
Mitre content packs TA0001-0009


TA0001

Initial Access

Purpose

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Included content

Mitre alert packs

  1. T1078: Valid Accounts

  2. T1133: External Remote Services

  3. T1189: Drive-by Compromise

  4. T1190: Exploit Public-Facing Application

  5. T1566: Phishing

Prerequisites

LOOKUPS

TA0002

Execution

Purpose

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
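The scenario in the paragraph above (a remote access tool launching a PowerShell script that performs Remote System Discovery) is the kind of event the T1059 alert pack would have to catch. The following is an added example, not code from this page or from the content packs it lists: it takes process-creation events in an assumed field layout (host, parent, image, cmdline; names invented here), decodes a PowerShell -EncodedCommand argument so encoding cannot hide the script body, and maps each launch to ATT&CK technique IDs (T1059 for the interpreter, T1018 when the script body enumerates other hosts). The sample events, parent-process list and discovery pattern are constructed for the example.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (invented for this example; the field names
# host/parent/image/cmdline are assumptions). The first mirrors the paragraph's
# scenario: a remote-access tool launching an encoded PowerShell one-liner that
# enumerates domain computers.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "anydesk.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("Get-ADComputer -Filter * | Select-Object Name")},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "srv01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Command and scripting interpreters (T1059) this example watches for.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents that front remote administration or remote execution (assumed list); an
# interpreter spawned under one of these deserves more attention than one under explorer.exe.
REMOTE_PARENTS = {"anydesk.exe", "teamviewer.exe", "wmiprvse.exe", "psexesvc.exe"}
# Native commands/cmdlets that enumerate other hosts (T1018 Remote System Discovery).
DISCOVERY_RE = re.compile(r"get-adcomputer|net\s+view|nltest|arp\s+-a", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError; odd-length or non-UTF-16 payloads fail here
        return None


def classify(event: dict) -> dict:
    """Map one process-creation event to ATT&CK technique IDs.

    Returns {"techniques": [...], "encoded": bool, "remote_parent": bool}; an empty
    technique list means the event is not an interpreter launch.
    """
    result = {"techniques": [], "encoded": False, "remote_parent": False}
    if event["image"].lower() not in INTERPRETERS:
        return result
    result["techniques"].append("T1059")
    decoded = decode_encoded_command(event["cmdline"])
    result["encoded"] = decoded is not None
    result["remote_parent"] = event["parent"].lower() in REMOTE_PARENTS
    # Inspect the decoded script when there is one, otherwise the raw command line,
    # so that encoding does not hide the discovery command from the pattern.
    if DISCOVERY_RE.search(decoded if decoded is not None else event["cmdline"]):
        result["techniques"].append("T1018")
    return result


def alerts(events):
    """Return (host, techniques) for every event that maps to at least one technique."""
    out = []
    for e in events:
        techniques = classify(e)["techniques"]
        if techniques:
            out.append((e["host"], techniques))
    return out
```

In practice the decoded script, not the raw command line, is what should be matched by any content rule: the same Get-ADComputer call is invisible to a plain substring match once it is wrapped in -enc, and the remote_parent flag is what turns an ordinary T1059 hit into something an analyst should look at first.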

Included content

Mitre alert packs

  1. T1047: Windows Management Instrumentation

  2. T1053: Scheduled Task/Job

  3. T1059: Command and Scripting Interpreter

  4. T1072: Software Deployment Tools

  5. T1203: Exploitation for Client Execution

  6. T1204: User Execution

  7. T1569: System Services

Prerequisites

LOOKUPS

TA0003

Persistence

Purpose

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Included content

Mitre alert packs

  1. T1037: Boot or Logon Initialization Scripts

  2. T1053: Scheduled Task/Job

  3. T1078: Valid Accounts

  4. T1098: Account Manipulation

  5. T1133: External Remote Services

  6. T1136: Create Account

  7. T1205: Traffic Signaling

  8. T1505: Server Software Component

  9. T1525: Implant Internal Image

  10. T1543: Create or Modify System Process

  11. T1546: Event Triggered Execution

  12. T1547: Boot or Logon Autostart Execution

  13. T1556: Modify Authentication Process

  14. T1574: Hijack Execution Flow

Prerequisites

LOOKUPS

TA0004

Privilege Escalation

Purpose

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level.

  • Local administrator.

  • User account with admin-like access.

  • User accounts with access to a specific system or that perform a specific function.

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Included content

Mitre alert packs

  1. T1037: Boot or Logon Initialization Scripts

  2. T1053: Scheduled Task/Job

  3. T1055: Process Injection

  4. T1068: Exploitation for Privilege Escalation

  5. T1078: Valid Accounts

  6. T1134: Access Token Manipulation

  7. T1484: Domain Policy Modification

  8. T1543: Create or Modify System Process

  9. T1546: Event Triggered Execution

  10. T1547: Boot or Logon Autostart Execution

  11. T1548: Abuse Elevation Control Mechanism

  12. T1574: Hijack Execution Flow

Prerequisites

LOOKUPS

TA0005

Defense Evasion

Purpose

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Included content

Mitre alert packs

  1. T1027: Obfuscated Files or Information

  2. T1036: Masquerading

  3. T1055: Process Injection

  4. T1070: Indicator Removal on Host

  5. T1078: Valid Accounts

  6. T1112: Modify Registry

  7. T1134: Access Token Manipulation

  8. T1140: Deobfuscate/Decode Files or Information

  9. T1205: Traffic Signaling

  10. T1207: Rogue Domain Controller

  11. T1211: Exploitation for Defense Evasion

  12. T1218: System Binary Proxy Execution

  13. T1222: File and Directory Permissions Modification

  14. T1484: Domain Policy Modification

  15. T1548: Abuse Elevation Control Mechanism

  16. T1550: Use Alternate Authentication Material

  17. T1553: Subvert Trust Controls

  18. T1556: Modify Authentication Process

  19. T1562: Impair Defenses

  20. T1564: Hide Artifacts

  21. T1574: Hijack Execution Flow

  22. T1578: Modify Cloud Compute Infrastructure

  23. T1599: Network Boundary Bridging

Prerequisites

LOOKUPS

TA0006

Credential Access

Purpose

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
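The T1110 Brute Force pack in the list below covers the two patterns a practitioner most often wants separated: repeated guesses against one account, and a spray of a few guesses across many accounts that stays under per-account lockout thresholds. The following is an added example, not code from this page or the content packs: it parses constructed sshd-style authentication lines (addresses from documentation ranges, timestamps arbitrary) and runs both detections with a sliding time window, escalating a guessing run when a later success for the same source/account pair shows the guessed password worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication lines (invented for this example).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:07 sshd[1204]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:09 sshd[1205]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:12 sshd[1206]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
2024-03-01T10:05:01 sshd[1301]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:02 sshd[1302]: Failed password for carol from 198.51.100.9 port 40002 ssh2
2024-03-01T10:05:03 sshd[1303]: Failed password for dave from 198.51.100.9 port 40003 ssh2
2024-03-01T10:05:04 sshd[1304]: Failed password for erin from 198.51.100.9 port 40004 ssh2
2024-03-01T11:00:00 sshd[1400]: Failed password for alice from 192.0.2.5 port 30000 ssh2
2024-03-01T11:00:20 sshd[1401]: Accepted password for alice from 192.0.2.5 port 30001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log: str) -> list:
    """Parse auth lines into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """T1110.001 Password Guessing: >= threshold failures for one (src, user) pair
    inside the window, escalated when a later success for the same pair follows."""
    fails = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            q = fails[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # expire failures older than the window
                q.pop(0)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"technique": "T1110.001", "stage": "attempts",
                               "src": key[0], "user": key[1]})
        elif key in flagged:
            # Success after a flagged run: the guessed password worked and the account
            # is now a usable foothold (what the Initial Access pack tracks as T1078).
            alerts.append({"technique": "T1110.001", "stage": "success",
                           "src": key[0], "user": key[1]})
            flagged.discard(key)
    return alerts


def detect_spray(events, threshold=5, window=timedelta(minutes=10)):
    """T1110.003 Password Spraying: one source failing against >= threshold distinct
    accounts inside the window (one or two tries per account, so lockout never trips)."""
    per_src = defaultdict(list)   # src -> [(ts, user)] inside the window
    flagged = set()
    alerts = []
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = per_src[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.pop(0)
        users = sorted({u for _, u in q})
        if len(users) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"technique": "T1110.003", "src": ev["src"], "users": users})
    return alerts
```

The two detections are keyed differently on purpose: guessing is counted per source and account, spraying per source across accounts, so a spray of one attempt per user never reaches the guessing threshold and a guessing run against a single account never reaches the spray threshold. The single failure for alice from 192.0.2.5 followed by a success is left alone by both, which is the false-positive case a naive "failure then success" rule would fire on.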

Included content

Mitre alert packs

  1. T1003: OS Credential Dumping

  2. T1110: Brute Force

  3. T1528: Steal Application Access Token

  4. T1539: Steal Web Session Cookie

  5. T1552: Unsecured Credentials

  6. T1555: Credentials from Password Stores

  7. T1556: Modify Authentication Process

  8. T1558: Steal or Forge Kerberos Tickets

  9. T1606: Forge Web Credentials

Prerequisites

LOOKUPS

TA0007

Discovery

Purpose

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Included content

Mitre alert packs

  1. T1012: Query Registry

  2. T1018: Remote System Discovery

  3. T1033: System Owner/User Discovery

  4. T1046: Network Service Discovery

  5. T1057: Process Discovery

  6. T1069: Permission Groups Discovery

  7. T1082: System Information Discovery

  8. T1083: File and Directory Discovery

  9. T1087: Account Discovery

  10. T1482: Domain Trust Discovery

  11. T1526: Cloud Service Discovery

  12. T1580: Cloud Infrastructure Discovery

  13. T1614: System Location Discovery

  14. T1619: Cloud Storage Object Discovery

Prerequisites

LOOKUPS

TA0008

Lateral Movement

Purpose

The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
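When an adversary pivots with legitimate credentials and native tools, the process-level signal described for Execution is largely absent, and what remains is the authentication trail: one account reaching an unusual number of hosts over network logons in a short time. The following is an added example, not code from this page or the content packs: it runs a fan-out detection for T1021 over constructed Windows Security 4624 events reduced to the fields it needs (time, account, logon type, source IP, destination host; names, addresses and the service-account allowlist are invented here), and labels RDP sessions (logon type 10) as T1021.001 while other network logons (type 3, which 4624 alone cannot split into SMB, WinRM or WMI) stay at the parent T1021.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4624 (successful logon) events reduced to
# (time, account, logon type, source IP, destination host). Invented for this example.
SAMPLE_LOGONS = [
    ("2024-03-01T09:00:00", "svc-backup", 3, "10.0.0.5", "FS01"),
    ("2024-03-01T09:00:01", "svc-backup", 3, "10.0.0.5", "FS02"),
    ("2024-03-01T09:00:02", "svc-backup", 3, "10.0.0.5", "FS03"),
    ("2024-03-01T09:00:03", "svc-backup", 3, "10.0.0.5", "FS04"),
    ("2024-03-01T09:00:04", "svc-backup", 3, "10.0.0.5", "FS05"),
    ("2024-03-01T13:00:00", "jdoe", 10, "10.0.1.20", "WS-ACCT-07"),
    ("2024-03-01T13:01:10", "jdoe", 3, "10.0.1.20", "WS-ACCT-08"),
    ("2024-03-01T13:02:30", "jdoe", 3, "10.0.1.20", "WS-HR-02"),
    ("2024-03-01T13:03:05", "jdoe", 3, "10.0.1.20", "SRV-FILE-01"),
    ("2024-03-01T13:04:40", "jdoe", 3, "10.0.1.20", "SRV-SQL-02"),
    ("2024-03-01T13:20:00", "asmith", 2, "-", "WS-ENG-03"),
    ("2024-03-01T14:00:00", "asmith", 3, "10.0.2.9", "FS01"),
    ("2024-03-01T14:30:00", "asmith", 3, "10.0.2.9", "FS02"),
]

# Accounts expected to touch many hosts (backup, monitoring, patching); assumed list.
ALLOWLIST = {"svc-backup"}
# Logon types that arrive over the network: 3 = Network (SMB, WinRM, WMI, ...),
# 10 = RemoteInteractive (RDP). Type 2 is a console logon and is ignored.
REMOTE_LOGON_TYPES = {3: "T1021", 10: "T1021.001"}


def detect_fan_out(logons, threshold=4, window=timedelta(minutes=15), allow=ALLOWLIST):
    """Alert when one account reaches >= threshold distinct hosts over remote logons
    inside the window. One alert per account; its later logons are ignored once flagged."""
    recent = defaultdict(list)   # account -> [(ts, dst, logon_type)] inside the window
    flagged = set()
    alerts = []
    for ts_s, user, ltype, src, dst in sorted(logons):   # ISO timestamps sort chronologically
        if user in allow or ltype not in REMOTE_LOGON_TYPES or user in flagged:
            continue
        ts = datetime.fromisoformat(ts_s)
        q = recent[user]
        q.append((ts, dst, ltype))
        while q and ts - q[0][0] > window:   # expire logons older than the window
            q.pop(0)
        targets = sorted({d for _, d, _ in q})
        if len(targets) >= threshold:
            flagged.add(user)
            alerts.append({
                "account": user,
                "source": src,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "targets": targets,
                "techniques": sorted({REMOTE_LOGON_TYPES[t] for _, _, t in q}),
            })
    return alerts
```

The allowlist is what keeps this rule usable: without it the backup service account is the first thing it flags, as the test below shows, and a rule that fires every night on the same account is one that gets muted. Counting distinct destinations rather than raw logon events also matters, because one workstation reconnecting to one file server many times is not lateral movement.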

Included content

Mitre alert packs

  1. T1021: Remote Services

  2. T1550: Use Alternate Authentication Material

  3. T1563: Remote Service Session Hijacking

Prerequisites

LOOKUPS

TA0009

Collection

Purpose

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Included content

Mitre alert packs

  1. T1005: Data from Local System

  2. T1025: Data from Removable Media

  3. T1074: Data Staged

  4. T1114: Email Collection

  5. T1115: Clipboard Data

  6. T1119: Automated Collection

  7. T1123: Audio Capture

  8. T1530: Data from Cloud Storage Object

  9. T1560: Archive Collected Data

Prerequisites

LOOKUPS
