Esc
Trusted Relationship - T1199
(ATT&CK® Technique)
Definition
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1199["Trusted Relationship"] --> |creates| LoginSession["Login Session"]; class T1199 OffensiveTechniqueNode;
class LoginSession ArtifactNode; click LoginSession href "/dao/artifact/d3f:LoginSession";
click T1199 href "/offensive-technique/attack/T1199/"; click LoginSession href "/dao/artifact/d3f:LoginSession"; T1199["Trusted Relationship"] --> |produces| IntranetNetworkTraffic["Intranet Network Traffic"]; class T1199 OffensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic";
click T1199 href "/offensive-technique/attack/T1199/"; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1199["Trusted Relationship"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; SessionTermination["Session Termination"] -->
| deletes | LoginSession["Login Session"];
SessionTermination["Session Termination"] -.->
| may-evict | T1199["Trusted Relationship"] ;
class SessionTermination DefensiveTechniqueNode;
class LoginSession ArtifactNode;
click SessionTermination href "/technique/d3f:SessionTermination"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetNetworkTraffic["Intranet Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1199["Trusted Relationship"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";