Skip to content

Hide Navigation Hide TOC

Edit

Tidal Tactic

Tidal Tactic Cluster

Authors
Authors and/or Contributors
Tidal Cyber

Reconnaissance

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

Internal MISP references

UUID 2706dc98-724b-4cf0-84b6-56cc20b0698e which can be used as unique global reference for Reconnaissance in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 1
source MITRE
tactic_attack_id TA0043
Related clusters

To see the related clusters, click here.

Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Internal MISP references

UUID 989d09c2-12b8-4419-9b34-a328cf295fff which can be used as unique global reference for Resource Development in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 2
source MITRE
tactic_attack_id TA0042
Related clusters

To see the related clusters, click here.

Initial Access

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Internal MISP references

UUID 586a5b49-c566-4a57-beb4-e7c667f9c34c which can be used as unique global reference for Initial Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 3
source MITRE
tactic_attack_id TA0001
Related clusters

To see the related clusters, click here.

Execution

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Internal MISP references

UUID dad2337d-6d35-410a-acc5-da36ff83ee44 which can be used as unique global reference for Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 4
source MITRE
tactic_attack_id TA0002
Related clusters

To see the related clusters, click here.

Persistence

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Internal MISP references

UUID ec4f9786-c00c-430a-bc6d-0d0d22fdd393 which can be used as unique global reference for Persistence in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 5
source MITRE
tactic_attack_id TA0003
Related clusters

To see the related clusters, click here.

Privilege Escalation

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with access to specific system or perform specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Internal MISP references

UUID b17dde68-dbcf-4cfd-9bb8-be014ec65c37 which can be used as unique global reference for Privilege Escalation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 6
source MITRE
tactic_attack_id TA0004
Related clusters

To see the related clusters, click here.

Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Internal MISP references

UUID 8e29c6c9-0c10-4bb0-827d-ff0ab8922726 which can be used as unique global reference for Defense Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 7
source MITRE
tactic_attack_id TA0005
Related clusters

To see the related clusters, click here.

Credential Access

The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Internal MISP references

UUID 0c3132d5-c0df-4793-b5f2-1a95bd64ab53 which can be used as unique global reference for Credential Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 8
source MITRE
tactic_attack_id TA0006
Related clusters

To see the related clusters, click here.

Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Internal MISP references

UUID ee7e5a85-a940-46e4-b408-12956f3baafa which can be used as unique global reference for Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 9
source MITRE
tactic_attack_id TA0007
Related clusters

To see the related clusters, click here.

Lateral Movement

The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Internal MISP references

UUID 50ba4930-7c8e-4ef9-bc36-70e7dae661eb which can be used as unique global reference for Lateral Movement in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 10
source MITRE
tactic_attack_id TA0008
Related clusters

To see the related clusters, click here.

Collection

The adversary is trying to gather data of interest to their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Internal MISP references

UUID 1ca65327-b553-4923-ae19-8e6987ca250a which can be used as unique global reference for Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 11
source MITRE
tactic_attack_id TA0009
Related clusters

To see the related clusters, click here.

Command and Control

The adversary is trying to communicate with compromised systems to control them.

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

Internal MISP references

UUID 94ffe549-1c29-438d-9c7f-e27f7acee0bb which can be used as unique global reference for Command and Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 12
source MITRE
tactic_attack_id TA0011
Related clusters

To see the related clusters, click here.

Exfiltration

The adversary is trying to steal data.

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Internal MISP references

UUID 66249a6d-be4e-43ab-a295-349d03a98023 which can be used as unique global reference for Exfiltration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 13
source MITRE
tactic_attack_id TA0010
Related clusters

To see the related clusters, click here.

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Internal MISP references

UUID 52c0edbc-ce4d-429a-b1d5-720403e0172f which can be used as unique global reference for Impact in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
ordinal_position 14
source MITRE
tactic_attack_id TA0040
Related clusters

To see the related clusters, click here.