MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Mapping To Defense Evasion

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0005

| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
| --- | --- | --- | --- |
| T1006 - Direct Volume Access | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can use API calls associated with direct volume access to either see what activity and data is being passed through, or to influence how that API call functions. |
| T1014 - Rootkit | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0001 - Admin Access | A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit. |
| T1014 - Rootkit | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information. |
| T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
| T1055 - Process Injection | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender could implement security controls, such as AppLocker or an antivirus/EDR tool designed to watch for CreateRemoteThread events, to have an effect on process injection techniques. |
| T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
| T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
| T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
| T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
| T1112 - Modify Registry | There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. | DTE0006 - Baseline | A defender can enable Registry Auditing on specific keys to produce an alert whenever a value is changed and revert those keys to baseline. |
| T1112 - Modify Registry | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0034 - System Activity Monitoring | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
| T1127 - Trusted Developer Utilities Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1134 - Access Token Manipulation | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system. |
| T1134 - Access Token Manipulation | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could implement behavioral analytics that detect common access token manipulation techniques and allow or deny these actions. |
| T1140 - Deobfuscate/Decode Files or Information | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
| T1197 - BITS Jobs | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
| T1197 - BITS Jobs | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
| T1202 - Indirect Command Execution | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can implement behavioral analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity. |
| T1205 - Traffic Signaling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1207 - Rogue Domain Controller | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network, could indicate malicious activity. |
| T1211 - Exploitation for Defense Evasion | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
| T1216 - Signed Script Proxy Execution | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system function calls to look for adversary use and/or abuse. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
| T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
| T1220 - XSL Script Processing | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | The defender can use behavioral analytics to detect an XSL process doing something abnormal. |
| T1221 - Template Injection | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
| T1222 - File and Directory Permissions Modification | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can seed files that are interesting to an adversary, but lock the permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions. |
| T1480 - Execution Guardrails | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
| T1480 - Execution Guardrails | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
| T1484 - Group Policy Modification | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network. |
| T1497 - Virtualization/Sandbox Evasion | There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. | DTE0017 - Decoy System | A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts. |
| T1497 - Virtualization/Sandbox Evasion | There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. | DTE0011 - Decoy Content | A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not. |
| T1535 - Unused/Unsupported Cloud Regions | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity. |
| T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
| T1548 - Abuse Elevation Control Mechanism | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms. |
| T1550 - Use Alternate Authentication Material | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
| T1553 - Subvert Trust Controls | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
| T1553 - Subvert Trust Controls | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
| T1556 - Modify Authentication Process | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
| T1556 - Modify Authentication Process | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
| T1562 - Impair Defenses | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0004 - Application Diversity | A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly, believing they have removed monitoring from the system. |
| T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for signs that security tools and other controls are being tampered with by an adversary. |
| T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for modifying GPOs and alert when they are not followed. |
| T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in ways they normally would. |
| T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
| T1574 - Hijack Execution Flow | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
| T1599 - Network Boundary Bridging | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
| T1599 - Network Boundary Bridging | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
| T1600 - Weaken Encryption | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
| T1600 - Weaken Encryption | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
| T1600 - Weaken Encryption | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
| T1601 - Modify System Image | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
| T1601 - Modify System Image | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| T1601 - Modify System Image | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0013 - Decoy Diversity | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
| T1601 - Modify System Image | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |