
MITRE ATT&CK

MITRE ATT&CK™ is a globally accessible knowledge base of adversarial tactics and techniques based on real-world observations. It provides a structured way to classify and study an adversary's techniques and intentions, and you can use it to enhance, analyze, and test your threat hunting and detection efforts. Only the MITRE ATT&CK entries relevant to the current search are displayed. All content © 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of the MITRE Corporation.

The MITRE ATT&CK report provides comprehensive information on the threat indicator currently being searched, organized by ATT&CK tactic. Each section lists the technique or techniques observed for that tactic:

  • Initial Access: techniques used to gain an initial foothold within your network.

  • Execution: techniques that result in adversary-controlled code running on a system in your network.

  • Persistence: techniques used to maintain access across system restarts, credential changes, and other interruptions that would otherwise cut off access to systems in your network.

  • Privilege Escalation: techniques used to obtain higher-level permissions on a system in your network.

  • Defense Evasion: techniques used to avoid detection while compromising a system in your network.

  • Credential Access: techniques used to steal credentials such as account names and passwords for systems in your network.

  • Discovery: techniques used to gain knowledge about a system and the network around it.

  • Lateral Movement: techniques used to enter and control additional systems on your network, often by pivoting through multiple systems and accounts.

  • Collection: techniques used to gather data of interest after gaining access to a system in your network. The usual next goal is to steal (exfiltrate) that data.

  • Command and Control: techniques used by the adversary to communicate with compromised systems in your network.

  • Exfiltration: techniques used to steal data from your systems or network.

  • Impact: techniques used to manipulate, interrupt, or destroy your systems and the data residing on your network.

Click the title of any section within the report to view that section's details in the details pane. For example, in the report below, clicking the T-link (T1043) in the Commonly Used Port section displays the details pane. Alternatively, click the T-link associated with a section title to view the technique directly on the MITRE ATT&CK website.
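The report groups techniques under the tactic sections listed above, and each T-link resolves to the technique's page on attack.mitre.org. The following added example (not code from Dossier or from MITRE) shows how that grouping is derived from the ATT&CK data itself: MITRE publishes the knowledge base as a STIX 2 bundle in which each technique is an attack-pattern object carrying its ID in an external reference with source_name "mitre-attack" and its tactics in kill_chain_phases. The bundle below is a constructed, shortened sample in that shape, not the real one; the observed technique IDs are constructed too. It also flags techniques the bundle marks deprecated or revoked, since IDs in older reports (T1043 is marked deprecated in current ATT&CK releases) still appear in the data but point at superseded pages.

```python
import json

# Tactic order used by the Dossier MITRE ATT&CK report (the section list above).
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# Constructed sample in the shape of MITRE's enterprise-attack STIX bundle.
# Descriptions and most fields are omitted; this is not the real bundle.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Commonly Used Port",
         "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1043",
                                  "url": "https://attack.mitre.org/techniques/T1043"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "command-and-control"}]},
        {"type": "attack-pattern", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078",
                                  "url": "https://attack.mitre.org/techniques/T1078"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                               for p in ("defense-evasion", "persistence",
                                         "privilege-escalation", "initial-access")]},
        # Non-technique objects (groups, software, relationships) are skipped.
        {"type": "intrusion-set", "name": "Constructed Group"},
    ],
})


def technique_url(tid: str) -> str:
    """Build the attack.mitre.org URL for a technique or sub-technique ID."""
    base, _, sub = tid.partition(".")
    return f"https://attack.mitre.org/techniques/{base}/{sub}/" if sub \
        else f"https://attack.mitre.org/techniques/{base}/"


def load_techniques(bundle_json: str) -> dict:
    """Index attack-pattern objects by ATT&CK ID with name, URL, tactics, status."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if ref is None:
            continue
        tid = ref["external_id"]
        techniques[tid] = {
            "name": obj["name"],
            "url": ref.get("url") or technique_url(tid),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            # Deprecated/revoked techniques stay in the bundle; surface that fact.
            "deprecated": bool(obj.get("x_mitre_deprecated") or obj.get("revoked")),
        }
    return techniques


def tactic_report(techniques: dict, observed_ids: list) -> tuple:
    """Group observed technique IDs under tactics in report order.

    A technique with several tactics (e.g. Valid Accounts) appears under each.
    Returns (sections, unknown_ids); sections omits empty tactics.
    """
    by_tactic = {t: [] for t in TACTIC_ORDER}
    unknown = []
    for tid in observed_ids:
        tech = techniques.get(tid)
        if tech is None:
            unknown.append(tid)
            continue
        for tactic in tech["tactics"]:
            by_tactic.setdefault(tactic, []).append(tid)
    return {t: ids for t, ids in by_tactic.items() if ids}, unknown


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    sections, unknown = tactic_report(techs, ["T1078", "T1043", "T9999"])
    for tactic, ids in sections.items():
        print(tactic)
        for tid in ids:
            flag = " (deprecated)" if techs[tid]["deprecated"] else ""
            print(f"  {tid} {techs[tid]['name']}{flag} {techs[tid]['url']}")
    print("unknown IDs:", unknown)
```

Run against the real bundle by replacing SAMPLE_BUNDLE with the contents of enterprise-attack.json from MITRE's cti repository; the unknown list then catches IDs that a report emits but the bundle no longer carries.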

Image: Sample MITRE ATT&CK report


The Dossier MITRE ATT&CK report contains the following features:

Search Field

The search field is located at the top of the page and is used to search for threat indicators. You can run a search based on domain name, IP address, hostname, URL, email, or hash value. 

Resources

Click Resources located on the top right-hand side of the Summary page to display a drop-down list of additional Dossier and TIDE resources.

Dossier resources include the following: 

  • Dossier & TIDE Quick Start Guide
  • Dossier API Calls Reference
  • Dossier Source Descriptions
  • Dossier User Guide
  • Threat Classification Guide

Task Navigation Menu

Click on one of the icons to perform a task.

Image: The navigation menu.

You can do the following, by clicking on the appropriate icon:

Reload Page

Click the reload icon to reload the report page.

Add to Custom List 

To add a domain or IP address, complete the following:

  1. On the Dossier report page, click the Add to Custom List icon located at the top, right-hand side of the Action bar.
  2. On the Add to Custom List page, select the custom list or lists to which the domain or IP address should be added by clicking the right-pointing arrow icon associated with each custom list. If you cannot locate the custom list you want, use the search feature to search for it. Alternatively, click the double right-pointing arrows icon to add the domain or IP address to all custom lists. If you add the domain or IP address to a custom list by mistake, click the arrow associated with that custom list in the Selected column to remove it.
  3. Once you have added the domain or IP address to your custom list or lists, save your configuration by clicking Add.
  4. The name of each custom list to which the domain or IP address has been added now appears in the Custom Lists section of the report page.

For information on custom lists, see Creating Custom Lists.  

Generate API Request

Click the generate API icon to generate an API request. A pop-up window populated with the API information will be displayed.

Image: The Generate API Request window.

Copy the information from the pop-up window. Click Full API Guide to view the Swagger Dossier API documentation. Click Close to close the window.

Feedback on Results

Click the load webform icon to load a webform where you can provide comments and feedback on results you obtained from Dossier. For details, see Dossier Threat Research Feedback.

Image: The Feedback on Results pane.

Export

Click the Export Dossier Report icon to export the Dossier Report file. You can choose to include any or all of the report sections by placing a check in the box associated with a specific section of the report. You can choose from among the following sections:

  • Summary
  • Impacted Devices
  • Current DNS
  • Related Domains
  • Related URLs
  • Related IPs
  • Related File Samples
  • Related Contacts
  • Reports
  • Timeline
  • Threat Actor
  • MITRE ATT&CK
  • WHOIS Record
  • Raw Whois

When you have finished selecting the sections of the report to export, click Export in the bottom right-hand corner of the dialog box. Your report is exported in PDF format.


You can also do the following on the page: 

  • Background Tasks: Click the hourglass icon to open the side panel to view a list of all running background tasks. 

  • Global Search: Click the search icon in the Search text box, then enter your search criterion. Alternatively, select a criterion listed under Recent Searches, which shows tool information, console messages, and other items used in recent searches. The Infoblox Portal shows all records that match the search criterion.
