【安全框架】MITRE ATT&CK

Reconnaissance 侦察	Resource Development 资源扩展	Initial Access 最初入口	Execution 执行攻击	Persistence 持续性控制	Privilege Escalation 权限提升	Defense Evasion 躲避防御机制	Credential Access 获取合法凭证访问	Discovery 查看信息	Lateral Movement 横向权限扩展	Collection 收集信息	Command and Control 命令控制	Exfiltration 信息窃取	Impact
Active Scanning	Acquire Infrastructure	Drive-by Infrastructure	Command and Scripting Interpreter	Account Manipulation	Abuse Elevation Control Mechanism	Abuse Elevation Control Mechanism	Adversary-in-the-Middle	Account Discovery	Exploitation of Remote Services	Adversary-in-the-Middle	Application Layer Protocol	Automated Exfiltration	Account Access Removal
Gather Victim Host Information	Compromise Accounts	Exploit Public-Facing Application	Container Administration Command	BITS Jobs	Access Token Manipulation	Access Token Manipulation	Brute Force	Application Windows Discovery	Internal Spearphishing	Archive Collected Data	Communication Through Removable Media	Data Transfer Size Limits	Data Destruction
Gather Victim Identity Information	Compromise Infrastructure	External Remote Services	Deploy Container	Boot or Logon Autostart Execution	Boot or Logon Autostart Execution	BITS Jobs	Credentials from Password Stores	Browser Bookmark Discovery	Lateral Tool Transfer	Audio Capture	Data Encoding	Exfiltration Over Alternative Protocol	Data Encrypted for Impact
Gather Victim Network Information	Develop Capabilities	Hardware Additions	Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Build Image on Host	Exploitation for Credential Access	Cloud Service Dashboard	Remote Service Session Hijacking	Automated Collection	Data Obfuscation	Exfiltration Over C2 Channel	Data Manipulation
Gather Victim Org Information	Eastablish Accounts	Phishing	Inter-Process Communication	Browser Extensions	Create or Modify System Process	Debugger Evasion	Forced Authentication	Cloud Service Discovery	Remote Services	Browser Session Hijacking	Dynamic Resolution	Exfiltration Over Other Network Medium	Defacement
Phishing for Information	Obtain Capabilities	Replication Through Removable Media	Native API	Compromise Client Software Binary	Domain Policy Modification	Deobfuscate/Decode Files or Information	Forge Web Credentials	Cloud Storage Object Discovery	Replication Through Removable Media	Clipboard Data	Encrypted Channel	Exfiltration Over Physical Medium	Disk Wipe
Search Closed Sources	Stage Capabilities	Supply Chain Compromise	Scheduled Task/Job	Create Account	Escape to Host	Deploy Container	Input Capture	Container and Resource Discovery	Software Deployment Tools	Data from Cloud Storage	Fallback Channels	Exfiltration Over Web Service	Endpoint Denial of Service
Search Open Technical Databases		Trusted Relationship	Serverless Execution	Create or Modify System Process	Event Triggered Execution	Direct Volume Access	Modify Authentication Process	Debugger Evasion	Taint Shared Content	Data from Configuration Repository	Ingress Tool Transfer	Scheduled Transfer	Firmware Corruption
Search Open Websites/Domains		Valid Accounts	Shared Modules	Event Triggered Execution	Exploitation for Privilege Escalation	Domain Policy Modification	Multi-Factor Authentication Interception	Domain Trust Discovery	Use Alternate Authentication Material	Data from Informatoin Repositories	Multi-Stage Channels	Transfer Data to Cloud Account	Inhibit System Recovery
Search Victim-Owned Websites			Software Deployment Tools	External Remote Services	Hijack Execution Flow	Execution Guardrails	Multi-Factor Authentication Request Generation	File and Directory Discovery		Data from Information Repositories	Non-Application Layer Protocol		Network Denial of Service
			System Services	Hijack Execution Flow	Process Injection	Exploitation for Defense Evasion	Network Sniffing	Group Policy Discovery		Data from Local System	Non-Standard Port		Resource Hijacking
			User Execution	Implant Internal Image	Scheduled Task/Job	File and Directory Permissions Modification	OS Credential Dumping	Network Service Discovery		Data from Network Shared Drive	Protocol Tunneling		Service Stop
			Windows Management Instrumentation	Modify Authentication Process	Valid Accounts	Hide Artifacts	Steal Application Access Token	Network Share Discovery		Data from Removable Media	Proxy		System Shutdown/Reboot
				Modify Cloud Compute Infrastructure		Hijack Execution Flow	Steal or Forge Authentication Certificates	Network Sniffing		Data Staged	Remote Access Software
				Modify Registry		Impair Defenses	Steal or Forge Kerberos Tickets	Password Policy		Email Collection	Traffic Signaling
				Modify System Image		Indicator Removal	Steal web Session Cookie	Peripheral Device Discovery		Input Capture	Web Service
				Network Boundary Bridging		Indirect Command Execution	Unsecured Credentials	Permission Groups Discovery		Screen Capture
				Obfuscated Files or Information		Masquerading		Process Discovery		Video Capture
				Plist File Modification		Modify Authentication Process		Query Registry
				Pre-OS Boot		Modify Cloud Compute Infrastructure		Remote System Discovery
				Process Injection		Modify Registry		Software Discovery
						Modify System Image		System Information Discovery
						Network Boundary Bridging		System Network Configuration Discovery
						Obfuscated Files or Information		System Network Connections Discovery
						Plist File Modification		System Owner/User Discovery
						Pre-OS Boot		System Service Discovery
						Process Injection		System Time Discovery
						Reflective Code Loading		Virtualization/Sandbox Evasion
						Rogue Domain Controller
						Rootkit
						Subvert Trust Controls
						System Binary Proxy Execution
						System Script Proxy Execution
						Template Injection
						Traffice Signaling
						Trusted Developer Utilities Proxy Execution
						Unused/Unsupported Cloud Regions
						Use Alternate Authentication Material
						Valid Accounts
						Virtualization/Sandbox Evasion
						Weaken Encryption
						XLS Script Processing

因为攻击手法千奇百怪，所以暂时先从常见的入手：

Non-Standard Port

Non-Standard Port, Technique T1571 - Enterprise | MITRE ATT&CK®

Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.