Top techniques

In addition to the top 10, read our analysis of these six featured techniques:

• T1112: Modify Registry

• T1553.001: Gatekeeper Bypass

• T1553.005: Mark-of-the-Web Bypass

• T1548.001: Setuid and Setgid

• T1021.002: SMB/Windows Admin Shares

• T1621: Multi-Factor Authentication Request Generation

What’s included in this section?

We’ve written extensive analyses of 16 ATT&CK techniques and sub-techniques. Each technique-specific section includes:

• analysis of how and why adversaries leverage a given technique
• descriptions of data sources that offer visibility into the technique
• guidance on the tooling or logs that will enable you to collect those data sources
• specific examples of how you can use that telemetry to detect adversaries abusing the technique
• individual tests for emulating how adversaries abuse the technique to validate that you can observe or detect it
• mitigation advice for limiting an adversary’s ability to abuse the technique

How to use our analysis

Implementing the guidance in this report will help security teams improve their defense-in-depth against the adversary actions that often lead to a serious incident. Readers will gain a better understanding of common adversary actions and what’s likely to occur if an adversary gains access to your environment. You’ll learn what malicious looks like in the form of telemetry and the many places you can look to find that telemetry. You’ll gain familiarity with the principles of detection engineering by studying our detection opportunities. At a bare minimum, you and your team will be armed with hyper-relevant and easy-to-use Atomic Red Team tests that you can leverage to ensure that your existing security tooling does what you think it’s supposed to do. More strategically, this report can help you identify gaps as you develop a road map for improving coverage, and you can assess your existing sources of collection against the ones listed in this report to inform your investments in new tools and personnel.