The table below shows the mapping of ATT&CK® Techniques from all ATT&CK® Tactics to Active Defense Opportunities, Techniques, and Use Cases.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1001 - Data Obfuscation | There is an opportunity to detect adversary activity that uses obfuscated communication. | DTE0028 - PCAP Collection | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
T1001 - Data Obfuscation | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1006 - Direct Volume Access | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can use API calls associated with direct volume access to either see what activity and data is being passed through, or to influence how that API call functions. |
T1007 - System Service Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
T1007 - System Service Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could manipulate the command that displays services so that it shows the services an adversary would expect to see on a system, or shows them unexpected services. |
T1008 - Fallback Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
T1010 - Application Window Discovery | There is an opportunity to provide a variety of applications to an adversary so they see a full set of information when performing discovery tasks. | DTE0004 - Application Diversity | During an adversary engagement operation, a defender can open and use any particular subset of applications installed on a system to control what is presented to the adversary at any point in time. |
T1011 - Exfiltration Over Other Network Medium | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender can prevent an adversary from enabling Wi-Fi or Bluetooth interfaces which could be connected to surrounding access points or devices and used for exfiltration. |
T1012 - Query Registry | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0011 - Decoy Content | A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing. |
T1014 - Rootkit | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0001 - Admin Access | A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit. |
T1014 - Rootkit | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
T1016 - System Network Configuration Discovery | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
T1018 - Remote System Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can change the output of recon commands to hide simulation elements you don't want attacked and present simulation elements you want the adversary to engage with. |
T1018 - Remote System Discovery | In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process. | DTE0011 - Decoy Content | A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device. |
T1020 - Automated Exfiltration | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1020 - Automated Exfiltration | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
T1021 - Remote Services | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1021 - Remote Services | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system running a remote service (such as Telnet, SSH, or VNC) and see if the adversary attempts to log in to the service. |
T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information. |
T1029 - Scheduled Transfer | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1030 - Data Transfer Size Limits | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1030 - Data Transfer Size Limits | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
T1033 - System Owner/User Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can impact an adversary's activity by manipulating or replacing the commands commonly used to display users on a system. |
T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
T1037 - Boot or Logon Initialization Scripts | There is an opportunity to utilize confirmed good copies of login scripts and restore them on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
T1039 - Data from Network Shared Drive | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1039 - Data from Network Shared Drive | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1040 - Network Sniffing | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all. |
T1040 - Network Sniffing | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks. |
T1040 - Network Sniffing | There is an opportunity to entice the adversary to expose additional TTPs. | DTE0025 - Network Diversity | The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities. |
T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
T1041 - Exfiltration Over C2 Channel | There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can restrict network traffic, making adversary exfiltration slow or unreliable. |
T1046 - Network Service Scanning | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can change the output of recon commands to hide simulation elements you don't want attacked and present simulation elements you want the adversary to engage with. |
T1046 - Network Service Scanning | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
T1047 - Windows Management Instrumentation | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
T1047 - Windows Management Instrumentation | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. | DTE0032 - Security Controls | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
T1048 - Exfiltration Over Alternative Protocol | There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. | DTE0026 - Network Manipulation | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
T1049 - System Network Connections Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of commands commonly used to enumerate a system's network connections. They could seed this output with decoy systems and/or networks or remove legitimate systems from the output in order to direct an adversary away from legitimate systems. |
T1052 - Exfiltration Over Physical Medium | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender could use decoy peripherals, such as external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes. |
T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
T1053 - Scheduled Task/Job | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
T1053 - Scheduled Task/Job | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
T1055 - Process Injection | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. | DTE0032 - Security Controls | A defender could implement security controls that affect process injection techniques, such as AppLocker or an antivirus/EDR tool designed to watch for CreateRemoteThread events. |
T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
T1057 - Process Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify commands such that the true list of running processes is not revealed, hiding necessary active defense processes from the adversary. |
T1057 - Process Discovery | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | A defender can run decoy processes on a system to entice an adversary. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
T1059 - Command and Scripting Interpreter | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
T1068 - Exploitation for Privilege Escalation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation. |
T1069 - Permission Groups Discovery | In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. | DTE0036 - Software Manipulation | A defender could manipulate a system's software to alter the results of an adversary enumerating permission group information. |
T1070 - Indicator Removal on Host | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. | DTE0001 - Admin Access | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
T1070 - Indicator Removal on Host | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1072 - Software Deployment Tools | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity. |
T1074 - Data Staged | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
T1080 - Taint Shared Content | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0011 - Decoy Content | A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement. |
T1082 - System Information Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
T1083 - File and Directory Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
T1087 - Account Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could alter the output from account enumeration commands to hide accounts or show the presence of accounts which do not exist. |
T1087 - Account Discovery | In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. | DTE0010 - Decoy Account | During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity. |
T1087 - Account Discovery | There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. | DTE0013 - Decoy Diversity | A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc. |
T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
T1091 - Replication Through Removable Media | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender can monitor systems for the use of removable media. |
T1091 - Replication Through Removable Media | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can disable Autorun to prevent malware from automatically executing when removable media is plugged into a system. |
T1091 - Replication Through Removable Media | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. | DTE0023 - Migrate Attack Vector | A defender can connect a suspect removable media device to a decoy system and see what happens when Autorun is enabled. |
T1091 - Replication Through Removable Media | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. | DTE0022 - Isolation | A defender can set up protections so removable media cannot be mounted until an isolated review process has cleared the drive. |
T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0023 - Migrate Attack Vector | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
T1095 - Non-Application Layer Protocol | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary. |
T1098 - Account Manipulation | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
T1098 - Account Manipulation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
T1098 - Account Manipulation | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary's activity. |
T1102 - Web Service | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of external web services for communication relay. By implementing behavior analytics that look for anomalies in which domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
T1104 - Multi-Stage Channels | There is an opportunity to detect an unknown process that is being used for command and control and disrupt it. | DTE0022 - Isolation | A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet. |
T1104 - Multi-Stage Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender could implement a protocol-aware IPS to limit systems communicating with unknown locations on the internet. |
T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1106 - Native API | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc. |
T1106 - Native API | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor operating system function calls to look for adversary use and/or abuse. |
T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
T1111 - Two-Factor Authentication Interception | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0032 - Security Controls | In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token. |
T1111 - Two-Factor Authentication Interception | There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures. | DTE0033 - Standard Operating Procedure | A defender can implement a standard operating procedure which restricts users from using 2FA or MFA more than once without another process being invoked. |
T1112 - Modify Registry | There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. | DTE0006 - Baseline | A defender can enable Registry Auditing on specific keys to produce an alert whenever a value is changed and revert those keys to baseline. |
T1112 - Modify Registry | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0034 - System Activity Monitoring | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
T1113 - Screen Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
T1114 - Email Collection | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
T1115 - Clipboard Data | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert into a system's clipboard decoy content for the adversary to find. |
T1119 - Automated Collection | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to see if the adversary collects any of those files in an automated manner. |
T1120 - Peripheral Device Discovery | There is an opportunity to gauge an adversary's interest in connected peripheral devices. | DTE0029 - Peripheral Management | A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them. |
T1120 - Peripheral Device Discovery | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender can plug in a USB drive and see how quickly the adversary notices and inspects it. |
T1123 - Audio Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working. |
T1123 - Audio Capture | There is an opportunity to alter the system to prevent an adversary from capturing audio content. | DTE0020 - Hardware Manipulation | A defender can physically remove or disable a system's microphone and web camera so that audio capture is not possible. |
T1124 - System Time Discovery | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | If the defender knows the specific regions an adversary is targeting, they can alter the output of commands which return system times to return data consistent with what an adversary would want to see. |
T1125 - Video Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can introduce video content designed to make the adversary believe that their capture efforts are working. |
T1125 - Video Capture | There is an opportunity to alter the system to prevent an adversary from capturing video content. | DTE0020 - Hardware Manipulation | A defender can physically remove or disable a system's web camera and remove any video capture applications so that video capture is not possible. |
T1127 - Trusted Developer Utilities Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
T1129 - Shared Modules | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc. |
T1132 - Data Encoding | There is an opportunity to reveal data that the adversary has tried to protect from defenders | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary's command and control traffic as well as their exfiltration activity. |
T1133 - External Remote Services | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services. | DTE0017 - Decoy System | A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it. |
T1134 - Access Token Manipulation | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender could feed or redirect requests for credentials with false data that can be used to direct an adversary into a decoy network or system. |
T1134 - Access Token Manipulation | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could implement behavioral analytics that detects common access token manipulation techniques and allows or denies these actions. |
T1135 - Network Share Discovery | In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. | DTE0011 - Decoy Content | A defender can utilize decoy network shares to provide content that could be used by the adversary. |
T1135 - Network Share Discovery | There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. | DTE0013 - Decoy Diversity | A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc. |
T1136 - Create Account | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can detect user accounts created outside the acceptable process. |
T1137 - Office Application Startup | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can collect system process information and look for abnormal activity tied to Office processes. |
T1140 - Deobfuscate/Decode Files or Information | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
T1176 - Browser Extensions | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can force the removal of browser extensions that are not allowed by a corporate policy. |
T1185 - Man in the Browser | In an adversary engagement scenario, there is an opportunity to prepare a user's browser data (sessions, cookies, etc.) so it looks authentic and fully populated. | DTE0008 - Burn-In | A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement. |
T1187 - Forced Authentication | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials. |
T1187 - Forced Authentication | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternatively, a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft. |
T1189 - Drive-by Compromise | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
T1189 - Drive-by Compromise | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0013 - Decoy Diversity | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
T1189 - Drive-by Compromise | There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. | DTE0014 - Decoy Network | A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
T1190 - Exploit Public-Facing Application | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0017 - Decoy System | A defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
T1190 - Exploit Public-Facing Application | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. | DTE0013 - Decoy Diversity | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
T1195 - Supply Chain Compromise | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. | DTE0014 - Decoy Network | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
T1197 - BITS Jobs | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
T1197 - BITS Jobs | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
T1199 - Trusted Relationship | When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect. | DTE0034 - System Activity Monitoring | Defenders can monitor trusted partner access, detecting unauthorized activity. |
T1200 - Hardware Additions | There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary. | DTE0022 - Isolation | A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors. |
T1201 - Password Policy Discovery | In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system. | DTE0036 - Software Manipulation | A defender can alter the output of the password policy description so the adversary is unsure of exactly what the requirements are. |
T1202 - Indirect Command Execution | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity. |
T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
T1205 - Traffic Signaling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring and alerting for anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1207 - Rogue Domain Controller | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity. |
T1210 - Exploitation of Remote Services | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1211 - Exploitation for Defense Evasion | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1212 - Exploitation for Credential Access | In an adversary engagement scenario, there is an opportunity to use a variety of applications on a system to see what an adversary tries to exploit in order to acquire credentials. | DTE0004 - Application Diversity | A defender can use a variety of applications on a decoy system or in a decoy network to see what an adversary tries to exploit in order to acquire credentials. |
T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1216 - Signed Script Proxy Execution | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
T1217 - Browser Bookmark Discovery | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can monitor operating system function calls to look for adversary use and/or abuse. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
T1218 - Signed Binary Proxy Execution | There is an opportunity to create a detection with a moderately high probability of success. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
T1219 - Remote Access Software | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control. |
T1220 - XSL Script Processing | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | The defender can use behavioral analytics to detect an XSL process doing something abnormal. |
T1221 - Template Injection | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
T1222 - File and Directory Permissions Modification | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can seed files that are interesting to an adversary, but lock the permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions. |
T1480 - Execution Guardrails | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
T1480 - Execution Guardrails | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1482 - Domain Trust Discovery | There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery. | DTE0014 - Decoy Network | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
T1482 - Domain Trust Discovery | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1484 - Group Policy Modification | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network. |
T1485 - Data Destruction | There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
T1485 - Data Destruction | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on systems so an adversary is unable to delete data in ways they normally would. |
T1485 - Data Destruction | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete. |
T1486 - Data Encrypted for Impact | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. |
T1486 - Data Encrypted for Impact | There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
T1489 - Service Stop | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped. |
T1490 - Inhibit System Recovery | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for command execution and command line parameters commonly used to inhibit system recovery. |
T1491 - Defacement | There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites. | DTE0034 - System Activity Monitoring | A defender can monitor websites for unplanned content changes and generate alerts when activity is detected. |
T1491 - Defacement | There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
T1495 - Firmware Corruption | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system. |
T1496 - Resource Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
T1497 - Virtualization/Sandbox Evasion | There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. | DTE0017 - Decoy System | A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts. |
T1497 - Virtualization/Sandbox Evasion | There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. | DTE0011 - Decoy Content | A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not. |
T1498 - Network Denial of Service | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. | DTE0026 - Network Manipulation | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
T1499 - Endpoint Denial of Service | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. | DTE0026 - Network Manipulation | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
T1499 - Endpoint Denial of Service | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0032 - Security Controls | A defender can configure systems to block any system with a number of authentication failures in a certain window of time. |
T1505 - Server Software Component | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0004 - Application Diversity | A defender can install decoy services that have extensible capabilities. |
T1518 - Software Discovery | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can install an array of various software packages on a system to make it look used and populated. This will give an adversary a collection of software to interact with and possibly expose additional techniques. |
T1525 - Implant Container Image | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously. |
T1526 - Cloud Service Discovery | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. | DTE0014 - Decoy Network | A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources. |
T1528 - Steal Application Access Token | Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train users on how to recognize and report third-party applications requesting authorization can create "Human Sensors" that help detect application token theft. |
T1529 - System Shutdown/Reboot | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can deploy a decoy system to see if an adversary attempts to shut down or reboot the device. |
T1530 - Data from Cloud Storage Object | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1530 - Data from Cloud Storage Object | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1531 - Account Access Removal | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
T1534 - Internal Spearphishing | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0035 - User Training | A program can train users to report emails that they did not send but that appear in their sent folder. |
T1535 - Unused/Unsupported Cloud Regions | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity. |
T1602 - Data from Configuration Repository | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
T1537 - Transfer Data to Cloud Account | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn't do so. |
T1538 - Cloud Service Dashboard | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1539 - Steal Web Session Cookie | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system. |
T1539 - Steal Web Session Cookie | There is an opportunity to seed systems with decoy cookies that will lead adversaries to decoy targets. | DTE0008 - Burn-In | A defender can authenticate to a collection of decoy sites (as a decoy user) to give the adversary a set of session cookies to harvest and potentially use during adversary engagement. |
T1542 - Pre-OS Boot | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
T1543 - Create or Modify System Process | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes. |
T1602 - Data from Configuration Repository | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before. |
T1546 - Event Triggered Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
T1546 - Event Triggered Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution. |
T1547 - Boot or Logon Autostart Execution | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
T1548 - Abuse Elevation Control Mechanism | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms. |
T1550 - Use Alternate Authentication Material | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
T1602 - Data from Configuration Repository | Although adversaries may attempt to delete or change important artifacts, there may be a window of time to retrieve them before that happens. | DTE0005 - Backup and Recovery | A defender can backup system information on a regular basis and send it to an alternate location for storage. |
T1552 - Unsecured Credentials | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1553 - Subvert Trust Controls | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
T1553 - Subvert Trust Controls | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
T1554 - Compromise Client Software Binary | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections. |
T1555 - Credentials from Password Stores | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1556 - Modify Authentication Process | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
T1556 - Modify Authentication Process | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
T1557 - Man-in-the-Middle | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
T1558 - Steal or Forge Kerberos Tickets | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0025 - Network Diversity | A defender can set up networks that use Kerberos authentication and systems that authenticate using it. This gives you a chance to see if an adversary has the capacity to steal or forge Kerberos tickets for lateral movement. |
T1558 - Steal or Forge Kerberos Tickets | In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets. | DTE0032 - Security Controls | A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs. |
T1559 - Inter-Process Communication | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc. |
T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
T1561 - Disk Wipe | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands that are used to delete files or format drives so they fail when used in a specific manner. |
T1562 - Impair Defenses | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0004 - Application Diversity | A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system. |
T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for signs that security tools and other controls are being tampered with by an adversary. |
T1562 - Impair Defenses | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for modifying GPOs and alert when they are not followed. |
T1563 - Remote Service Session Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity. |
T1564 - Hide Artifacts | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on a system so that an adversary is unable to hide artifacts in the ways they normally would. |
T1564 - Hide Artifacts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
T1565 - Data Manipulation | In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. | DTE0011 - Decoy Content | A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices. |
T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent delivery to the intended target. |
T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1566 - Phishing | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1567 - Exfiltration Over Web Service | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn't do so. |
T1568 - Dynamic Resolution | If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. | DTE0021 - Hunting | A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner. |
T1568 - Dynamic Resolution | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. | DTE0026 - Network Manipulation | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |
T1569 - System Services | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0003 - API Monitoring | A defender can monitor and analyze operating system function calls for detection and alerting. |
T1569 - System Services | There is an opportunity to create a detection with a moderately high probability of success. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for adding services and alert when they are not followed. |
T1570 - Lateral Tool Transfer | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1570 - Lateral Tool Transfer | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can block certain adversary-used protocols between systems in order to prevent lateral tool transfer. |
T1571 - Non-Standard Port | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1572 - Protocol Tunneling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together such as RDP tunneled over TCP. |
T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications. |
T1574 - Hijack Execution Flow | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
T1580 - Cloud Infrastructure Discovery | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0017 - Decoy System | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1580 - Cloud Infrastructure Discovery | There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures. | DTE0033 - Standard Operating Procedure | A defender can define operating procedures for interacting with cloud services and alert when they are not followed. |
T1583 - Acquire Infrastructure | There is an opportunity to gain visibility into newly created or previously unknown adversary infrastructure. | DTE0021 - Hunting | A defender could use information about an adversary's TTPs in order to monitor for new adversary infrastructure and files. |
T1585 - Establish Accounts | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1586 - Compromise Accounts | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1589 - Gather Victim Identity Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
T1589 - Gather Victim Identity Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1589 - Gather Victim Identity Information | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1590 - Gather Victim Network Information | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. | DTE0014 - Decoy Network | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
T1590 - Gather Victim Network Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can seed decoy content into network service configuration files which may be consumed during an adversary's recon activity. |
T1590 - Gather Victim Network Information | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1591 - Gather Victim Org Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can expose decoy information about their organization to try and influence an adversary's future activity. |
T1591 - Gather Victim Org Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1592 - Gather Victim Host Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
T1592 - Gather Victim Host Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0017 - Decoy System | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1593 - Search Open Websites/Domains | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can deploy a decoy website to support a deception operation or piece of the organization's deception strategy. |
T1594 - Search Victim-Owned Websites | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1594 - Search Victim-Owned Websites | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
T1595 - Active Scanning | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. | DTE0016 - Decoy Process | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1595 - Active Scanning | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0017 - Decoy System | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1595 - Active Scanning | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1596 - Search Open Technical Databases | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review it for exposure. |
T1596 - Search Open Technical Databases | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
T1596 - Search Open Technical Databases | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0021 - Hunting | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review it for exposure. |
T1597 - Search Closed Sources | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review it for exposure. |
T1597 - Search Closed Sources | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
T1597 - Search Closed Sources | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0021 - Hunting | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review it for exposure. |
T1598 - Phishing for Information | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1598 - Phishing for Information | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
T1599 - Network Boundary Bridging | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
T1599 - Network Boundary Bridging | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1600 - Weaken Encryption | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
T1600 - Weaken Encryption | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
T1600 - Weaken Encryption | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
T1601 - Modify System Image | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
T1601 - Modify System Image | There is an opportunity to use tools and controls to stop an adversary's activity. | DTE0006 - Baseline | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
T1601 - Modify System Image | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0013 - Decoy Diversity | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
T1601 - Modify System Image | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
T1602 - Data from Configuration Repository | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |