Table 5. MITRE ATT&CK® tactics, techniques, and sub-techniques exercised in the evaluation environment to challenge the assessment methods. Technique IDs follow the MITRE ATT&CK for Enterprise schema.

From: Proactive identification of cybersecurity compromises via the PROID compromise assessment framework

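| Tactic | Technique | Sub-Technique |
| --- | --- | --- |
| Reconnaissance (TA0043) | Active scanning (T1595) | Wordlist scanning (T1595.003) |
| Reconnaissance (TA0043) | Active scanning (T1595) | Scanning IP blocks (T1595.001) |
| Initial Access (TA0001) | Valid Accounts (T1078) | Domain Accounts (T1078.002) |
| Initial Access (TA0001) | Exploit Public-Facing Application (T1190) | - |
| Initial Access (TA0001) | Phishing (T1566) | Spearphishing Link (T1566.002) |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | Windows Command Shell (T1059.003) |
| Execution (TA0002) | Deploy Container (T1610) | - |
| Execution (TA0002) | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Execution (TA0002) | Windows Management Instrumentation (T1047) | - |
| Persistence (TA0003) | Boot or Logon Autostart Execution (T1547) | Registry Run Keys/Startup Folder (T1547.001) |
| Persistence (TA0003) | Boot or Logon Autostart Execution (T1547) | Authentication Package (T1547.002) |
| Persistence (TA0003) | Modify Authentication Process (T1556) | Reversible Encryption (T1556.005) |
| Persistence (TA0003) | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| Persistence (TA0003) | Server Software Component (T1505) | Web Shell (T1505.003) |
| Privilege Escalation (TA0004) | Domain or Tenant Policy Modification (T1484) | Group Policy Modification (T1484.001) |
| Privilege Escalation (TA0004) | Exploitation for Privilege Escalation (T1068) | - |
| Defense Evasion (TA0005) | Impair Defenses (T1562) | Disable Windows Event Logging (T1562.002) |
| Defense Evasion (TA0005) | Indicator Removal (T1070) | Timestomp (T1070.006) |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | NTDS (T1003.002) |
| Discovery (TA0007) | Account Discovery (T1087) | Domain Account (T1087.002) |
| Discovery (TA0007) | Network Service Discovery (T1046) | - |
| Discovery (TA0007) | Network Share Discovery (T1135) | - |
| Lateral Movement (TA0008) | Lateral Tool Transfer (T1570) | - |
| Lateral Movement (TA0008) | Remote Services (T1021) | Remote Desktop Protocol (T1021.001) |
| Lateral Movement (TA0008) | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Lateral Movement (TA0008) | Remote Services (T1021) | SSH (T1021.004) |
| Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Exfiltration to Cloud Storage (T1567.002) |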