Home/D3FEND
D3FEND

D3FEND defensive techniques

149 countermeasures from MITRE's defensive catalog
D3FEND is the defensive counterpart to ATT&CK. It describes what defenders can do to detect, isolate, deceive, evict, harden, and recover from each attack technique. Use it to map defenses to specific adversary behaviors.
Category Detect Isolate Deceive Evict Harden Restore Model all

Defensive techniques

149
D3-DecoyEnvironment
Decoy Environment
Deceive
D3-DecoyFile
Decoy File
Deceive
D3-DecoyNetworkResource
Decoy Network Resource
Deceive
D3-DecoyUserCredential
Decoy User Credential
Deceive
D3-AdministrativeNetworkActivityAnalysis
Administrative Network Activity Analysis
Detect
D3-ApplicationExceptionMonitoring
Application Exception Monitoring
Detect
D3-ApplicationProtocolCommandAnalysis
Application Protocol Command Analysis
Detect
D3-CertificateAnalysis
Certificate Analysis
Detect
D3-Client-serverPayloadProfiling
Client-server Payload Profiling
Detect
D3-ConnectionAttemptAnalysis
Connection Attempt Analysis
Detect
D3-CredentialCompromiseScopeAnalysis
Credential Compromise Scope Analysis
Detect
D3-DNSTrafficAnalysis
D N S Traffic Analysis
Detect
D3-DatabaseQueryStringAnalysis
Database Query String Analysis
Detect
D3-DomainAccountMonitoring
Domain Account Monitoring
Detect
D3-DynamicAnalysis
Dynamic Analysis
Detect
D3-EmulatedFileAnalysis
Emulated File Analysis
Detect
D3-EndpointHealthBeacon
Endpoint Health Beacon
Detect
D3-FileAnalysis
File Analysis
Detect
D3-FileCarving
File Carving
Detect
D3-FileCreationAnalysis
File Creation Analysis
Detect
D3-FileIntegrityMonitoring
File Integrity Monitoring
Detect
D3-FirmwareBehaviorAnalysis
Firmware Behavior Analysis
Detect
D3-FirmwareEmbeddedMonitoringCode
Firmware Embedded Monitoring Code
Detect
D3-FirmwareVerification
Firmware Verification
Detect
D3-HomoglyphDetection
Homoglyph Detection
Detect
D3-IPCTrafficAnalysis
I P C Traffic Analysis
Detect
D3-IdentifierActivityAnalysis
Identifier Activity Analysis
Detect
D3-InboundSessionVolumeAnalysis
Inbound Session Volume Analysis
Detect
D3-InputDeviceAnalysis
Input Device Analysis
Detect
D3-LocalAccountMonitoring
Local Account Monitoring
Detect
D3-MemoryBoundaryTracking
Memory Boundary Tracking
Detect
D3-NetworkTrafficCommunityDeviation
Network Traffic Community Deviation
Detect
D3-NetworkTrafficSignatureAnalysis
Network Traffic Signature Analysis
Detect
D3-OperationalProcessMonitoring
Operational Process Monitoring
Detect
D3-PerHostDownload-UploadRatioAnalysis
Per Host Download- Upload Ratio Analysis
Detect
D3-ProcessCodeSegmentVerification
Process Code Segment Verification
Detect
D3-ProcessLineageAnalysis
Process Lineage Analysis
Detect
D3-ProcessSelf-ModificationDetection
Process Self- Modification Detection
Detect
D3-ProcessSpawnAnalysis
Process Spawn Analysis
Detect
D3-ProtocolMetadataAnomalyDetection
Protocol Metadata Anomaly Detection
Detect
D3-RPCTrafficAnalysis
R P C Traffic Analysis
Detect
D3-RelayPatternAnalysis
Relay Pattern Analysis
Detect
D3-RemoteTerminalSessionDetection
Remote Terminal Session Detection
Detect
D3-ScheduledJobAnalysis
Scheduled Job Analysis
Detect
D3-SenderMTAReputationAnalysis
Sender M T A Reputation Analysis
Detect
D3-SenderReputationAnalysis
Sender Reputation Analysis
Detect
D3-ServiceBinaryVerification
Service Binary Verification
Detect
D3-ShadowStackComparisons
Shadow Stack Comparisons
Detect
D3-SystemCallAnalysis
System Call Analysis
Detect
D3-SystemDaemonMonitoring
System Daemon Monitoring
Detect
D3-SystemFileAnalysis
System File Analysis
Detect
D3-SystemFirmwareVerification
System Firmware Verification
Detect
D3-SystemInitConfigAnalysis
System Init Config Analysis
Detect
D3-URLAnalysis
U R L Analysis
Detect
D3-URLReputationAnalysis
U R L Reputation Analysis
Detect
D3-UserGeolocationLogonPatternAnalysis
User Geolocation Logon Pattern Analysis
Detect
D3-UserSessionInitConfigAnalysis
User Session Init Config Analysis
Detect
D3-VideoSurveillance
Video Surveillance
Detect
D3-AccountLocking
Account Locking
Evict
D3-AuthenticationCacheInvalidation
Authentication Cache Invalidation
Evict
D3-CredentialRevocation
Credential Revocation
Evict
D3-DiskErasure
Disk Erasure
Evict
D3-DiskFormatting
Disk Formatting
Evict
D3-DiskPartitioning
Disk Partitioning
Evict
D3-EmailRemoval
Email Removal
Evict
D3-FileEviction
File Eviction
Evict
D3-HostReboot
Host Reboot
Evict
D3-HostShutdown
Host Shutdown
Evict
D3-ProcessSuspension
Process Suspension
Evict
D3-ProcessTermination
Process Termination
Evict
D3-RegistryKeyDeletion
Registry Key Deletion
Evict
D3-SessionTermination
Session Termination
Evict
D3-AgentAuthentication
Agent Authentication
Harden
D3-ApplicationConfigurationHardening
Application Configuration Hardening
Harden
D3-BootloaderAuthentication
Bootloader Authentication
Harden
D3-Certificate-basedAuthentication
Certificate-based Authentication
Harden
D3-CertificatePinning
Certificate Pinning
Harden
D3-CertificateRotation
Certificate Rotation
Harden
D3-ChangeDefaultPassword
Change Default Password
Harden
D3-CredentialHardening
Credential Hardening
Harden
D3-CredentialRotation
Credential Rotation
Harden
D3-CredentialScrubbing
Credential Scrubbing
Harden
D3-DisableRemoteAccess
Disable Remote Access
Harden
D3-DiskEncryption
Disk Encryption
Harden
D3-DomainLogicValidation
Domain Logic Validation
Harden
D3-FileEncryption
File Encryption
Harden
D3-Hardware-basedWriteProtection
Hardware-based Write Protection
Harden
D3-Multi-factorAuthentication
Multi-factor Authentication
Harden
D3-One-timePassword
One-time Password
Harden
D3-PasswordAuthentication
Password Authentication
Harden
D3-PasswordRotation
Password Rotation
Harden
D3-ProcessSegmentExecutionPrevention
Process Segment Execution Prevention
Harden
D3-RadiationHardening
Radiation Hardening
Harden
D3-SegmentAddressOffsetRandomization
Segment Address Offset Randomization
Harden
D3-SoftwareUpdate
Software Update
Harden
D3-StackFrameCanaryValidation
Stack Frame Canary Validation
Harden
D3-StrongPasswordPolicy
Strong Password Policy
Harden
D3-SystemConfigurationPermissions
System Configuration Permissions
Harden
D3-Token-basedAuthentication
Token-based Authentication
Harden
D3-TokenBinding
Token Binding
Harden
D3-TrustedLibrary
Trusted Library
Harden
D3-VariableInitialization
Variable Initialization
Harden
D3-Application-basedProcessIsolation
Application-based Process Isolation
Isolate
D3-ContentFiltering
Content Filtering
Isolate
D3-ContentModification
Content Modification
Isolate
D3-ContentQuarantine
Content Quarantine
Isolate
D3-CredentialTransmissionScoping
Credential Transmission Scoping
Isolate
D3-DNSAllowlisting
D N S Allowlisting
Isolate
D3-DNSDenylisting
D N S Denylisting
Isolate
D3-DomainTrustPolicy
Domain Trust Policy
Isolate
D3-EmailFiltering
Email Filtering
Isolate
D3-ExecutableAllowlisting
Executable Allowlisting
Isolate
D3-ExecutableDenylisting
Executable Denylisting
Isolate
D3-FileFormatVerification
File Format Verification
Isolate
D3-ForwardResolutionDomainDenylisting
Forward Resolution Domain Denylisting
Isolate
D3-Hardware-basedProcessIsolation
Hardware-based Process Isolation
Isolate
D3-IOPortRestriction
I O Port Restriction
Isolate
D3-InboundTrafficFiltering
Inbound Traffic Filtering
Isolate
D3-Kernel-basedProcessIsolation
Kernel-based Process Isolation
Isolate
D3-LocalFilePermissions
Local File Permissions
Isolate
D3-NetworkResourceAccessMediation
Network Resource Access Mediation
Isolate
D3-NetworkTrafficFiltering
Network Traffic Filtering
Isolate
D3-OutboundTrafficFiltering
Outbound Traffic Filtering
Isolate
D3-RemoteFileAccessMediation
Remote File Access Mediation
Isolate
D3-ReverseResolutionIPDenylisting
Reverse Resolution I P Denylisting
Isolate
D3-SystemCallFiltering
System Call Filtering
Isolate
D3-UserAccountPermissions
User Account Permissions
Isolate
D3-WebSessionAccessMediation
Web Session Access Mediation
Isolate
D3-AccessModeling
Access Modeling
Model
D3-AssetVulnerabilityEnumeration
Asset Vulnerability Enumeration
Model
D3-ConfigurationInventory
Configuration Inventory
Model
D3-ContainerImageAnalysis
Container Image Analysis
Model
D3-DataInventory
Data Inventory
Model
D3-HardwareComponentInventory
Hardware Component Inventory
Model
D3-LogicalLinkMapping
Logical Link Mapping
Model
D3-NetworkNodeInventory
Network Node Inventory
Model
D3-NetworkTrafficPolicyMapping
Network Traffic Policy Mapping
Model
D3-PhysicalLinkMapping
Physical Link Mapping
Model
D3-SoftwareInventory
Software Inventory
Model
D3-SystemVulnerabilityAssessment
System Vulnerability Assessment
Model
D3-ReissueCredential
Reissue Credential
Restore
D3-RestoreConfiguration
Restore Configuration
Restore
D3-RestoreDatabase
Restore Database
Restore
D3-RestoreEmail
Restore Email
Restore
D3-RestoreFile
Restore File
Restore
D3-RestoreNetworkAccess
Restore Network Access
Restore
D3-RestoreSoftware
Restore Software
Restore
D3-RestoreUserAccountAccess
Restore User Account Access
Restore
D3-UnlockAccount
Unlock Account
Restore
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin