MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Mapping To Privilege Escalation

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0004

ATT&CK Technique Opportunity Space AD Technique Use Case
T1037 - Boot or Logon Initialization Scripts There is an opportunity to utilize confirmed good copies of login scripts and restoring on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis. DTE0006 - Baseline A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.
T1053 - Scheduled Task/Job There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0017 - Decoy System A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.
T1053 - Scheduled Task/Job There is an opportunity to create a detection with a moderately high probability of success. DTE0034 - System Activity Monitoring A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.
T1055 - Process Injection In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. DTE0032 - Security Controls A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events.
T1068 - Exploitation for Privilege Escalation There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation.
T1078 - Valid Accounts There is an opportunity to introduce user accounts that are used to make a system look more realistic. DTE0010 - Decoy Account A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
T1078 - Valid Accounts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1078 - Valid Accounts There is an opportunity to prepare user accounts so they look used and authentic. DTE0008 - Burn-In A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.
T1134 - Access Token Manipulation There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system.
T1134 - Access Token Manipulation There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. DTE0007 - Behavioral Analytics A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions.
T1484 - Group Policy Modification There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0034 - System Activity Monitoring A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network.
T1543 - Create or Modify System Process There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can choose to harden or weaken security controls on a system to affect an adversaries ability to modify or create system processes.
T1546 - Event Triggered Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
T1546 - Event Triggered Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0001 - Admin Access A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.
T1547 - Boot or Logon Autostart Execution There is an opportunity to use tools and controls to stop an adversary's activity. DTE0006 - Baseline A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
T1548 - Abuse Elevation Control Mechanism There is an opportunity to use security controls on systems in order to affect the success of an adversary. DTE0032 - Security Controls A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms.
T1574 - Hijack Execution Flow There is an opportunity to use security controls to stop or allow an adversary's activity. DTE0032 - Security Controls A defender can block execution of untrusted software.