Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.TTP Table for Detecting APT Activity Related to SolarWinds Compromise
Last Revised
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds Orion supply chain compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
CISA encourages network defenders to review [SolarWinds: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures] and implement the recommendations. CISA also recommends network defenders review the following resources regarding this incident:
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
- CISA Emergency Directive 21-01 - Supplemental Guidance v.1
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
This product is provided subject to this Notification and this Privacy & Use policy.