271 defences2,365 crosswalks

D3FENDD3FEND defensive matrix

7 tactics · 271 defensive techniques · 2,365 defends_against crosswalks to MITRE ATT&CK. Authored by Adam Lundqvist.

TACTICModelHardenDetectIsolateDeceiveEvictRestoreLEVELTechniqueSub-technique
ATT&CK coverage
0
1
2-3
4-5
6+

MODModel0 techniques

HARHarden0 techniques

DETDetect68 techniques

D3-PM
Platform Monitoring
D3-FA
File Analysis
D3-FCOA
File Content Analysis
D3-FH
File Hashing
D3-FIM
File Integrity Monitoring
D3-UBA
User Behavior Analysis
D3-NTA
Network Traffic Analysis
D3-APCA
Application Protocol Command Analysis
D3-CSPP
Client-server Payload Profiling
D3-NTCD
Network Traffic Community Deviation
D3-NTSA
Network Traffic Signature Analysis
D3-PHDURA
Per Host Download-Upload Ratio Analysis
D3-PMAD
Protocol Metadata Anomaly Detection
D3-RTSD
Remote Terminal Session Detection
D3-UGLPA
User Geolocation Logon Pattern Analysis
D3-PA
Process Analysis
D3-OSM
Operating System Monitoring
D3-SCA
System Call Analysis
D3-DA
Dynamic Analysis
D3-EFA
Emulated File Analysis
D3-PSA
Process Spawn Analysis
D3-RPA
Relay Pattern Analysis
D3-CCSA
Credential Compromise Scope Analysis
D3-CAA
Connection Attempt Analysis
D3-APM
Application Performance Monitoring
D3-PSMD
Process Self-Modification Detection
D3-OPM
Operational Process Monitoring
D3-ANAA
Administrative Network Activity Analysis
D3-HD
Homoglyph Detection
D3-ID
Identifier Analysis
D3-PCSV
Process Code Segment Verification
D3-CA
Certificate Analysis
D3-ISVA
Inbound Session Volume Analysis
D3-DAM
Domain Account Monitoring
D3-SSC
Shadow Stack Comparisons
D3-FBA
Firmware Behavior Analysis
D3-FEMC
Firmware Embedded Monitoring Code
D3-FV
Firmware Verification
D3-IAA
Identifier Activity Analysis
D3-IRA
Identifier Reputation Analysis
D3-MA
Message Analysis
D3-SMRA
Sender MTA Reputation Analysis
D3-SRA
Sender Reputation Analysis
D3-UA
URL Analysis
D3-DNSTA
DNS Traffic Analysis
D3-LAM
Local Account Monitoring
D3-FC
File Carving
D3-DQSA
Database Query String Analysis
D3-IPCTA
IPC Traffic Analysis
D3-PHAM
Physical Access Monitoring
D3-RTA
RPC Traffic Analysis
D3-VS
Video Surveillance
D3-ANET
Authentication Event Thresholding
D3-AZET
Authorization Event Thresholding
D3-BSE
Byte Sequence Emulation
D3-ELM
Electronic Lock Monitoring
D3-FAPA
File Access Pattern Analysis
D3-IBCA
Indirect Branch Call Analysis
D3-JFAPA
Job Function Access Pattern Analysis
D3-MSM
Motion Sensor Monitoring
D3-OMM
Operating Mode Monitoring
D3-PSM
Proximity Sensor Monitoring
D3-PUM
Platform Uptime Monitoring
D3-RAPA
Resource Access Pattern Analysis
D3-SDA
Session Duration Analysis
D3-SEA
Script Execution Analysis
D3-UDTA
User Data Transfer Analysis
D3-WSAA
Web Session Activity Analysis

ISOIsolate0 techniques

DECDeceive11 techniques

D3-DO
Decoy Object
D3-DF
Decoy File
D3-DUC
Decoy User Credential
D3-DNR
Decoy Network Resource
D3-CHN
Connected Honeynet
D3-DE
Decoy Environment
D3-IHN
Integrated Honeynet
D3-SHN
Standalone Honeynet
D3-DP
Decoy Persona
D3-DPR
Decoy Public Release
D3-DST
Decoy Session Token

EVIEvict15 techniques

D3-OE
Object Eviction
D3-FEV
File Eviction
D3-CE
Credential Eviction
D3-PE
Process Eviction
D3-ANCI
Authentication Cache Invalidation
D3-CR
Credential Revocation
D3-AL
Account Locking
D3-HS
Host Shutdown
D3-PS
Process Suspension
D3-PT
Process Termination
D3-ST
Session Termination
D3-DKF
Disk Formatting
D3-RKD
Registry Key Deletion
D3-DNSCE
DNS Cache Eviction
D3-DRT
Domain Registration Takedown

RESRestore0 techniques

Sourced from MITRE D3FEND ontology. Cross-walks ingested via the D3FEND CSV feed. Curated by Adam Lundqvist, Founder at SQUR.
D3FEND defensive matrix | SQUR Knowledge Base