MITRE ATT&CK

Our Contributions to MITRE ATT&CK™

Praetorian has made over 30 net-new TTP contributions to the MITRE ATT&CK™ framework – a testament to our adversarial security expertise.

ATT&CK Matrix for Enterprise

As the leading offensive security team, Praetorian has made 32 contributions (and counting) to the MITRE ATT&CK framework.

Reconnaissance 10 techniques	Resource Development 8 techniques	Initial Access 10 techniques	Execution 14 techniques	Persistence 20 techniques	Privilege Escalation 14 techniques	Defense Evasion 44 techniques	Credential Access 17 techniques	Discovery 32 techniques	Lateral Movement 9 techniques	Collection 17 techniques	Command and Control 18 techniques	Exfiltration 9 techniques	Impact 14 techniques
Active Scanning Gather Victim Host Information Gather Victim Identity Information Gather Victim Network Information Gather Victim Org Information Phishing for Information Search Closed Sources Search Open Technical Databases Search Open Websites/Domains Search Victim-Owned Websites	Acquire Access Acquire Infrastructure Compromise Accounts Compromise Infrastructure Develop Capabilities Establish Accounts Obtain Capabilities Stage Capabilities	Content Injection Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Phishing Replication Through Removable Media Supply Chain Compromise Trusted Relationship Valid Accounts	Cloud Administration Command Command and Scripting Interpreter Container Administration Command Deploy Container Exploitation for Client Execution Inter-Process Communication Native API Scheduled Task/Job Serverless Execution Shared Modules Software Deployment Tools System Services User Execution Windows Management Instrumentation	Account Manipulation BITS Jobs Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Browser Extensions Compromise Host Software Binary Create Account Create or Modify System Process Event Triggered Execution External Remote Services Hijack Execution Flow Implant Internal Image Modify Authentication Process Office Application Startup Power Settings Pre-OS Boot Scheduled Task/Job Server Software Component Traffic Signaling Valid Accounts	Abuse Elevation Control Mechanism Access Token Manipulation Account Manipulation Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Create or Modify System Process Domain or Tenant Policy Modification Escape to Host Exploitation for Privilege Escalation Hijack Execution Flow Process Injection Scheduled Task/Job Valid Accounts	Abuse Elevation Control Mechanism Access Token Manipulation BITS Jobs Build Image on Host Debugger Evasion Deobfuscate/Decode Files or Information Deploy Container Direct Volume Access Domain or Tenant Policy Modification Execution Guardrails Exploitation for Defense Evasion File and Directory Permissions Modification Hide Artifacts Hijack Execution Flow Impair Defenses Impersonation Indicator Removal Indirect Command Execution Masquerading Modify Authentication Process Modify Cloud Compute Infrastructure Modify Cloud Resource Hierarchy Modify Registry Modify System Image Network Boundary Bridging Obfuscated Files or Information Plist File Modification Pre-OS Boot Process Injection Reflective Code Loading Rogue Domain Controller Rootkit Subvert Trust Controls System Binary Proxy Execution System Script Proxy Execution Template Injection Traffic Signaling Trusted Developer Utilities Proxy Execution Unused/Unsupported Cloud Regions Use Alternate Authentication Material Valid Accounts Virtualization/Sandbox Evasion Weaken Encryption XSL Script Processing	Adversary-in-the-Middle Brute Force Credentials from Password Stores Exploitation for Credential Access Forced Authentication Forge Web Credentials Input Capture Modify Authentication Process Multi-Factor Authentication Interception Multi-Factor Authentication Request Generation Network Sniffing OS Credential Dumping Steal Application Access Token Steal or Forge Authentication Certificates Steal or Forge Kerberos Tickets Steal Web Session Cookie Unsecured Credentials	Account Discovery Application Window Discovery Browser Information Discovery Cloud Infrastructure Discovery Cloud Service Dashboard Cloud Service Discovery Cloud Storage Object Discovery Container and Resource Discovery Debugger Evasion Device Driver Discovery Domain Trust Discovery File and Directory Discovery Group Policy Discovery Log Enumeration Network Service Discovery Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Software Discovery System Information Discovery System Location Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion	Exploitation of Remote Services Internal Spearphishing Lateral Tool Transfer Remote Service Session Hijacking Remote Services Replication Through Removable Media Software Deployment Tools Taint Shared Content Use Alternate Authentication Material	Adversary-in-the-Middle Archive Collected Data Audio Capture Automated Collection Browser Session Hijacking Clipboard Data Data from Cloud Storage Data from Configuration Repository Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Screen Capture Video Capture	Application Layer Protocol Communication Through Removable Media Content Injection Data Encoding Data Obfuscation Dynamic Resolution Encrypted Channel Fallback Channels Hide Infrastructure Ingress Tool Transfer Multi-Stage Channels Non-Application Layer Protocol Non-Standard Port Protocol Tunneling Proxy Remote Access Software Traffic Signaling Web Service	Automated Exfiltration Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over C2 Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Exfiltration Over Web Service Scheduled Transfer Transfer Data to Cloud Account	Account Access Removal Data Destruction Data Encrypted for Impact Data Manipulation Defacement Disk Wipe Endpoint Denial of Service Financial Theft Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Service Stop System Shutdown/Reboot

Praetorian's Contributions

T1027.004 - Obfuscated Files or Information: Compile After Delivery, Sub-technique

Created: 16 March 2020

Tactic: Defense Evasion

T1046 - Network Service Scanning, Technique

Created: 31 May 2017

Tactic: Discovery

T1049 - System Network Connections Discovery, Technique

Created: 31 May 2017

Tactic: Discovery

T1059.001 - Command and Scripting Interpreter: PowerShell, Sub-technique

Created: 09 March 2020

Tactic: Execution

T1074 - Data Staged, Technique

Created: 31 May 2017

Tactic: Collection

T1074.002 - Data Staged: Remote Data Staging, Sub-technique

Created: 13 March 2020

Tactic: Collection

T1078 - Valid Accounts, Technique

Created: 31 May 2017

Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

T1082 - System Information Discovery, Technique

Created: 31 May 2017

Tactic: Discovery

T1098 - Account Manipulation, Technique

Created: 31 May 2017

Tactic: Persistence

T1125 - Video Capture, Technique

Created: 31 May 2017

Tactic: Collection

T1135 - Network Share Discovery, Technique

Created: 14 December 2017

Tactic: Discovery

T1136 - Create Account, Technique

Created: 14 December 2017

Tactic: Persistence

T1136.003 - Create Account: Cloud Account, Sub-technique

Created: 29 January 2020

Tactic: Persistence

T1137 - Office Application Startup, Technique

Created: 14 December 2017

Tactic: Persistence

T1087.004 - Account Discovery: Cloud Account, Sub-technique

Created: 21 February 2020

Tactic: Discovery

T1190 - Exploit Public-Facing Application, Technique

Created: 18 April 2018

Tactic: Initial Access

T1199 - Trusted Relationship, Technique

Created: 18 April 2018

Tactic: Initial Access

T1213 - Data from Information Repositories, Technique

Created: 18 April 2018

Tactic: Collection

T1216 - Signed Script Proxy Execution, Technique

Created: 18 April 2018

Tactic: Collection

T1218 - Signed Binary Proxy Execution, Technique

Created: 18 April 2018

Tactic: Defense Evasion

T1220 - XSL Script Processing, Technique

Created: 17 October 2018

Tactic: Defense Evasion

T1525 - Implant Internal Image, Technique

Created: 04 September 2019

Tactic: Persistence

T1526 - Cloud Service Discovery, Technique

Created: 30 August 2019

Tactic: Discovery

T1530 - Data from Cloud Storage Object, Technique

Created: 30 August 2019

Tactic: Collection

T1537 - Transfer Data to Cloud Account, Technique

Created: 30 August 2019

Tactic: Exfiltration

T1538 - Cloud Service Dashboard, Technique

Created: 30 August 2019

Tactic: Discovery

T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique

Created: 24 January 2020

Tactic: Persistence, Privilege Escalation

T1552.005 - Unsecured Credentials: Cloud Instance Metadata API, Sub-technique

Created: 11 February 2020

Tactic: Credential Access

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting, Sub-technique

Created: 11 February 2020

Tactic: Credential Access

T1562.010 - Impair Defenses: Downgrade Attack, Sub-technique

Created: 08 October 2021

Tactic: Defense Evasion

T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot, Sub-technique

Created: 09 June 2020

Tactic: Defense Evasion

T1580 - Cloud Infrastructure Discovery, Technique

Created: 20 August 2020

Tactic: Discovery

Ready to Discuss Application
Penetration Testing Initiative?

Praetorian’s Offense Security Experts are Ready to Answer Your Questions

Resources Recommended for You

Continuous Offensive Security: Partner to Proactively Protect the Digital Frontier

Download Now

Unveiling the Invisible: Challenges with Detecting Exploitable Vulnerabilities in Large Environments

Watch Now

External Attack Surface Management: What’s Lurking Beneath the Surface

Download Now

Platform

Penetration Testing Services

Advanced Offensive Security

Managed Services

Customer Case Studies

Resources

Use Cases

About Praetorian

Join Praetorian

MITRE ATT&CK

Our Contributions to MITRE ATT&CK™

ATT&CK Matrix for Enterprise

Praetorian's Contributions

T1027.004 - Obfuscated Files or Information: Compile After Delivery, Sub-technique​

T1046 - Network Service Scanning, Technique

T1049 - System Network Connections Discovery, Technique

T1059.001 - Command and Scripting Interpreter: PowerShell, Sub-technique

T1074 - Data Staged, Technique

T1074.002 - Data Staged: Remote Data Staging, Sub-technique

T1078 - Valid Accounts, Technique

T1082 - System Information Discovery, Technique

T1098 - Account Manipulation, Technique

T1125 - Video Capture, Technique

T1135 - Network Share Discovery, Technique

T1136 - Create Account, Technique

T1136.003 - Create Account: Cloud Account, Sub-technique

T1137 - Office Application Startup, Technique

T1087.004 - Account Discovery: Cloud Account, Sub-technique

T1190 - Exploit Public-Facing Application, Technique

T1199 - Trusted Relationship, Technique

T1213 - Data from Information Repositories, Technique

T1216 - Signed Script Proxy Execution, Technique

T1218 - Signed Binary Proxy Execution, Technique

T1220 - XSL Script Processing, Technique

T1525 - Implant Internal Image, Technique

T1526 - Cloud Service Discovery, Technique

T1530 - Data from Cloud Storage Object, Technique

T1537 - Transfer Data to Cloud Account, Technique

T1538 - Cloud Service Dashboard, Technique

T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique

T1552.005 - Unsecured Credentials: Cloud Instance Metadata API, Sub-technique

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting, Sub-technique

T1562.010 - Impair Defenses: Downgrade Attack, Sub-technique

T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot, Sub-technique

T1580 - Cloud Infrastructure Discovery, Technique

Ready to Discuss Application Penetration Testing Initiative?

Resources Recommended for You​

Continuous Offensive Security: Partner to Proactively Protect the Digital Frontier

Unveiling the Invisible: Challenges with Detecting Exploitable Vulnerabilities in Large Environments

External Attack Surface Management: What’s Lurking Beneath the Surface

Continuous Threat Exposure Management

Professional Services

Use Cases

Company

Subscribe to our Newsletter

T1027.004 - Obfuscated Files or Information: Compile After Delivery, Sub-technique

Ready to Discuss Application
Penetration Testing Initiative?

Resources Recommended for You