MITRE ATT&CK Enterprise
MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. This page lists 12 of the 14 Enterprise tactics (Reconnaissance, TA0043, and Resource Development, TA0042, are not included) together with five selected techniques; each control ID below is the bare ATT&CK ID carrying the site's ATTACK- prefix.
Issuing Body: MITRE Corporation
Version: v15
Published: 2024-10-31
Controls: 17
Mapped Laws: —
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| ATTACK-TA0001 | Initial Access | The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. | — | managed |
| ATTACK-TA0002 | Execution | The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals. | — | managed |
| ATTACK-TA0003 | Persistence | The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. | — | managed |
| ATTACK-TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. | — | managed |
| ATTACK-TA0005 | Defense Evasion | The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. | — | managed |
| ATTACK-TA0006 | Credential Access | The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. | — | managed |
| ATTACK-TA0007 | Discovery | The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. | — | managed |
| ATTACK-TA0008 | Lateral Movement | The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. | — | managed |
| ATTACK-TA0009 | Collection | The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. | — | managed |
| ATTACK-TA0010 | Exfiltration | The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. | — | managed |
| ATTACK-TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. | — | managed |
| ATTACK-TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. | — | managed |
| ATTACK-T1566 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. | — | managed |
| ATTACK-T1190 | Exploit Public-Facing Application | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. | — | managed |
| ATTACK-T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network. | — | managed |
| ATTACK-T1486 | Data Encrypted for Impact | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. | — | managed |
| ATTACK-T1059 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. | — | managed |
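The way this catalog is normally consumed is as a tagging vocabulary: a control ID is parsed back to its ATT&CK ID, a technique is resolved to the tactic(s) it serves (T1078 above names four), and detections are labelled with those IDs. The script below is an added example, not code from MITRE or from this site; it uses only the tactic and technique IDs in the table, maps each technique to the tactic its description names, and runs two heuristic detections (an Office application spawning a script interpreter for T1059/T1566, and one process renaming many files to a single new extension for T1486) over constructed endpoint events. The event record shapes, process-name lists, and the 50-file threshold are assumptions for illustration, not MITRE detection rules.

```python
"""Added example: tag constructed endpoint events with ATT&CK IDs from this page.
Not MITRE or site code; event shapes, process lists and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Tactics as listed in the table (bare ATT&CK IDs, site prefix stripped).
TACTICS = {
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0010": "Exfiltration", "TA0011": "Command and Control", "TA0040": "Impact",
}

# Techniques from the table, mapped to the tactics their descriptions name.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1190": ("Exploit Public-Facing Application", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
}

# Site control IDs are ATTACK-<ATT&CK id>; sub-techniques look like T1059.001.
CONTROL_ID = re.compile(r"^ATTACK-(TA\d{4}|T\d{4}(?:\.\d{3})?)$")


def parse_control_id(control_id: str) -> str:
    """Return the bare ATT&CK ID from a page control ID, or raise ValueError."""
    m = CONTROL_ID.match(control_id.strip())
    if not m:
        raise ValueError(f"not an ATT&CK control ID: {control_id!r}")
    return m.group(1)


def tactics_for(technique_id: str) -> list[tuple[str, str]]:
    """Tactics a technique can serve as (id, name) pairs; T1078 spans four."""
    _name, tactic_ids = TECHNIQUES[technique_id]
    return [(t, TACTICS[t]) for t in tactic_ids]


@dataclass
class ProcessEvent:
    """Constructed process-creation record (assumed shape, not a real EDR schema)."""
    parent: str
    image: str
    cmdline: str


@dataclass
class FileEvent:
    """Constructed file-rename record: `process` renamed old_name to new_name."""
    process: str
    old_name: str
    new_name: str


INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify_process(ev: ProcessEvent) -> list[str]:
    """Heuristic tags: an interpreter child is T1059; if its parent is an Office
    application, the usual delivery path is a phishing attachment, so add T1566."""
    tags = []
    if _basename(ev.image) in INTERPRETERS:
        tags.append("T1059")
        if _basename(ev.parent) in OFFICE_APPS:
            tags.append("T1566")
    return tags


def detect_mass_encryption(events: list[FileEvent], threshold: int = 50) -> dict[str, str]:
    """T1486 heuristic: one process renaming >= threshold files to the same new
    extension. Returns {process: extension} for every process over the threshold."""
    per_process: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        old_base, new_base = _basename(ev.old_name), _basename(ev.new_name)
        old_ext = old_base.rsplit(".", 1)[-1] if "." in old_base else ""
        new_ext = new_base.rsplit(".", 1)[-1] if "." in new_base else ""
        if new_ext and new_ext != old_ext:
            per_process[ev.process][new_ext] += 1
    return {proc: ext for proc, exts in per_process.items()
            for ext, n in exts.items() if n >= threshold}


# Constructed sample data so the module runs stand-alone.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_FILES = [FileEvent("evil.exe", f"D:\\docs\\report{i}.docx", f"D:\\docs\\report{i}.docx.locked")
                for i in range(60)] + [FileEvent("winword.exe", "draft.tmp", "draft.docx")]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESSES:
        for tid in classify_process(ev):
            print(tid, TECHNIQUES[tid][0], [name for _, name in tactics_for(tid)])
    print(detect_mass_encryption(SAMPLE_FILES))
```

The T1566 tag on an Office-spawned interpreter is an inference about delivery, not an observation of a phishing message, which is why it is emitted alongside T1059 rather than instead of it; when tagging alerts, record the tactic the behaviour actually evidences (Execution) and treat the inferred Initial Access technique as context for the analyst.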