The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner that allows for the analysis of data across a variety of incidents. This project provides mappings to better connect the who, what, and why captured in VERIS incident representation with the when and how described in MITRE ATT&CK® adversary behavioral tactics and techniques.
VERIS Versions: 1.3.7, 1.3.5 ATT&CK Versions: 12.1, 9.0 ATT&CK Domain: Enterprise, ICS, Mobile
| ID | Capability Group Name | Number of Mappings | Number of Capabilities |
|---|---|---|---|
| action.hacking | action.hacking | 379 | 41 |
| action.malware | action.malware | 337 | 42 |
| attribute.integrity | attribute.integrity | 72 | 10 |
| value_chain.development | value_chain.development | 23 | 10 |
| value_chain.distribution | value_chain.distribution | 18 | 5 |
| value_chain.non-distribution_services | value_chain.non-distribution_services | 12 | 1 |
| value_chain.targeting | value_chain.targeting | 43 | 4 |
| action.social | action.social | 29 | 4 |
This is a very large mapping. To reduce the size, we have only downloaded the first 500 of 913 mappings. Load all data (936.7 KB)
Non-mappable capabilities are either out of scope or unable to be mapped to any
ATT&CK objects
| Capability ID | Capability Description |
|---|---|
| action.misuse.vector.Web application | Web application |
| action.misuse.result.Lateral movement | The misuse action used security access or permissions already acuired |
| action.social.result.Lateral movement | The social action used security access or permissions already acuired |
| action.hacking.variety.SQLi | SQL injection. Child of 'Exploit vuln'. |
| action.hacking.result.Other | The result of the hacking action is not listed |
| action.malware.result.Unknown | The result of the malware action is unknown |
| action.hacking.variety.Special element injection | Special element injection. Child of 'Exploit vuln'. |
| action.social.target.Helpdesk | Helpdesk staff |
| value_chain.non-distribution services.variety.VPN | A VPN service (either formally or informally hosted) is used by the actor to obscure their source |
| action.social.target.Auditor | Auditor |
| action.malware.vector.Email other | Email sub-variety known, but not one of those listed (attachment, link, autoexecute, etc). Child of 'Email' |
| action.social.variety.Baiting | Baiting (planting infected media) |
| action.social.target.Call center | Call center staff |
| action.misuse.variety.Unapproved software | Use of unapproved software or services |
| value_chain.targeting.variety.Partner | The actor used access to a partner to target the victim. |
| value_chain.targeting.variety.Default credentials | Credentials the system came with |
| value_chain.distribution.variety.NA | No type of distribution was necessary |
| action.malware.vector.Unknown | Unknown |
| action.malware.vector.Other | Other |
| action.misuse.variety.Net misuse | Inappropriate use of network or Web access including cloud services |
| action.social.target.System admin | System or network administrator |
| action.social.target.Other employee | Regular employee not otherwise listed. Child of 'End-user or employee' |
| action.hacking.variety.SSI injection | SSI injection. Child of 'Exploit vuln'. |
| action.social.vector.In-person | In-person |
| value_chain.targeting.variety.Other | The variety of targeting was known, but is not listed |
| value_chain.targeting.variety.Unknown | Nothing is known about the need for or type of targeting investment other than it was present. |
| action.hacking.variety.XQuery injection | XQuery injection. Child of 'Exploit vuln'. |
| action.malware.vector.Email autoexecute | Email via automatic execution. Child of 'Email' |
| action.malware.result.Other | The result of the malware action is not listed |
| action.social.vector.IM | Instant messaging |
| action.malware.result.Deploy payload | e.g. cryptomining, ransomware, etc |
| value_chain.non-distribution services.variety.DNS | DNS services including fast flux |
| action.misuse.variety.Knowledge abuse | Abuse of private or entrusted knowledge |
| action.malware.variety.Downloader | Downloader (pull updates or other malware) |
| action.social.vector.Social media | Social media or networking |
| value_chain.distribution.variety.Loader | malware that loads other malware |
| action.social.target.End-user | End-user of the victim's products and/or services. Child of 'End-user or employee' |
| value_chain.non-distribution services.variety.C2 | Command and control. Separate from distribution of mawlare or bots, this is how they are maintained |
| action.hacking.vector.VPN | VPN |
| action.social.variety.Spam | Spam (unsolicited or undesired email and advertisements) |
| action.social.variety.Other | Other |
| action.misuse.variety.Data mishandling | Handling of data in an unapproved manner |
| action.social.target.Former employee | Former employee |
| action.misuse.vector.Physical access | Physical access within corporate facility |
| action.social.variety.Unknown | Unknown |
| value_chain.targeting.variety.Vulnerabilities | Knowledge of software vulnerabilities, both at an organization or associated with a specific vendor's product, used to pick them as a target. |
| action.misuse.variety.Unapproved workaround | Unapproved workaround or shortcut |
| value_chain.non-distribution services.variety.Unknown | Nothing is known about the need for or type of non-distribution service investment other than it was present. |
| action.social.result.Exfiltrate | The social action exfiltrated data from the victim |
| attribute.integrity.variety.Fraudulent transaction | Initiate fraudulent transaction |
| action.hacking.variety.Path traversal | Path traversal. Child of 'Exploit vuln'. |
| action.hacking.vector.Unknown | Unknown |
| action.misuse.vector.Non-corporate | Non-corporate facilities or networks |
| action.social.variety.Propaganda | Propaganda or disinformation |
| attribute.integrity.variety.Other | Other |
| action.malware.result.Exfiltrate | The malware action exfiltrated data from the victim |
| action.hacking.vector.Desktop sharing | Graphical desktop sharing (RDP, VNC, PCAnywhere, Citrix) |
| action.misuse.result.Exfiltrate | The misuse action exfiltrated data from the victim |
| action.social.vector.Documents | Documents |
| action.hacking.variety.Null byte injection | Null byte injection. Child of 'Exploit vuln'. |
| action.social.result.Elevate | The social action resulted in additional security permissions |
| action.social.vector.Removable media | Removable storage media |
| action.social.vector.SMS | SMS or texting |
| action.social.vector.Software | Software |
| action.misuse.vector.LAN access | Local network access within corporate facility |
| action.malware.variety.Other | Other |
| action.malware.result.Elevate | The malware action resulted in additional security permissions |
| action.social.variety.Scam | Online scam or hoax (e.g., scareware, 419 scam, auction fraud) |
| action.social.target.Other | Other |
| value_chain.non-distribution services.variety.Marketplace | Use of a marketplace was required as part of this incident. |
| action.social.variety.Elicitation | Elicitation (subtle extraction of info through conversation) |
| action.social.variety.Bribery | Bribery or solicitation |
| action.social.vector.Website | Website |
| action.hacking.variety.XSS | Cross-site scripting. Child of 'Exploit vuln'. |
| action.hacking.result.NA | The hacking action did not have a result |
| action.misuse.result.Infiltrate | Do not use. Misuse inherently implies having permission so none can be gained. |
| action.misuse.vector.Unknown | Unknown |
| value_chain.distribution.variety.Direct | Distributed directly from the actor's computer |
| action.social.target.Partner | Partner (B2B) |
| action.hacking.vector.Other | Other |
| action.misuse.result.Elevate | Do not use. Misuse inherently implies having permission so none can be elevated. |
| action.social.result.Deploy payload | e.g. cryptomining, ransomware, etc |
| action.social.result.Other | The result of the social action is not listed |
| value_chain.development.variety.NA | No type of development was necessary |
| action.misuse.variety.Email misuse | Inappropriate use of email or IM |
| action.malware.variety.SQL injection | SQL injection attack |
| action.misuse.vector.Remote access | Remote access connection to corporate network (i.e. VPN) |
| action.misuse.variety.Unknown | Unknown |
| action.social.target.Developer | Software developer |
| action.social.result.Infiltrate | The social action resulted in additional security access |
| value_chain.non-distribution services.variety.Hashcracking | i.e. converting hashes into the text that produce them |
| action.misuse.variety.Snap picture | Actor photographs the confidentiality data variety. |
| action.hacking.variety.RFI | Remote file inclusion. Child of 'Exploit vuln'. |
| action.social.target.Unknown | Unknown |
| action.malware.vector.Email | Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' |
| action.hacking.variety.User breakout | Elevation of privilege by another customer in shared environment. Child of 'Exploit vuln'. |
| value_chain.non-distribution services.variety.NA | No type of non-distribution service was necessary |
| action.misuse.result.Other | The result of the misuse action is not listed |
| action.social.target.Maintenance | Maintenance or janitorial staff |
| action.malware.vector.Email unknown | Email but sub-variety (attachment, autoexecute, link, etc) not known. Child of 'Email' |
| action.malware.result.Infiltrate | The malware action resulted in additional security access |
| action.social.target.End-user or employee | End-user or regular employee not otherwise listed. Parent of 'End-user' or 'Other employee' |
| action.hacking.variety.Session prediction | Credential or session prediction. Child of 'Exploit vuln'. |
| value_chain.non-distribution services.variety.Proxy | A proxy service (either formally or informally hosted) is used by the actor to obscure their source |
| action.hacking.variety.Cache poisoning | Cache poisoning. Child of 'Exploit vuln'. |
| action.social.variety.Influence | Influence tactics (Leveraging authority or obligation, framing, etc) |
| action.hacking.result.Lateral movement | The hacking action used security access or permissions already acuired |
| action.hacking.result.Deploy payload | e.g. cryptomining, ransomware, etc |
| action.hacking.result.Elevate | The hacking action resulted in additional security permissions |
| value_chain.non-distribution services.variety.Escrow | Something kept in the custody of a third party until a condition has been fulfilled. |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. |
| action.social.vector.Unknown | Unknown |
| attribute.confidentiality.data_disclosure | |
| action.hacking.result.Unknown | The result of the hacking action is unknown |
| action.social.vector.Phone | Phone |
| action.hacking.variety.Reverse engineering | Reverse engineering. Child of 'Exploit vuln'. |
| action.misuse.variety.Illicit content | Storage or distribution of illicit content |
| action.misuse.vector.Other | Other |
| action.social.vector.Other | Other |
| action.social.result.Unknown | The result of the social action is unknown |
| value_chain.targeting.variety.Misconfigurations | Knowledge of system misconfigurations used to pick an organization as a target |
| action.malware.result.Lateral movement | The malware action used security access or permissions already acuired |
| action.social.target.Human resources | Human resources staff |
| action.hacking.result.Exfiltrate | The hacking action exfiltrated data from the victim |
| value_chain.distribution.variety.Partner | The actor distributed the attack to the victim through a partner, (i.e. supply chain attack). |
| attribute.integrity.variety.Hardware tampering | Hardware tampering or physical alteration |
| action.social.target.Guard | Security guard |
| action.misuse.variety.Possession abuse | Abuse of physical access to asset |
| action.malware.result.NA | The malware action did not have a result |
| action.misuse.result.Deploy payload | e.g. cryptomining, ransomware, etc |
| action.misuse.variety.Unapproved hardware | Use of unapproved hardware or devices |
| action.social.target.Manager | Manager or supervisor |
| value_chain.distribution.variety.Email | Distribution by email including anonymous/one time and spam |
| action.misuse.variety.Other | Other |
| value_chain.targeting.variety.Weaknesses | Knowledge of weaknesses other than vulnerability and misconfigurations used to pick an organization as a target |
| action.social.variety.Extortion | Extortion or blackmail |
| action.hacking.variety.CSRF | Cross-site request forgery. Child of 'Exploit vuln'. |
| value_chain.non-distribution services.variety.Counter AV | Services for testing if malware is detected by anti-virus |
| action.hacking.variety.URL redirector abuse | URL redirector abuse. Child of 'Exploit vuln'. |
| action.hacking.vector.Web application | Web application |
| action.hacking.variety.Other | Other |
| action.malware.variety.Spam | Send spam |
| action.misuse.result.Unknown | The result of the misuse action is unknown |
| value_chain.targeting.variety.NA | No type of targeting was necessary. (This includes targeted.Targeted since the victim was chosen without targeting. |
| action.social.target.Cashier | Cashier, teller or waiter |
| action.social.target.Finance | Finance or accounting staff |
| action.misuse.result.NA | The misuse action did not have a result |
| action.social.target.Executive | Senior staff with legal responsibility such as board members and corporate officers |
| value_chain.distribution.variety.Phone | Distribution over the Plain Old Telephone System (POTS). |
| action.social.target.Customer | Customer (B2C) |
| attribute.integrity.variety.Software installation | Software installation or code modification |
| action.hacking.variety.Mail command injection | Mail command injection. Child of 'Exploit vuln'. |
| action.hacking.variety.Session replay | Session replay. Child of 'Exploit vuln'. |
| action.misuse.variety.Privilege abuse | Abuse of system access privileges |
| action.social.result.NA | The social action did not have a result |
| action.hacking.result.Infiltrate | The hacking action resulted in additional security access |
