20 Techniques from ATT&CK Group/Software Data
Why are certain techniques listed? --> Calibrate by source
| 27 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
Where is Spearphishing? Know your biases + work with others

50. Process for Making Recommendations from Techniques
| 29 |
5. Make recommendations
4. Determine what tradeoffs are for org on specific options
3. Research organizational capability/constraints
2. Research defensive options related to technique
1. Research how techniques are being used
0. Determine priority techniques
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.

51. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing
Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment
Software
Automated Collection Communication Through
Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application Window
Discovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component
Object Model
Data from Information
Repositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark
Discovery
Custom Command and
Control Protocol
Exfiltration Over Other
Network Medium
Disk Structure Wipe
Replication Through
Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation of
Remote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network
Shared Drive
Custom Cryptographic
Protocol
Exfiltration Over Command
and Control Channel
Firmware Corruption
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for
Credential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative
Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over
Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation
Algorithms
Service Stop
Valid Accounts Execution through
Module Load
Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through
Removable Media
Screen Capture Fallback Channels Transmitted Data
ManipulationExploitation for
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object Model
Hijacking
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System Information
Discovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Securityd Memory System Network
Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor Authentication
Interception
Windows Remote
Management
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network
Connections Discovery
Standard Application Layer
ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/User
Discovery
Standard Cryptographic
ProtocolService Execution .bash_profile and .bashrc Exploitation for
Privilege Escalation
Exploitation for
Defense EvasionSigned Binary
Proxy Execution
Account Manipulation System Service Discovery Standard Non-Application
Layer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
Modification
Virtualization/Sandbox
Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share Connection
RemovalRc.common
Redundant Access NTFS File Attributes
Registry Run
Keys / Startup Folder
Obfuscated Files
or Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust Provider
Hijacking
Regsvcs/Regasm
Regsvr32
Many Types of Recommendations
Legend
High Confidence of Detection
Some Confidence of Detection
Low Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.
We’ll tackle Spearphishing Attachment and
Spearphishing Link via new user training
Supply Chain Compromise and Component Firmware
are beyond our capability and resources to stop or detect,
so we’ll accept the risk
None of our existing tools have visibility into
Command-Line Interface so we’ll need to
obtain something new

52. Takeaways
§ Use ATT&CK for cyber threat intelligence to help you…
– Compare behaviors
– Communicate in a common language
§ Know the biases involved with mapping CTI reporting to ATT&CK
§ Hedge those biases and use ATT&CK-mapped CTI to improve defenses
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
| 30 |

53. | 31 |
https://attack.mitre.org
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface
Katie Nickels
@likethecoins
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-10.
These slides available at: http://bit.ly/kcnagp-d19