MITRE ATT&CK Analyzer
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, based on real-world observations.
The ATT&CK knowledge base serves as the foundation for developing specific threat models and methodologies. These threat models and methodologies hold significance across various sectors, including private industry and government organizations, and they form a cornerstone for communities dedicated to cybersecurity products and services.
ATT&CK is an open platform; its integration into AIR adds value by using up-to-date YARA rules to detect potential IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures).
DRONE's MITRE ATT&CK implementation uses YARA scanning across various folders on the asset and across the running processes. These scans are carried out with rules that the Binalyze threat-hunting DFIR team has crafted, and AIR will check for updated rules every couple of hours. New rules will be pushed automatically to the AIR installation.
The DFIR team also defines the scan locations. Here are a few examples:
Recycle bin folders
User folders and sub-directories
Temp directories
Program Files directories
System32 directory
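The file-system side of the scan described above (YARA rules applied to files under a set of scan locations, each hit reported with the ATT&CK technique tagged in the rule), as an added example that is not Binalyze's DRONE/AIR code and not the real YARA engine. It implements only a small YARA subset: text strings with `nocase`, hex strings with `??` wildcards, and `any/all/N of them` conditions. The two rules, the `Users`/`Windows` directory layout, the file contents, the `technique` meta key and the 32 MiB size cap are all constructed or assumed for the demonstration; scanning running processes is out of scope here.

```python
"""Minimal YARA-style scan over scan locations: added example, not Binalyze DRONE/AIR
code nor the real YARA engine; it implements only a small YARA subset, offline."""
import os
import re
import tempfile
from pathlib import Path

def _compile_string(body):
    """One YARA string: '{ 4D 5A ?? 00 }' (?? = any byte) or '"text" [nocase]'."""
    if body.startswith("{"):
        parts = [b"." if t == "??" else re.escape(bytes.fromhex(t))
                 for t in re.findall(r"[0-9A-Fa-f]{2}|\?\?", body)]
        return re.compile(b"".join(parts), re.DOTALL)
    m = re.match(r'"((?:[^"\\]|\\.)*)"\s*(.*)', body)
    literal = m.group(1).encode().decode("unicode_escape").encode("latin-1")
    return re.compile(re.escape(literal), re.IGNORECASE if "nocase" in m.group(2) else 0)

def parse_rules(text):
    """Line-oriented parser; each rule -> {"name", "meta", "strings", "condition"}."""
    rules, rule, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line in ("{", "}"):
            continue
        m = re.match(r"rule\s+(\w+)", line)
        if m:
            rules.append(rule := {"name": m.group(1), "meta": {}, "strings": {}, "condition": ""})
        elif line in ("meta:", "strings:", "condition:"):
            section = line[:-1]
        elif section in ("meta", "strings"):
            k, v = (s.strip() for s in line.split("=", 1))
            rule[section][k] = _compile_string(v) if section == "strings" else v.strip('"')
        elif section == "condition":
            rule["condition"] = line
    return rules

def scan_bytes(rules, data):
    """Rules whose condition holds: any -> 1, all -> every string, N -> at least N matches."""
    hits = []
    for rule in rules:
        m = re.fullmatch(r"(any|all|\d+) of them", rule["condition"].lower())
        if not m:
            raise ValueError(f"unsupported condition: {rule['condition']!r}")
        need = int({"any": 1, "all": len(rule["strings"])}.get(m.group(1), m.group(1)))
        if sum(1 for rx in rule["strings"].values() if rx.search(data)) >= need:
            hits.append(rule)
    return hits

def scan_tree(rules, root, max_bytes=32 * 1024 * 1024):
    """Walk one scan location; return sorted (relative path, rule name, technique)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:  # assumed cap; huge files are skipped
                    continue
                data = Path(path).read_bytes()
            except OSError:
                continue  # locked or unreadable; a real scanner would log this
            for rule in scan_bytes(rules, data):
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"),
                                 rule["name"], rule["meta"].get("technique", "")))
    return sorted(findings)

# Constructed sample rules (not Binalyze's); the technique tags are real ATT&CK IDs.
SAMPLE_RULES = r'''
rule Encoded_PowerShell_Launcher {
    meta:
        technique = "T1059.001"
    strings:
        $a = "powershell" nocase
        $b = "-enc " nocase
    condition:
        2 of them
}
rule PE_Header_In_Temp {
    meta:
        technique = "T1105"
    strings:
        $mz = { 4D 5A ?? 00 03 00 }
    condition:
        all of them
}
'''

def run_demo():
    """Scan a constructed tree mimicking two of the scan locations listed above."""
    sample_files = {  # constructed contents, not real artefacts
        "Users/alice/AppData/Local/Temp/update.ps1": b"powershell.exe -NoProfile -enc AAAA\n",
        "Windows/Temp/svc.tmp": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample_files.items():
            target = Path(root, *rel.split("/"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_tree(parse_rules(SAMPLE_RULES), root)
```

Calling `run_demo()` returns one finding per (file, rule) pair, each carrying the technique from the rule's `meta` block, which is the shape of data an ATT&CK-mapped result needs. Two points carry over to a real deployment: files that are locked or unreadable at scan time are silently skipped here, so a production scanner should record them rather than drop them, and a rule with an unsupported condition fails loudly instead of being treated as a non-match.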
Read more about how AIR uses our MITRE ATT&CK integration to deliver insights here: Focus investigations with MITRE ATT&CK insights