MITRE ATT&CK®

Corelight’s coverage includes comprehensive approaches to uncover over 80 techniques, with exceptional visibility into adversary methods used for Defense Evasion, Credential Access, Discovery, and Command and Control.

Visit our interactive MITRE ATT&CK navigator.

Corelight excels at spotting C2, Discovery, and more:


Initial access

Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Phishing, Valid Accounts

Defense evasion

Exploitation for Defense Evasion, Hijack Execution Flow, Indicator Removal on Host, Masquerading, Modify Authentication Process, Modify Registry, Process Injection, Rogue Domain Controller, Subvert Trust Controls, Valid Accounts

Credential access

Brute Force, Credentials from Password Stores, Forced Authentication, Man-in-the-Middle, Modify Authentication Process, OS Credential Dumping, Steal or Forge Kerberos Tickets

Discovery

Account Discovery, Domain Trust Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Time Discovery

Lateral movement

Exploitation of Remote Services, Lateral Tool Transfer, Remote Service Session Hijacking, Remote Services

C2

Application Layer Protocol, Data Encoding, Dynamic Resolution, Encrypted Channel, Fallback Channels, Ingress Tool Transfer, Non-Application Layer Protocol, Non-Standard Port, Protocol Tunneling, Proxy, Web Service

Additional coverage

Corelight’s MITRE ATT&CK approach

Corelight drives broad coverage across the MITRE ATT&CK TTPs using an approach focused on visibility and explainable, evidence-based analytics. The foundation of this approach is Zeek® network telemetry, data that captures activity across a broad set of network protocols and fuels advanced analytics. With these analytics, Corelight provides machine learning models, behavioral alerts, and Suricata-based IDS and SIEM rules to detect the relevant ATT&CK tactics, techniques, and procedures. Corelight’s Open NDR Platform allows you to build your own detection content or use community contributions such as MITRE’s BZAR package.