
MITRE ATT&CK Coverage by Tactic

Initial Access

External Remote Services, Hardware Additions, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts, Drive-by Compromise, Exploit Public-Facing Application, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link

Execution

Compiled HTML File, Exploitation for Client Execution, Graphical User Interface, Third-party Software, User Execution, XSL Script Processing, CMSTP, Command-Line Interface, Control Panel Items, Dynamic Data Exchange, Execution through API, Execution through Module Load, InstallUtil, LSASS Driver, Mshta, PowerShell, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Trusted Developer Utilities, Windows Management Instrumentation, Windows Remote Management

Persistence

Component Object Model Hijacking, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hypervisor, Valid Accounts, Accessibility Features, Account Manipulation, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Create Account, Hidden Files and Directories, Hooking, Image File Execution Options Injection, Logon Scripts, LSASS Driver, Modify Existing Service, New Service, Office Application Startup, Path Interception, Port Monitors, Registry Run Keys / Startup Folder, Scheduled Task, Screensaver, Security Support Provider, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation

DLL Search Order Hijacking, Extra Window Memory Injection, Valid Accounts, Access Token Manipulation, Accessibility Features, AppCert DLLs, AppInit DLLs, Application Shimming, Bypass User Account Control, Exploitation for Privilege Escalation, Hooking, Image File Execution Options Injection, New Service, Path Interception, Port Monitors, Process Injection, Scheduled Task, Web Shell

Defense Evasion

Binary Padding, Code Signing, Compile After Delivery, Compiled HTML File, Component Firmware, Component Object Model Hijacking, DLL Search Order Hijacking, Execution Guardrails, Exploitation for Defense Evasion, Extra Window Memory Injection, File Permissions Modification, File System Logical Offsets, Group Policy Modification, Access Token Manipulation, BITS Jobs, Bypass User Account Control, CMSTP, Control Panel Items, DCShadow, Deobfuscate/Decode Files or Information, Disabling Security Tools, DLL Side-Loading, File Deletion, Hidden Files and Directories, Image File Execution Options Injection, Indicator Blocking, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Masquerading, Modify Registry, Mshta, Network Share Connection Removal, NTFS File Attributes, Obfuscated Files or Information, Process Injection, Regsvcs/Regasm, Regsvr32, Rundll32, Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, Timestomp, Trusted Developer Utilities, Web Service

Credential Access

Brute Force, Credentials in Files, Exploitation for Credential Access, Input Prompt, Kerberoasting, Network Sniffing, Password Filter DLL, Private Keys, Two-Factor Authentication Interception, Account Manipulation, Credential Dumping, Credentials in Registry, Forced Authentication, Hooking, Input Capture, LLMNR/NBT-NS Poisoning and Relay

Discovery

Domain Trust Discovery, Network Sniffing, Permission Groups Discovery, Virtualization/Sandbox Evasion, Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Password Policy Discovery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery

Lateral Movement

Shared Webroot, Taint Shared Content, Third-party Software, Exploitation of Remote Services, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Windows Admin Shares, Windows Remote Management

Collection

Audio Capture, Automated Collection, Data from Information Repositories, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Data Staged, Email Collection, Man in the Browser, Screen Capture, Video Capture, Clipboard Data, Input Capture

Command & Control

Commonly Used Port, Connection Proxy, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Domain Fronting, Domain Generation Algorithms, Fallback Channels, Multi-hop Proxy, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Standard Application Layer Protocol, Standard Cryptographic Protocol, Uncommonly Used Port, Communication Through Removable Media, Custom Command and Control Protocol, Remote Access Tools, Remote File Copy, Standard Non-Application Layer Protocol, Web Service

Exfiltration

Data Compressed, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer

Impact

Data Destruction, Data Encrypted for Impact, Defacement, Disk Content Wipe, Disk Structure Wipe, Endpoint Denial of Service, Firmware Corruption, Inhibit System Recovery, Network Denial of Service, Resource Hijacking, Runtime Data Manipulation, Service Stop, Stored Data Manipulation

Last updated 4 years ago