Adversarial Tactics,
Techniques and Common
Knowledge (ATT&CK™)
Blake Strom
August 2015
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
© 2015 The MITRE Corporation. All rights reserved.
|2|
Cyber Attack Lifecycle
Recon
Deliver
Weaponize
Control
Exploit
Maintain
Execute
Traditional CND
ATT&CK
Better understand tactics used by the adversary already
operating within a network
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|3|
Threat Based Modeling
• Cyber threat
analysis
• Research
• Industry reports
Adversary
Behavior
© 2015 The MITRE Corporation. All rights reserved.
ATT&CK
• Adversary
model
• Post-access
techniques
• Data sources
• Analytics
• Prioritization
Enterprise
Defense
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|4|
Cyber Attack Lifecycle – Enhanced
Persistence
 Privilege Escalation
 Credential Access
 Host Enumeration
 Defense Evasion
 Lateral Movement
 Execution
 Command and Control
 Exfiltration

Threat data informed adversary model
Higher fidelity on right-of-exploit, post-access phases
Describes behavior sans adversary tools
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|5|
ATT&CK Adversary Model
 Consists of:
1. Decomposed post-exploit
phases of Cyber Attack
Lifecycle
2. List of techniques available to
adversaries for each phase
3. Possible methods of detection
and mitigation
4. Apply documented adversary
use of techniques
 Publically available adversary
information is a problem
– Not granular enough
– Insufficient volume
© 2015 The MITRE Corporation. All rights reserved.
Image source: www.mrpotatohead.net
Mr. Potato Head is a registered trademark of Hasbro Inc.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|6|
Use of Public Adversary Information
 Publicly reported adversary group and tool coverage:
– 16 groups and counting
 Examples: APT28, APT30, DarkHotel, Hurricane Panda, Ke3chang,
Cleaver, Axiom
– 30 tools and counting
 Examples: Mimikatz, PsExec, dsquery, Hikit, PlugX, Poison Ivy
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|7|
Technique Details
Persistence –New Service
– Description: Installation of a new service. May use service name
from previous or newer OS or create entirely new service name.
– Platform: Windows
– Permissions required: Administrator, SYSTEM
– Effective permissions: SYSTEM
– Use: Part of initial infection vector or used during operation to
locally or remotely execute persistent malware.
– Detection: Monitor new service creation. Look for out of the
ordinary service names and activity that does not correlate with
known-good software, patches, etc. New services may show up as
outlier processes that have not been seen before when compared
against historical data.
– Data Sources: Windows Registry, process information
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
|8|
ATT&CK: The Tactics and Techniques
Persistence
Privilege
Escalation
Defense
Evasion
Legitimate Credentials
Binary
Accessibility Features
Padding
AddMonitor
DLL SideDLL Search Order Hijack
Loading
Disabling
Edit Default File Handlers
Security
New Service
Tools
Path Interception
File System
Scheduled Task
Logical
Service File Permission
Offsets
Weakness
Process
Hollowing
Shortcut Modification
Rootkit
Web shell
Bypass
UAC
BIOS
DLL Injection
Hypervisor
Indicator
Exploitation
Rootkit
blocking
on
of
host
Logon Scripts
Vulnerability
Indicator
Master Boot
removal from
Record
tools
Indicator
Mod. Exist’g
removal from
Service
host
Registry Run
MasqueradKeys
ing
NTFS
Serv. Reg. Perm.
Extended
Weakness
Attributes
Windows Mgmt
Obfuscated
Instr. Event
Payload
Subsc.
Rundll32
Winlogon Helper
Scripting
DLL
Software
Packing
Timestomp
© 2015 The MITRE Corporation. All rights reserved.
Credential
Access
Host
Enumeration
Lateral
Movement
Credential
Dumping
Credentials
in Files
Network
Sniffing
User
Interaction
Credential
manipulation
Account
enumeration
File system
enumeration
Application
deployment
software
Exploitation
of
Vulnerability
Logon
scripts
Pass the
hash
Pass the
ticket
Peer
connections
Remote
Desktop
Protocol
Group
permission
enumeration
Local
network
connection
enumeration
Local
networking
enumeration
Operating
system
enumeration
Owner/User
enumeration
Process
enumeration
Security
software
enumeration
Service
enumeration
Window
enumeration
Execution
Command
Line
File Access
PowerShell
Process
Hollowing
Registry
Rundll32
Scheduled
Task
Service
Manipulation
Third Party
Software
Windows management
instrumentation
Windows remote
management
Remote
Services
Replication
through
removable
media
Shared
webroot
Taint shared
content
Windows
admin
shares
C2
Exfiltration
Commonly
used port
Comm
through
removable
media
Custom
application
layer
protocol
Custom
encryption
cipher
Data
obfuscation
Fallback
channels
Multiband
comm
Multilayer
encryption
Peer
connections
Standard app
layer
protocol
Standard
non-app
layer
protocol
Standard
encryption
cipher
Uncommonly
used port
Automated
or scripted
exfiltration
Data
compressed
Data
encrypted
Data size
limits
Data staged
Exfil over C2
channel
Exfil over
alternate
channel to
C2 network
Exfil over
other
network
medium
Exfil over
physical
medium
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
From local
system
From
network
resource
From
removable
media
Scheduled
transfer
|9|
Applications
 Gap analysis with current defenses
 Prioritize detection/mitigation of heavily used techniques
 Information sharing
 Track a specific adversary’s set of techniques
 Simulations, exercises
 New technologies, research
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
| 10 |
Tactic Breakdown
Persistence
Privilege
Escalation
Credential
Access
Host
Enumeration
Defense
Evasion
20
14
5
11
Lateral
Movement
Execution
Command
and Control
Exfiltration
14
11
13
13
19
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
| 11 |
Publicly Known Adversary Use
Persistence
Privilege
Escalation
Credential
Access
Host
Enumeration
Defense
Evasion
20
14
5
Lateral
Movement
5
Execution
4
Command
and Control
3
Exfiltration
11
8
19
12
© 2015 The MITRE Corporation. All rights reserved.
14
6
11
5
13
10
13
4
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
| 12 |
Publically Reported Technique Use
Persistence
Privilege
Escalation
Defense
Evasion
Legitimate Credentials
Binary
Accessibility Features
Padding
AddMonitor
DLL SideDLL Search Order Hijack
Loading
Disabling
Edit Default File Handlers
Security
New Service
Tools
Path Interception
File System
Scheduled Task
Logical
Service File Permission
Offsets
Weakness
Process
Hollowing
Shortcut Modification
Rootkit
Web shell
Bypass
UAC
BIOS
DLL Injection
Hypervisor
Indicator
Exploitation
Rootkit
blocking
on
of
host
Logon Scripts
Vulnerability
Indicator
Master Boot
removal from
Record
tools
Indicator
Mod. Exist’g
removal from
Service
host
Registry Run
MasqueradKeys
ing
NTFS
Serv. Reg. Perm.
Extended
Weakness
Attributes
Windows Mgmt
Obfuscated
Instr. Event
Payload
Subsc.
Rundll32
Winlogon Helper
Scripting
DLL
Software
Packing
Timestomp
© 2015 The MITRE Corporation. All rights reserved.
Credential
Access
Host
Enumeration
Lateral
Movement
Credential
Dumping
Credentials
in Files
Network
Sniffing
User
Interaction
Credential
manipulation
Account
enumeration
File system
enumeration
Application
deployment
software
Exploitation
of
Vulnerability
Logon
scripts
Pass the
hash
Pass the
ticket
Peer
connections
Remote
Desktop
Protocol
Group
permission
enumeration
Local
network
connection
enumeration
Local
networking
enumeration
Operating
system
enumeration
Owner/User
enumeration
Process
enumeration
Security
software
enumeration
Service
enumeration
Window
enumeration
Execution
Command
Line
File Access
PowerShell
Process
Hollowing
Registry
Rundll32
Scheduled
Task
Service
Manipulation
Third Party
Software
Windows management
instrumentation
Windows remote
management
Remote
Services
Replication
through
removable
media
Shared
webroot
Taint shared
content
Windows
admin
shares
C2
Exfiltration
Commonly
used port
Comm
through
removable
media
Custom
application
layer
protocol
Custom
encryption
cipher
Data
obfuscation
Fallback
channels
Multiband
comm
Multilayer
encryption
Peer
connections
Standard app
layer
protocol
Standard
non-app
layer
protocol
Standard
encryption
cipher
Uncommonly
used port
Automated
or scripted
exfiltration
Data
compressed
Data
encrypted
Data size
limits
Data staged
Exfil over C2
channel
Exfil over
alternate
channel to
C2 network
Exfil over
other
network
medium
Exfil over
physical
medium
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
From local
system
From
network
resource
From
removable
media
Scheduled
transfer
| 13 |
Notional Defense Gaps
Persistence
Privilege
Escalation
Defense
Evasion
Legitimate Credentials
Binary
Accessibility Features
Padding
AddMonitor
DLL SideDLL Search Order Hijack
Loading
Disabling
Edit Default File Handlers
Security
New Service
Tools
Path Interception
File System
Scheduled Task
Logical
Service File Permission
Offsets
Weakness
Process
Hollowing
Shortcut Modification
Rootkit
Web shell
Bypass
UAC
BIOS
DLL Injection
Hypervisor
Indicator
Exploitation
Rootkit
blocking
on
of
host
Logon Scripts
Vulnerability
Indicator
Master Boot
removal from
Record
tools
Indicator
Mod. Exist’g
removal from
Service
host
Registry Run
MasqueradKeys
ing
NTFS
Serv. Reg. Perm.
Extended
Weakness
Attributes
Windows Mgmt
Obfuscated
Instr. Event
Payload
Subsc.
Rundll32
Winlogon Helper
Scripting
DLL
Software
Packing
Timestomp
© 2015
The MITRE Corporation.
All Detect
rights reserved.
Detect
Partially
Credential
Access
Host
Enumeration
Lateral
Movement
Credential
Dumping
Credentials
in Files
Network
Sniffing
User
Interaction
Credential
manipulation
Account
enumeration
File system
enumeration
Application
deployment
software
Exploitation
of
Vulnerability
Logon
scripts
Pass the
hash
Pass the
ticket
Peer
connections
Remote
Desktop
Protocol
No Detect
Group
permission
enumeration
Local
network
connection
enumeration
Local
networking
enumeration
Operating
system
enumeration
Owner/User
enumeration
Process
enumeration
Security
software
enumeration
Service
enumeration
Window
enumeration
Execution
Command
Line
File Access
PowerShell
Process
Hollowing
Registry
Rundll32
Scheduled
Task
Service
Manipulation
Third Party
Software
Windows management
instrumentation
Windows remote
management
Remote
Services
Replication
through
removable
media
Shared
webroot
Taint shared
content
Windows
admin
shares
C2
Exfiltration
Commonly
used port
Comm
through
removable
media
Custom
application
layer
protocol
Custom
encryption
cipher
Data
obfuscation
Fallback
channels
Multiband
comm
Multilayer
encryption
Peer
connections
Standard app
layer
protocol
Standard
non-app
layer
protocol
Standard
encryption
cipher
Uncommonly
used port
Automated
or scripted
exfiltration
Data
compressed
Data
encrypted
Data size
limits
Data staged
Exfil over C2
channel
Exfil over
alternate
channel to
C2 network
Exfil over
other
network
medium
Exfil over
physical
medium
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
From local
system
From
network
resource
From
removable
media
Scheduled
transfer
| 14 |
Adversary Visibility at the Perimeter
Persistence
Privilege
Escalation
Defense
Evasion
Legitimate Credentials
Binary
Accessibility Features
Padding
AddMonitor
DLL SideDLL Search Order Hijack
Loading
Disabling
Edit Default File Handlers
Security
New Service
Tools
Path Interception
File System
Scheduled Task
Logical
Service File Permission
Offsets
Weakness
Process
Hollowing
Shortcut Modification
Rootkit
Web shell
Bypass
UAC
BIOS
DLL Injection
Hypervisor
Indicator
Exploitation
Rootkit
blocking
on
of
host
Logon Scripts
Vulnerability
Indicator
Master Boot
removal from
Record
tools
Indicator
Mod. Exist’g
removal from
Service
host
Registry Run
MasqueradKeys
ing
NTFS
Serv. Reg. Perm.
Extended
Weakness
Attributes
Windows Mgmt
Obfuscated
Instr. Event
Payload
Subsc.
Rundll32
Winlogon Helper
Scripting
DLL
Software
Packing
Timestomp
Credential
Access
Host
Enumeration
Lateral
Movement
Credential
Dumping
Credentials
in Files
Network
Sniffing
User
Interaction
Credential
manipulation
Account
enumeration
File system
enumeration
Application
deployment
software
Exploitation
of
Vulnerability
Logon
scripts
Pass the
hash
Pass the
ticket
Peer
connections
Remote
Desktop
Protocol
© 2015
The MITRE Corporation.
rights reserved. No Visibility
Full
Visibility
PartiallyAllVisibility
Group
permission
enumeration
Local
network
connection
enumeration
Local
networking
enumeration
Operating
system
enumeration
Owner/User
enumeration
Process
enumeration
Security
software
enumeration
Service
enumeration
Window
enumeration
Execution
Command
Line
File Access
PowerShell
Process
Hollowing
Registry
Rundll32
Scheduled
Task
Service
Manipulation
Third Party
Software
Windows management
instrumentation
Windows remote
management
Remote
Services
Replication
through
removable
media
Shared
webroot
Taint shared
content
Windows
admin
shares
C2
Exfiltration
Commonly
used port
Comm
through
removable
media
Custom
application
layer
protocol
Custom
encryption
cipher
Data
obfuscation
Fallback
channels
Multiband
comm
Multilayer
encryption
Peer
connections
Standard app
layer
protocol
Standard
non-app
layer
protocol
Standard
encryption
cipher
Uncommonly
used port
Automated
or scripted
exfiltration
Data
compressed
Data
encrypted
Data size
limits
Data staged
Exfil over C2
channel
Exfil over
alternate
channel to
C2 network
Exfil over
other
network
medium
Exfil over
physical
medium
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
From local
system
From
network
resource
From
removable
media
Scheduled
transfer
| 15 |
Adversary Visibility at the Perimeter
 Adversary has the most latitude for
variation at the network level
 Firewall, IDS/IPS, netflow, proxy, mail
gateway, WCF, SSL MitM, protocol
decoders, anomaly detection etc…
 All partial solutions
 Don’t add up to a complete one
 Often require specific prior knowledge
– IPs, domains, malware changed easily
 Sector, organization specific infrastructure
 Frequently modify tools
 Use legitimate channels
 Better coverage with host sensing
Visibility
Partially
©Full
2015
The MITRE Corporation.
All Visibility
rights reserved.
No Visibility
Defense
Evasion
Legit. Cred.
Binary
Padding
DLL SideLoading
Disabling
Security
Tools
File System
Logical
Offsets
Process
Hollowing
Rootkit
Bypass UAC
DLL Injection
Indicator
blocking on
host
Indicator
removal from
tools
Indicator
removal from
host
Masquerading
NTFS
Extended
Attributes
Obfuscated
Payload
Rundll32
Scripting
Software
Packing
Timestomp
C2
Exfiltration
Commonly
used port
Comm
through
removable
media
Custom
application
layer
protocol
Custom
encryption
cipher
Data
obfuscation
Fallback
channels
Multiband
comm
Multilayer
encryption
Peer
connections
Standard app
layer
protocol
Standard
non-app
layer
protocol
Standard
encryption
cipher
Uncommonly
used port
Automated
or scripted
exfiltration
Data
compressed
Data
encrypted
Data size
limits
Data staged
Exfil over C2
channel
Exfil over
alternate
channel to
C2 network
Exfil over
other
network
medium
Exfil over
physical
medium
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
From local
system
From
network
resource
From
removable
media
Scheduled
transfer
| 16 |
Public Website – attack.mitre.org
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288
| 17 |
Questions?
More information:
attack.mitre.org
Questions and contributions:
[email protected]
Twitter:
@MITREattack
© 2015 The MITRE Corporation. All rights reserved.
Approved for Public Release; Distribution Unlimited. Case Number 15-1288