MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Mapping To Persistence

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0003

| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1037 - Boot or Logon Initialization Scripts | There is an opportunity to utilize confirmed good copies of login scripts and restore them on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
| T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
| T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
| T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
| T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
| T1098 - Account Manipulation | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
| T1098 - Account Manipulation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
| T1098 - Account Manipulation | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can enforce strong authentication requirements such as password changes, two-factor authentication, etc., to impact or disrupt an adversary's activity. |
| T1133 - External Remote Services | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services. | DTE0017 - Decoy System | A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it. |
| T1136 - Create Account | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can detect user accounts created outside the acceptable process. |
| T1137 - Office Application Startup | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can collect system process information and look for abnormal activity tied to Office processes. |
| T1176 - Browser Extensions | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can force the removal of browser extensions that are not allowed by a corporate policy. |
| T1197 - BITS Jobs | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
| T1197 - BITS Jobs | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
| T1205 - Traffic Signaling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for, and alerting on, anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1505 - Server Software Component | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0004 - Application Diversity | A defender can install decoy services that have extensible capabilities. |
| T1525 - Implant Container Image | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously. |
| T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
| T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes. |
| T1546 - Event Triggered Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| T1546 - Event Triggered Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can allow Admin Access on a decoy system or network to allow an adversary to use event triggered execution. |
| T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
| T1554 - Compromise Client Software Binary | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections. |
| T1574 - Hijack Execution Flow | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |