MITRE ATT&CK Enterprise Framework

Initial Access

Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts

Execution

AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Component Object Model and Distributed COM
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management Instrumentation
Windows Remote Management
XSL Script Processing

Persistence

.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
Emond
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
PowerShell Profile
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Server Software Component
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management Instrumentation Event Subscription
Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Elevated Execution with Prompt
Emond
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Parent PID Spoofing
Path Interception
Plist Modification
Port Monitors
PowerShell Profile
Process Injection
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell

Defense Evasion

Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Connection Proxy
Control Panel Items
DCShadow
Deobfuscate/Decode Files or Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File and Directory Permissions Modification
File Deletion
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection Removal
NTFS File Attributes
Obfuscated Files or Information
Parent PID Spoofing
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing

Credential Access

Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials from Web Browsers
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Steal Web Session Cookie
Two-Factor Authentication Interception

Discovery

Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion

Lateral Movement

AppleScript
Application Deployment Software
Component Object Model and Distributed COM
Exploitation of Remote Services
Internal Spearphishing
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management

Collection

Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture

Command and Control

Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service

Exfiltration

Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Scheduled Transfer

Impact

Account Access Removal
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
System Shutdown/Reboot
Stored Data Manipulation
Transmitted Data Manipulation


© 2020 MITRE. Matrix current as of February 2020.
