MITRE ATT&CK Framework


MITRE ATT&CK is a knowledge base of adversary behavior. It describes the methods attackers use to break into networked computer systems and take control of them, organized as the tactics and techniques observed in real intrusions. The knowledge base catalogs the attack techniques adversaries are known to employ and pairs them with defensive measures, so that security teams can use ATT&CK to build and improve their defense strategies.

The MITRE ATT&CK Framework categorizes the attack tactics and techniques used by adversaries and defines defense strategies against these tactics. It consists of two main sections:

Tactics: These express the general objectives of an attack, such as initial access, execution, persistence, and privilege escalation, among others.

Techniques: These are the specific methods by which a tactic is achieved. For instance, under the “Execution” tactic, techniques like “Command-Line Interface” or “Scripting” can be found.

In short, the MITRE ATT&CK Framework catalogs the methods cyber adversaries use and gives security teams a common vocabulary to work from when developing defense strategies.

TACTICS

Initial Access: This tactic covers the stage at which attackers gain their first foothold in a target network or its systems, often by exploiting vulnerabilities or weaknesses.

Tools: Metasploit, Cobalt Strike, Social Engineering Toolkit (SET)
Examples: Spear phishing, Exploit Public-Facing Application

Execution: This stage encompasses methods for attackers to run malicious code or perform actions on systems. Attackers typically operate using command-line tools or scripting languages.

Tools: PowerShell, Command Prompt, Shell Scripting
Examples: Command-Line Interface, Scripting

Persistence: Attackers employ various techniques to maintain access to a system they have breached, ensuring continued access after system restarts or updates.

Tools: Windows Registry, Windows Task Scheduler, Cron
Examples: Registry Run Keys/Startup Folder, Scheduled Task

Privilege Escalation: Attackers look for ways to turn low-level access rights into higher-level privileges, typically to gain more control over a system or network.

Tools: Mimikatz, Windows Credential Editor, PowerUp
Examples: Exploitation of Vulnerability, Access Token Manipulation

Defense Evasion: Attackers attempt to bypass defense mechanisms to avoid detection or prevention efforts. This includes various techniques to evade monitoring, detection, or blocking.

Tools: Process Hacker, ProcDump, Process Explorer
Examples: File Deletion, Process Injection

Credential Access: Attackers use methods to obtain user credentials (e.g., passwords or login data), either by directly stealing them or accessing stored credentials.

Tools: Mimikatz, LaZagne, Keystroke Logging Software
Examples: Credential Dumping, Keylogging

Discovery: Attackers engage in information gathering to explore and work within a target network or systems. This involves obtaining information such as system configurations, network topology, or user details.

Tools: Nmap, Windows Management Instrumentation (WMI), Bloodhound
Examples: Query Registry, System Information Discovery

Lateral Movement: After gaining a foothold on one system, attackers work to reach other systems within the network, spreading from each compromised host to the next.

Tools: PsExec, Bloodhound, CrackMapExec (CME)
Examples: Remote Desktop Protocol, SMB/Windows Admin Shares

Collection: Attackers employ various methods to gather data or information from target systems or networks, including collecting sensitive or useful information.

Tools: FTK Imager, Wireshark, Snort
Examples: Data from Local System, Data from Network Shared Drive

Exfiltration: Attackers use methods to remove collected data from the target system or network, involving transferring stolen data to an external server.

Tools: FTP, DNS Tunneling, HTTP/S
Examples: Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol

Impact: Attackers may use various methods to damage systems or networks or to disrupt services, often through the use of malicious software.

Tools: SDelete, Diskpart, rm (Unix/Linux)
Examples: Data Destruction, Disk Wipe
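The tactic-to-technique structure laid out above, turned into a small detection-coverage check as an added example (this is not code from the article or from MITRE; the technique names are the ones this page lists, and the rule names and tags in RULES are constructed):

```python
# Added example (not from the article or MITRE): a minimal model of the tactic -> technique
# structure described above, scored against a detection inventory. Names are as this page lists them.
from collections import defaultdict

MATRIX = {
    "Initial Access": ["Spear phishing", "Exploit Public-Facing Application"],
    "Execution": ["Command-Line Interface", "Scripting"],
    "Persistence": ["Registry Run Keys/Startup Folder", "Scheduled Task"],
    "Privilege Escalation": ["Exploitation of Vulnerability", "Access Token Manipulation"],
    "Defense Evasion": ["File Deletion", "Process Injection"],
    "Credential Access": ["Credential Dumping", "Keylogging"],
    "Discovery": ["Query Registry", "System Information Discovery"],
    "Lateral Movement": ["Remote Desktop Protocol", "SMB/Windows Admin Shares"],
    "Collection": ["Data from Local System", "Data from Network Shared Drive"],
    "Exfiltration": ["Exfiltration Over Command and Control Channel", "Exfiltration Over Alternative Protocol"],
    "Impact": ["Data Destruction", "Disk Wipe"],
}

def _norm(name):
    """Case- and whitespace-insensitive key so rule tags match matrix entries."""
    return " ".join(name.lower().split())

def tactics_for(technique):
    """All tactics a technique appears under (ATT&CK lets one technique serve several)."""
    key = _norm(technique)
    return [t for t, techs in MATRIX.items() if key in map(_norm, techs)]

def coverage(rules):
    """rules: {rule_name: [technique tags]} -> (per-tactic summary, unmatched tags)."""
    covered, unknown = defaultdict(set), []
    for rule, tags in rules.items():
        for tag in tags:
            hits = tactics_for(tag)
            if not hits:                      # surface typos instead of dropping them
                unknown.append((rule, tag))
            for tactic in hits:
                covered[tactic].add(_norm(tag))
    summary = {}
    for tactic, techs in MATRIX.items():
        missing = [t for t in techs if _norm(t) not in covered[tactic]]
        summary[tactic] = {"covered": len(techs) - len(missing), "total": len(techs), "missing": missing}
    return summary, unknown

# Constructed detection inventory (hypothetical rule names and tags).
RULES = {
    "PowerShell with encoded command": ["Scripting", "command-line interface"],
    "LSASS memory access by non-system process": ["Credential Dumping"],
    "Scheduled task created outside change window": ["Scheduled Task"],
    "Registry autorun added": ["Registry Run Key"],  # mistyped tag, must be reported
}
```

Running `coverage(RULES)` shows which tactics have no detection at all and which rule tags failed to match the matrix, which is the first step of a coverage gap review.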


TECHNIQUES

Command and Scripting Interpreter: Attackers operate by using tools that can execute commands or scripts on systems. This can be achieved through the use of command-line tools or scripting languages.

Tools: PowerSploit, Empire, Covenant
Examples: PowerShell, Command Prompt (cmd), Python

Resource Development: Attackers build the resources they need for an operation, such as custom exploits, malicious software, or backdoors.

Tools: Metasploit Framework, Veil, Cobalt Strike
Examples: Custom exploits, malicious software, backdoors

Credential Access: Attackers employ various techniques to obtain user credentials. This involves methods such as stealing passwords, hashes, or login information.

Tools: Mimikatz, LaZagne, Evilginx
Examples: Pass-the-Hash, Phishing, Keylogging

Discovery: Attackers use various techniques to explore information within a target system or network. This includes obtaining information like system configurations, network topology, or user details.

Tools: Nmap, Bloodhound, Windows Management Instrumentation (WMI)
Examples: Network Scanning, System Information Discovery

Lateral Movement: Attackers attempt to move from one system to another or within a network after gaining initial access to a system. This involves various techniques used to spread from one system to another.

Tools: CrackMapExec (CME), PsExec, Bloodhound
Examples: Remote Desktop Protocol (RDP) Hacking, SMB Relay

Collection: Attackers use various methods to gather data or information from a target system or network. This includes collecting sensitive or useful information.

Tools: FTK Imager, USB Rubber Ducky, Wireshark
Examples: Data from Local System, Data from Removable Media

Command and Control: Attackers use command-and-control (C2) channels to direct compromised systems, for example to operate malicious software or send it attack commands.

Tools: Meterpreter, Cobalt Strike, Empire
Examples: Remote Access Trojans (RATs), Command-Line Interface

Exfiltration: Attackers use methods to export collected data from the target system or network. This involves transferring stolen data to an external server.

Tools: FTP, DNS Tunneling, HTTP/S
Examples: Data Compressed, Exfiltration Over Command and Control Channel

Impact: Attackers may employ various methods to damage systems or networks, often achieved through the use of malicious software.

Tools: SDelete, Diskpart, rm (Unix/Linux)
Examples: Data Destruction, Disk Wipe
