MITRE ATT&CK® Techniques and Tactics mapper
Tactic | Technique + Sigma rules | ID | Atomics |
---|---|---|---|
Initial Access | Valid Accounts | T1078 | Valid Accounts: Default (T1078.001); Valid Accounts: Local (T1078.003); Valid Accounts: Cloud (T1078.004) |
| Exploit Public-Facing Application | T1190 | |
| External Remote Services | T1133 | External Remote Services |
Execution | Command and Scripting Interpreter | T1059 | PowerShell (T1059.001); Windows Command Shell/CMD (T1059.003); Unix Shell/Bash (T1059.004); Visual Basic (T1059.005); Python (T1059.006); JavaScript (T1059.007) |
| User Execution: Malicious File | T1204.002 | User Execution: Malicious File |
| Windows Management Instrumentation | T1047 | WMI |
Persistence | Create or Modify System Process: Windows Service | T1543.003 | Atomics: Persistence |
| Boot or Logon Autostart Execution | T1547 | |
| Boot or Logon Initialization Scripts | T1037 | |
| Scheduled Task/Job | T1053 | |
| BITS Jobs | T1197 | |
Privilege Escalation | Access Token Manipulation | T1134 | Atomics: Privesc |
| Exploitation for Privilege Escalation | T1068 | |
| Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | |
| Account Manipulation | T1098 | |
| Process Injection | T1055 | |
Defense Evasion | Impair Defenses | T1562 | Atomics: Defense Evasion |
| Indicator Removal | T1070 | |
| Obfuscated Files or Information | T1027 | |
| Deobfuscate/Decode Files or Information | T1140 | |
| System Binary Proxy Execution | T1218 | |
| Masquerading | T1036 | |
Credential Access | Brute Force | T1110 | Atomics: Credential Access |
| Steal Application Access Token | T1528 | |
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | |
| Steal Web Session Cookie | T1539 | |
| OS Credential Dumping | T1003 | |
Discovery | Account Discovery | T1087 | Atomics: Discovery |
| Network Share Discovery | T1135 | |
| File and Directory Discovery | T1083 | |
| Process Discovery | T1057 | |
| Remote System Discovery | T1018 | |
| System Information Discovery | T1082 | |
| System Network Connections Discovery | T1049 | |
| System Owner/User Discovery | T1033 | |
Lateral Movement | Remote Services | T1021 | Atomics: Lateral Movement |
| Lateral Tool Transfer | T1570 | |
Command and Control | Application Layer Protocol | T1071 | Atomics: C2 |
| Ingress Tool Transfer | T1105 | |
| Proxy | T1090 | |
Exfiltration | Exfiltration Over C2 Channel | T1041 | Atomics: Exfiltration |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | |
Impact | Inhibit System Recovery | T1490 | Atomics: Impact |
| Service Stop | T1489 | |
| Data Encrypted for Impact | T1486 | |
| Network Denial of Service | T1498 | |
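Added example, not the mapper's own code: the tag-parsing logic needed to generate a table like the one above from a Sigma rule set. Sigma rules carry ATT&CK references as `attack.tNNNN[.NNN]` and `attack.<tactic>` tags, and the tag list is flat, so a rule tagged with two tactics and two techniques does not say which technique belongs to which tactic. The script below resolves that with the tactic/technique pairs from this page (`TABLE`; a full implementation would use the ATT&CK STIX bundle instead), rolls sub-techniques up to their parent ID the way the table does, and reports rules whose tags are malformed, missing a technique, or inconsistent with the table. Rules are passed in as dicts, the shape `yaml.safe_load()` returns for a Sigma file; the four rules in `SAMPLE_RULES` are constructed for the example.

```python
"""Build a tactic -> technique -> Sigma rule mapping from Sigma `tags`.

Added example, not part of the mapper. Rules are dicts as returned by
yaml.safe_load(); SAMPLE_RULES are constructed for illustration.
"""
import re
from collections import defaultdict

# Sigma tag conventions: attack.t1059 / attack.t1059.001 and attack.execution
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
TACTIC_TAG = re.compile(r"^attack\.([a-z_]+)$")

# Tactic (spelled as in Sigma tags) -> parent technique IDs listed on this page.
# Used as the authority for pairing a rule's technique tags with its tactic tags.
TABLE = {
    "initial_access": {"T1078", "T1190", "T1133"},
    "execution": {"T1059", "T1204", "T1047"},
    "persistence": {"T1543", "T1547", "T1037", "T1053", "T1197"},
    "privilege_escalation": {"T1134", "T1068", "T1548", "T1098", "T1055"},
    "defense_evasion": {"T1562", "T1070", "T1027", "T1140", "T1218", "T1036"},
    "credential_access": {"T1110", "T1528", "T1555", "T1539", "T1003"},
    "discovery": {"T1087", "T1135", "T1083", "T1057", "T1018", "T1082", "T1049", "T1033"},
    "lateral_movement": {"T1021", "T1570"},
    "command_and_control": {"T1071", "T1105", "T1090"},
    "exfiltration": {"T1041", "T1567"},
    "impact": {"T1490", "T1489", "T1486", "T1498"},
}

# Constructed sample rules; only `title` and `tags` matter here.
SAMPLE_RULES = [
    {"title": "Suspicious PowerShell Download Cradle",
     "tags": ["attack.execution", "attack.t1059.001",
              "attack.command_and_control", "attack.t1105"]},
    {"title": "WMI Remote Process Creation",
     "tags": ["attack.execution", "attack.t1047"]},
    # T1105 is a C2 technique; tagging it only with execution is inconsistent.
    {"title": "Ingress Tool Transfer via certutil",
     "tags": ["attack.execution", "attack.t1105"]},
    # Malformed technique ID (five digits) must be reported, not silently dropped.
    {"title": "Typo In Tag", "tags": ["attack.t10590"]},
]


def parent_id(technique_id):
    """'T1059.001' -> 'T1059'; a parent ID is returned unchanged."""
    return technique_id.split(".", 1)[0]


def parse_tags(rule):
    """Split a rule's tags into (tactic keys, technique IDs, unrecognised tags)."""
    tactics, techniques, rejected = [], [], []
    for tag in rule.get("tags", []):
        tag = tag.strip().lower()
        m = TECHNIQUE_TAG.match(tag)
        if m:
            techniques.append(m.group(1).upper())
            continue
        m = TACTIC_TAG.match(tag)
        if m and m.group(1) in TABLE:
            tactics.append(m.group(1))
            continue
        rejected.append(tag)
    return tactics, techniques, rejected


def build_map(rules):
    """Return ({tactic: {parent_id: sorted rule titles}}, [(title, reason), ...])."""
    mapping = defaultdict(lambda: defaultdict(set))
    problems = []
    for rule in rules:
        tactics, techniques, rejected = parse_tags(rule)
        for tag in rejected:
            problems.append((rule["title"], f"unrecognised tag {tag!r}"))
        if not techniques:
            problems.append((rule["title"], "no attack.tNNNN tag"))
        for tid in techniques:
            # A technique is filed only under tagged tactics that list it in TABLE.
            homes = [t for t in tactics if parent_id(tid) in TABLE[t]]
            if not homes:
                problems.append((rule["title"], f"{tid} is not under any tagged tactic in the table"))
            for t in homes:
                mapping[t][parent_id(tid)].add(rule["title"])
    return ({t: {k: sorted(v) for k, v in techs.items()} for t, techs in mapping.items()},
            problems)


def render_markdown(mapping):
    """Render the mapping as rows in the layout of the table above."""
    lines = ["Tactic | ID | Sigma rules |", "---|---|---|"]
    for tactic, techs in mapping.items():
        for tid, titles in sorted(techs.items()):
            lines.append(f"{tactic} | {tid} | {'; '.join(titles)} |")
    return "\n".join(lines)


if __name__ == "__main__":
    result, issues = build_map(SAMPLE_RULES)
    print(render_markdown(result))
    for title, reason in issues:
        print(f"PROBLEM: {title}: {reason}")
```

The consistency check is the part worth keeping in a real mapper: a rule tagged `attack.execution` plus `attack.t1105` renders fine in most tooling, but it files an Ingress Tool Transfer detection under the wrong tactic in the coverage view, which is exactly the kind of error a table like this is meant to expose.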