MITRE
2024-03-19 18:00:19
T1531\tAccount Access Removal
T1485\tData Destruction
T1486\tData Encrypted for Impact
T1565\tData Manipulation
T1491\tDefacement
T1561\tDisk Wipe
T1499\tEndpoint Denial of Service
T1495\tFirmware Corruption
T1490\tInhibit System Recovery
T1498\tNetwork Denial of Service
T1496\tResource Hijacking
T1489\tService Stop
T1529\tSystem Shutdown/Reboot
TA0040\tImpact
T1020\tAutomated Exfiltration
T1030\tData Transfer Size Limits
T1048\tExfiltration Over Alternative Protocol
T1041\tExfiltration Over C2 Channel
T1011\tExfiltration Over Other Network Medium
T1052\tExfiltration Over Physical Medium
T1567\tExfiltration Over Web Service
T1029\tScheduled Transfer
T1537\tTransfer Data to Cloud Account
TA0010\tExfiltration
T1071\tApplication Layer Protocol
T1092\tCommunication Through Removable Media
T1132\tData Encoding
T1001\tData Obfuscation
T1568\tDynamic Resolution
T1573\tEncrypted Channel
T1008\tFallback Channels
T1105\tIngress Tool Transfer
T1104\tMulti-Stage Channels
T1095\tNon-Application Layer Protocol
T1571\tNon-Standard Port
T1572\tProtocol Tunneling
T1090\tProxy
T1219\tRemote Access Software
T1205\tTraffic Signaling
T1102\tWeb Service
TA0011\tCommand and Control
T1560\tArchive Collected Data
T1123\tAudio Capture
T1119\tAutomated Collection
T1115\tClipboard Data
T1530\tData from Cloud Storage Object
T1602\tData from Configuration Repository
T1213\tData from Information Repositories
T1005\tData from Local System
T1039\tData from Network Shared Drive
T1025\tData from Removable Media
T1074\tData Staged
T1114\tEmail Collection
T1056\tInput Capture
T1185\tMan in the Browser
T1557\tMan-in-the-Middle
T1113\tScreen Capture
T1125\tVideo Capture
TA0009\tCollection
M1048\tApplication Isolation and Sandboxing
M1042\tDisable or Remove Feature or Program
M1050\tExploit Protection
M1030\tNetwork Segmentation
M1026\tPrivileged Account Management
M1019\tThreat Intelligence Program
M1051\tUpdate Software
M1016\tVulnerability Scanning
Mitigations
Detection
T1210\tExploitation of Remote Services
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Mitigations
T1534\tInternal Spearphishing
M1037\tFilter Network Traffic
M1031\tNetwork Intrusion Prevention
Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Also consider monitoring for identical file hashes or characteristics (ex: filename) that are created on multiple hosts.
T1570\tLateral Tool Transfer
T1563.001\tSSH Hijacking
T1563.002\tRDP Hijacking
Sub-techniques (2)
M1018\tUser Account Management
T1563\tRemote Service Session Hijacking
T1021.001\tRemote Desktop Protocol
T1021.002\tSMB/Windows Admin Shares
T1021.003\tDistributed Component Object Model
T1021.004\tSSH
T1021.005\tVNC
T1021.006\tWindows Remote Management
Sub-techniques (6)
M1032\tMulti-factor Authentication
Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
T1021\tRemote Services
M1034\tLimit Hardware Installation
T1091\tReplication Through Removable Media
M1015\tActive Directory Configuration
M1027\tPassword Policies
M1029\tRemote Data Storage
M1017\tUser Training
T1072\tSoftware Deployment Tools
M1038\tExecution Prevention
M1022\tRestrict File and Directory Permissions
T1080\tTaint Shared Content
T1550.001\tApplication Access Token
T1550.002\tPass the Hash
T1550.003\tPass the Ticket
T1550.004\tWeb Session Cookie
Sub-techniques (4)
T1550\tUse Alternate Authentication Material
TA0008\tLateral Movement
T1087.001\tLocal Account
T1087.002\tDomain Account
T1087.003\tEmail Account
T1087.004\tCloud Account
Prevent administrator accounts from being enumerated when an application is elevating through UAC, since this can lead to the disclosure of account names. The Registry key is located at HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. [3]
M1028\tOperating System Configuration
T1087\tAccount Discovery
T1010\tApplication Window Discovery
T1217\tBrowser Bookmark Discovery
Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has a
M1018\tUser Account Management
T1580\tCloud Infrastructure Discovery
Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.
T1538\tCloud Service Dashboard
T1526\tCloud Service Discovery
T1613\tContainer and Resource Discovery
T1482\tDomain Trust Discovery
T1083\tFile and Directory Discovery
T1046\tNetwork Service Scanning
T1135\tNetwork Share Discovery
T1040\tNetwork Sniffing
T1201\tPassword Policy Discovery
T1120\tPeripheral Device Discovery
T1069\tPermission Groups Discovery
T1057\tProcess Discovery
T1012\tQuery Registry
T1018\tRemote System Discovery
T1518\tSoftware Discovery
T1049\tSystem Network Connections Discovery
T1033\tSystem Owner/User Discovery
T1007\tSystem Service Discovery
T1124\tSystem Time Discovery
T1497\tVirtualization/Sandbox Evasion
TA0007\tDiscovery
T1110\tBrute Force
T1555\tCredentials from Password Stores
T1212\tExploitation for Credential Access
T1187\tForced Authentication
T1606\tForge Web Credentials
T1556\tModify Authentication Process
T1040\tNetwork Sniffing
T1003\tOS Credential Dumping
T1528\tSteal Application Access Token
T1558\tSteal or Forge Kerberos Tickets
T1539\tSteal Web Session Cookie
T1111\tTwo-Factor Authentication Interception
T1552\tUnsecured Credentials
TA0006\tCredential Access
T1595.001\tScanning IP Blocks
T1595.002\tVulnerability Scanning
Sub-techniques (2)
M1056\tPre-compromise\tThis technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Mitigations
T1595\tActive Scanning
T1592.001\tHardware
T1592.002\tSoftware
T1592.003\tFirmware
T1592.004\tClient Configurations
T1592\tGather Victim Host Information
T1589.001\tCredentials
T1589.002\tEmail Addresses
T1589.003\tEmployee Names
Sub-techniques (3)
T1589\tGather Victim Identity Information
T1590.001\tDomain Properties
T1590.002\tDNS
T1590.003\tNetwork Trust Dependencies
T1590.004\tNetwork Topology
T1590.005\tIP Addresses
T1590.006\tNetwork Security Appliances
T1590\tGather Victim Network Information
T1591.001\tDetermine Physical Locations
T1591.002\tBusiness Relationships
T1591.003\tIdentify Business Tempo
T1591.004\tIdentify Roles
T1591\tGather Victim Org Information
T1598.001\tSpearphishing Service
T1598.002\tSpearphishing Attachment
T1598.003\tSpearphishing Link
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
M1054\tSoftware Configuration
Users can be trained to identify social engineering techniques and spearphishing attempts.
T1598\tPhishing for Information
T1597.001\tThreat Intel Vendors
T1597.002\tPurchase Technical Data
T1597\tSearch Closed Sources
T1596.001\tDNS/Passive DNS
T1596.002\tWHOIS
T1596.003\tDigital Certificates
T1596.004\tCDNs
T1596.005\tScan Databases
Sub-techniques (5)
T1596\tSearch Open Technical Databases
T1593.001\tSocial Media
T1593.002\tSearch Engines
T1593\tSearch Open Websites/Domains
T1594\tSearch Victim-Owned Websites
TA0043\tReconnaissance
T1583.001\tDomains
T1583.002\tDNS Server
T1583.003\tVirtual Private Server
T1583.004\tServer
T1583.005\tBotnet
T1583.006\tWeb Services
T1583\tAcquire Infrastructure
T1586.001\tSocial Media Accounts
T1586.002\tEmail Accounts
T1586\tCompromise Accounts
T1584.001\tDomains
T1584.002\tDNS Server
T1584.003\tVirtual Private Server
T1584.004\tServer
T1584.005\tBotnet
T1584.006\tWeb Services
T1584\tCompromise Infrastructure
T1587.001\tMalware
T1587.002\tCode Signing Certificates
T1587.003\tDigital Certificates
T1587.004\tExploits
M1056\tPre-compromise\tThis technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
T1587\tDevelop Capabilities
T1585.001\tSocial Media Accounts
T1585.002\tEmail Accounts
T1585\tEstablish Accounts
T1588.001\tMalware
T1588.002\tTool
T1588.003\tCode Signing Certificates
T1588.004\tDigital Certificates
T1588.005\tExploits
T1588.006\tVulnerabilities
T1588\tObtain Capabilities
T1608.001\tUpload Malware
T1608.002\tUpload Tool
T1608.003\tInstall Digital Certificate
T1608.004\tDrive-by Target
T1608.005\tLink Target
T1608\tStage Capabilities
TA0042\tResource Development
T1189\tDrive-by Compromise
T1190\tExploit Public-Facing Application
T1133\tExternal Remote Services
T1200\tHardware Additions
T1566\tPhishing
T1091\tReplication Through Removable Media
T1195\tSupply Chain Compromise
T1199\tTrusted Relationship
T1078\tValid Accounts
TA0001\tInitial Access
T1059\tCommand and Scripting Interpreter
T1609\tContainer Administration Command
T1610\tDeploy Container
T1203\tExploitation for Client Execution
T1559\tInter-Process Communication
T1106\tNative API
T1053\tScheduled Task/Job
T1129\tShared Modules
T1072\tSoftware Deployment Tools
T1569\tSystem Services
T1204\tUser Execution
T1047\tWindows Management Instrumentation
TA0002\tExecution
T1098\tAccount Manipulation
T1197\tBITS Jobs
T1547\tBoot or Logon Autostart Execution
T1037\tBoot or Logon Initialization Scripts
T1176\tBrowser Extensions
T1554\tCompromise Client Software Binary
T1136\tCreate Account
T1543\tCreate or Modify System Process
T1546\tEvent Triggered Execution
T1574\tHijack Execution Flow
T1525\tImplant Internal Image
T1137\tOffice Application Startup
T1542\tPre-OS Boot
T1505\tServer Software Component
TA0003\tPersistence
T1548.001\tSetuid and Setgid
T1548.002\tBypass User Account Control
T1548.003\tSudo and Sudo Caching
T1548.004\tElevated Execution with Prompt
Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.
M1047\tAudit
System settings can prevent applications from running that haven't been downloaded from legitimate repositories, which may help mitigate some of these issues. Not allowing unsigned applications to run may also mitigate some risk.
The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.
M1052\tUser Account Control
T1548\tAbuse Elevation Control Mechanism
T1134.001\tToken Impersonation/Theft
T1134.002\tCreate Process with Token
T1134.003\tMake and Impersonate Token
T1134.004\tParent PID Spoofing
T1134.005\tSID-History Injection
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [14] Also restrict who can create a process-level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.
An adversary must already have administrator-level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
T1134\tAccess Token Manipulation
T1547.001\tRegistry Run Keys / Startup Folder
T1547.002\tAuthentication Package
T1547.003\tTime Providers
T1547.004\tWinlogon Helper DLL
T1547.005\tSecurity Support Provider
T1547.006\tKernel Modules and Extensions
T1547.007\tRe-opened Applications
T1547.008\tLSASS Driver
T1547.009\tShortcut Modification
T1547.010\tPort Monitors
T1547.011\tPlist Modification
T1547.012\tPrint Processors
T1547.013\tXDG Autostart Entries
T1547.014\tActive Setup
Sub-techniques (14)
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
T1037.001\tLogon Script (Windows)
T1037.002\tLogon Script (Mac)
T1037.003\tNetwork Logon Script
T1037.004\tRC Scripts
T1037.005\tStartup Items
Restrict write access to logon scripts to specific administrators.
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
M1024\tRestrict Registry Permissions
Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.
T1543.001\tLaunch Agent
T1543.002\tSystemd Service
T1543.003\tWindows Service
T1543.004\tLaunch Daemon
Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
M1033\tLimit Software Installation
Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.
Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.
T1484.001\tGroup Policy Modification
T1484.002\tDomain Trust Modification
Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)[5].
Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.
Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[2][6][7]
T1484\tDomain Policy Modification
Use read-only containers and minimal images when possible to prevent the running of commands.
Ensure containers are not running as root by default.
T1611\tEscape to Host
T1546.001\tChange Default File Association
T1546.002\tScreensaver
T1546.003\tWindows Management Instrumentation Event Subscription
T1546.004\tUnix Shell Configuration Modification
T1546.005\tTrap
T1546.006\tLC_LOAD_DYLIB Addition
T1546.007\tNetsh Helper DLL
T1546.008\tAccessibility Features
T1546.009\tAppCert DLLs
T1546.010\tAppInit DLLs
T1546.011\tApplication Shimming
T1546.012\tImage File Execution Options Injection
T1546.013\tPowerShell Profile
T1546.014\tEmond
T1546.015\tComponent Object Model Hijacking
Sub-techniques (15)
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.
Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [29] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [30] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.
Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.
Update software regularly by employing patch management for internal enterprise endpoints and servers.
T1068\tExploitation for Privilege Escalation
T1574.001\tDLL Search Order Hijacking
T1574.002\tDLL Side-Loading
T1574.004\tDylib Hijacking
T1574.005\tExecutable Installer File Permissions Weakness
T1574.006\tDynamic Linker Hijacking
T1574.007\tPath Interception by PATH Environment Variable
T1574.008\tPath Interception by Search Order Hijacking
T1574.009\tPath Interception by Unquoted Path
T1574.010\tServices File Permissions Weakness
T1574.011\tServices Registry Permissions Weakness
T1574.012\tCOR_PROFILER
Sub-techniques (11)
M1013\tApplication Developer Guidance
M1044\tRestrict Library Loading
T1055.001\tDynamic-link Library Injection
T1055.002\tPortable Executable Injection
T1055.003\tThread Execution Hijacking
T1055.004\tAsynchronous Procedure Call
T1055.005\tThread Local Storage
T1055.008\tPtrace System Calls
T1055.009\tProc Memory
T1055.011\tExtra Window Memory Injection
T1055.012\tProcess Hollowing
T1055.013\tProcess Doppelgänging
T1055.014\tVDSO Hijacking
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
M1040\tBehavior Prevention on Endpoint
T1055\tProcess Injection
T1053.001\tAt (Linux)
T1053.002\tAt (Windows)
T1053.003\tCron
T1053.004\tLaunchd
T1053.005\tScheduled Task
T1053.006\tSystemd Timers
T1053.007\tContainer Orchestration Job
Sub-techniques (7)
T1078.001\tDefault Accounts
T1078.002\tDomain Accounts
T1078.003\tLocal Accounts
T1078.004\tCloud Accounts
TA0004\tPrivilege Escalation
T1612\tBuild Image on Host
T1140\tDeobfuscate/Decode Files or Information
T1006\tDirect Volume Access
T1480\tExecution Guardrails
T1211\tExploitation for Defense Evasion
T1222\tFile and Directory Permissions Modification
T1564\tHide Artifacts
T1562\tImpair Defenses
T1070\tIndicator Removal on Host
T1202\tIndirect Command Execution
T1036\tMasquerading
T1578\tModify Cloud Compute Infrastructure
T1112\tModify Registry
T1601\tModify System Image
T1599\tNetwork Boundary Bridging
T1027\tObfuscated Files or Information
T1207\tRogue Domain Controller
T1014\tRootkit
T1218\tSigned Binary Proxy Execution
T1216\tSigned Script Proxy Execution
T1553\tSubvert Trust Controls
T1221\tTemplate Injection
T1127\tTrusted Developer Utilities Proxy Execution
T1535\tUnused/Unsupported Cloud Regions
T1550\tUse Alternate Authentication Material
T1600\tWeaken Encryption
T1220\tXSL Script Processing
TA0005\tDefense Evasion
Network traffic monitoring (1)
Device startup item monitoring
Configuration file monitoring
File access monitoring
Running process monitoring
System service monitoring
User account monitoring
User behavior monitoring (4)
User training
Software configuration
Consolidated log monitoring
Detection categories
M1049\tAntivirus/Antimalware\tUse signatures or heuristics to detect malicious software.
M1013\tApplication Developer Guidance\tThis mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
M1048\tApplication Isolation and Sandboxing\tRestrict execution of code to a virtual environment on or in transit to an endpoint system.
M1046\tBoot Integrity\tUse secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
M1045\tCode Signing\tEnforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
M1043\tCredential Access Protection\tUse capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping.
M1053\tData Backup\tTake and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.
M1042\tDisable or Remove Feature or Program\tRemove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
M1055\tDo Not Mitigate\tThis category groups techniques for which a mitigation might increase the risk of compromise, so mitigation is not recommended.
M1041\tEncrypt Sensitive Information\tProtect sensitive information with strong encryption.
M1039\tEnvironment Variable Permissions\tPrevent modification of environment variables by unauthorized users and groups.
M1050\tExploit Protection\tUse capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
M1037\tFilter Network Traffic\tUse network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1033\tLimit Software Installation\tBlock users or groups from installing unapproved software.
M1032\tMulti-factor Authentication\tUse two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.
M1031\tNetwork Intrusion Prevention\tUse intrusion detection signatures to block traffic at network boundaries.
M1028\tOperating System Configuration\tMake configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
M1027\tPassword Policies\tSet and enforce secure password policies for accounts.
M1029\tRemote Data Storage\tUse remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
M1022\tRestrict File and Directory Permissions\tRestrict access by setting directory and file permissions that are not specific to users or privileged accounts.
M1044\tRestrict Library Loading\tPrevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
M1024\tRestrict Registry Permissions\tRestrict the ability to modify certain hives or keys in the Windows Registry.
M1054\tSoftware Configuration\tImplement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
M1020\tSSL/TLS Inspection\tBreak and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
M1019\tThreat Intelligence Program\tA threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.
M1051\tUpdate Software\tPerform regular software updates to mitigate exploitation risk.
M1052\tUser Account Control\tConfigure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
M1016\tVulnerability Scanning\tVulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
Mitigation categories