MITRE ATT&CK

Comprendre comment les adversaires opèrent — pas superficiellement, jusqu’au mécanisme.

C’est quoi

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) est une base de connaissance ouverte qui documente les comportements réels d’attaquants observés dans la nature.

Pas théorique. Basé sur des incidents réels, des APT documentées, des malwares analysés.

Maintenu par MITRE Corporation depuis 2013. Gratuit, public, structuré.

Trois matrices principales :

Enterprise — Windows, Linux, macOS, Cloud, réseau
Mobile — Android, iOS
ICS — Systèmes industriels / SCADA

La structure : Tactiques → Techniques → Sous-techniques


Tactique (le "pourquoi" — objectif de l'attaquant) └── Technique (le "comment" — méthode générale) └── Sous-technique (l'implémentation spécifique)

Exemple :


Credential Access (tactique) └── OS Credential Dumping (technique T1003) ├── LSASS Memory (T1003.001) ├── SAM (T1003.002) ├── NTDS (T1003.003) └── ...

Les 14 Tactiques Enterprise

TA0043 — Reconnaissance

Avant de toucher la cible.

Collecte d’informations passive et active avant l’intrusion.

Techniques clés :

T1595 — Active Scanning (Nmap, Masscan)
T1592 — Gather Victim Host Information
T1589 — Gather Victim Identity Information (emails, noms)
T1590 — Gather Victim Network Information (ASN, IP ranges)
T1591 — Gather Victim Org Information (organigramme, fournisseurs)
T1596 — Search Open Technical Databases (Shodan, Censys)
T1597 — Search Closed Sources (dark web, forums)
T1598 — Phishing for Information (pretexting)
T1593 — Search Open Websites (LinkedIn, GitHub, Google dorks)
T1594 — Search Victim-Owned Websites

TA0042 — Resource Development

Construire l’infrastructure d’attaque.

T1583 — Acquire Infrastructure (VPS, domaines, bulletproof hosting)
T1584 — Compromise Infrastructure (détourner infra légitime)
T1585 — Establish Accounts (faux profils LinkedIn, email)
T1586 — Compromise Accounts (hijack comptes existants)
T1587 — Develop Capabilities (écrire son propre malware)
T1588 — Obtain Capabilities (acheter exploits, outils)
T1608 — Stage Capabilities (héberger payloads, C2)

TA0001 — Initial Access

Entrer dans le périmètre.

T1566 — Phishing
- T1566.001 — Spearphishing Attachment
- T1566.002 — Spearphishing Link
- T1566.003 — Spearphishing via Service (Slack, Teams)
T1190 — Exploit Public-Facing Application (CVE sur services exposés)
T1133 — External Remote Services (VPN, RDP, Citrix)
T1078 — Valid Accounts (credentials volés, stuffing)
T1091 — Replication Through Removable Media (USB drop)
T1195 — Supply Chain Compromise
T1199 — Trusted Relationship (MSP, prestataires)
T1200 — Hardware Additions (implant physique)

TA0002 — Execution

Faire tourner du code sur la cible.

T1059 — Command and Scripting Interpreter
- T1059.001 — PowerShell
- T1059.003 — Windows Command Shell (cmd.exe)
- T1059.004 — Unix Shell
- T1059.005 — Visual Basic
- T1059.006 — Python
- T1059.007 — JavaScript
T1203 — Exploitation for Client Execution (exploit navigateur, Office)
T1204 — User Execution
- T1204.001 — Malicious Link
- T1204.002 — Malicious File
T1047 — Windows Management Instrumentation (WMI)
T1053 — Scheduled Task/Job (cron, at, Task Scheduler)
T1569 — System Services
- T1569.002 — Service Execution (sc.exe, PsExec)
T1072 — Software Deployment Tools (SCCM, Ansible compromis)

TA0003 — Persistence

Rester dans le système après reboot.

T1547 — Boot or Logon Autostart Execution
- T1547.001 — Registry Run Keys
- T1547.004 — Winlogon Helper DLL
- T1547.006 — Kernel Modules (Linux)
T1543 — Create or Modify System Process
- T1543.003 — Windows Service
T1053 — Scheduled Task/Job
T1136 — Create Account (compte backdoor)
T1098 — Account Manipulation (ajout de clé SSH, MFA bypass)
T1505 — Server Software Component
- T1505.003 — Web Shell
T1574 — Hijack Execution Flow
- T1574.002 — DLL Side-Loading
T1176 — Browser Extensions (extension malveillante)
T1037 — Boot or Logon Initialization Scripts

TA0004 — Privilege Escalation

Monter en droits.

T1548 — Abuse Elevation Control Mechanism
- T1548.002 — Bypass UAC (Windows)
- T1548.003 — Sudo and Sudo Caching (Linux)
T1134 — Access Token Manipulation
- T1134.001 — Token Impersonation/Theft
T1068 — Exploitation for Privilege Escalation (CVE locaux)
T1055 — Process Injection
- T1055.001 — DLL Injection
- T1055.002 — Portable Executable Injection
- T1055.012 — Process Hollowing
T1574 — Hijack Execution Flow
T1611 — Escape to Host (container breakout)

TA0005 — Defense Evasion

Rester invisible.

T1562 — Impair Defenses
- T1562.001 — Disable/Modify Tools (kill AV)
- T1562.002 — Disable Windows Event Logging
T1070 — Indicator Removal
- T1070.001 — Clear Windows Event Logs
- T1070.003 — Clear Command History
- T1070.004 — File Deletion
T1036 — Masquerading (renommer binaires, faux noms de process)
T1027 — Obfuscated Files or Information
- T1027.002 — Software Packing
- T1027.005 — Indicator Removal from Tools (strip les IOCs)
T1055 — Process Injection
T1218 — System Binary Proxy Execution (LOLBins)
- T1218.011 — Rundll32
- T1218.010 — Regsvr32
- T1218.005 — Mshta
T1497 — Virtualization/Sandbox Evasion
T1620 — Reflective Code Loading (charger code sans écrire sur disque)

TA0006 — Credential Access

Voler des credentials.

T1003 — OS Credential Dumping
- T1003.001 — LSASS Memory (Mimikatz, procdump)
- T1003.002 — SAM (reg save)
- T1003.003 — NTDS.dit (DCSync, ntdsutil)
- T1003.004 — LSA Secrets
T1110 — Brute Force
- T1110.001 — Password Guessing
- T1110.002 — Password Cracking (hashcat, john)
- T1110.003 — Password Spraying
- T1110.004 — Credential Stuffing
T1555 — Credentials from Password Stores
- T1555.003 — Credentials from Web Browsers
T1056 — Input Capture
- T1056.001 — Keylogging
- T1056.003 — Web Portal Capture (fake login)
T1539 — Steal Web Session Cookie
T1558 — Steal or Forge Kerberos Tickets
- T1558.001 — Golden Ticket
- T1558.002 — Silver Ticket
- T1558.003 — Kerberoasting
- T1558.004 — AS-REP Roasting
T1552 — Unsecured Credentials
- T1552.001 — Credentials in Files (configs, scripts)
- T1552.004 — Private Keys

TA0007 — Discovery

Comprendre l’environnement compromis.

T1082 — System Information Discovery
T1083 — File and Directory Discovery
T1057 — Process Discovery (tasklist, ps aux)
T1049 — System Network Connections Discovery (netstat)
T1016 — System Network Configuration Discovery (ipconfig, ifconfig)
T1018 — Remote System Discovery (ping sweep, ARP)
T1069 — Permission Groups Discovery
- T1069.002 — Domain Groups (net group /domain)
T1087 — Account Discovery
- T1087.002 — Domain Account (net user /domain)
T1135 — Network Share Discovery
T1046 — Network Service Discovery (scan interne)
T1201 — Password Policy Discovery
T1217 — Browser Bookmark Discovery
T1482 — Domain Trust Discovery (BloodHound)
T1615 — Group Policy Discovery

TA0008 — Lateral Movement

Se déplacer dans le réseau.

T1021 — Remote Services
- T1021.001 — RDP
- T1021.002 — SMB/Windows Admin Shares (PsExec)
- T1021.004 — SSH
- T1021.006 — Windows Remote Management (WinRM)
T1550 — Use Alternate Authentication Material
- T1550.002 — Pass the Hash (PTH)
- T1550.003 — Pass the Ticket (PTT)
T1563 — Remote Service Session Hijacking
T1534 — Internal Spearphishing
T1570 — Lateral Tool Transfer (copier tools via SMB, SCP)
T1080 — Taint Shared Content (infecter shares réseau)

TA0009 — Collection

Récolter les données d’intérêt.

T1005 — Data from Local System
T1039 — Data from Network Shared Drive
T1025 — Data from Removable Media
T1114 — Email Collection
- T1114.002 — Remote Email Collection (OWA, Exchange)
T1056 — Input Capture (keylogger)
T1113 — Screen Capture
T1125 — Video Capture
T1123 — Audio Capture
T1185 — Browser Session Hijacking
T1530 — Data from Cloud Storage

TA0011 — Command and Control

Maintenir le canal de communication avec les implants.

T1071 — Application Layer Protocol
- T1071.001 — Web Protocols (C2 over HTTP/HTTPS)
- T1071.004 — DNS (DNS tunneling — Iodine, dnscat2)
T1090 — Proxy
- T1090.004 — Domain Fronting
T1095 — Non-Application Layer Protocol (raw TCP/UDP)
T1572 — Protocol Tunneling (SSH tunnel, ICMP tunnel)
T1102 — Web Service (C2 via GitHub, Slack, Discord, Twitter)
T1132 — Data Encoding (base64, XOR)
T1001 — Data Obfuscation
T1573 — Encrypted Channel
- T1573.001 — Symmetric Cryptography
- T1573.002 — Asymmetric Cryptography
T1008 — Fallback Channels (backup C2)
T1105 — Ingress Tool Transfer (download stager)

TA0010 — Exfiltration

Sortir les données.

T1041 — Exfiltration Over C2 Channel
T1048 — Exfiltration Over Alternative Protocol
- T1048.001 — Exfiltration Over Symmetric Encrypted Non-C2
- T1048.003 — Exfiltration Over Unencrypted Protocol (FTP, HTTP)
T1052 — Exfiltration Over Physical Medium (USB)
T1567 — Exfiltration Over Web Service
- T1567.002 — Exfiltration to Cloud Storage (Dropbox, Drive)
T1029 — Scheduled Transfer (exfil à heures fixes pour éviter détection)
T1030 — Data Transfer Size Limits (chunking pour éviter les alertes)

TA0040 — Impact

Détruire, chiffrer, perturber.

T1486 — Data Encrypted for Impact (ransomware)
T1490 — Inhibit System Recovery (shadow copies, backups)
T1489 — Service Stop (arrêt des services de sécurité)
T1485 — Data Destruction (rm -rf, format)
T1491 — Defacement
- T1491.001 — Internal Defacement
- T1491.002 — External Defacement
T1498 — Network Denial of Service
T1496 — Resource Hijacking (cryptomining)
T1561 — Disk Wipe (MBR wipe — NotPetya)
T1529 — System Shutdown/Reboot

Groupes APT documentés (exemples)

Groupe	Alias	Origine présumée	Secteurs ciblés
APT28	Fancy Bear	Russie (GRU)	Gouvernement, défense, médias
APT29	Cozy Bear	Russie (SVR)	Gouvernement, think tanks
APT41	Winnti	Chine	Santé, tech, gaming
Lazarus	Hidden Cobra	Corée du Nord	Finance, crypto, défense
FIN7	Carbanak	—	Finance, retail, hospitality
Sandworm	—	Russie (GRU)	ICS, énergie, Ukraine

Usage offensif — Red Team

Mapper son engagement à ATT&CK

Avant une mission, identifier quelles techniques seront utilisées :


Objectif : compromission AD Techniques prévues :

- T1566.001 — Phishing avec pièce jointe (Initial Access)
- T1059.001 — PowerShell (Execution)
- T1547.001 — Registry Run Key (Persistence)
- T1003.001 — LSASS dump (Credential Access)
- T1558.003 — Kerberoasting (Credential Access)
- T1021.002 — Lateral movement via SMB (Lateral Movement)
- T1003.003 — DCSync (Credential Access)

Outils associés aux techniques

Outil	Techniques ATT&CK
Mimikatz	T1003.001, T1550.002, T1558.001
BloodHound	T1482, T1069.002, T1087.002
Rubeus	T1558.003, T1558.004, T1550.003
CrackMapExec	T1021.002, T1110.003, T1135
Cobalt Strike	T1055, T1071.001, T1573
Metasploit	T1203, T1068, T1055
Impacket	T1003.003, T1021.006, T1550.002
PowerSploit	T1059.001, T1055, T1134

Usage défensif — Blue Team

Détections par tactique

Initial Access — détecter le phishing :

Analyse des pièces jointes (sandbox)
SPF/DKIM/DMARC sur les emails entrants
Corrélation URL cliquées + process spawned

Execution — détecter PowerShell malveillant :


Event ID 4103/4104 — PowerShell Script Block Logging Event ID 4688 — Process Creation (avec ligne de commande) Sysmon Event ID 1 — Process Create

Persistence — détecter les run keys :


Event ID 13 (Sysmon) — Registry value set Chemin : HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Credential Access — détecter LSASS dump :


Event ID 10 (Sysmon) — Process Access sur lsass.exe Event ID 4656 — Handle demandé sur un objet

Lateral Movement — détecter PTH :


Event ID 4624 — Logon type 3 avec NTLMv2 depuis un poste de travail Event ID 4648 — Explicit credential logon

Navigator — Visualiser une campagne

MITRE ATT&CK Navigator est l’outil officiel pour visualiser quelles techniques sont couvertes/utilisées.


https://mitre-attack.github.io/attack-navigator/

Utilisation :

Créer une nouvelle layer
Colorier les techniques utilisées dans un engagement
Exporter en JSON/SVG pour le rapport
Comparer coverage défensif vs techniques Red Team

Sources & Références

Base officielle : https://attack.mitre.org
Navigator : https://mitre-attack.github.io/attack-navigator
CTI Blueprints (rapports APT mappés) : https://attack.mitre.org/resources/ctiBluePrints
Sigma rules (détections mappées à ATT&CK) : https://github.com/SigmaHQ/sigma
Atomic Red Team (tests par technique) : https://github.com/redcanaryco/atomic-red-team

hashwar.net — notes from the edge.