attack.mitre.org
Using Adversary Behavior to
Strengthen Cyber Defense
No matter how strong your patching, compliance and security software,
a determined cyber adversary can typically find a way into your network.
But how did the attacker get in? How are they moving around? And how
can you use that knowledge to detect, mitigate and prevent future
attacks? The MITRE ATT&CK™ framework answers those questions by
providing a globally accessible knowledge base of adversary tactics and
techniques that are based on real-world observations of adversaries’
operations against computer networks. Armed with this knowledge,
organizations and security vendors can work toward improving detection
and prevention methods.
Get Started with ATT&CK
Use ATT&CK for Cyber Threat Intelligence
Use ATT&CK for Adversary Emulation and Red Teaming
Cyber threat intelligence comes from many sources, including knowledge
of past incidents, commercial threat feeds, information-sharing groups,
government threat-sharing programs, and more. ATT&CK gives analysts
a common language to communicate across reports and organizations,
providing a way to structure, compare, and analyze threat intelligence.
The best defense is a well-tested defense. ATT&CK provides a common
adversary behavior framework based on threat intelligence that red teams
can use to emulate specific threats. This helps cyber defenders find gaps in
visibility, defensive tools and processes—and then fix them.
Comparing APT 28 to Deep Panda
Join the ATT&CK Community
Pioneering with the Cyber Community for
Collaborative Defense
ATT&CK was first created by a MITRE internal research program using
our own data and operations. Now based on published, open source
threat information, MITRE provides the framework as a resource to the
cyber community. Anyone is free to leverage it, and everyone is free to
use and contribute to ATT&CK.
By making the ATT&CK knowledge base globally accessible, MITRE
supports a growing community that is fostering innovation in open
source tools, products and services based on the framework. ATT&CK is
experiencing significant growth across the cybersecurity community, with
wide adoption from industry, government and security vendors including
organizations like Microsoft, IBM, USAA, JPMorgan Chase, and Palo Alto.
With the creation of ATT&CK, MITRE is partnering with the cyber
community to fulfill its mission to solve problems for a safer world.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop
analytics that detect the techniques used by an adversary. Based on
threat intelligence included in ATT&CK or provided by analysts, cyber
defenders can create a comprehensive set of analytics to detect threats.
Finding Gaps in Defense
MITRE encourages other researchers, analysts and cyber defenders to join
our community and contribute new techniques and information.
MITRE ATT&CK Resources
attack.mitre.org
•
•
•
•
Access ATT&CK technical information
Contribute to ATT&CK
Follow our blog
Watch ATT&CK presentations
@MITREattack
Follow us on Twitter for the latest news.
Ini�al Access
Valid Accounts
Trusted Rela�onship
Supply Chain Compromise
Spearphishing via Service
Spearphishing Link
Spearphishing A�achment
Replica�on Through
Removable Media
Exploit Public-Facing
Applica�on
Hardware Addi�ons
Drive-by Compromise
Execu�on
Persistence
Privilege Escala�on
Defense Evasion
Scheduled Task
Trap
LSASS Driver
Local Job Scheduling
Launchctl
XSL Script Processing
Windows Remote
Management
User Execu�on
Trusted Developer U�li�es
Third-party So�ware
Space a�er Filename
Source
Signed Script
Proxy Execu�on
Service Execu�on
Scrip�ng
Rundll32
Regsvr32
Regsvcs/Regasm
PowerShell
Mshta
InstallU�l
Graphical User Interface
Exploita�on for
Client Execu�on
Execu�on through API
Dynamic Data Exchange
Control Panel Items
Compiled HTML File
Command-Line Interface
CMSTP
AppleScript
Windows Management
Instrumenta�on
Signed Binary
Proxy Execu�on
Execu�on through
Module Load
XSL Script Processing
Process Injec�on
Extra Window Memory Injec�on
Bypass User Account Control
Access Token Manipula�on
Valid Accounts
Plist Modifica�on
Image File Execu�on Op�ons Injec�on
DLL Search Order Hijacking
Web Shell
Web Service
Startup Items
Trusted Developer U�li�es
Setuid and Setgid
Timestomp
Service Registry Permissions Weakness
Template Injec�on
Port Monitors
Space a�er Filename
Path Intercep�on
So�ware Packing
New Service
SIP and Trust
Launch Daemon
Provider Hijacking
Hooking
Signed Binary
Proxy Execu�on
File System Permissions Weakness
Dylib Hijacking
Rundll32
Applica�on Shimming
Rootkit
AppInit DLLs
Regsvr32
AppCert DLLs
Regsvcs/Regasm
Accessibility Features
Redundant Access
Winlogon Helper DLL
Sudo Caching
Process Hollowing
Sudo
Process Doppelganging
Windows Management
SID-History Injec�on
Port Knocking
Instrumenta�on
Event Subscrip�on
Exploita�on for
Obfuscated Files
Privilege Escala�on
or Informa�on
SIP and Trust Provider
Hijacking
Network Share
Security Support Provider
Connec�on Removal
Screensaver
Modify Registry
Masquerading
Registry Run
Keys / Startup Folder
LC_MAIN Hijacking
Re-opened Applica�ons
Launchctl
Rc.common
InstallU�l
Port Knocking
Install Root Cer�ficate
Office Applica�on Startup
Indirect Command Execu�on
Netsh Helper DLL
Component Firmware
Modify Exis�ng Service
Indicator Removal from Tools
Logon Scripts
Indicator Blocking
Login Item
HISTCONTROL
LC_LOAD_DYLIB Addi�on
Hidden Window
Launch Agent
Hidden Users
Hidden Files and Directories
Kernel Modules
and Extensions
Gatekeeper Bypass
Hidden Files and Directories
File System Logical Offsets
External Remote Services
File Permissions Modifica�on
Create Account
File Dele�on
Component Object Model
Hijacking
Change Default
File Associa�on
Bootkit
BITS Jobs
Authen�ca�on Package
Account Manipula�on
.bash_profile and .bashrc
Time Providers
System Firmware
Shortcut Modifica�on
Redundant Access
Hypervisor
Component Firmware
Browser Extensions
Exploita�on for
Defense Evasion
Disabling Security Tools
Deobfuscate/Decode Files
or Informa�on
Control Panel Items
Component Object
Model Hijacking
Compiled HTML File
Code Signing
CMSTP
Clear Command History
BITS Jobs
Signed Script Proxy Execu�on
Scrip�ng
NTFS File A�ributes
Mshta
Indicator Removal on Host
DLL Side-Loading
DCShadow
Creden�alAccess
Discovery
Network Sniffing
System Time Discovery
System Service Discovery
Two-Factor Authen�ca�on
Intercep�on
Private Keys
Password Filter DLL
LLMNR/NBT-NS Poisoning
Keychain
Kerberoas�ng
Input Prompt
Input Capture
Hooking
Forced Authen�ca�on
Exploita�on for
Creden�al Access
Creden�als in Files
Creden�al Dumping
Brute Force
Bash History
Account Manipula�on
Securityd Memory
Creden�als in Registry
System Owner/User
Discovery
System Network
Configura�on Discovery
Security So�ware Discovery
Remote System Discovery
Query Registry
Process Discovery
Permission Groups Discovery
Peripheral Device Discovery
Password Policy Discovery
Network Share Discovery
Network Service Scanning
File and Directory Discovery
Browser Bookmark Discovery
Applica�on Window
Discovery
System Network
Connec�ons Discovery
Lateral Movement
Collec�on
Exfiltra�on
Command and Control
Windows Remote
Management
Third-party So�ware
Taint Shared Content
SSH Hijacking
Shared Webroot
Video Capture
Screen Capture
Man in the Browser
Input Capture
Email Collec�on
Data Staged
Data from Removable Media
Scheduled Transfer
Web Service
Uncommonly Used Port
Replica�on Through
Removable Media
Remote File Copy
Remote Desktop Protocol
Pass the Ticket
Pass the Hash
Logon Scripts
Exploita�on of
Remote Services
Data from Network
Shared Drive
Data from Informa�on
Repositories
Automated Collec�on
Audio Capture
Data from Local System
Clipboard Data
Exfiltra�on Over
Physical Medium
Exfiltra�on Over Command
and Control Channel
Data Transfer Size Limits
Data Encrypted
Data Compressed
Automated Exfiltra�on
Exfiltra�on Over Other
Network Medium
Exfiltra�on Over
Alterna�ve Protocol
Applica�on Deployment
So�ware
Windows Admin Shares
Remote Services
Distributed Component
Object Model
AppleScript
System Informa�on
Discovery
Account Discovery
The MITRE ATT&CK™
Enterprise Framework
attack.mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288.
Standard Non-Applica�on
Layer Protocol
Standard Applica�on
Layer Protocol
Remote Access Tools
Port Knocking
Mul�layer Encryp�on
Mul�band Communica�on
Mul�-Stage Channels
Mul�-hop Proxy
Fallback Channels
Domain Fron�ng
Data Obfusca�on
Data Encoding
Custom Cryptographic
Protocol
Connec�on Proxy
Communica�on Through
Removable Media
Standard Cryptographic
Protocol
Remote File Copy
Custom Command and
Control Protocol
Commonly Used Port