
You are currently reviewing an older revision of this page.


MITRE matrix

MITRE is a well-known organization that monitors modern cyber-security threats and issues recommendations on detection and protection techniques.

On this page we try to summarize which parts of the MITRE Enterprise Threats matrix can be covered by InTrust monitoring.

Legend: Research pending; Significant noise reduction; Detection

Initial Access: Drive-by compromise; Exploit Public-Facing Application; Hardware Additions; Replication Through Removable Media; Spearphishing Attachment; Spearphishing Link; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Valid Accounts

Execution: AppleScript; CMSTP; Command-Line Interface; Compiled HTML File; Control Panel Items; Dynamic Data Exchange; Execution through API; Execution through Module Load; Exploitation for Client Execution; Graphical User Interface; InstallUtil; LSASS Driver; Launchctl; Local Job Scheduling; Mshta; PowerShell; Regsvcs/Regasm; Regsvr32; Rundll32; Scheduled Task; Scripting; Service Execution; Signed Binary Proxy Execution; Signed Script Proxy Execution; Source; Space after Filename; Third-party Software; Trap; Trusted Developer Utilities; User Execution; Windows Management Instrumentation; Windows Remote Management; XSL Script Processing

Persistence: .bash_profile and .bashrc; Accessibility Features; Account Manipulation; AppCert DLLs; AppInit DLLs; Application Shimming; Authentication Package; BITS Jobs; Bootkit; Browser Extensions; Change Default File Association; Component Firmware; Component Object Model Hijacking; Create Account; DLL Search Order Hijacking; Dylib Hijacking; External Remote Services; File System Permissions Weakness; Hidden Files and Directories; Hooking; Hypervisor; Image File Execution Options Injection; Kernel Modules and Extensions; LC_LOAD_DYLIB Addition; LSASS Driver; Launch Agent; Launch Daemon; Launchctl; Local Job Scheduling; Login Item; Logon Scripts; Modify Existing Service; Netsh Helper DLL; New Service; Office Application Startup; Path Interception; Plist Modification; Port Knocking; Port Monitors; Rc.common; Re-opened Applications; Redundant Access; Registry Run Keys / Startup Folder; SIP and Trust Provider Hijacking; Scheduled Task; Screensaver; Security Support Provider; Service Registry Permissions Weakness; Setuid and Setgid; Shortcut Modification; Startup Items; System Firmware; Time Providers; Trap; Valid Accounts; Web Shell; Windows Management Instrumentation Event Subscription; Winlogon Helper DLL

Privilege Escalation: Access Token Manipulation; Accessibility Features; AppCert DLLs; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Search Order Hijacking; Dylib Hijacking; Exploitation for Privilege Escalation; Extra Window Memory Injection; File System Permissions Weakness; Hooking; Image File Execution Options Injection; Launch Daemon; New Service; Path Interception; Plist Modification; Port Monitors; Process Injection; SID-History Injection; Scheduled Task; Service Registry Permissions Weakness; Setuid and Setgid; Startup Items; Sudo Caching; Sudo; Valid Accounts; Web Shell

Defense Evasion: Access Token Manipulation; BITS Jobs; Binary Padding; Bypass User Account Control; CMSTP; Clear Command History; Code Signing; Compiled HTML File; Component Firmware; Component Object Model Hijacking; Control Panel Items; DCShadow; DLL Search Order Hijacking; DLL Side-Loading; Deobfuscate/Decode Files or Information; Disabling Security Tools; Exploitation for Defense Evasion; Extra Window Memory Injection; File Deletion; File Permissions Modification; File System Logical Offsets; Gatekeeper Bypass; HISTCONTROL; Hidden Files and Directories; Hidden Users; Hidden Window; Image File Execution Options Injection; Indicator Blocking; Indicator Removal from Tools; Indicator Removal on Host; Indirect Command Execution; Install Root Certificate; InstallUtil; LC_MAIN Hijacking; Launchctl; Masquerading; Modify Registry; Mshta; NTFS File Attributes; Network Share Connection Removal; Obfuscated Files or Information; Plist Modification; Port Knocking; Process Doppelgänging; Process Hollowing; Process Injection; Redundant Access; Regsvcs/Regasm; Regsvr32; Rootkit; Rundll32; SIP and Trust Provider Hijacking; Scripting; Signed Binary Proxy Execution; Signed Script Proxy Execution; Software Packing; Space after Filename; Template Injection; Timestomp; Trusted Developer Utilities; Valid Accounts; Web Service; XSL Script Processing

Credential Access: Account Manipulation; Bash History; Brute Force; Credential Dumping; Credentials in Files; Credentials in Registry; Exploitation for Credential Access; Forced Authentication; Hooking; Input Capture; Input Prompt; Kerberoasting; Keychain; LLMNR/NBT-NS Poisoning; Network Sniffing; Password Filter DLL; Private Keys; Securityd Memory; Two-Factor Authentication Interception

Discovery: Account Discovery; Application Window Discovery; Browser Bookmark Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Network Sniffing; Password Policy Discovery; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Service Discovery; System Time Discovery

Lateral Movement: AppleScript; Application Deployment Software; Distributed Component Object Model; Exploitation of Remote Services; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol; Remote File Copy; Remote Services; Replication Through Removable Media; SSH Hijacking; Shared Webroot; Taint Shared Content; Third-party Software; Windows Admin Shares; Windows Remote Management

Collection: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Information Repositories; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Email Collection; Input Capture; Man in the Browser; Screen Capture; Video Capture

Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Scheduled Transfer

Command and Control: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation; Domain Fronting; Fallback Channels; Multi-Stage Channels; Multi-hop Proxy; Multiband Communication; Multilayer Encryption; Port Knocking; Remote Access Tools; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol; Uncommonly Used Port; Web Service