TTmapping

Mapping common adversarial TTPs against detections (Sigma rules) and Atomic Red Team tests

CTI

MITRE ATT&CK® Techniques and Tactics mapper

| Tactic | Technique + Sigma rules | ID | Atomics |
| --- | --- | --- | --- |
| Initial Access | Valid Accounts | T1078 | Valid Accounts: Default / Local / Cloud |
| | Exploit Public-Facing Application | T1190 | |
| | External Remote Services | T1133 | External Remote Services |
| Execution | Command and Scripting Interpreter | T1059 | Command and Scripting Interpreter: PowerShell / CMD / Bash / VB / Python / JavaScript |
| | User Execution: Malicious File | T1204.002 | User Execution: Malicious File |
| | Windows Management Instrumentation | T1047 | WMI |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 | Atomics: Persistence |
| | Boot or Logon Autostart Execution | T1547 | |
| | Boot or Logon Initialization Scripts | T1037 | |
| | Scheduled Task/Job | T1053 | |
| | BITS Jobs | T1197 | |
| Privilege Escalation | Access Token Manipulation | T1134 | Atomics: Privilege Escalation |
| | Exploitation for Privilege Escalation | T1068 | |
| | Bypass User Account Control | T1548.002 | |
| | Account Manipulation | T1098 | |
| | Process Injection | T1055 | |
| Defense Evasion | Impair Defenses | T1562 | Atomics: Defense Evasion |
| | Indicator Removal | T1070 | |
| | Obfuscated Files or Information | T1027 | |
| | Deobfuscate/Decode Files or Information | T1140 | |
| | System Binary Proxy Execution | T1218 | |
| | Masquerading | T1036 | |
| Credential Access | Brute Force | T1110 | Atomics: Credential Access |
| | Steal Application Access Token | T1528 | |
| | Credentials from Web Browsers | T1555.003 | |
| | Steal Web Session Cookie | T1539 | |
| | OS Credential Dumping | T1003 | |
| Discovery | Account Discovery | T1087 | Atomics: Discovery |
| | Network Share Discovery | T1135 | |
| | File and Directory Discovery | T1083 | |
| | Process Discovery | T1057 | |
| | Remote System Discovery | T1018 | |
| | System Information Discovery | T1082 | |
| | System Network Connections Discovery | T1049 | |
| | System Owner/User Discovery | T1033 | |
| Lateral Movement | Remote Services | T1021 | Atomics: Lateral Movement |
| | Lateral Tool Transfer | T1570 | |
| Command and Control | Application Layer Protocol | T1071 | Atomics: C2 |
| | Ingress Tool Transfer | T1105 | |
| | Proxy | T1090 | |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Atomics: Exfiltration |
| | Exfiltration to Cloud Storage | T1567.002 | |
| Impact | Inhibit System Recovery | T1490 | Atomics: Impact |
| | Service Stop | T1489 | |
| | Data Encrypted for Impact | T1486 | |
| | Network Denial of Service | T1498 | |