Home

The MITRE ATT&CK Matrix™ is a categorized overview of attacker tactics and techniques. You can learn more about the ATT&CK model at https://attack.mitre.org/wiki/Main_Page. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

At Veramine we found this matrix to be a helpful way for defenders to think about defense and coverage of visibility. This wiki makes an effort to describe Veramine's detection and response capabilities in the context of the ATT&CK matrix. We have started by populating the first three topics (Persistence, Privilege Escalation, and Defense Evasion) and plan to add the other seven categories in the future.

Persistence	Privilege Escalation	Defense Evasion
Accessibility Features ✅	Accessibility Features ✅	Binary Padding ✅
AppInit DLLs ✅	AppInit DLLs ✅	Bypass User Account Control ✅
Authentication Package ✅	Bypass User Account Control ✅	Code Signing ✅
Basic Input/Output System ❌	DLL Injection ✅	Component Firmware ❌
Bootkit ❌	DLL Search Order Hijacking ✅	Component Object Model Hijacking ✅
Change Default File Association ✅	Exploitation of Vulnerability ✅	DLL Injection ✅
Component Firmware ❌	File System Permissions Weakness ✅	DLL Search Order Hijacking ✅
Component Object Model Hijacking ✅	Legitimate Credentials ❌	DLL Side-Loading ✅
DLL Search Order Hijacking ✅	Local Port Monitor ✅	Disabling Security Tools ✅
External Remote Services ❌	New Service ✅	Exploitation of Vulnerability ✅
File System Permissions Weakness ✅	Path Interception ❌	File Deletion ✅
Hypervisor ❌	Scheduled Task [⏳](COMING SOON)	File System Logical Offsets ❌
Legitimate Credentials ❌	Service Registry Permissions Weakness ✅	Indicator Blocking ✅
Local Port Monitor ✅	Web Shell ❌	Indicator Removal from Tools ✅
Logon Scripts ✅		Indicator Removal on Host ✅
Modify Existing Service ✅		Install Root Certificate ❌
Netsh Helper DLL ✅		InstallUtil ✅
New Service ✅		Legitimate Credentials ❌
Path Interception ❌		MSBuild ✅
Redundant Access ❌		Masquerading ❌
Registry Run Keys / Start Folder ✅		Modify Registry ❌
Scheduled Task [⏳](COMING SOON)		NTFS Extended Attributes ❌
Security Support Provider ✅		Network Share Connection Removal ✅
Service Registry Permissions Weakness ✅		Obfuscated Files or Information ✅
Shortcut Modification ❌		Process Hollowing [⏳](COMING SOON)
Web Shell ❌		Redundant Access ❌
Windows Management Instrumentation Event Subscription ❌		Regsvcs/Regasm ✅
Winlogon Helper DLL ✅		Regsvr32 ✅
		Rootkit ❌
		Rundll32 ✅
		Scripting ❌
		Software Packing ❌
		Timestomp ❌

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Home

Clone this wiki locally