MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, based on real-world observations.

The ATT&CK knowledge base is used as the foundation for the development of specific threat models and methodologies. These threat models and methodologies hold significance across various sectors such as private industry and government organizations, and they form a cornerstone for the communities dedicated to cybersecurity products and services.

ATT&CK is an open platform and its integration into AIR delivers additional benefits by utilizing up-to-the-minute YARA rules for detecting potential IoCs (Indicators of Compromise) or TTPs (Tactics, Techniques, and Procedures).

DRONE's MITRE ATT&CK implementation uses YARA scanning across various folders on the asset and across the running processes. These scans are carried out with rules that the Binalyze threat-hunting DFIR team has crafted and AIR will check for updated rules every couple of hours. New rules will be pushed automatically to the AIR installation.

Scan locations are also defined by the DFIR team, here are a few examples;

  • Recycle bin folders

  • User folders and sub-directories

  • Temp directories

  • Program Files directories

  • System32 directory

The MITRE ATT&CK scanner runs on the actual asset and is not concerned with the associated triage or acquisition tasking. Nor is it scanning the collected data or case report.

Read more about how AIR uses our MITRE ATT&CK integration to deliver insights here; Focus investigations with MITRE ATT&CK insights

Last updated