MITRE ATT&CK mapping
Definition
The process of classifying observed malware behaviours against the MITRE ATT&CK framework's taxonomy of adversary tactics and techniques. Sandbox platforms increasingly produce ATT&CK-tagged reports, allowing investigators to compare sample behaviour against known threat-actor TTPs.
Related terms
- API hooking
- A monitoring technique in which the sandbox intercepts calls the malware makes to operating-system API functions. Each intercepted call is logged with...
- Behavioural analysis
- The examination of what a program does at runtime rather than what its code says at rest. Behavioural analysis captures the actual...
- Evasion detection
- Malware logic that checks whether the execution environment is a real host or an analysis sandbox. Checks may query hardware identifiers, count...
- Network indicator
- A network-based artefact produced by malware at runtime, such as a DNS query, an IP address contacted, an HTTP request path, a...
- Sandbox
- An isolated execution environment, typically a virtual machine, where a malware sample runs under full instrumentation. The sandbox logs all system calls,...
Explained in
- Dynamic Malware Analysis and Sandbox Environments