MITRE ATT&CK Matrix

Observed techniques mapped to the MITRE ATT&CK framework over the last 30 days

Initial Access: 2100 hits
Execution: 421 hits
Persistence: 21 hits
Privilege Escalation: 125 hits
Defense Evasion: 53 hits
Credential Access: 232 hits
Discovery: 1 hit
Lateral Movement: 6 hits
Command & Control: 24 hits
Exfiltration: 8 hits
Impact: 222 hits

T1190 Exploit Public-Facing App (1899 hits)
  Deploy WAF rules, patch public-facing apps within 48h of CVE disclosure, segment DMZ from internal networks, and run authenticated vulnerability scans weekly.

T1059 Command & Scripting Interpreter (361 hits)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1547 Boot or Logon Autostart (17 hits)
  Monitor Run/RunOnce registry keys and startup folders for changes, restrict registry write permissions, and use application whitelisting to block unsigned autostart entries.

T1078 Valid Accounts (270 hits)
  Enforce MFA on all accounts, implement conditional access policies, audit privileged accounts quarterly, and monitor for impossible-travel logins.

T1036 Masquerading (9 hits)
  Enforce code-signing policies via WDAC/AppLocker, monitor for executables in unusual paths (e.g., user temp dirs), and alert on renamed system binaries.

T1003 OS Credential Dumping (15 hits)
  Enable Credential Guard on all Windows endpoints, restrict access to LSASS (RunAsPPL), deploy LAPS for local admin passwords, and alert on Mimikatz signatures.

T1580 Cloud Infra Discovery (1 hit)

T1021.004 Remote Services (3 hits)
  Disable RDP on internet-facing hosts, enforce MFA on all remote access, use bastion/jump hosts, and monitor lateral movement via remote service logs.

T1071 Application Layer Protocol (24 hits)
  Inspect TLS traffic at the proxy (break-and-inspect), deploy network IDS/IPS signatures for known C2 frameworks, and baseline normal DNS/HTTP patterns.

T1567 Exfil Over Web Service (13 hits)
  Deploy DLP policies on cloud storage uploads, block unauthorised file-sharing services at the proxy, and alert on anomalous outbound data volumes.

T1498 Network DoS (189 hits)
  Deploy upstream DDoS mitigation (Cloudflare/AWS Shield), configure rate limiting on public endpoints, and maintain a DDoS response runbook.
T1204 User Execution (48 hits)
  Block execution of downloaded files via Mark-of-the-Web + SmartScreen, train users on social engineering, and sandbox browser downloads.

T1053 Scheduled Task/Job (1 hit)
  Audit scheduled task creation events (Event ID 4698), restrict task scheduler permissions to admins, and alert on tasks running from temp or user-writable directories.

T1078.001 Valid Accounts (20 hits)
  Enforce MFA on all accounts, implement conditional access policies, audit privileged accounts quarterly, and monitor for impossible-travel logins.

T1562 Impair Defenses (7 hits)
  Enable tamper protection on EDR/AV, monitor for security service stop/disable events, alert on firewall rule modifications, and enforce audit log forwarding to SIEM.

T1110 Brute Force (10 hits)
  Enforce account lockout after 5 failed attempts, require MFA, adopt NIST 800-63B password guidelines (length over complexity), and block known-breached passwords.

T1021 Remote Services (2 hits)
  Disable RDP on internet-facing hosts, enforce MFA on all remote access, use bastion/jump hosts, and monitor lateral movement via remote service logs.

T1105 Ingress Tool Transfer (1 hit)
  Block known LOLBin download utilities (certutil, bitsadmin) via policy, monitor for file downloads from uncommon external hosts, and inspect outbound traffic for tool staging.

T1486 Data Encrypted for Impact (19 hits)
  Maintain offline/immutable backups tested monthly, enable ASR rules against ransomware, and deploy behavioural detection for mass file encryption patterns.

T1566.002 Phishing (44 hits)
  Enable Safe Links / URL rewriting in email, block newly registered domains at the proxy, and train users to verify URLs before entering credentials.

T1059.007 Command & Scripting Interpreter (14 hits)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1078.003 Valid Accounts (17 hits)
  Enforce MFA on all accounts, implement conditional access policies, audit privileged accounts quarterly, and monitor for impossible-travel logins.

T1027 Obfuscated Files or Info (6 hits)
  Enable AMSI so that scripts are scanned in their deobfuscated form at run time, deploy EDR with ML-based detection for packed/encrypted payloads, and flag high-entropy files in email and downloads.

T1570 Lateral Tool Transfer (1 hit)

T1490 Inhibit System Recovery (5 hits)
  Protect Volume Shadow Copies via ACLs, store backups in immutable/air-gapped storage, and alert on vssadmin/bcdedit/wbadmin deletion commands.

T1195.001 Supply Chain Compromise (38 hits)
  Lock dependency versions with lockfiles, run SBOM scanning in CI/CD, validate package signatures, and monitor for dependency confusion attacks.

T1059.004 Command & Scripting Interpreter (11 hits)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1078.004 Valid Accounts (13 hits)
  Enforce phishing-resistant MFA (FIDO2/passkeys) for all cloud admin accounts, apply conditional access blocking legacy auth, and enable continuous access evaluation.

T1218 System Binary Proxy Exec (1 hit)
  Block LOLBins (mshta, regsvr32, rundll32, cmstp) via WDAC/AppLocker where not business-required, and monitor their execution with command-line logging.

T1566.003 Phishing (23 hits)
  Enforce DMARC (p=reject), SPF, and DKIM on all domains; block executable attachments at the mail gateway; conduct quarterly phishing simulations.

T1059.006 Command & Scripting Interpreter (8 hits)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1078.002 Valid Accounts (10 hits)
  Enforce MFA on all accounts, implement conditional access policies, audit privileged accounts quarterly, and monitor for impossible-travel logins.

T1055 Process Injection (1 hit)
  Enable EDR memory-injection detection, enforce Credential Guard, and restrict debug privileges (SeDebugPrivilege) to admin accounts only.

T1195.002 Supply Chain Compromise (21 hits)
  Pin and hash all software dependencies, verify publisher signatures before deployment, scan third-party software with SBOM tools, and isolate build pipelines.

T1059.001 Command & Scripting Interpreter (6 hits)
  Enable PowerShell ScriptBlockLogging and Transcription, enforce Constrained Language Mode via AppLocker/WDAC, and remove PowerShell v2 from all endpoints.
T1059.003 Command & Scripting Interpreter (2 hits)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1566.001 Phishing (20 hits)
  Block macros in Office docs from the internet (ASR rules), detonate attachments in a sandbox before delivery, and strip active content from inbound email.

T1059.002 Command & Scripting Interpreter (1 hit)
  Disable unused scripting interpreters, enforce PowerShell Constrained Language Mode, log all script block execution via ScriptBlockLogging.

T1566 Phishing (18 hits)
  Enforce DMARC (p=reject), SPF, and DKIM on all domains; block executable attachments at the mail gateway; conduct quarterly phishing simulations.
T1195 Supply Chain Compromise (2 hits)
  Lock dependency versions with lockfiles, run SBOM scanning in CI/CD, validate package signatures, and monitor for dependency confusion attacks.

Tactic Breakdown

Initial Access: 2100
Execution: 421
Credential Access: 232
Impact: 222
Privilege Escalation: 125
Defense Evasion: 53
Command and Control: 24
Persistence: 21
Collection: 10
Exfiltration: 8
Lateral Movement: 6
Discovery: 1
Reconnaissance: 1
Resource Development: 1

Compliance Mapping (15 frameworks)

Related alerts in last 30 days, per mapped control:

NIS2-Art21-2e: 3084
NIS2-Art21-2b: 276
DORA-Art17-2: 3188
NIS2-Art21-2d: 52
GDPR-Breach: 19
DORA-Art28-4: 49
DORA-Art5-1: 69
NIS2-Art21-2a: 8
NIS2-Art21-2i: 6
NIS2-Art21-2h: 5
NIS2-Art21-2k: 4
NIS2-Art21-2g: 2
NIS2-Art23: 2
NIS2-Art21-2f: 1
NIS2-Art21-2c: 1