CSbyGB - Pentips

MITRE ATT&CK


Last updated 10 months ago

The MITRE ATT&CK framework is a globally accessible and continuously updated knowledge base that provides detailed descriptions of the tactics, techniques, and procedures (TTPs) used by attackers against computer systems. Developed by MITRE, a U.S.-based nonprofit organization, this reference framework is used by defenders to better understand threats and improve their security strategies, and by offensive security professionals to make their attack simulations more realistic.

The MITRE ATT&CK framework consists of different elements:

Structure: The framework is structured around matrices for different environments, such as Windows, macOS, Linux, mobile networks, and cloud infrastructures. Each matrix is divided into tactics that represent the attackers' objectives (e.g., Initial Access, Execution, Persistence).

Techniques and Sub-techniques: Each tactic is subdivided into techniques and sub-techniques that detail how the objectives can be achieved. These techniques are accompanied by concrete examples of security incidents where they have been used, as well as advice on how to detect and mitigate them.

Usage: Cybersecurity professionals use ATT&CK for training, developing defense strategies, configuring their security tools, and simulating attacks to assess the robustness of their defenses.

Community and Updates: The framework is supported by a large community of security professionals and is regularly updated to reflect the changing threat landscape, including new techniques and tactics used by attackers. At the time of writing it is at version 15.

It is also worth noting that MITRE more recently created MITRE ATLAS, which is the equivalent of MITRE ATT&CK for artificial intelligence systems. You can

COMING SOON (more details on Mitre Attack)

Methodology for Using MITRE ATT&CK in a Pentest

1. Preparation and Planning

  • Understand the Scope: Determine the scope of the pentest, including the target environment and any specific rules of engagement.

  • Identify Objectives: Clarify the primary objectives of the pentest, such as finding vulnerabilities, assessing security controls, or mimicking a specific threat actor.

2. Mapping Threats and Techniques

  • Select Relevant Tactics and Techniques: Use the MITRE ATT&CK framework to identify tactics and techniques relevant to the target environment and the objectives of the pentest. Focus on techniques used by threat actors that would realistically target the organization.

  • Threat Intelligence Integration: Incorporate threat intelligence to understand which adversaries are most likely to target the organization and their preferred tactics, techniques, and procedures (TTPs).

3. Creating a Testing Plan

  • Build Attack Scenarios: Create attack scenarios that mimic real-world adversary behavior using the selected techniques from the ATT&CK framework.

  • Develop Test Cases: For each technique, develop specific test cases that describe how the technique will be executed during the pentest.
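
As an added example (not code from this page), the script below shows one way to turn steps 2 and 3 into an actual technique list: it reads a bundle in the shape of MITRE's public enterprise-attack STIX 2.1 JSON, drops revoked or deprecated entries, and keeps only the techniques that apply to the target platform and the tactics in scope, in kill-chain order. The bundle embedded here is constructed for the example and holds only a few real technique entries so that it runs offline; the same functions work unchanged on the real file.

```python
"""Select ATT&CK techniques for a test plan from an ATT&CK-style STIX bundle.

Added example, not code from the CSbyGB page. SAMPLE_BUNDLE is constructed
inline and only imitates the layout of MITRE's enterprise-attack STIX JSON
(attack-pattern objects with external_references, kill_chain_phases and
x_mitre_platforms); the technique IDs and names it contains are real entries.
"""
import json

# Constructed sample in the layout of the public ATT&CK STIX bundle.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {
            "type": "attack-pattern",
            "name": "Phishing",
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
            "x_mitre_platforms": ["Windows", "macOS", "Linux"],
        },
        {
            "type": "attack-pattern",
            "name": "Scheduled Task/Job",
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
            ],
            "x_mitre_platforms": ["Windows", "Linux", "macOS"],
        },
        {
            "type": "attack-pattern",
            "name": "Remote Services: SMB/Windows Admin Shares",
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1021.002"}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
            "x_mitre_platforms": ["Windows"],
        },
        {
            # Old technique entry that ATT&CK has revoked (replaced by T1548.003).
            "type": "attack-pattern",
            "name": "Sudo",
            "external_references": [{"source_name": "mitre-attack", "external_id": "T1169"}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
            "x_mitre_platforms": ["Linux", "macOS"],
            "revoked": True,
        },
        {"type": "intrusion-set", "name": "Example Group"},  # non-technique object, ignored
    ],
})


def load_techniques(bundle_json):
    """Return the live attack-pattern objects as plain dicts keyed by ATT&CK ID."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # revoked/deprecated entries must not end up in a test plan
        attack_id = next(
            (ref["external_id"] for ref in obj.get("external_references", [])
             if ref.get("source_name") == "mitre-attack"),
            None,
        )
        if attack_id is None:
            continue
        tactics = [
            phase["phase_name"] for phase in obj.get("kill_chain_phases", [])
            if phase.get("kill_chain_name") == "mitre-attack"
        ]
        techniques[attack_id] = {
            "id": attack_id,
            "name": obj["name"],
            "tactics": tactics,
            "platforms": obj.get("x_mitre_platforms", []),
        }
    return techniques


def select_for_plan(techniques, platform, tactics):
    """Pick techniques that apply to `platform` and any of the requested tactics.

    Returns (tactic, technique id, name) rows ordered by the tactic sequence given,
    which is the order the test cases will be executed in.
    """
    order = {t: i for i, t in enumerate(tactics)}
    rows = []
    for tech in techniques.values():
        if platform not in tech["platforms"]:
            continue
        for tactic in tech["tactics"]:
            if tactic in order:
                rows.append((tactic, tech["id"], tech["name"]))
    rows.sort(key=lambda r: (order[r[0]], r[1]))
    return rows


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    plan = select_for_plan(techs, "Windows", ["initial-access", "persistence", "lateral-movement"])
    for tactic, tid, name in plan:
        print(f"{tactic:18} {tid:10} {name}")
```

Each row that `select_for_plan` returns is the skeleton of one test case for step 3: the tactic tells you where the scenario sits in the attack chain, and the ATT&CK ID gives the client a stable reference for the detection and mitigation notes later in the report. Filtering out revoked and deprecated entries matters because the real bundle keeps them for backwards compatibility, and a plan that cites a retired ID confuses the blue team when they try to map it.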

4. Execution

  • Initial Access: Use ATT&CK techniques to gain initial access to the target environment, such as phishing or exploiting vulnerabilities.

  • Persistence and Escalation: Apply techniques for maintaining access and escalating privileges within the environment.

  • Lateral Movement: Test techniques for moving laterally within the network to simulate the spread of an attack.

  • Collection and Exfiltration: Execute techniques to gather and exfiltrate data, mimicking the actions of an adversary attempting to steal sensitive information.

5. Detection and Response

This step can be worth doing during a pentest, but it is not mandatory: it depends on the scope you were assigned and on the client's requirements.

  • Log and Monitor: Monitor the environment for detection and response activities. Document whether security controls and monitoring systems successfully detect and respond to the simulated attacks.

  • Evasion Techniques: Use ATT&CK techniques to test the ability of security controls to detect and prevent evasion tactics.

6. Analysis and Reporting

This is a nice addition to your reporting-phase methodology.

  • Analyze Findings: Analyze the results of the pentest to identify strengths and weaknesses in the target environment's defenses.

  • Map Findings to ATT&CK: Map discovered vulnerabilities and exploited techniques back to the ATT&CK framework to provide context and actionable insights.

  • Recommendations: Provide recommendations for mitigating identified weaknesses and improving overall security posture based on the techniques used and observed deficiencies.
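
Steps 5 and 6 produce the same artefact: for each technique that was executed, did the defenders see it, and where does it sit on the matrix? The Python below is an added example (not the page's own code) that keeps that record and turns it into a per-tactic coverage summary, a prioritised list of undetected techniques, a Markdown table for the report, and a dict in the ATT&CK Navigator layer shape so the result can be coloured on the matrix. The findings are constructed: the technique IDs are real ATT&CK entries, the host names and detection outcomes are made up, and the Navigator layer version strings are an assumption to check against the Navigator version you use.

```python
"""Map executed techniques to ATT&CK and summarise what the defenders detected.

Added example, not code from the CSbyGB page. FINDINGS is constructed: the
technique IDs are real ATT&CK entries, hosts and detection outcomes are made up.
"""
from collections import defaultdict

# Enterprise matrix tactics in column order, used to sort report rows.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed engagement record: one row per technique execution, with whether
# the client's monitoring raised an alert (confirmed with the blue team afterwards).
FINDINGS = [
    {"id": "T1566.001", "name": "Spearphishing Attachment", "tactic": "initial-access",
     "host": "workstation-01", "detected": False},
    {"id": "T1053.005", "name": "Scheduled Task", "tactic": "persistence",
     "host": "workstation-01", "detected": True},
    {"id": "T1003.001", "name": "LSASS Memory", "tactic": "credential-access",
     "host": "workstation-01", "detected": True},
    {"id": "T1021.002", "name": "SMB/Windows Admin Shares", "tactic": "lateral-movement",
     "host": "fileserver-02", "detected": False},
    {"id": "T1021.002", "name": "SMB/Windows Admin Shares", "tactic": "lateral-movement",
     "host": "dc-01", "detected": True},
    {"id": "T1048.003", "name": "Exfiltration Over Unencrypted Non-C2 Protocol",
     "tactic": "exfiltration", "host": "fileserver-02", "detected": False},
]


def coverage_by_tactic(findings):
    """Return {tactic: (detected, total)} counting each technique once per tactic.

    A technique run on several hosts counts as detected if any run alerted, so the
    summary says whether a detection exists at all, not how often it fired.
    """
    status = defaultdict(dict)
    for f in findings:
        status[f["tactic"]][f["id"]] = status[f["tactic"]].get(f["id"], False) or f["detected"]
    return {t: (sum(v.values()), len(v)) for t, v in status.items()}


def undetected_techniques(findings):
    """Technique IDs that never produced an alert on any host, sorted by ID.

    This is the list the recommendations section should prioritise.
    """
    status = {}
    for f in findings:
        status[f["id"]] = status.get(f["id"], False) or f["detected"]
    return sorted(tid for tid, det in status.items() if not det)


def report_table(findings):
    """Render the findings as a Markdown table in matrix (kill-chain) order."""
    rows = ["| Tactic | Technique | Host | Detected |", "|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: (TACTIC_ORDER.index(f["tactic"]), f["id"])):
        rows.append(f"| {f['tactic']} | {f['id']} {f['name']} | {f['host']} "
                    f"| {'yes' if f['detected'] else 'no'} |")
    return "\n".join(rows)


def navigator_layer(findings, name="Pentest detection coverage"):
    """Build a dict in the ATT&CK Navigator layer shape (techniqueID/tactic/score/
    color/comment) so the engagement can be coloured on the matrix:
    green = executed and alerted, red = executed with no alert.
    The version strings below are an assumption; check them against your Navigator."""
    techniques = [
        {
            "techniqueID": f["id"],
            "tactic": f["tactic"],
            "score": 1 if f["detected"] else 0,
            "color": "#8ec843" if f["detected"] else "#ff6666",
            "comment": f"{f['host']}: {'alerted' if f['detected'] else 'no alert'}",
        }
        for f in findings
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "15", "layer": "4.5"},  # assumption, see docstring
        "techniques": techniques,
    }


if __name__ == "__main__":
    import json
    for tactic, (hit, total) in coverage_by_tactic(FINDINGS).items():
        print(f"{tactic:18} detected {hit}/{total}")
    print("undetected:", ", ".join(undetected_techniques(FINDINGS)))
    print(report_table(FINDINGS))
    print(json.dumps(navigator_layer(FINDINGS), indent=2))
```

Counting a technique as detected when any one execution alerted is a deliberate choice: the report's job is to tell the client which ATT&CK techniques they have no visibility on at all, and those go to the top of the recommendations. The per-host comments in the Navigator layer keep the detail (for instance that the SMB lateral movement alerted on the domain controller but not on the file server) for the debriefing.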

7. Review and Lessons Learned

Usually the debriefing takes place when you deliver the report. Then take some time for the Update Methodologies part: it is really worth it to keep your skills up to date or to upgrade them.

  • Debriefing: Conduct a debriefing session with relevant stakeholders to review the pentest findings and discuss the implications.

  • Update Methodologies: Update pentesting methodologies and threat models based on the lessons learned and any new insights gained from the engagement.

RESOURCES

  • MITRE ATT&CK
  • find my page about MITRE ATLAS here
  • Coming soon