APT3 Evaluation: Technique Scope
For the APT3 evaluation, we tested 56 Enterprise ATT&CK techniques across 10 ATT&CK tactics. The Initial Access tactic was considered out of scope for the APT3 evaluation. The in-scope techniques for the APT3 evaluation are displayed below and are also highlighted in each vendor’s results page.
We divided the tested techniques into “Primary” techniques and “Enabling” techniques. Execution of many of the techniques required one of Command-Line Interface, Execution through API, or PowerShell. We considered these to be “Enabling” techniques for the evaluation, and we generally did not capture detections directly associated with their execution (except in cases where one of those techniques was itself the behavior under test, such as “RunAs”). Instead, we focused on the Primary technique that was performed, rather than the mechanism of execution (which was considered the Enabling technique). For example, if Process Discovery was performed via Command-Line Interface, we captured detections for Process Discovery but not for Command-Line Interface.
You can view the in-scope techniques for the APT3 evaluation in the ATT&CK Navigator by loading the layer file we made available here. A preview is shown below; the techniques in scope for the APT3 evaluation are highlighted in green.
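The two ideas above, crediting detections to the Primary technique rather than the Enabling mechanism, and highlighting in-scope techniques in a Navigator layer, can be made concrete in a few lines. The following is an added example and is not the evaluation's own tooling or layer file: the technique IDs use the pre-sub-technique ATT&CK numbering of that era (T1059 Command-Line Interface, T1106 Execution through API, T1086 PowerShell, T1057 Process Discovery), the in-scope set is a small constructed subset rather than the real 56 techniques, and the layer fields follow the Navigator layer JSON schema of that period (an assumption about exact field names).

```python
"""Credit detections to Primary techniques and emit an ATT&CK Navigator
layer.  Added example; the in-scope list is a constructed subset."""
import json

# Enabling techniques: execution mechanisms that are not credited unless the
# step's behaviour under test is that technique itself (e.g. a "RunAs" step).
# IDs are the pre-sub-technique ATT&CK IDs in use at the time (assumption).
ENABLING = {
    "T1059": "Command-Line Interface",
    "T1106": "Execution through API",
    "T1086": "PowerShell",
}

# Constructed subset of in-scope techniques (not the evaluation's real list).
IN_SCOPE = {
    "T1057": "Process Discovery",
    "T1082": "System Information Discovery",
    "T1134": "Access Token Manipulation",
    **ENABLING,
}


def attribute(step):
    """Return the set of technique IDs to credit for one procedure step.

    step["under_test"] is the technique the step exercises; step["observed"]
    lists every technique ID a sensor reported for that step.  Enabling
    techniques are dropped unless they are the behaviour under test, and
    anything outside the in-scope set is ignored.
    """
    credited = set()
    for tid in step["observed"]:
        if tid in ENABLING and tid != step["under_test"]:
            continue  # mechanism of execution, not the Primary technique
        if tid in IN_SCOPE:
            credited.add(tid)
    return credited


def navigator_layer(name, in_scope, color="#00ff00"):
    """Build a Navigator layer dict that highlights in-scope techniques."""
    return {
        "name": name,
        "version": "2.1",              # legacy layer-format version (assumption)
        "domain": "mitre-enterprise",  # legacy domain name (assumption)
        "description": "In-scope techniques (constructed subset)",
        "techniques": [
            {"techniqueID": tid, "color": color, "enabled": True, "comment": desc}
            for tid, desc in sorted(in_scope.items())
        ],
    }


if __name__ == "__main__":
    # Constructed sample steps: Process Discovery via cmd.exe, and a step whose
    # tested behaviour is the Command-Line Interface itself.
    steps = [
        {"under_test": "T1057", "observed": ["T1059", "T1057"]},
        {"under_test": "T1059", "observed": ["T1059"]},
    ]
    for s in steps:
        print(s["under_test"], "->", sorted(attribute(s)))
    print(json.dumps(navigator_layer("APT3 scope (example)", IN_SCOPE), indent=2))
```

Save the printed JSON to a file and open it in the Navigator to see the highlighted techniques; swap `IN_SCOPE` for the evaluation's published list to reproduce the real layer.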