Summiting the Pyramid v3.0.0¶

Summiting the Pyramid is a research project focused on engineering cyber analytics to make adversary evasion more difficult. This project is created and maintained by the MITRE Center for Threat-Informed Defense in futherance of our mission to advance the state of the art and the state of the practice in threat-informed defense globally.
Important
What’s New In V3:
In version 3.0, we updated and improved the project in the following ways!
Defined a framework for deriving malicious intent for ambiguous techniques.
Identified a method to employ co-occuring techniques to support chained analytic development.
Developed a context-based methodology for deriving malicious intent when engineering robust analytics with lower false positive rates.
Contents
- Overview
- Introduction
- Definitions
- Summiting Levels
- Level 5: Core to Sub-Technique or Technique
- Level 4: Core to Some Implementations of (Sub-)Technique
- Level 3: Core to Pre-Existing Tools or Inside Boundary
- Level 2: Core to Adversary-Brought Tool or Outside Boundary
- Level 1: Ephemeral Values
- Column A: Application
- Column U: User-Mode
- Column K: Kernel-Mode
- Column P: Payload Visibility
- Column H: Header Visibility
- Observables Quick Search
- Combining Observables
- Context to Determine Intent
- Chaining Analytics
- Example Mappings
- How to Score Resistance to Adversary Evasion Over Time
- Analytics Repository
- Access Token Abuse
- ADFind
- Archive Collected Data
- Domain Account Discovery
- Executable (EXE) File Download from a WebDAV Server
- File Creation Date Changed to Another Year
- File & Directory Discovery
- Link (LNK) File Download Containing a WebDAV UNC Hyperlink
- LSASS Memory
- Remote Registry Management Using Reg Utility
- Service Registry Permissions Weakness Check
- Scheduled Task/Job
- Zeek DCE-RPC MITRE BZAR Execution
- Components of a Robust Detection
- How to Build a Robust Detection
- Detection Decomposition Diagram (D3)
- Changelog
Notice¶
© 2023, 2024, 2025 MITRE. Approved for public release. Document number(s) CT0078, CT0128, 25-1550.
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®: ATT&CK Terms of Use