Home - veramine/Detections GitHub Wiki

The MITRE ATT&CK Matrix™ is a categorized overview of attacker tactics and techniques. You can learn more about the ATT&CK model at https://attack.mitre.org/wiki/Main_Page. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

At Veramine we have found this matrix to be a helpful way for defenders to think about defense and about where they do and do not have visibility. This wiki describes Veramine's detection and response capabilities in the context of the ATT&CK matrix. We have started by populating the first three tactics (Persistence, Privilege Escalation, and Defense Evasion) and plan to add the other seven in the future.

Legend: ✅ covered, ❌ not yet covered, ⏳ coming soon.

| Persistence | Privilege Escalation | Defense Evasion |
|---|---|---|
| Accessibility Features ✅ | Accessibility Features ✅ | Binary Padding ✅ |
| AppInit DLLs ✅ | AppInit DLLs ✅ | Bypass User Account Control ✅ |
| Authentication Package ✅ | Bypass User Account Control ✅ | Code Signing ✅ |
| Basic Input/Output System ❌ | DLL Injection ✅ | Component Firmware ❌ |
| Bootkit ❌ | DLL Search Order Hijacking ✅ | Component Object Model Hijacking ✅ |
| Change Default File Association ✅ | Exploitation of Vulnerability ✅ | DLL Injection ✅ |
| Component Firmware ❌ | File System Permissions Weakness ✅ | DLL Search Order Hijacking ✅ |
| Component Object Model Hijacking ✅ | Legitimate Credentials ❌ | DLL Side-Loading ✅ |
| DLL Search Order Hijacking ✅ | Local Port Monitor ✅ | Disabling Security Tools ✅ |
| External Remote Services ❌ | New Service ✅ | Exploitation of Vulnerability ✅ |
| File System Permissions Weakness ✅ | Path Interception ❌ | File Deletion ✅ |
| Hypervisor ❌ | Scheduled Task ⏳ (COMING SOON) | File System Logical Offsets ❌ |
| Legitimate Credentials ❌ | Service Registry Permissions Weakness ✅ | Indicator Blocking ✅ |
| Local Port Monitor ✅ | Web Shell ❌ | Indicator Removal from Tools ✅ |
| Logon Scripts ✅ | | Indicator Removal on Host ✅ |
| Modify Existing Service ✅ | | Install Root Certificate ❌ |
| Netsh Helper DLL ✅ | | InstallUtil ✅ |
| New Service ✅ | | Legitimate Credentials ❌ |
| Path Interception ❌ | | MSBuild ✅ |
| Redundant Access ❌ | | Masquerading ❌ |
| Registry Run Keys / Start Folder ✅ | | Modify Registry ❌ |
| Scheduled Task ⏳ (COMING SOON) | | NTFS Extended Attributes ❌ |
| Security Support Provider ✅ | | Network Share Connection Removal ✅ |
| Service Registry Permissions Weakness ✅ | | Obfuscated Files or Information ✅ |
| Shortcut Modification ❌ | | Process Hollowing ⏳ (COMING SOON) |
| Web Shell ❌ | | Redundant Access ❌ |
| Windows Management Instrumentation Event Subscription ❌ | | Regsvcs/Regasm ✅ |
| Winlogon Helper DLL ✅ | | Regsvr32 ✅ |
| | | Rootkit ❌ |
| | | Rundll32 ✅ |
| | | Scripting ❌ |
| | | Software Packing ❌ |
| | | Timestomp ❌ |