Back from the ATT&CK jungle…

So there was a pandemic, the whole world was under lockdown, and I got a bit depressed.
I needed something new in my life, so I decided to take my favorite dog out for a walk in the ATT&CK jungle to check out the newly added sub-techniques…

If you’re not familiar with ATT&CK and are wondering what this is all about, no worries…
ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.
It’s a treasure trove of information about real-life offensive tradecraft.
I like to see it as an open-source encyclopedia of corporate post-exploitation.
There is a growing community around the project and more info keeps being added to it.
[Check out this post by @LikeTheCoins if you want to know more]

In this post, I just want to share my excitement about the new sub-techniques that are being added to the data to better structure it. [it’s a jungle out there…]

Still in beta, but I think it’s pretty cool, so I took some pictures for you. Check it out…

First, a quick look at all the different tactics [aka attack phases]…

Now, a look at the various techniques and the new branching for each phase…

TA0001 – Initial Access

TA0002 – Execution

TA0003 – Persistence

TA0004 – Privilege Escalation

TA0005 – Defense Evasion

TA0006 – Credential Access

TA0007 – Discovery

TA0008 – Lateral Movement

TA0009 – Collection

TA0010 – Exfiltration

TA0011 – Command & Control

TA0040 – Impact

Gorgeous, isn’t it…

Looking at all this is like reading the menu in front of the restaurant, and now that your mouth is watering, you probably want to explore all of this by yourself…

If you like, I’ll share the little PowerShell tool I use to manipulate ATT&CK from the command line.

[Updated for sub-techniques. Beta too. Code can be found here]

And if you wonder how it works, or how to push ATT&CK data to BloodHound [just for fun],
you can check out this video of my [Sunday morning] talk at DerbyCon last year…

That’s about it for today. Hope you enjoyed it.
Ping me on the BloodHound Slack if you have any questions or remarks…