MITRE Shield will be retired on October 18th in favor of MITRE Engage.


Establish or maintain awareness of what an adversary is doing.

Detect is used to establish or maintain awareness of what an adversary is doing. This could be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource. It could also be accomplished by using endpoint or network tools.

ID: DTA0004


DTE0003 - API Monitoring: Monitor local APIs that might be used by adversary tools and activity.
DTE0004 - Application Diversity: Present the adversary with a variety of installed applications and services.
DTE0006 - Baseline: Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
DTE0007 - Behavioral Analytics: Deploy tools that detect unusual system or user behavior.
DTE0010 - Decoy Account: Create an account that is used for active defense purposes.
DTE0011 - Decoy Content: Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.
DTE0012 - Decoy Credentials: Create user credentials that are used for active defense purposes.
DTE0013 - Decoy Diversity: Deploy a set of decoy systems with different OS and software configurations.
DTE0014 - Decoy Network: Create a target network with a set of target systems, for the purpose of active defense.
DTE0015 - Decoy Persona: Develop personal information (aka a backstory) about a user and plant data to support that backstory.
DTE0017 - Decoy System: Configure a computing system to serve as an attack target or experimental environment.
DTE0019 - Email Manipulation: Modify the flow or contents of email.
DTE0021 - Hunting: Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.
DTE0022 - Isolation: Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.
DTE0026 - Network Manipulation: Make changes to network properties and functions to achieve a desired effect.
DTE0027 - Network Monitoring: Monitor network traffic in order to detect adversary activity.
DTE0028 - PCAP Collection: Collect full network traffic for future research and analysis.
DTE0030 - Pocket Litter: Place data on a system to reinforce the legitimacy of the system or user.
DTE0031 - Protocol Decoder: Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.
DTE0033 - Standard Operating Procedure: Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.
DTE0034 - System Activity Monitoring: Collect system activity logs which can reveal adversary activity.
DTE0035 - User Training: Train users to detect malicious intent or activity, how to report it, etc.
DTE0036 - Software Manipulation: Make changes to a system's software properties and functions to achieve a desired effect.