MITRE ATT&CK AI Classification in ThreatConnect
Updated on 17 Oct 2024
Overview
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is a knowledge base that uses metadata codes to standardize and classify adversary goals (tactics) and offensive actions (techniques). ThreatConnect® leverages the MITRE ATT&CK® framework in various areas across the platform to optimize the way you use your threat intelligence to understand adversaries, automate workflows, and mitigate threats.
Before You Start
User Roles
- To view and pivot on ATT&CK Tags, your user account can have any Organization role.
Prerequisites
- Activate the CAL Automated Threat Library Source to view Tags applied to Report Groups in this Source (must be a System Administrator to perform this action).
- To leverage ATT&CK Tags in ThreatConnect Intelligence Anywhere, enable CAL on your ThreatConnect instance (must be a System Administrator to perform this action) and in your Organization (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
- Verify your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On-Premises instance).
How MITRE ATT&CK AI Classification Works
ThreatConnect uses a proprietary artificial intelligence (AI) classification model to read unstructured text from documents such as reports and blogs attached to Report Groups in the CAL Automated Threat Library (ATL) Source and to assess that content for context clues indicating related techniques and sub-techniques in the MITRE ATT&CK framework. The MITRE ATT&CK AI classification model can identify 121 techniques and sub-techniques at a 95% confidence level. It returns these techniques and sub-techniques as system-level ATT&CK Tags associated with the Report Group containing the unstructured-text file. You can use these ATT&CK Tags as “at-a-glance” reference points, enabling you to quickly assess and pivot through large amounts of information in CAL™ ATL Reports, as well as any threat intelligence object to which you or another user has manually applied an ATT&CK Tag.
The model is monitored for accuracy and updated to support the latest version of the MITRE ATT&CK framework. When new techniques and sub-techniques are added to the framework, the model is trained to identify and “understand” them. Once the updates to the model meet ThreatConnect’s quality standards, the techniques and sub-techniques are released for use by the model.
Using MITRE ATT&CK AI Classification
You can leverage ATT&CK Tags, including those applied automatically to CAL ATL Reports by the MITRE ATT&CK AI classification model, in a number of places in ThreatConnect, including the following:
- the Browse screen
- the Search screen
- Intelligence Requirements
- the ThreatConnect ATT&CK Visualizer
- Threat Graph
You can leverage MITRE ATT&CK AI classification directly in ThreatConnect Intelligence Anywhere (ThreatConnect’s browser extension), the Doc Analysis Import feature, and the ThreatConnect Doc Analysis Playbook App. In addition, the CAL Automated Threat Library Source contains all ATT&CK Tags, including the ATT&CK Tags that are included in the MITRE ATT&CK AI classification model. You can also use ThreatConnect Query Language (TQL) to query for ATT&CK Tags on the Browse screen.
Techniques and Sub-Techniques in the MITRE ATT&CK AI Classification Model
| Technique | Sub-Technique(s) |
|---|---|
| T1003 - OS Credential Dumping | T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow |
| T1005 - Data from Local System | |
| T1007 - System Service Discovery | |
| T1008 - Fallback Channels | |
| T1010 - Application Window Discovery | |
| T1012 - Query Registry | |
| T1018 - Remote System Discovery | |
| T1021 - Remote Services | T1021.001 - Remote Services: Remote Desktop Protocol; T1021.002 - Remote Services: SMB/Windows Admin Shares; T1021.006 - Remote Services: Windows Remote Management |
| T1025 - Data from Removable Media | |
| T1027 - Obfuscated Files or Information | T1027.001 - Obfuscated Files or Information: Binary Padding; T1027.002 - Obfuscated Files or Information: Software Packing; T1027.010 - Obfuscated Files or Information: Command Obfuscation; T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File |
| T1033 - System Owner/User Discovery | |
| T1036 - Masquerading | T1036.004 - Masquerading: Masquerade Task or Service; T1036.005 - Masquerading: Match Legitimate Name or Location |
| T1041 - Exfiltration Over C2 Channel | |
| T1046 - Network Service Discovery | |
| T1047 - Windows Management Instrumentation | |
| T1049 - System Network Connections Discovery | |
| T1053 - Scheduled Task/Job | T1053.005 - Scheduled Task/Job: Scheduled Task |
| T1055 - Process Injection | T1055.001 - Process Injection: Dynamic-link Library Injection; T1055.012 - Process Injection: Process Hollowing |
| T1056 - Input Capture | T1056.001 - Input Capture: Keylogging |
| T1057 - Process Discovery | |
| T1059 - Command and Scripting Interpreter | T1059.001 - Command and Scripting Interpreter: PowerShell; T1059.003 - Command and Scripting Interpreter: Windows Command Shell; T1059.005 - Command and Scripting Interpreter: Visual Basic; T1059.006 - Command and Scripting Interpreter: Python; T1059.007 - Command and Scripting Interpreter: JavaScript |
| T1068 - Exploitation for Privilege Escalation | |
| T1070 - Indicator Removal | T1070.004 - Indicator Removal: File Deletion; T1070.006 - Indicator Removal: Timestomp |
| T1071 - Application Layer Protocol | T1071.001 - Application Layer Protocol: Web Protocols; T1071.004 - Application Layer Protocol: DNS |
| T1074 - Data Staged | T1074.001 - Data Staged: Local Data Staging |
| T1082 - System Information Discovery | |
| T1083 - File and Directory Discovery | |
| T1087 - Account Discovery | T1087.002 - Account Discovery: Domain Account |
| T1091 - Replication Through Removable Media | |
| T1095 - Non-Application Layer Protocol | |
| T1104 - Multi-Stage Channels | |
| T1105 - Ingress Tool Transfer | |
| T1106 - Native API | |
| T1112 - Modify Registry | |
| T1113 - Screen Capture | |
| T1115 - Clipboard Data | |
| T1119 - Automated Collection | |
| T1120 - Peripheral Device Discovery | |
| T1123 - Audio Capture | |
| T1124 - System Time Discovery | |
| T1125 - Video Capture | |
| T1133 - External Remote Services | |
| T1135 - Network Share Discovery | |
| T1140 - Deobfuscate/Decode Files or Information | |
| T1190 - Exploit Public-Facing Application | |
| T1195 - Supply Chain Compromise | T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain |
| T1203 - Exploitation for Client Execution | |
| T1204 - User Execution | T1204.001 - User Execution: Malicious Link; T1204.002 - User Execution: Malicious File |
| T1210 - Exploitation of Remote Services | |
| T1218 - System Binary Proxy Execution | T1218.002 - System Binary Proxy Execution: Control Panel; T1218.010 - System Binary Proxy Execution: Regsvr32; T1218.011 - System Binary Proxy Execution: Rundll32 |
| T1486 - Data Encrypted for Impact | |
| T1505 - Server Software Component | T1505.003 - Server Software Component: Web Shell |
| T1518 - Software Discovery | T1518.001 - Software Discovery: Security Software Discovery |
| T1543 - Create or Modify System Process | T1543.003 - Create or Modify System Process: Windows Service |
| T1546 - Event Triggered Execution | T1546.013 - Event Triggered Execution: PowerShell Profile |
| T1547 - Boot or Logon Autostart Execution | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1548 - Abuse Elevation Control Mechanism | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control |
| T1555 - Credentials from Password Stores | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers |
| T1560 - Archive Collected Data | T1560.001 - Archive Collected Data: Archive via Utility; T1560.003 - Archive Collected Data: Archive via Custom Method |
| T1562 - Impair Defenses | T1562.001 - Impair Defenses: Disable or Modify Tools |
| T1564 - Hide Artifacts | T1564.001 - Hide Artifacts: Hidden Files and Directories; T1564.003 - Hide Artifacts: Hidden Window |
| T1566 - Phishing | T1566.001 - Phishing: Spearphishing Attachment; T1566.002 - Phishing: Spearphishing Link |
| T1569 - System Services | T1569.002 - System Services: Service Execution |
| T1570 - Lateral Tool Transfer | |
| T1571 - Non-Standard Port | |
| T1573 - Encrypted Channel | T1573.001 - Encrypted Channel: Symmetric Cryptography; T1573.002 - Encrypted Channel: Asymmetric Cryptography |
| T1574 - Hijack Execution Flow | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking; T1574.002 - Hijack Execution Flow: DLL Side-Loading |
| T1583 - Acquire Infrastructure | T1583.001 - Acquire Infrastructure: Domains |
| T1588 - Obtain Capabilities | T1588.002 - Obtain Capabilities: Tool |
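The model only emits system-level ATT&CK Tags for the techniques and sub-techniques in the table above, so the absence of a tag on a CAL ATL Report says nothing about techniques outside that list; manually applied ATT&CK Tags on other objects can carry any ATT&CK ID. The following Python is an added example, not ThreatConnect code, showing how an analyst pulling tags out of the platform can parse the "ID - Name" tag format used on this page, roll sub-technique tags up to their parent technique, and separate tags inside the model's coverage from those outside it. `MODEL_COVERAGE` is a hand-picked subset of the table (assumed sufficient for illustration), and `SAMPLE_REPORT_TAGS` is constructed input; the `attack.mitre.org` URL scheme is the public one.

```python
import re
from collections import defaultdict

# Subset of the techniques and sub-techniques the page's table lists as
# covered by the MITRE ATT&CK AI classification model (assumption: a subset
# is enough for this illustration; the full list has 121 entries).
MODEL_COVERAGE = {
    "T1003", "T1003.008",
    "T1021", "T1021.001", "T1021.002", "T1021.006",
    "T1027", "T1027.002",
    "T1059", "T1059.001", "T1059.003",
    "T1105", "T1486",
    "T1566", "T1566.001", "T1566.002",
}

# ATT&CK Tag text as shown on this page: "<ID> - <Technique>[: <Sub-technique>]"
TAG_RE = re.compile(r"^(?P<id>T\d{4}(?:\.\d{3})?)\s*-\s*(?P<name>.+)$")


def parse_tag(tag):
    """Return (attack_id, parent_technique_id, name), or None for a tag that
    is not in ATT&CK Tag format (for example a free-form analyst tag)."""
    match = TAG_RE.match(tag.strip())
    if match is None:
        return None
    attack_id = match.group("id")
    parent_id = attack_id.split(".")[0]
    return attack_id, parent_id, match.group("name").strip()


def attack_url(attack_id):
    """Link to the public MITRE ATT&CK page for a technique or sub-technique."""
    technique, _, sub = attack_id.partition(".")
    path = f"{technique}/{sub}" if sub else technique
    return f"https://attack.mitre.org/techniques/{path}/"


def roll_up(tags):
    """Group a report's ATT&CK Tags by parent technique so a sub-technique
    tag also counts toward its parent when summarising what a report covers."""
    grouped = defaultdict(set)
    for tag in tags:
        parsed = parse_tag(tag)
        if parsed is not None:
            attack_id, parent_id, _ = parsed
            grouped[parent_id].add(attack_id)
    return {parent: sorted(ids) for parent, ids in grouped.items()}


def coverage_report(tags, coverage=MODEL_COVERAGE):
    """Split tags into three buckets: inside the model's coverage list, valid
    ATT&CK IDs outside it (only a manual tag can have produced these), and
    non-ATT&CK tags. A missing system-level tag for an ID in the third
    bucket is not evidence that the technique is absent from the report."""
    report = {"covered": [], "outside_model": [], "other": []}
    for tag in tags:
        parsed = parse_tag(tag)
        if parsed is None:
            report["other"].append(tag)
        elif parsed[0] in coverage:
            report["covered"].append(parsed[0])
        else:
            report["outside_model"].append(parsed[0])
    return report


# Constructed sample: tags as they might appear on one CAL ATL Report Group.
SAMPLE_REPORT_TAGS = [
    "T1566.001 - Phishing: Spearphishing Attachment",
    "T1059.001 - Command and Scripting Interpreter: PowerShell",
    "T1105 - Ingress Tool Transfer",
    "T1021.002 - Remote Services: SMB/Windows Admin Shares",
    "T1486 - Data Encrypted for Impact",
    "T1110 - Brute Force",   # real ATT&CK technique, not in the model's list
    "Ransomware",            # free-form analyst tag, not an ATT&CK Tag
]

if __name__ == "__main__":
    for parent, ids in sorted(roll_up(SAMPLE_REPORT_TAGS).items()):
        print(parent, ids, attack_url(parent))
    print(coverage_report(SAMPLE_REPORT_TAGS))
```

Running the block prints each parent technique with the IDs that rolled up to it and a link to its ATT&CK page, then the coverage buckets; in a real workflow the tag list would come from the Browse screen or an export rather than the constructed sample.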
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20166-01 v.01.A