- MITRE's ATT&CK framework is "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."
## Notable MITRE ATT&CK Tactics and Techniques
| **Tactic / Technique** | **Description** |
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Initial Access](https://attack.mitre.org/techniques/T1190/) | Attackers attempt to gain initial access by compromising a public-facing host or service: web applications, misconfigured services such as SMB or authentication protocols, and/or bugs in a public-facing host that introduce a vulnerability. |
| [Execution](https://attack.mitre.org/tactics/TA0002) | This tactic depends on code supplied and planted by an attacker running on the victim host. The `Shells & Payloads` module focuses mainly on this tactic. |
| [Command & Control](https://attack.mitre.org/tactics/TA0011) | Command and Control (`C2`) can be looked at as the culmination of our efforts within this module. We gain access to a host and establish some mechanism for continued and/or interactive access via code execution, then utilize that access to perform follow-on actions on objectives within the victim network. |
## Events to Watch for
- File uploads
  - counter with FW and AV, layered defense, hardened hosts/networks
- Suspicious non-admin user actions
  - counter with logging
- Anomalous network sessions
  - counter with logging and netflow parsing
## Establish Network Visibility
- network topology
- establish a baseline
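As an added illustration of the "anomalous network sessions" and "establish a baseline" notes above (example code, not part of the original notes), this Python sketch runs two simple checks over netflow-style records: destinations absent from the baseline, and sessions whose connection timing is regular enough to look timer-driven rather than human-driven. The records, addresses, baseline and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed netflow-style records (hypothetical sample data, not real traffic):
# (timestamp in seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # Workstation calling out to one external host every ~60 s with small payloads
    (0,   "10.0.0.5", "203.0.113.7",   443, 512),
    (60,  "10.0.0.5", "203.0.113.7",   443, 498),
    (121, "10.0.0.5", "203.0.113.7",   443, 530),
    (180, "10.0.0.5", "203.0.113.7",   443, 505),
    (241, "10.0.0.5", "203.0.113.7",   443, 512),
    # Ordinary browsing: irregular timing and sizes
    (3,   "10.0.0.8", "198.51.100.20", 443, 14020),
    (47,  "10.0.0.8", "198.51.100.20", 443, 2300),
    (52,  "10.0.0.8", "198.51.100.20", 443, 88120),
    (300, "10.0.0.8", "198.51.100.20", 443, 7400),
    (310, "10.0.0.8", "198.51.100.20", 443, 1200),
    # Internal DNS: too few flows to judge periodicity
    (5,   "10.0.0.5", "10.0.0.1",      53,  70),
    (9,   "10.0.0.8", "10.0.0.1",      53,  66),
]

# Constructed baseline: destinations observed during a known-good period
BASELINE_DESTS = {"198.51.100.20", "10.0.0.1"}


def flag_new_destinations(flows, baseline):
    """Destinations absent from the baseline: candidates for anomalous sessions."""
    return sorted({dst for _, _, dst, _, _ in flows if dst not in baseline})


def flag_beacons(flows, min_flows=4, max_jitter=0.15):
    """Return (src, dst, port) tuples whose inter-arrival gaps are near-constant.
    Jitter is stdev/mean of the gaps; timer-driven check-ins sit close to zero."""
    sessions = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        sessions[(src, dst, port)].append(ts)
    hits = []
    for key, times in sessions.items():
        if len(times) < min_flows:
            continue
        ts = sorted(times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("new destinations:", flag_new_destinations(FLOWS, BASELINE_DESTS))
    print("periodic sessions:", flag_beacons(FLOWS))
```

Both checks only surface candidates; the hit is the starting point for pulling the host's process and logon logs, not a verdict on its own.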
## Protecting End Devices
- change mgmt
- patch mgmt
- host-AV or Windows Defender
## Potential Mitigations
- application sandboxing
- least privilege perm policies
- host segmentation and hardening
- physical and application layer FWs