Summiting The Pyramid v2.0.0

The Center for Threat-Informed Defense

Contents

  • Overview
  • Introduction
  • Definitions
  • Model Mapping Pages
    • Level 5: Core to Sub-Technique or Technique
    • Level 4: Core to Some Implementations of (Sub-)Technique
    • Level 3: Core to Pre-Existing Tools or Inside Boundary
    • Level 2: Core to Adversary-Brought Tool or Outside Boundary
    • Level 1: Ephemeral Values
    • Column A: Application
    • Column U: User-Mode
    • Column K: Kernel-Mode
    • Column P: Payload Visibility
    • Column H: Header Visibility
    • Observables Quick Search
  • Combining Observables
  • Example Mappings
  • How to Score Resistance to Adversary Evasion Over Time
  • Analytics Repository
    • Suspicious ADFind
    • Scheduled Task/Job
    • Service Registry Permissions Weakness Check
    • Potential Access Token Abuse
    • Executable (EXE) File Download from a WebDAV Server
    • Link (LNK) File Download Containing a WebDAV UNC Hyperlink
    • Remote Registry Management Using Reg Utility
    • File Creation Date Changed to Another Year
    • Zeek DCE-RPC MITRE BZAR Execution
  • Components of a Robust Detection
  • How to Build a Robust Detection
  • Detection Decomposition Diagram (D3)
  • Future Work
  • Acknowledgements
  • Changelog


The Center for Threat-Informed Defense

The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization. Our mission is to advance the state of the art and the state of the practice in threat-informed defense globally.

Related Sites

  • Measure, Maximize, and Mature Threat-Informed Defense
  • Sensor Mappings to ATT&CK

© 2023, 2024 MITRE. Approved for public release. Document number(s) CT0078, CT0128.