MITRE ATT&CK Tactics

This article outlines the MITRE ATT&CK tactics and techniques that Lacework can detect, which are frequently used by cyber adversaries throughout different stages of a cyberattack.

When viewing the Alert page, you can filter the alert list to display only alerts that employed the same MITRE ATT&CK tactics and techniques. For more information, refer to Built-in Filters.

Initial Access Tactic

This tactic involves techniques that use different entry vectors to gain an initial foothold within a network. These techniques include targeted spearphishing and exploiting weaknesses in public-facing web servers. Footholds gained through initial access may permit continued access, such as through valid accounts and external remote services, or may be limited in use because passwords change.

For the list of common techniques used by adversaries, refer to Initial Access Tactic.

Execution Tactic

This tactic involves techniques that run adversary-controlled code on local or remote systems. These techniques are combined with other tactics to achieve broader goals, such as network exploration or data theft. For instance, an adversary might use a remote access tool to run a PowerShell script that performs remote system discovery.

For the list of common techniques used by adversaries, refer to Execution Tactic.

Persistence Tactic

This tactic involves techniques that enable adversaries to maintain system access despite restarts, credential changes, or other interruptions. These include actions such as replacing legitimate code or adding startup code to retain their foothold on the system.

For the list of common techniques used by adversaries, refer to Persistence Tactic.

Privilege Escalation Tactic

This tactic involves techniques that allow adversaries to acquire higher-level permissions on a system or network. While they may initially enter and explore with unprivileged access, elevated permissions are often essential to achieve their objectives. Common approaches involve exploiting system weaknesses, misconfigurations, and vulnerabilities.

Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with specific system or functional access

These techniques may overlap with persistence techniques, as OS features allowing persistence can execute with elevated privileges.

For the list of common techniques used by adversaries, refer to Privilege Escalation Tactic.

Defense Evasion Tactic

This tactic involves techniques that are used to avoid detection during compromise. Methods include disabling security software, obfuscating data/scripts, and leveraging trusted processes to hide malware. Other tactics' techniques are cross-listed if they aid in subverting defenses.

For the list of common techniques used by adversaries, refer to Defense Evasion Tactic.

Credential Access Tactic

This tactic involves techniques for stealing credentials such as account names and passwords, using methods such as keylogging or credential dumping. Legitimate credentials give adversaries access, increased stealth, and the ability to create more accounts to achieve their goals.

For the list of common techniques used by adversaries, refer to Credential Access Tactic.

Discovery Tactic

This tactic involves techniques adversaries use to gain knowledge about the system and network. They observe and orient themselves before deciding on their actions, and explore what they can control for potential benefit. Native OS tools are often used for post-compromise information gathering.

For the list of common techniques used by adversaries, refer to Discovery Tactic.

Lateral Movement Tactic

This tactic involves techniques adversaries use to control remote systems on a network, exploring and pivoting to reach their objectives. They may use remote access tools, or legitimate credentials combined with native network and OS tools for stealthier movement.

For the list of common techniques used by adversaries, refer to Lateral Movement Tactic.

Collection Tactic

This tactic involves techniques that adversaries use to gather relevant information to advance their objectives. Typically, the next step is data exfiltration. Common target sources include drives, browsers, audio, video, and email. Methods include capturing screenshots and keyboard input.

For the list of common techniques used by adversaries, refer to Collection Tactic.

Exfiltration Tactic

This tactic involves techniques that adversaries use to steal data from your network. After collecting data, they package it to avoid detection, often using compression and encryption. Data is transferred via their command and control channel or an alternate one, sometimes with size limits on transmission.

For the list of common techniques used by adversaries, refer to Exfiltration Tactic.

Command and Control Tactic

This tactic involves techniques that adversaries use to communicate with controlled systems within a victim network. They often mimic normal traffic to evade detection, adapting their approach based on the network structure and defenses.

For the list of common techniques used by adversaries, refer to Command and Control Tactic.

Impact Tactic

This tactic involves techniques aimed at disrupting availability and compromising integrity by manipulating business and operational processes. Methods can involve data destruction or tampering. In some cases, altered processes may appear normal but serve the adversaries' goals. These techniques may be used to achieve their objectives or to conceal a confidentiality breach.

For the list of common techniques used by adversaries, refer to Impact Tactic.

Resource Development Tactic

This tactic involves techniques that adversaries use to create, purchase, or compromise resources to support targeting. These resources include infrastructure, accounts, or capabilities, and they aid various phases of the adversary lifecycle, such as command and control with purchased domains, initial access through email accounts, or defense evasion with stolen code signing certificates.

For the list of common techniques used by adversaries, refer to Resource Development Tactic.

Reconnaissance Tactic

This tactic involves techniques where adversaries gather information actively or passively to support targeting. This includes details of the victim organization, infrastructure, or personnel. The information is leveraged in different phases of the adversary lifecycle, such as planning initial access, prioritizing post-compromise objectives, and driving further reconnaissance efforts.

For the list of common techniques used by adversaries, refer to Reconnaissance Tactic.