Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

Figure: ASD Essential 8 and Mitre ATT&CK
Columns of the table: Mitre ATT&CK stage and tactic; threat groups GRU, FIN7, FSB and Hidden COBRA; ASD Essential 8; Digital Shadows Advice.

Mitre ATT&CK stages and tactics, in order:
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Exfiltration
11. Command & Control

Techniques listed in the table, grouped by tactic:
- Initial Access: Spearphishing attachment, Spearphishing link, Spearphishing via Service, Drive-by Compromise, Exploit Public-Facing Application, Valid Accounts, Trusted Relationship
- Execution: User Execution, Exploitation for Client Execution
- Persistence: Bootkit, Valid Accounts, Login Item, Launch Agent, Application Shimming, Modify Existing Service, Web Shell
- Privilege Escalation: Exploitation for Privilege Escalation
- Defense Evasion: Obfuscated Files or Information, Clear Command History, Masquerading, Exploitation for Defense Evasion
- Credential Access: Input Capture, Exploitation for Credential Access, Credentials in Files, Private Keys, Hooking
- Discovery: Network Service Scanning, Remote System Discovery
- Lateral Movement: Remote Services, Windows Admin Shares
- Collection: Data from Local System / Network Shared Drive, Data Staged, Input Capture, Email Collection, Screen Capture, Automated Collection, Data from Information Repositories
- Exfiltration: Data Encrypted, Data Compressed
- Command & Control: Custom Cryptographic Protocol, Commonly Used Port, Data Encoding, Custom Command and Control Protocol, Remote File Copy, Multi-hop Proxy

ASD Essential 8 mitigations the table maps against these techniques (each appears against one or more techniques):
- Application whitelisting
- Patch applications (listed as "Patch user applications" for some techniques)
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication

Digital Shadows Advice:
- Monitoring for the creation of phishing domains
- Monitoring for persistence mechanisms via KnockKnock, or for launch file creation via other file monitoring solutions such as EDR
- Example: Monitoring for PowerShell scripts via the Anti Malware Script Interface (AMSI) in Windows 10 reveals the deobfuscated commands
- Monitoring for user authentications, via SSH for example, which do not correspond to changes in a user's command history may indicate attempts to evade detection
- EDR systems may be able to detect attempts to install hook procedures
- Procedural controls such as training, awareness and regular reviews can be used to educate users about the dangers of leaving valid credentials in files
- EDR and/or SIEM solutions can detect port scanning activities
- EDR and/or SIEM solutions can detect remote system discovery activities
- Malicious behavior can be cross-correlated with the accessing of remote services to track an adversary through an environment
- EDR and/or SIEM solutions can be used to detect data being gathered from local and remote systems
- EDR and/or SIEM solutions can be used to detect data being automatically collected, especially when scripts or command line tools are used
- User Behavior Analytics (UBA) may detect anomalous collection patterns. Logs of activity for information repository access should be kept
- EDR and/or SIEM solutions can be used to detect email being collected, especially when scripts or command line tools are used against APIs
- EDR and/or SIEM solutions can be used to detect data being staged, especially when scripts or command line tools are used
- Network monitoring can be used to detect the usage of protocols typically not present in an environment, such as FTP, as well as anomalous file transfers via other mediums
- Network monitoring can detect the usage of, for example, base64 encoding in network traffic
- Network monitoring for encrypted communications which do not follow standards such as TLS/SSL may detect the usage of custom cryptographic protocols
- Network logs can be used to detect anomalous network traffic using protocols such as DNS in previously unseen ways
- Network logs can be used to detect anomalous network traffic, e.g., from previously unseen applications
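As an added illustration of the "Data Encoding" advice (network monitoring can detect, for example, base64 encoding in traffic), the following Python scanner picks base64-looking blobs out of proxy log lines and shows what they decode to. It is example code written for this page, not Digital Shadows' tooling or anything from the original graphic; the log lines, hostnames and addresses are constructed, and the 20-character minimum, the multiple-of-4 length rule, the hex-only exclusion and the 3.0-bit entropy floor are assumed thresholds chosen to keep hashes and filler strings from being flagged.

```python
import base64
import binascii
import math
import re
import string
from typing import Dict, List

# A run of at least 20 base64-alphabet characters, optionally padded (assumed minimum length).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Hex-only runs (hashes, session identifiers) share the alphabet and would be false positives.
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
MIN_ENTROPY_BITS = 3.0  # assumed floor: "AAAA..." is valid base64 but carries no information

# Constructed sample payload and proxy log lines (not taken from the original page).
ENCODED_PAYLOAD = base64.b64encode(b"user=alice;host=ws07;domain=corp.example").decode("ascii")
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://intranet.example/search?q=quarterly+report",
    "2024-01-01T10:00:02Z 10.0.0.5 GET http://cdn.example/static/main.7f3c2d1e9a0b4c5d6e7f8a9b0c1d2e3f.js",
    "2024-01-01T10:00:03Z 10.0.0.7 POST http://203.0.113.9/upload?d=" + ENCODED_PAYLOAD,
    "2024-01-01T10:00:04Z 10.0.0.8 GET http://203.0.113.9/c?id=" + base64.b64encode(b"beacon-42").decode("ascii"),
    "2024-01-01T10:00:05Z 10.0.0.9 GET http://files.example/dl?sha256=" + "ab" * 32,
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def looks_base64(token: str) -> bool:
    """Heuristic: True when `token` is a plausible base64 blob rather than a hash or filler."""
    if HEX_ONLY.match(token):      # hashes and hex session ids share the alphabet
        return False
    if len(token) % 4 != 0:        # standard base64 is always padded to a multiple of 4
        return False
    try:
        base64.b64decode(token, validate=True)   # reject stray characters or bad padding
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(token) >= MIN_ENTROPY_BITS


def decoded_preview(token: str, limit: int = 60) -> str:
    """Printable preview of the decoded bytes; non-printable characters become '.'."""
    raw = base64.b64decode(token, validate=True)
    text = raw.decode("utf-8", errors="replace")
    safe = "".join(ch if ch in string.printable and ch not in "\r\n\t\x0b\x0c" else "." for ch in text)
    return safe[:limit]


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per base64-looking token, with its line index and decoded preview."""
    findings: List[Dict[str, object]] = []
    for index, line in enumerate(lines):
        for match in B64_TOKEN.finditer(line):
            token = match.group(0)
            if looks_base64(token):
                findings.append({"line": index, "token": token, "decoded": decoded_preview(token)})
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['token'][:32]}... -> {finding['decoded']}")
```

Run against the constructed lines, only the POST carrying the encoded host and user details is reported; the short beacon id, the hex asset hash and the SHA-256 parameter are all passed over. In production the decoded preview is the useful part for an analyst triaging a SIEM alert, and the thresholds should be tuned against a baseline of the environment's own traffic.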