mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Number of Enterprise Techniques? #119

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hello, the number of enterprise techniques displayed here https://attack.mitre.org/techniques/enterprise/ is 177 techniques and 348 sub-techniques. The number of enterprise techniques in the enterprise-attack JSON file in this repository is 174 techniques and 348 sub-techniques. What explains this discrepancy, and how can I get the correct and complete list of ATT&CK objects? Thank you.

grimlock81 commented 3 years ago

I think your count is wrong; I count 177 techniques in the enterprise-attack JSON file (latest version, 8).

See if the following information helps you find where the error is.

There are 14 tactics
There are 665 techniques
There are 525 techniques that are neither revoked nor deprecated. Of those there are
    177 main techniques
    348 subtechniques
Tactic Reconnaissance [TA0043] has 41 techniques
    10 main techniques=[Gather Victim Identity Information [T1589], Gather Victim Network Information [T1590], Gather Victim Org Information [T1591], Gather Victim Host Information [T1592], Search Open Websites/Domains [T1593], Search Victim-Owned Websites [T1594], Active Scanning [T1595], Search Open Technical Databases [T1596], Search Closed Sources [T1597], Phishing for Information [T1598]]
    31 subtechniques=[Credentials [T1589.001], Email Addresses [T1589.002], Employee Names [T1589.003], Domain Properties [T1590.001], DNS [T1590.002], Network Trust Dependencies [T1590.003], Network Topology [T1590.004], IP Addresses [T1590.005], Network Security Appliances [T1590.006], Determine Physical Locations [T1591.001], Business Relationships [T1591.002], Identify Business Tempo [T1591.003], Identify Roles [T1591.004], Hardware [T1592.001], Software [T1592.002], Firmware [T1592.003], Client Configurations [T1592.004], Social Media [T1593.001], Search Engines [T1593.002], Scanning IP Blocks [T1595.001], Vulnerability Scanning [T1595.002], DNS/Passive DNS [T1596.001], WHOIS [T1596.002], Digital Certificates [T1596.003], CDNs [T1596.004], Scan Databases [T1596.005], Threat Intel Vendors [T1597.001], Purchase Technical Data [T1597.002], Spearphishing Service [T1598.001], Spearphishing Attachment [T1598.002], Spearphishing Link [T1598.003]]
Tactic Resource Development [TA0042] has 32 techniques
    6 main techniques=[Acquire Infrastructure [T1583], Compromise Infrastructure [T1584], Establish Accounts [T1585], Compromise Accounts [T1586], Develop Capabilities [T1587], Obtain Capabilities [T1588]]
    26 subtechniques=[Domains [T1583.001], DNS Server [T1583.002], Virtual Private Server [T1583.003], Server [T1583.004], Botnet [T1583.005], Web Services [T1583.006], Domains [T1584.001], DNS Server [T1584.002], Virtual Private Server [T1584.003], Server [T1584.004], Botnet [T1584.005], Web Services [T1584.006], Social Media Accounts [T1585.001], Email Accounts [T1585.002], Social Media Accounts [T1586.001], Email Accounts [T1586.002], Malware [T1587.001], Code Signing Certificates [T1587.002], Digital Certificates [T1587.003], Exploits [T1587.004], Malware [T1588.001], Tool [T1588.002], Code Signing Certificates [T1588.003], Digital Certificates [T1588.004], Exploits [T1588.005], Vulnerabilities [T1588.006]]
Tactic Initial Access [TA0001] has 19 techniques
    9 main techniques=[Valid Accounts [T1078], Replication Through Removable Media [T1091], External Remote Services [T1133], Drive-by Compromise [T1189], Exploit Public-Facing Application [T1190], Supply Chain Compromise [T1195], Trusted Relationship [T1199], Hardware Additions [T1200], Phishing [T1566]]
    10 subtechniques=[Default Accounts [T1078.001], Domain Accounts [T1078.002], Local Accounts [T1078.003], Cloud Accounts [T1078.004], Compromise Software Dependencies and Development Tools [T1195.001], Compromise Software Supply Chain [T1195.002], Compromise Hardware Supply Chain [T1195.003], Spearphishing Attachment [T1566.001], Spearphishing Link [T1566.002], Spearphishing via Service [T1566.003]]
Tactic Execution [TA0002] has 30 techniques
    10 main techniques=[Windows Management Instrumentation [T1047], Scheduled Task/Job [T1053], Command and Scripting Interpreter [T1059], Software Deployment Tools [T1072], Native API [T1106], Shared Modules [T1129], Exploitation for Client Execution [T1203], User Execution [T1204], Inter-Process Communication [T1559], System Services [T1569]]
    20 subtechniques=[At (Linux) [T1053.001], At (Windows) [T1053.002], Cron [T1053.003], Launchd [T1053.004], Scheduled Task [T1053.005], Systemd Timers [T1053.006], PowerShell [T1059.001], AppleScript [T1059.002], Windows Command Shell [T1059.003], Unix Shell [T1059.004], Visual Basic [T1059.005], Python [T1059.006], JavaScript/JScript [T1059.007], Network Device CLI [T1059.008], Malicious Link [T1204.001], Malicious File [T1204.002], Component Object Model [T1559.001], Dynamic Data Exchange [T1559.002], Launchctl [T1569.001], Service Execution [T1569.002]]
Tactic Persistence [TA0003] has 97 techniques
    18 main techniques=[Boot or Logon Initialization Scripts [T1037], Scheduled Task/Job [T1053], Valid Accounts [T1078], Account Manipulation [T1098], External Remote Services [T1133], Create Account [T1136], Office Application Startup [T1137], Browser Extensions [T1176], BITS Jobs [T1197], Traffic Signaling [T1205], Server Software Component [T1505], Implant Container Image [T1525], Pre-OS Boot [T1542], Create or Modify System Process [T1543], Event Triggered Execution [T1546], Boot or Logon Autostart Execution [T1547], Compromise Client Software Binary [T1554], Hijack Execution Flow [T1574]]
    79 subtechniques=[Logon Script (Windows) [T1037.001], Logon Script (Mac) [T1037.002], Network Logon Script [T1037.003], Rc.common [T1037.004], Startup Items [T1037.005], At (Linux) [T1053.001], At (Windows) [T1053.002], Cron [T1053.003], Launchd [T1053.004], Scheduled Task [T1053.005], Systemd Timers [T1053.006], Default Accounts [T1078.001], Domain Accounts [T1078.002], Local Accounts [T1078.003], Cloud Accounts [T1078.004], Additional Cloud Credentials [T1098.001], Exchange Email Delegate Permissions [T1098.002], Add Office 365 Global Administrator Role [T1098.003], SSH Authorized Keys [T1098.004], Local Account [T1136.001], Domain Account [T1136.002], Cloud Account [T1136.003], Office Template Macros [T1137.001], Office Test [T1137.002], Outlook Forms [T1137.003], Outlook Home Page [T1137.004], Outlook Rules [T1137.005], Add-ins [T1137.006], Port Knocking [T1205.001], SQL Stored Procedures [T1505.001], Transport Agent [T1505.002], Web Shell [T1505.003], System Firmware [T1542.001], Component Firmware [T1542.002], Bootkit [T1542.003], ROMMONkit [T1542.004], TFTP Boot [T1542.005], Launch Agent [T1543.001], Systemd Service [T1543.002], Windows Service [T1543.003], Launch Daemon [T1543.004], Change Default File Association [T1546.001], Screensaver [T1546.002], Windows Management Instrumentation Event Subscription [T1546.003], .bash_profile and .bashrc [T1546.004], Trap [T1546.005], LC_LOAD_DYLIB Addition [T1546.006], Netsh Helper DLL [T1546.007], Accessibility Features [T1546.008], AppCert DLLs [T1546.009], AppInit DLLs [T1546.010], Application Shimming [T1546.011], Image File Execution Options Injection [T1546.012], PowerShell Profile [T1546.013], Emond [T1546.014], Component Object Model Hijacking [T1546.015], Registry Run Keys / Startup Folder [T1547.001], Authentication Package [T1547.002], Time Providers [T1547.003], Winlogon Helper DLL [T1547.004], Security Support Provider [T1547.005], Kernel Modules and Extensions [T1547.006], Re-opened Applications [T1547.007], LSASS Driver [T1547.008], Shortcut Modification [T1547.009], Port Monitors [T1547.010], Plist Modification [T1547.011], Print Processors [T1547.012], DLL Search Order Hijacking [T1574.001], DLL Side-Loading [T1574.002], Dylib Hijacking [T1574.004], Executable Installer File Permissions Weakness [T1574.005], LD_PRELOAD [T1574.006], Path Interception by PATH Environment Variable [T1574.007], Path Interception by Search Order Hijacking [T1574.008], Path Interception by Unquoted Path [T1574.009], Services File Permissions Weakness [T1574.010], Services Registry Permissions Weakness [T1574.011], COR_PROFILER [T1574.012]]
Tactic Privilege Escalation [TA0004] has 89 techniques
    12 main techniques=[Boot or Logon Initialization Scripts [T1037], Scheduled Task/Job [T1053], Process Injection [T1055], Exploitation for Privilege Escalation [T1068], Valid Accounts [T1078], Access Token Manipulation [T1134], Group Policy Modification [T1484], Create or Modify System Process [T1543], Event Triggered Execution [T1546], Boot or Logon Autostart Execution [T1547], Abuse Elevation Control Mechanism [T1548], Hijack Execution Flow [T1574]]
    77 subtechniques=[Logon Script (Windows) [T1037.001], Logon Script (Mac) [T1037.002], Network Logon Script [T1037.003], Rc.common [T1037.004], Startup Items [T1037.005], At (Linux) [T1053.001], At (Windows) [T1053.002], Cron [T1053.003], Launchd [T1053.004], Scheduled Task [T1053.005], Systemd Timers [T1053.006], Dynamic-link Library Injection [T1055.001], Portable Executable Injection [T1055.002], Thread Execution Hijacking [T1055.003], Asynchronous Procedure Call [T1055.004], Thread Local Storage [T1055.005], Ptrace System Calls [T1055.008], Proc Memory [T1055.009], Extra Window Memory Injection [T1055.011], Process Hollowing [T1055.012], Process Doppelgänging [T1055.013], VDSO Hijacking [T1055.014], Default Accounts [T1078.001], Domain Accounts [T1078.002], Local Accounts [T1078.003], Cloud Accounts [T1078.004], Token Impersonation/Theft [T1134.001], Create Process with Token [T1134.002], Make and Impersonate Token [T1134.003], Parent PID Spoofing [T1134.004], SID-History Injection [T1134.005], Launch Agent [T1543.001], Systemd Service [T1543.002], Windows Service [T1543.003], Launch Daemon [T1543.004], Change Default File Association [T1546.001], Screensaver [T1546.002], Windows Management Instrumentation Event Subscription [T1546.003], .bash_profile and .bashrc [T1546.004], Trap [T1546.005], LC_LOAD_DYLIB Addition [T1546.006], Netsh Helper DLL [T1546.007], Accessibility Features [T1546.008], AppCert DLLs [T1546.009], AppInit DLLs [T1546.010], Application Shimming [T1546.011], Image File Execution Options Injection [T1546.012], PowerShell Profile [T1546.013], Emond [T1546.014], Component Object Model Hijacking [T1546.015], Registry Run Keys / Startup Folder [T1547.001], Authentication Package [T1547.002], Time Providers [T1547.003], Winlogon Helper DLL [T1547.004], Security Support Provider [T1547.005], Kernel Modules and Extensions [T1547.006], Re-opened Applications [T1547.007], LSASS Driver [T1547.008], Shortcut Modification [T1547.009], Port Monitors [T1547.010], Plist Modification [T1547.011], Print Processors [T1547.012], Setuid and Setgid [T1548.001], Bypass User Account Control [T1548.002], Sudo and Sudo Caching [T1548.003], Elevated Execution with Prompt [T1548.004], DLL Search Order Hijacking [T1574.001], DLL Side-Loading [T1574.002], Dylib Hijacking [T1574.004], Executable Installer File Permissions Weakness [T1574.005], LD_PRELOAD [T1574.006], Path Interception by PATH Environment Variable [T1574.007], Path Interception by Search Order Hijacking [T1574.008], Path Interception by Unquoted Path [T1574.009], Services File Permissions Weakness [T1574.010], Services Registry Permissions Weakness [T1574.011], COR_PROFILER [T1574.012]]
Tactic Defense Evasion [TA0005] has 149 techniques
    37 main techniques=[Direct Volume Access [T1006], Rootkit [T1014], Obfuscated Files or Information [T1027], Masquerading [T1036], Process Injection [T1055], Indicator Removal on Host [T1070], Valid Accounts [T1078], Modify Registry [T1112], Trusted Developer Utilities Proxy Execution [T1127], Access Token Manipulation [T1134], Deobfuscate/Decode Files or Information [T1140], BITS Jobs [T1197], Indirect Command Execution [T1202], Traffic Signaling [T1205], Rogue Domain Controller [T1207], Exploitation for Defense Evasion [T1211], Signed Script Proxy Execution [T1216], Signed Binary Proxy Execution [T1218], XSL Script Processing [T1220], Template Injection [T1221], File and Directory Permissions Modification [T1222], Execution Guardrails [T1480], Group Policy Modification [T1484], Virtualization/Sandbox Evasion [T1497], Unused/Unsupported Cloud Regions [T1535], Pre-OS Boot [T1542], Abuse Elevation Control Mechanism [T1548], Use Alternate Authentication Material [T1550], Subvert Trust Controls [T1553], Modify Authentication Process [T1556], Impair Defenses [T1562], Hide Artifacts [T1564], Hijack Execution Flow [T1574], Modify Cloud Compute Infrastructure [T1578], Network Boundary Bridging [T1599], Weaken Encryption [T1600], Modify System Image [T1601]]
    112 subtechniques=[Binary Padding [T1027.001], Software Packing [T1027.002], Steganography [T1027.003], Compile After Delivery [T1027.004], Indicator Removal from Tools [T1027.005], Invalid Code Signature [T1036.001], Right-to-Left Override [T1036.002], Rename System Utilities [T1036.003], Masquerade Task or Service [T1036.004], Match Legitimate Name or Location [T1036.005], Space after Filename [T1036.006], Dynamic-link Library Injection [T1055.001], Portable Executable Injection [T1055.002], Thread Execution Hijacking [T1055.003], Asynchronous Procedure Call [T1055.004], Thread Local Storage [T1055.005], Ptrace System Calls [T1055.008], Proc Memory [T1055.009], Extra Window Memory Injection [T1055.011], Process Hollowing [T1055.012], Process Doppelgänging [T1055.013], VDSO Hijacking [T1055.014], Clear Windows Event Logs [T1070.001], Clear Linux or Mac System Logs [T1070.002], Clear Command History [T1070.003], File Deletion [T1070.004], Network Share Connection Removal [T1070.005], Timestomp [T1070.006], Default Accounts [T1078.001], Domain Accounts [T1078.002], Local Accounts [T1078.003], Cloud Accounts [T1078.004], MSBuild [T1127.001], Token Impersonation/Theft [T1134.001], Create Process with Token [T1134.002], Make and Impersonate Token [T1134.003], Parent PID Spoofing [T1134.004], SID-History Injection [T1134.005], Port Knocking [T1205.001], PubPrn [T1216.001], Compiled HTML File [T1218.001], Control Panel [T1218.002], CMSTP [T1218.003], InstallUtil [T1218.004], Mshta [T1218.005], Msiexec [T1218.007], Odbcconf [T1218.008], Regsvcs/Regasm [T1218.009], Regsvr32 [T1218.010], Rundll32 [T1218.011], Verclsid [T1218.012], Windows File and Directory Permissions Modification [T1222.001], Linux and Mac File and Directory Permissions Modification [T1222.002], Environmental Keying [T1480.001], System Checks [T1497.001], User Activity Based Checks [T1497.002], Time Based Evasion [T1497.003], System Firmware [T1542.001], Component Firmware [T1542.002], Bootkit [T1542.003], ROMMONkit [T1542.004], TFTP Boot [T1542.005], Setuid and Setgid [T1548.001], Bypass User Account Control [T1548.002], Sudo and Sudo Caching [T1548.003], Elevated Execution with Prompt [T1548.004], Application Access Token [T1550.001], Pass the Hash [T1550.002], Pass the Ticket [T1550.003], Web Session Cookie [T1550.004], Gatekeeper Bypass [T1553.001], Code Signing [T1553.002], SIP and Trust Provider Hijacking [T1553.003], Install Root Certificate [T1553.004], Domain Controller Authentication [T1556.001], Password Filter DLL [T1556.002], Pluggable Authentication Modules [T1556.003], Network Device Authentication [T1556.004], Disable or Modify Tools [T1562.001], Disable Windows Event Logging [T1562.002], Impair Command History Logging [T1562.003], Disable or Modify System Firewall [T1562.004], Indicator Blocking [T1562.006], Disable or Modify Cloud Firewall [T1562.007], Disable Cloud Logs [T1562.008], Hidden Files and Directories [T1564.001], Hidden Users [T1564.002], Hidden Window [T1564.003], NTFS File Attributes [T1564.004], Hidden File System [T1564.005], Run Virtual Instance [T1564.006], VBA Stomping [T1564.007], DLL Search Order Hijacking [T1574.001], DLL Side-Loading [T1574.002], Dylib Hijacking [T1574.004], Executable Installer File Permissions Weakness [T1574.005], LD_PRELOAD [T1574.006], Path Interception by PATH Environment Variable [T1574.007], Path Interception by Search Order Hijacking [T1574.008], Path Interception by Unquoted Path [T1574.009], Services File Permissions Weakness [T1574.010], Services Registry Permissions Weakness [T1574.011], COR_PROFILER [T1574.012], Create Snapshot [T1578.001], Create Cloud Instance [T1578.002], Delete Cloud Instance [T1578.003], Revert Cloud Instance [T1578.004], Network Address Translation Traversal [T1599.001], Reduce Key Space [T1600.001], Disable Crypto Hardware [T1600.002], Patch System Image [T1601.001], Downgrade System Image [T1601.002]]
Tactic Credential Access [TA0006] has 49 techniques
    14 main techniques=[OS Credential Dumping [T1003], Network Sniffing [T1040], Input Capture [T1056], Brute Force [T1110], Two-Factor Authentication Interception [T1111], Forced Authentication [T1187], Exploitation for Credential Access [T1212], Steal Application Access Token [T1528], Steal Web Session Cookie [T1539], Unsecured Credentials [T1552], Credentials from Password Stores [T1555], Modify Authentication Process [T1556], Man-in-the-Middle [T1557], Steal or Forge Kerberos Tickets [T1558]]
    35 subtechniques=[LSASS Memory [T1003.001], Security Account Manager [T1003.002], NTDS [T1003.003], LSA Secrets [T1003.004], Cached Domain Credentials [T1003.005], DCSync [T1003.006], Proc Filesystem [T1003.007], /etc/passwd and /etc/shadow [T1003.008], Keylogging [T1056.001], GUI Input Capture [T1056.002], Web Portal Capture [T1056.003], Credential API Hooking [T1056.004], Password Guessing [T1110.001], Password Cracking [T1110.002], Password Spraying [T1110.003], Credential Stuffing [T1110.004], Credentials In Files [T1552.001], Credentials in Registry [T1552.002], Bash History [T1552.003], Private Keys [T1552.004], Cloud Instance Metadata API [T1552.005], Group Policy Preferences [T1552.006], Keychain [T1555.001], Securityd Memory [T1555.002], Credentials from Web Browsers [T1555.003], Domain Controller Authentication [T1556.001], Password Filter DLL [T1556.002], Pluggable Authentication Modules [T1556.003], Network Device Authentication [T1556.004], LLMNR/NBT-NS Poisoning and SMB Relay [T1557.001], ARP Cache Poisoning [T1557.002], Golden Ticket [T1558.001], Silver Ticket [T1558.002], Kerberoasting [T1558.003], AS-REP Roasting [T1558.004]]
Tactic Discovery [TA0007] has 36 techniques
    25 main techniques=[System Service Discovery [T1007], Application Window Discovery [T1010], Query Registry [T1012], System Network Configuration Discovery [T1016], Remote System Discovery [T1018], System Owner/User Discovery [T1033], Network Sniffing [T1040], Network Service Scanning [T1046], System Network Connections Discovery [T1049], Process Discovery [T1057], Permission Groups Discovery [T1069], System Information Discovery [T1082], File and Directory Discovery [T1083], Account Discovery [T1087], Peripheral Device Discovery [T1120], System Time Discovery [T1124], Network Share Discovery [T1135], Password Policy Discovery [T1201], Browser Bookmark Discovery [T1217], Domain Trust Discovery [T1482], Virtualization/Sandbox Evasion [T1497], Software Discovery [T1518], Cloud Service Discovery [T1526], Cloud Service Dashboard [T1538], Cloud Infrastructure Discovery [T1580]]
    11 subtechniques=[Local Groups [T1069.001], Domain Groups [T1069.002], Cloud Groups [T1069.003], Local Account [T1087.001], Domain Account [T1087.002], Email Account [T1087.003], Cloud Account [T1087.004], System Checks [T1497.001], User Activity Based Checks [T1497.002], Time Based Evasion [T1497.003], Security Software Discovery [T1518.001]]
Tactic Lateral Movement [TA0008] has 21 techniques
    9 main techniques=[Remote Services [T1021], Software Deployment Tools [T1072], Taint Shared Content [T1080], Replication Through Removable Media [T1091], Exploitation of Remote Services [T1210], Internal Spearphishing [T1534], Use Alternate Authentication Material [T1550], Remote Service Session Hijacking [T1563], Lateral Tool Transfer [T1570]]
    12 subtechniques=[Remote Desktop Protocol [T1021.001], SMB/Windows Admin Shares [T1021.002], Distributed Component Object Model [T1021.003], SSH [T1021.004], VNC [T1021.005], Windows Remote Management [T1021.006], Application Access Token [T1550.001], Pass the Hash [T1550.002], Pass the Ticket [T1550.003], Web Session Cookie [T1550.004], SSH Hijacking [T1563.001], RDP Hijacking [T1563.002]]
Tactic Collection [TA0009] has 35 techniques
    17 main techniques=[Data from Local System [T1005], Data from Removable Media [T1025], Data from Network Shared Drive [T1039], Input Capture [T1056], Data Staged [T1074], Screen Capture [T1113], Email Collection [T1114], Clipboard Data [T1115], Automated Collection [T1119], Audio Capture [T1123], Video Capture [T1125], Man in the Browser [T1185], Data from Information Repositories [T1213], Data from Cloud Storage Object [T1530], Man-in-the-Middle [T1557], Archive Collected Data [T1560], Data from Configuration Repository [T1602]]
    18 subtechniques=[Keylogging [T1056.001], GUI Input Capture [T1056.002], Web Portal Capture [T1056.003], Credential API Hooking [T1056.004], Local Data Staging [T1074.001], Remote Data Staging [T1074.002], Local Email Collection [T1114.001], Remote Email Collection [T1114.002], Email Forwarding Rule [T1114.003], Confluence [T1213.001], Sharepoint [T1213.002], LLMNR/NBT-NS Poisoning and SMB Relay [T1557.001], ARP Cache Poisoning [T1557.002], Archive via Utility [T1560.001], Archive via Library [T1560.002], Archive via Custom Method [T1560.003], SNMP (MIB Dump) [T1602.001], Network Device Configuration Dump [T1602.002]]
Tactic Command and Control [TA0011] has 38 techniques
    16 main techniques=[Data Obfuscation [T1001], Fallback Channels [T1008], Application Layer Protocol [T1071], Proxy [T1090], Communication Through Removable Media [T1092], Non-Application Layer Protocol [T1095], Web Service [T1102], Multi-Stage Channels [T1104], Ingress Tool Transfer [T1105], Data Encoding [T1132], Traffic Signaling [T1205], Remote Access Software [T1219], Dynamic Resolution [T1568], Non-Standard Port [T1571], Protocol Tunneling [T1572], Encrypted Channel [T1573]]
    22 subtechniques=[Junk Data [T1001.001], Steganography [T1001.002], Protocol Impersonation [T1001.003], Web Protocols [T1071.001], File Transfer Protocols [T1071.002], Mail Protocols [T1071.003], DNS [T1071.004], Internal Proxy [T1090.001], External Proxy [T1090.002], Multi-hop Proxy [T1090.003], Domain Fronting [T1090.004], Dead Drop Resolver [T1102.001], Bidirectional Communication [T1102.002], One-Way Communication [T1102.003], Standard Encoding [T1132.001], Non-Standard Encoding [T1132.002], Port Knocking [T1205.001], Fast Flux DNS [T1568.001], Domain Generation Algorithms [T1568.002], DNS Calculation [T1568.003], Symmetric Cryptography [T1573.001], Asymmetric Cryptography [T1573.002]]
Tactic Exfiltration [TA0010] has 17 techniques
    9 main techniques=[Exfiltration Over Other Network Medium [T1011], Automated Exfiltration [T1020], Scheduled Transfer [T1029], Data Transfer Size Limits [T1030], Exfiltration Over C2 Channel [T1041], Exfiltration Over Alternative Protocol [T1048], Exfiltration Over Physical Medium [T1052], Transfer Data to Cloud Account [T1537], Exfiltration Over Web Service [T1567]]
    8 subtechniques=[Exfiltration Over Bluetooth [T1011.001], Traffic Duplication [T1020.001], Exfiltration Over Symmetric Encrypted Non-C2 Protocol [T1048.001], Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [T1048.002], Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003], Exfiltration over USB [T1052.001], Exfiltration to Code Repository [T1567.001], Exfiltration to Cloud Storage [T1567.002]]
Tactic Impact [TA0040] has 26 techniques
    13 main techniques=[Data Destruction [T1485], Data Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490], Defacement [T1491], Firmware Corruption [T1495], Resource Hijacking [T1496], Network Denial of Service [T1498], Endpoint Denial of Service [T1499], System Shutdown/Reboot [T1529], Account Access Removal [T1531], Disk Wipe [T1561], Data Manipulation [T1565]]
    13 subtechniques=[Internal Defacement [T1491.001], External Defacement [T1491.002], Direct Network Flood [T1498.001], Reflection Amplification [T1498.002], OS Exhaustion Flood [T1499.001], Service Exhaustion Flood [T1499.002], Application Exhaustion Flood [T1499.003], Application or System Exploitation [T1499.004], Disk Content Wipe [T1561.001], Disk Structure Wipe [T1561.002], Stored Data Manipulation [T1565.001], Transmitted Data Manipulation [T1565.002], Runtime Data Manipulation [T1565.003]]

dfirence commented 3 years ago

Thank you @grimlock81 - I concur

@slimbentami

I created a tool based on the same needs, and looking at the validation from @grimlock81, I concur with him. However, note that these numbers can change as the MITRE team updates/modifies the matrix we all love today. My numbers are from the enterprise.json file provided in this CTI GitHub repo.

mitre-assistant search -m enterprise -t "stats:tactics"

[screenshot: output of the command above]

From the unique-counts perspective, I also concur.

mitre-assistant search -m enterprise -t "stats"

[screenshot: output of the command above]

ghost commented 3 years ago

Thank you @grimlock81 and @dfirence. You are right, my mistake. I use R to ingest the JSON and was not careful enough with the handling of NA values for some of these fields, like revoked or x_mitre_is_subtechnique, which for some reason contain NA after ingestion. I can now recover the same counts, so all is well. I appreciate your help.
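As an added example (not code from this thread, from mitre-assistant, or from the mitre/cti project), the counting logic behind grimlock81's per-tactic listing and the missing-key pitfall the original poster describes, run on a constructed miniature bundle in the same STIX 2.0 shape as the repo's enterprise-attack JSON. The tactic and technique objects (IDs T9001 to T9003, names "Technique A" and so on) are made up for the example. Absent `revoked` and `x_mitre_is_subtechnique` keys are treated as False, which is what the real counts require; `naive_active_count` shows how requiring `revoked == False` silently drops every object that lacks the key.

```python
import json
from collections import OrderedDict


def _technique(uid, name, tid, phases, **extra):
    """Build a constructed attack-pattern object (hypothetical, not real ATT&CK content)."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--{uid}",
        "name": name,
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases
        ],
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
    }
    obj.update(extra)
    return obj


# Constructed miniature bundle; some objects deliberately omit "revoked" and
# "x_mitre_is_subtechnique", which is the missing-value (NA) case from the thread.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Persistence",
         "x_mitre_shortname": "persistence",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--2", "name": "Privilege Escalation",
         "x_mitre_shortname": "privilege-escalation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0004"}]},
        # main technique listed under two tactics; no "revoked" key at all
        _technique("1", "Technique A", "T9001", ["persistence", "privilege-escalation"]),
        # sub-technique; "revoked" key absent
        _technique("2", "Sub A.001", "T9001.001", ["persistence"], x_mitre_is_subtechnique=True),
        # revoked technique: must not be counted
        _technique("3", "Technique B", "T9002", ["persistence"], revoked=True),
        # deprecated technique: must not be counted
        _technique("4", "Technique C", "T9003", ["privilege-escalation"],
                   x_mitre_deprecated=True, x_mitre_is_subtechnique=False),
        # sub-technique with both flags written out explicitly
        _technique("5", "Sub A.002", "T9001.002", ["privilege-escalation"],
                   x_mitre_is_subtechnique=True, revoked=False),
        # non-technique object, ignored by the count
        {"type": "relationship", "id": "relationship--1", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--2", "target_ref": "attack-pattern--1"},
    ],
})


def attack_id(obj):
    """Return the ATT&CK external ID (Txxxx / TAxxxx) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """Count a technique unless it is revoked or deprecated; a missing key means False."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def is_sub(obj):
    return bool(obj.get("x_mitre_is_subtechnique", False))


def in_tactic(obj, shortname):
    """Tactic membership comes from kill_chain_phases, keyed by the tactic's x_mitre_shortname."""
    return any(p.get("kill_chain_name") == "mitre-attack" and p.get("phase_name") == shortname
               for p in obj.get("kill_chain_phases", []))


def technique_stats(bundle_json):
    objects = json.loads(bundle_json)["objects"]
    tactics = [o for o in objects if o["type"] == "x-mitre-tactic"]
    techniques = [o for o in objects if o["type"] == "attack-pattern"]
    active = [o for o in techniques if is_active(o)]
    per_tactic = OrderedDict()
    for t in tactics:
        members = [o for o in active if in_tactic(o, t["x_mitre_shortname"])]
        per_tactic[t["x_mitre_shortname"]] = {
            "name": t["name"],
            "id": attack_id(t),
            "main": sorted(attack_id(o) for o in members if not is_sub(o)),
            "sub": sorted(attack_id(o) for o in members if is_sub(o)),
        }
    return {
        "tactics": len(tactics),
        "techniques": len(techniques),
        "active": len(active),
        "main": sum(1 for o in active if not is_sub(o)),
        "sub": sum(1 for o in active if is_sub(o)),
        "per_tactic": per_tactic,
    }


def naive_active_count(bundle_json):
    """The thread's bug: testing revoked == False drops every object where the key is absent."""
    objects = json.loads(bundle_json)["objects"]
    return sum(1 for o in objects
               if o["type"] == "attack-pattern" and o.get("revoked") is False)


def report(stats):
    """Render the counts in the same shape as the per-tactic listing above."""
    lines = [
        f"There are {stats['tactics']} tactics",
        f"There are {stats['techniques']} techniques",
        f"There are {stats['active']} techniques that are neither revoked nor deprecated. Of those there are",
        f"    {stats['main']} main techniques",
        f"    {stats['sub']} subtechniques",
    ]
    for t in stats["per_tactic"].values():
        lines.append(f"Tactic {t['name']} [{t['id']}] has {len(t['main']) + len(t['sub'])} techniques")
        lines.append(f"    {len(t['main'])} main techniques={t['main']}")
        lines.append(f"    {len(t['sub'])} subtechniques={t['sub']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(technique_stats(SAMPLE_BUNDLE)))
    print("naive count (revoked == False only):", naive_active_count(SAMPLE_BUNDLE))
```

To reproduce the real numbers, pass the contents of the repo's enterprise-attack JSON file to `technique_stats`; the report lines follow the shape of grimlock81's listing so the two can be compared directly. The same missing-key handling applies in any other loader: a STIX object that never sets `revoked` is not revoked, and a dataframe that turns that absence into NA has to be coalesced to False before filtering.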