• caglararli@hotmail.com
  • 05386281520

MITRE ATT&CK Design and Philosophy doc: "Process hollowing sub-technique can’t be under Priviledge Escalation tactic"

Çağlar Arlı      -    43 Views

MITRE ATT&CK Design and Philosophy doc: "Process hollowing sub-technique can’t be under Priviledge Escalation tactic"

I'm new to the MITRE ATT&CK framework, and am familiarizing myself with it by reading the Design and philosophy document (2020).

I'm not sure if the, boldfaced part of the, following passage (p.13) is outdated, an error or if I'm just misinterpreting it:

As long as a sub-techniques conceptually falls under a technique (e.g. sub-techniques that are conceptually a type of process injection will be under process injection), each sub-technique can contribute to which tactics a technique is a part of but are not required to fulfill every parent technique’s tactic (i.e. the Process Hollowing sub-technique can be used for Defense Evasion but not Privilege Escalation even though the Process Injection technique covers both tactics).

In the MITRE Enterprise Matrix, the Process Hollowing sub-technique does appear to fall under the Priviledge Escalation tactic --- under the Process Injection technique, as opposed to the assertion of the boldfaced part of the passage above; it is part of both the Priviledge Escalation and Defense Evasion tactics.