Mapping 'Compromised Insider' Use Case to the MITRE ATT&CK Data Source & Technique
Published: 29th June
If this is one of your use cases, Cyberseer would work with your environment to ensure we have the right data sources to provide visibility of the MITRE techniques.
Hover over each tactic heading to reveal data source & technique:
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.
DATA SOURCES
• Application Log Content
• File Creation
• Network Connection Creation
• Network Traffic Content
• Process Creation
• Application Log Content
• Network Traffic Flow
• Logon Session Creation
• User Account Authentication
MITRE Techniques
•T1566 Phishing
•T1078 Valid Accounts
Execution consists of techniques that result in adversary-controlled code running on a local or remote system.
DATA SOURCES
- Application Log Content
- Command Execution
- Container Creation
- Container Start
- File Creation
- File Modification
- Image Creation
- Instance Creation
- Instance Start
- Module Load
- Network Connection Creation
- Network Traffic Content
- Process Creation
- Scheduled Job Creation
- Script Execution
MITRE Techniques
- T1059 Command and Scripting Interpreter
- T1053 Scheduled Task/Job
- T1204 User Execution
- T1047 Windows Management Instrumentation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
DATA SOURCES
- Active Directory Object Modification
- Command Execution
- Container Creation
- File Creation
- File Metadata
- File Modification
- Module Load
- OS API Execution
- Process Access
- Process Creation
- Process Metadata
- Scheduled Job Creation
- User Account Metadata
- WMI Creation
- Windows Registry Key
MITRE Techniques
- T1134 Access Token Manipulation
- T1068 Exploitation for Privilege Escalation
- T1055 Process Injection
- T1053 Scheduled Task/Job
- T1078 Valid Accounts
Credential Access consists of techniques for stealing credentials like account names and passwords.
DATA SOURCES
- Application Log Content
- User Account Authentication
- Active Directory Object Access
- Command Execution
- File Access
- Network Traffic Content
- Network Traffic Flow
- OS API Execution
- Process Access
- Process Creation
- Windows Registry Key Access
MITRE Techniques
- T1110 Brute Force
- T1555 Credentials from Password Stores
- T1557 Man-in-the-Middle
- T1003 OS Credential Dumping
- T1558 Steal or Forge Kerberos Tickets
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.
DATA SOURCES
- Asset logon and access
- Authentication and access management
- VPN and zero trust network access
- Application Activity
- Privileged access management and activity
- File monitoring
- Remote logon activity
- DLP alerts
- Web activity
MITRE Techniques
- T1087 Account Discovery
- T1135 Network Share Discovery
- T1040 Network Sniffing
- T1057 Process Discovery
- T1518 Software Discovery
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
DATA SOURCES
- Command Execution
- File Access
- Firewall Enumeration
- Firewall Metadata
- OS API Execution
- Process Creation
- User Account Metadata
MITRE Techniques
- T1534 Internal Spear phishing
- T1563 Remote Service Session Hijacking
- T1021 Remote Services
Exfiltration consists of techniques that adversaries may use to steal data from your network.
DATA SOURCES
- Cloud Storage Creation
- Cloud Storage Modification
- Command Execution
- File Access
- Network Connection Creation
- Network Traffic Content
- Network Traffic Flow
- Script Execution
- Snapshot Creation
- Snapshot Modification
MITRE Techniques
- T1048 Exfiltration Over Alternative Protocol
- T1041 Exfiltration Over C2 Channel
- T1052 Exfiltration Over Physical Medium
- T1567 Exfiltration Over Web Service
- T1537 Transfer Data to Cloud Account
Latest blogs
Securing the Cloud Infrastructure: Native vs Cloud Control
