Recoinnassance techniques ( Reconnaissance  [TA0443]) are those activities conducted by the adversary to obtain information with the aim of planning a cyber attack.

“Initial Access” techniques ( Initial Access [TA0001] ) consist of activities conducted by criminals to access the Company network.

Sending emails containing malicious links or attachments. This allows the criminal to access the system or a service (mail).

Initiation of offensive activity to exploit a vulnerability present on a perimeter system. Citrix, Microsoft Exchange, Log4j among the most used ones.

“Execution” techniques ( Execution [TA0002] ) are those activities conducted by the adversary to execute malicious code. In this way adversaries gain control of the system or a modification to it.

Execution of malicious commands or scripts. Often abused: Powershell, Windows Command, Unix Shell, Javascript, etc…

Execution of malicious code through interaction with the victim user.

“Persistence” techniques ( Persistence [TA0003] ) consist of activities conducted by criminals to maintain persistent access to the system, infrastructure or service (email).

Use of Scheduled Tasks (Windows and Linux) to launch malicious code upon system reboot or at specific times.

Use of valid credentials to access the system (Active Directory Domain account), the Network (access via VPN) or the service (email access).

“Privilege Escalation” techniques ( Privilege Escalation [TA0004] ) are those activities conducted by the adversary to increase their privileges in the system or network. This way they gain greater control and freedom of movement.

Adversaries can manipulate access tokens to make a running process appear to be the child of a different process. In this case the process also takes on the security context associated with the new token.

Adversaries can exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a vulnerability occurs when an adversary exploits a programming flaw to execute adversary-controlled code.

“Defence Evasion” techniques ( Defence Evasion [TA0005] ) consist of activities conducted by criminals to evade system or network defense tools.

Adversaries can modify access tokens to operate in a different system or user security context to perform actions and bypass access controls.

Adversaries can execute their own malicious payloads by hijacking how operating systems run programs.

“Credential Access” techniques ( Credential Access [TA0006] ) are those activities conducted by the adversary to obtain access credentials to the system or service (username; password; token; etc.) in order to obtain legitimate access.

Adversaries can use brute force techniques to access accounts when passwords are unknown or when password hashes are obtained.

Adversaries can exfiltrate credentials after a system is compromised, obtaining hashes or plaintext information. Technique used to perform lateral movements.

“Discovery” techniques ( Discovery [TA0007] ) are those activities conducted by the adversary to obtain information about the IT environment. These are usually post-compromise activities performed by the adversary to understand how to move within the network.

Adversaries often conduct post-compromise network scanning activities. In this way they identify new target systems for internal movements.

Adversaries perform Active Directory environment enumeration tasks. In this way they can exploit AD logics to perform further movements.

“Lateral Movement” techniques ( Lateral Movement [TA0008] ) are those activities conducted by the adversary post-compromise to move within the company network with internal pivoting activities. Typically the criminal’s goal is to gain access to more critical servers and maintain persistent access to the infrastructure.

Adversaries can use alternative authentication methods, such as password hashes, to move laterally within an environment and bypass normal system access controls.

Adversaries can use Valid Accounts to access a service that accepts remote connections (telnet, SSH and VNC, SMB). The adversary can then perform actions as the logged in user.

“Collection” techniques ( Collection [TA0009] ) are those activities conducted by the adversary for the collection of information and data. Activities carried out post-compromise to obtain information (passwords, strategic data, etc.).

Opponents perform Screen Capture to obtain screenshots of the screen. Technique used to spy on the victim’s operations.

Adversaries perform audio recording of the victim’s device to listen to conversations.

“Command & Control” techniques ( Command & Control [TA0011] ) concern the communication methods implemented by the adversary for remote control of the compromised system. In this way the adversary transmits commands to the victim system.

Adversaries exploit legitimate third-party software for remote access (Team Viewer, LogMeIn, AmmyyAdmin, etc.).

Adversaries use application protocols for transmitting commands to the victim system such as Web, MAIL, and DNS protocols.

“Exfiltration” techniques ( Exfiltration [TA0010] ) are those activities conducted by the adversary to extract data or information from the victim system.

Exfiltration consists of techniques that adversaries can use to steal data from the network. Techniques for extracting data from a target network include transfer through the command and control channel.

Adversaries exfiltrate information using the same communication channel used to send commands to the system (Command and Control).

Adversaries exfiltrate data through the use of cloud accounts and services.

“Impact” techniques ( Impact [TA0040] ) are those activities carried out by adversaries to manipulate, interrupt or destroy systems or data (as in the Ransomware case).

Adversaries can encrypt data on target systems to disrupt the availability of system and network resources.

Adversaries can modify the visual content available internally or externally to a corporate network (typically websites and hacktivism).