The document discusses changes made to the PRE-ATT&CK framework. It introduced two new pre-compromise tactics - Reconnaissance and Resource Development. Reconnaissance covers techniques for actively or passively gathering victim information. Resource Development covers techniques for building, buying, or compromising resources that can be used in targeting. The document encourages feedback and contributions to further improve PRE-ATT&CK.
1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
PUTTING THE PRE INTO ATT&CK
Mike Hartley (@thecookiewanter)
Jamie Williams (@jamieantisocial)
@MITREattack
2.
The ATT&CK v8 Enterprise matrix with the two new pre-compromise tactics at the left. The full matrix is not reproduced here; only the tactic headers and the two new columns follow.

Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Reconnaissance:
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Search Victim-Owned Websites

Resource Development:
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities

Source: http://gph.is/1cEuQWX
3.

4.
History of PRE-ATT&CK
Initially released in 2017
Separate matrix w/ 17 Tactics
Adversary behaviors leading to compromise
Example use cases:
Are there signs that an adversary might be targeting you?
Prioritize open-source intelligence gathering / sharing
5.
The Long Con
In 2018 (v2) the Launch and Compromise Tactics were refactored into Initial Access
6.
Final Merge
Deprecated the PRE-ATT&CK matrix in favor of a PRE platform within Enterprise ATT&CK
2 new Tactics
Criteria for inclusion:
1. Technical
2. Visible to some defenders
3. Evidence of adversary use
7.
Reconnaissance
Actively or passively gathering information that can be used to support targeting.
10 Techniques & 31 Sub-techniques
Split into what & how: techniques named for what is gathered (the Gather Victim Host/Identity/Network/Org Information techniques) and for how it is gathered (Active Scanning, Phishing for Information, and the Search techniques)
8.
Resource Development
Building, buying, or compromising resources that can be used during targeting
Resource types: Infrastructure, Accounts, Capabilities
6 Techniques & 26 Sub-techniques
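One Resource Development artifact a defender can actually see is a look-alike domain registered ahead of a phishing or command-and-control campaign. The script below is an added example, not MITRE's or the deck's code: it folds punycode, accents and homoglyphs out of newly registered domain labels and scores them against an assumed brand. BRANDS, OWN_DOMAINS, the confusables table, the edit-distance threshold and SAMPLE_FEED are all this example's constructed assumptions; a real feed would come from certificate-transparency logs, passive DNS or WHOIS monitoring.

```python
"""
Flag newly registered domains that look like a defender's own brand.

Added example, not MITRE code. BRANDS, OWN_DOMAINS and SAMPLE_FEED are
constructed; in practice the feed would come from certificate-transparency
logs, passive DNS or WHOIS monitoring of new registrations.
"""
import unicodedata

BRANDS = ["examplecorp"]            # assumed brand label(s) to protect
OWN_DOMAINS = {"examplecorp.com"}   # assumed allowlist of domains we own

# Characters adversaries substitute for Latin letters: Cyrillic look-alikes
# render identically in most fonts; the ASCII pairs are classic typosquats.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "rn": "m", "vv": "w",
}
# Longest keys first so "rn" -> "m" runs before any single-character rule.
_FOLD_ORDER = sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0]))


def registrable_label(domain: str) -> str:
    """Label immediately left of the TLD. Assumes single-label TLDs (.com, .net)."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def canonical(label: str) -> str:
    """Decode punycode, drop accents, and fold confusables to plain ASCII."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")   # IDN feeds arrive as punycode
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in _FOLD_ORDER:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a brand indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str, brands=BRANDS, max_edits: int = 2):
    """Return (brand, reason) for a look-alike domain, or None if it is benign."""
    domain = domain.strip().lower().rstrip(".")
    if domain in OWN_DOMAINS:
        return None
    raw = registrable_label(domain)
    folded = canonical(raw)
    for brand in brands:
        if folded == brand:
            return (brand, "homoglyph" if raw != brand else "brand on unowned TLD")
        if brand in folded:
            return (brand, "brand embedded")   # examplecorp-login, secure-examplecorp
        if levenshtein(folded, brand) <= max_edits:
            return (brand, "typosquat")
    return None


def scan_feed(feed):
    """Run score_domain over a list of newly registered domains; keep only hits."""
    hits = []
    for domain in feed:
        hit = score_domain(domain)
        if hit:
            hits.append((domain,) + hit)
    return hits


# Constructed sample feed, not real registration data.
SAMPLE_FEED = [
    "examplecorp.com",               # our own domain, allowlisted
    "examplecorp.net",               # exact brand on a TLD we do not own
    "examp1ecorp.net",               # digit 1 for letter l
    "exаmplecorp.com",               # Cyrillic 'а' in place of Latin 'a'
    "login.examplecorp-secure.com",  # brand embedded in a longer label
    "exampelcorp.com",               # transposed letters
    "contoso.com",                   # unrelated
]

if __name__ == "__main__":
    for domain, brand, reason in scan_feed(SAMPLE_FEED):
        print(f"{domain:32} looks like {brand}: {reason}")
```

The confusables table is deliberately short; a production version would use the Unicode confusables data and a public-suffix list rather than the single-label-TLD assumption in registrable_label.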
9.
Technique Metadata
New PRE platform
New Pre-compromise Mitigation, ex: "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on..."
Data sources and Detections relevant to potential Enterprise artifacts
Source: https://i.pinimg.com/originals/71/6a/5b/716a5b5b8847470b77dde4a4b67f2a2b.gif
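The slide's point that pre-compromise techniques are detected, if at all, through Enterprise artifacts can be made concrete with web-server logs. The script below is an added example, not MITRE's code: it groups a constructed Apache combined-format log by client and labels request bursts as Active Scanning (T1595) or Search Victim-Owned Websites (T1594). The thresholds, PROBE_PATHS, the scanner user-agent list and SAMPLE_LOG are this example's own assumptions, not values ATT&CK defines.

```python
"""
Score web-server access logs for pre-compromise reconnaissance.

Added example, not MITRE code. SAMPLE_LOG is constructed in Apache
"combined" format; the thresholds, PROBE_PATHS, SCANNER_UA and the
mapping to technique IDs are this example's choices, not ATT&CK's.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths this (assumed) site never served; only a vulnerability scanner asks for them.
PROBE_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/admin/config.php"}
# User-agent fragments of common scanners (trivially spoofed, so only one signal of several).
SCANNER_UA = re.compile(r"nikto|sqlmap|nuclei|masscan|zgrab|nmap", re.I)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def score_clients(lines, window_s: int = 60, min_requests: int = 5):
    """
    Group requests by client IP and label bursts that look like reconnaissance.

    Returns {ip: (technique, evidence)}. A client sending at least min_requests
    inside window_s seconds is labelled Active Scanning when it probes known-bad
    paths, announces a scanner UA, or mostly draws errors; it is labelled site
    enumeration when it walks many distinct pages that all succeed.
    Assumption: one burst per client in the sample (no sliding window).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) < min_requests or span > window_s:
            continue                                   # too slow or too few to judge
        paths = {r["path"] for r in recs}
        error_ratio = sum(r["status"] >= 400 for r in recs) / len(recs)
        probes = sorted(paths & PROBE_PATHS)
        scanner_ua = any(SCANNER_UA.search(r["ua"]) for r in recs)
        evidence = {"requests": len(recs), "seconds": span, "distinct_paths": len(paths),
                    "error_ratio": round(error_ratio, 2), "probe_paths": probes,
                    "scanner_ua": scanner_ua}
        if probes or scanner_ua or error_ratio >= 0.5:
            findings[ip] = ("T1595 Active Scanning", evidence)
        elif len(paths) >= min_requests and error_ratio < 0.2:
            findings[ip] = ("T1594 Search Victim-Owned Websites", evidence)
    return findings


# Constructed sample log (combined format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2020:13:55:36 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [10/Oct/2020:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [10/Oct/2020:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [10/Oct/2020:13:55:42 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [10/Oct/2020:13:55:45 +0000] "GET /admin/config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [10/Oct/2020:13:55:50 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.20 - - [10/Oct/2020:13:57:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.20 - - [10/Oct/2020:13:57:04 +0000] "GET /about HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.20 - - [10/Oct/2020:13:57:09 +0000] "GET /team HTTP/1.1" 200 7788 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.20 - - [10/Oct/2020:13:57:15 +0000] "GET /careers HTTP/1.1" 200 3901 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.20 - - [10/Oct/2020:13:57:21 +0000] "GET /contact HTTP/1.1" 200 2250 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.20 - - [10/Oct/2020:13:57:28 +0000] "GET /news HTTP/1.1" 200 6602 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '192.0.2.9 - - [10/Oct/2020:14:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.0.2.9 - - [10/Oct/2020:14:07:45 +0000] "GET /about HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for ip, (technique, evidence) in score_clients(SAMPLE_LOG).items():
        print(f"{ip:16} {technique}: {evidence}")
```

Neither label is a confirmed intrusion; the deck's own point is that these behaviours happen outside enterprise controls, so the output is a lead for threat intelligence (which of our pages and people were enumerated, which scanner fingerprints recur) rather than an alert to block on.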
10.
Why?
Promote more adoption and contributions
More integration across the spectrum of adversary behaviors
Source: https://gph.is/g/Z5K7bQE
11.
Gone But Not Forgotten
Previous versions (< v8) will retain the full matrix as well as individual techniques
12.
How Can You Help?
Feedback and contributions!
New techniques + scoping of existing techniques
Documentation of potential detections and mitigations
Reported instances of adversary procedure examples
Source: http://gph.is/2colVQl
13.
Special Thanks