Use MITRE ATT&CK® to Improve Security

See how Lastline Defender offers the most comprehensive coverage of MITRE ATT&CK.

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a security model that helps organizations map the key events of an intrusion. The goal of using the framework is to let companies find gaps in their existing security stack and better protect their endpoint devices. While MITRE ATT&CK was initially designed to work with and evaluate the capabilities of endpoint security products, there is much value in extending many portions of it to the network level. Lastline Defender provides extensive coverage of MITRE ATT&CK, delivering network prevention, detection, response, and threat hunting capabilities for the vast majority of the 314 techniques, which represents some of the broadest coverage in the industry.

Why Use MITRE ATT&CK at the Network Level

There is a lot of traffic moving throughout your organization’s network. Using MITRE ATT&CK at the network level brings a new depth of detection of anomalous and malicious activity to your security operations. You may not always be able to see the initial compromise or breach, but Network Detection and Response (NDR) combined with MITRE ATT&CK will detect threats as they attempt to leave a compromised endpoint, for example to call home or to move laterally inside your network.

What We Cover

See for yourself: Lastline maps to more tactics and techniques than any of our competitors. Lastline Defender detects the techniques shown in green in the lists below, 80% of all techniques in total.

I am trying to get into your network and on your endpoints…

Tactic:

Initial Access

Techniques:

Drive-by Compromise
Exploit Public-Facing Application
External Remote Services (Partial)
Hardware Additions (Partial)
Replication Through Removable Media (Partial)
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts

…to run malicious code:

Tactic:

Execution

Techniques:

AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management Instrumentation
Windows Remote Management
XSL Script Processing

…to gain a foothold:

Tactic:

Persistence

Techniques:

.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management Instrumentation Event Subscription
Winlogon Helper DLL

…to escalate privileges:

Tactic:

Privilege Escalation

Techniques:

Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions Weakness
Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell

…to avoid detection:

Tactic:

Defense Evasion

Techniques:

Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing

…to steal credentials:

Tactic:

Credential Access

Techniques:

Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication Interception

…to better surveil your environment:

Tactic:

Discovery

Techniques:

Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Sniffing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion

…to move through your environment:

Tactic:

Lateral Movement

Techniques:

AppleScript
Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management

…to collect your data:

Tactic:

Collection

Techniques:

Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture

…to communicate with the dark side:

Tactic:

Command and Control

Techniques:

Commonly Used Port
Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service

…to steal your data:

Tactic:

Exfiltration

Techniques:

Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Scheduled Transfer

…to destroy your systems and data:

Tactic:

Impact

Techniques:

Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation

Our recent blog post explains in more detail how our NDR platform, Lastline Defender, maps to MITRE ATT&CK.