| Credential Access (credential-access) | Execution (execution) | Impact (impact) | Persistence (persistence) | Privilege Escalation (privilege-escalation) | Lateral Movement (lateral-movement) | Defense Evasion (defense-evasion) | Exfiltration (exfiltration) | Discovery (discovery) | Collection (collection) | Resource Development (resource-development) | Reconnaissance (reconnaissance) | Command and Control (command-and-control) | Initial Access (initial-access) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T1557 — Adversary-in-the-Middle Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on … | T1047 — Windows Management Instrumentation Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is … | T1561.002 — Disk Structure Wipe Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific … | T1156 — Malicious Shell Modification Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at … | T1055.011 — Extra Window Memory Injection Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well … | T1021.005 — VNC Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing … | T1093 — Process Hollowing Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with … | T1567 — Exfiltration Over Web Service Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. … | T1016.001 — Internet Connection Discovery Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished … | T1560.001 — Archive via Utility Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, … | T1583 — Acquire Infrastructure Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists … | T1592 — Gather Victim Host Information Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a … | T1132.001 — Standard Encoding Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more … | T1133 — External Remote Services Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, … |
| T1110.001 — Password Guessing Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to … | T1059.007 — JavaScript Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) … | T1498.001 — Direct Network Flood Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a … | T1161 — LC_LOAD_DYLIB Addition Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The … | T1037 — Boot or Logon Initialization Scripts Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov … | T1080 — Taint Shared Content Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal … | T1066 — Indicator Removal from Tools If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the … | T1567.004 — Exfiltration Over Webhook Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple … | T1033 — System Owner/User Discovery Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, … | T1113 — Screen Capture Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen … | T1583.007 — Serverless Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that … | T1596.003 — Digital Certificates Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are … | T1568.003 — DNS Calculation Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for … | T1195.001 — Compromise Software Dependencies and Development Tools Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data … |
| T1171 — LLMNR/NBT-NS Poisoning and Relay Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of … | T1121 — Regsvcs/Regasm Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are … | T1492 — Stored Data Manipulation Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 … | T1067 — Bootkit A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record … | T1150 — Plist Modification Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. … | T1527 — Application Access Token Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on … | T1055.011 — Extra Window Memory Injection Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well … | T1029 — Scheduled Transfer Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could … | T1613 — Container and Resource Discovery Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include … | T1557 — Adversary-in-the-Middle Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on … | T1588.007 — Artificial Intelligence Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during … | T1597.002 — Purchase Technical Data Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for … | T1001 — Data Obfuscation Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command … | T1192 — Spearphishing Link Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that … |
| T1539 — Steal Web Session Cookie An adversary may steal web application or service session cookies and use them to gain access to web applications or … | T1053.007 — Container Orchestration Job Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured … | T1491.002 — External Defacement An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an … | T1037 — Boot or Logon Initialization Scripts Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov … | T1044 — File System Permissions Weakness Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on … | T1021.004 — SSH Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions … | T1099 — Timestomp Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping … | T1011 — Exfiltration Over Other Network Medium Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command … | T1069.002 — Domain Groups Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine … | T1056.001 — Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to … | T1584.008 — Network Devices Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) … | T1590.005 — IP Addresses Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to … | T1090.003 — Multi-hop Proxy Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to … | T1566.002 — Spearphishing Link Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with … |
| T1056.001 — Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to … | T1129 — Shared Modules Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to … | T1499.001 — OS Exhaustion Flood Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible … | T1150 — Plist Modification Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. … | T1053.007 — Container Orchestration Job Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured … | T1017 — Application Deployment Software Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions … | T1027.011 — Fileless Storage Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as … | T1011.001 — Exfiltration Over Bluetooth Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control … | T1069 — Permission Groups Discovery Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups … | T1602 — Data from Configuration Repository Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order … | T1583.008 — Malvertising Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant … | T1590.002 — DNS Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety … | T1071.005 — Publish/Subscribe Protocols Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands … | T1566.001 — Spearphishing Attachment Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment … |
| T1003 — OS Credential Dumping Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash … | T1204.002 — Malicious File An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected … | T1485.001 — Lifecycle-Triggered Deletion Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets … | T1044 — File System Permissions Weakness Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on … | T1546.013 — PowerShell Profile Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is … | T1091 — Replication Through Removable Media Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking … | T1578.004 — Revert Cloud Instance An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade … | T1020 — Automated Exfiltration Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET … | T1497.003 — Time Based Checks Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms … | T1213.002 — Sharepoint Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for … | T1588.004 — Digital Certificates Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. … | T1596.002 — WHOIS Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored … | T1573.001 — Symmetric Cryptography Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent … | T1195.003 — Compromise Hardware Supply Chain Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or … |
| T1552.005 — Cloud Instance Metadata API Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service … | T1053.003 — Cron Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS … | T1496.003 — SMS Pumping Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS … | T1109 — Component Firmware Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside … | T1548.002 — Bypass User Account Control Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to … | T1021.008 — Direct Cloud VM Connections Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud … | T1564.012 — File/Path Exclusions Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus … | T1048.001 — Exfiltration Over Symmetric Encrypted Non-C2 Protocol Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command … | T1063 — Security Software Discovery Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the … | T1123 — Audio Capture An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) … | T1583.002 — DNS Server Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, … | T1594 — Search Victim-Owned Websites Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain … | T1172 — Domain Fronting Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to … | T1091 — Replication Through Removable Media Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking … |
| T1555.002 — Securityd Memory An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security … | T1675 — ESXi Administration Command Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background … | T1499.003 — Application Exhaustion Flood Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. … | T1053.007 — Container Orchestration Job Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured … | T1514 — Elevated Execution with Prompt Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of … | T1563.001 — SSH Hijacking Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard … | T1216.001 — PubPrn Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a … | T1020.001 — Traffic Duplication Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature … | T1615 — Group Policy Discovery Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, … | T1560.003 — Archive via Custom Method An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose … | T1587.003 — Digital Certificates Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They … | T1596.001 — DNS/Passive DNS Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a … | T1071 — Application Layer Protocol Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to … | T1195 — Supply Chain Compromise Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data … |
| T1003.004 — LSA Secrets Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a … | T1053 — Scheduled Task/Job Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major … | T1561 — Disk Wipe Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt … | T1133 — External Remote Services Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, … | T1543 — Create or Modify System Process Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot … | T1021.002 — SMB/Windows Admin Shares Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may … | T1218.011 — Rundll32 Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid … | T1567.001 — Exfiltration to Code Repository Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are … | T1120 — Peripheral Device Discovery Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: … | T1114 — Email Collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, … | T1587.001 — Malware Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development … | T1591.003 — Identify Business Tempo Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business … | T1024 — Custom Cryptographic Protocol Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as … | T1190 — Exploit Public-Facing Application Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness … |
| T1056.002 — GUI Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs … | T1106 — Native API Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means … | T1565.001 — Stored Data Manipulation Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening … | T1546.013 — PowerShell Profile Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is … | T1013 — Port Monitors A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at … | T1550 — Use Alternate Authentication Material Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move … | T1006 — Direct Volume Access Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have … | T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command … | T1040 — Network Sniffing Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network … | T1025 — Data from Removable Media Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be … | T1586.001 — Social Media Accounts Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of … | T1592.001 — Hardware Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may … | T1079 — Multilayer Encryption An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within … | T1659 — Content Injection Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather … |
| T1522 — Cloud Instance Metadata API Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service … | T1153 — Source **This technique has been deprecated and should no longer be used.** The <code>source</code> command loads functions into the current shell … | T1489 — Service Stop Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services … | T1163 — Rc.common During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also … | T1178 — SID-History Injection The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by … | T1076 — Remote Desktop Protocol Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with … | T1036.005 — Match Legitimate Resource Name or Location Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. … | T1041 — Exfiltration Over C2 Channel Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the … | T1652 — Device Driver Discovery Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights … | T1074.001 — Local Data Staging Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may … | T1588.006 — Vulnerabilities Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware … | T1598.003 — Spearphishing Link Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing … | T1219 — Remote Access Tools An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote … | T1078.001 — Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
| T1555.001 — Keychain Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, … | T1569.003 — Systemctl Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system … | T1499.004 — Application or System Exploitation Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: … | T1501 — Systemd Service Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for … | T1182 — AppCert DLLs Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that … | T1021 — Remote Services Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. … | T1143 — Hidden Window Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that … | T1048 — Exfiltration Over Alternative Protocol Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. … | T1087.001 — Local Account Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts … | T1114.001 — Local Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from … | T1583.005 — Botnet Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is … | T1590.004 — Network Topology Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may … | T1205 — Traffic Signaling Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. … | T1193 — Spearphishing Attachment Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it … |
| T1552.002 — Credentials in Registry Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can … | T1152 — Launchctl Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands … | T1487 — Disk Structure Wipe Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems … | T1543 — Create or Modify System Process Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot … | T1546.018 — Python Startup Hooks Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. … | T1563 — Remote Service Session Hijacking Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid … | T1027.009 — Embedded Payloads Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts … | T1052.001 — Exfiltration over USB Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network … | T1497.001 — System Checks Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based … | T1213.006 — Databases Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in … | T1608.004 — Drive-by Target Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint … | T1590.003 — Network Trust Dependencies Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts … | T1032 — Standard Cryptographic Protocol Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent … | T1199 — Trusted Relationship Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses … |
| T1040 — Network Sniffing Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network … | T1059.009 — Cloud API Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a … | T1565.003 — Runtime Data Manipulation Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, … | T1013 — Port Monitors A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at … | T1574.011 — Services Registry Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for … | T1021.006 — Windows Remote Management Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform … | T1014 — Rootkit Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits … | T1002 — Data Compressed An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable … |
T1087.003 — Email Account Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists … |
T1119 — Automated Collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing … |
T1587.002 — Code Signing Certificates Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally … |
T1597.001 — Threat Intel Vendors Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors … |
T1572 — Protocol Tunneling Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or … |
T1566 — Phishing Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. … |
|
T1556.002 — Password Filter DLL Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they … |
T1059.002 — AppleScript Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the … |
T1498.002 — Reflection Amplification Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. … |
T1182 — AppCert DLLs Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that … |
T1053.003 — Cron Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS … |
T1021.003 — Distributed Component Object Model Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The … |
T1218.014 — MMC Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may … |
T1567.003 — Exfiltration to Text Storage Sites Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such … |
T1010 — Application Window Discovery Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system … |
T1115 — Clipboard Data Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows … |
T1584.003 — Virtual Private Server Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud … |
T1589 — Gather Victim Identity Information Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a … |
T1568 — Dynamic Resolution Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved … |
T1078 — Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or … |
|
T1167 — Securityd Memory In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because … |
T1674 — Input Injection Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of … |
T1499.002 — Service Exhaustion Flood Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target … |
T1542.001 — System Firmware Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) … |
T1206 — Sudo Caching The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability … |
T1175 — Component Object Model and Distributed COM **This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).** Adversaries may use the Windows … |
T1150 — Plist Modification Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. … |
T1567.002 — Exfiltration to Cloud Storage Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage … |
T1007 — System Service Discovery Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as … |
T1530 — Data from Cloud Storage Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon … |
T1586.003 — Cloud Accounts Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their … |
T1595.002 — Vulnerability Scanning Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of … |
T1092 — Communication Through Removable Media Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from … |
T1566.004 — Spearphishing Voice Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. … |
|
T1558 — Steal or Forge Kerberos Tickets Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is … |
T1085 — Rundll32 The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy … |
T1491 — Defacement Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original … |
T1542 — Pre-OS Boot Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of … |
T1574.001 — DLL Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries … |
T1550.003 — Pass the Ticket Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. … |
T1666 — Modify Cloud Resource Hierarchy Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. IaaS environments often group … |
T1030 — Data Transfer Size Limits An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. … |
T1135 — Network Share Discovery Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to … |
T1074.002 — Remote Data Staging Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. … |
T1586.002 — Email Accounts Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their … |
T1596 — Search Open Technical Databases Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims … |
T1090.002 — External Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server … |
T1195.002 — Compromise Software Supply Chain Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. … |
|
T1555 — Credentials from Password Stores Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several … |
T1053.001 — At (Linux) Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The … |
T1496.002 — Bandwidth Hijacking Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted … |
T1546.018 — Python Startup Hooks Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. … |
T1547 — Boot or Logon Autostart Execution Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain … |
T1051 — Shared Webroot **This technique has been deprecated and should no longer be used.** Adversaries may add malicious content to an internally accessible … |
T1601 — Modify System Image Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for … |
T1537 — Transfer Data to Cloud Account Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud … |
T1082 — System Information Discovery An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, … |
T1005 — Data from Local System Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, … |
T1608.001 — Upload Malware Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include … |
T1681 — Search Threat Vendor Data Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as … |
T1659 — Content Injection Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather … |
T1078.002 — Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
|
T1139 — Bash History Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, … |
T1177 — LSASS Driver The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or … |
T1657 — Financial Theft Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own … |
T1574.011 — Services Registry Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for … |
T1103 — AppInit DLLs Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are … |
T1021.007 — Cloud Services Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated … |
T1121 — Regsvcs/Regasm Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are … |
T1022 — Data Encrypted Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to … |
T1016 — System Network Configuration Discovery Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they … |
T1560.002 — Archive via Library An adversary may compress or encrypt data that is collected prior to exfiltration using third-party libraries. Many libraries exist … |
T1583.001 — Domains Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent … |
T1595 — Active Scanning Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where … |
T1188 — Multi-hop Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to … |
T1194 — Spearphishing via Service Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it … |
|
T1214 — Credentials in Registry The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the … |
T1677 — Poisoned Pipeline Execution Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are … |
T1491.001 — Internal Defacement An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the … |
T1053.003 — Cron Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS … |
T1053 — Scheduled Task/Job Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major … |
T1072 — Software Deployment Tools Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally … |
T1148 — HISTCONTROL The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> … |
T1052 — Exfiltration Over Physical Medium Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as … |
T1482 — Domain Trust Discovery Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in … |
T1557.004 — Evil Twin Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of … |
T1608.002 — Upload Tool Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open … |
T1589.002 — Email Addresses Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing … |
T1090 — Proxy Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications … |
T1200 — Hardware Additions Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be … |
|
T1557.004 — Evil Twin Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of … |
T1609 — Container Administration Command Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the … |
T1496.004 — Cloud Service Hijacking Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. For example, adversaries … |
T1137 — Office Application Startup Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based … |
T1098.007 — Additional Local or Domain Groups An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system … |
T1210 — Exploitation of Remote Services Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a … |
T1109 — Component Firmware Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside … |
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and … |
T1497.002 — User Activity Based Checks Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors … |
T1602.002 — Network Device Configuration Dump Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is … |
T1583.004 — Server Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an … |
T1598.004 — Spearphishing Voice Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an … |
T1102 — Web Service Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular … |
T1189 — Drive-by Compromise Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple … |
|
T1556.007 — Hybrid Identity Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to … |
T1059 — Command and Scripting Interpreter Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of … |
T1496.001 — Compute Hijacking Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service … |
T1542.003 — Bootkit Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of … |
T1165 — Startup Items Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other … |
T1534 — Internal Spearphishing After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access … |
T1027.013 — Encrypted/Encoded File Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding … |
T1016.002 — Wi-Fi Discovery Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use … |
T1560 — Archive Collected Data An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate … |
T1585.002 — Email Accounts Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to … |
T1590.006 — Network Security Appliances Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security … |
T1104 — Multi-Stage Channels Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use … |
T1078.004 — Cloud Accounts Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense … |
|
T1145 — Private Keys Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto) Adversaries may … |
T1059.008 — Network Device CLI Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The … |
T1565 — Data Manipulation Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity … |
T1574.001 — DLL Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries … |
T1098.003 — Additional Cloud Roles An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. … |
T1097 — Pass the Ticket Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an … |
T1578 — Modify Cloud Compute Infrastructure An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute … |
T1083 — File and Directory Discovery Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain … |
T1185 — Browser Session Hijacking Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept … |
T1588.001 — Malware Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise … |
T1593.002 — Search Engines Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically … |
T1205.001 — Port Knocking Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, … |
T1566.003 — Spearphishing via Service Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service … |
|
T1558.005 — Ccache Files Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short … |
T1191 — CMSTP The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft … |
T1531 — Account Access Removal Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may … |
T1547 — Boot or Logon Autostart Execution Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain … |
T1547.010 — Port Monitors Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A … |
T1570 — Lateral Tool Transfer Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., … |
T1564.008 — Email Hiding Rules Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to … |
T1497 — Virtualization/Sandbox Evasion Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on … |
T1557.003 — DHCP Spoofing Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a … |
T1583.003 — Virtual Private Server Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service … |
T1591.002 — Business Relationships Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business … |
T1483 — Domain Generation Algorithms Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather … |
T1078.003 — Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
|
T1552 — Unsecured Credentials Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in … |
T1053.004 — Launchd This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how … |
T1486 — Data Encrypted for Impact Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to … |
T1103 — AppInit DLLs Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are … |
T1055 — Process Injection Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection … |
T1184 — SSH Hijacking Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to … |
T1497.003 — Time Based Checks Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms … |
T1619 — Cloud Storage Object Discovery Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, … |
T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an … |
T1584 — Compromise Infrastructure Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network … |
T1593.003 — Code Repositories Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code … |
T1026 — Multiband Communication **This technique has been deprecated and should no longer be used.** Some adversaries may split communications between different protocols. There … |
T1669 — Wi-Fi Networks Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open … |
|
T1003.001 — LSASS Memory Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). … |
T1610 — Deploy Container Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy … |
T1488 — Disk Content Wipe Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a … |
T1137.006 — Add-ins Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add … |
T1050 — New Service When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet … |
T1075 — Pass the Hash Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. … |
T1548.002 — Bypass User Account Control Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to … |
T1538 — Cloud Service Dashboard An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud … |
T1056.003 — Web Portal Capture Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of … |
T1586 — Compromise Accounts Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of … |
T1589.003 — Employee Names Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as … |
T1071.002 — File Transfer Protocols Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing … |
|
T1503 — Credentials from Web Browsers Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) … |
T1155 — AppleScript macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily … |
T1667 — Email Bombing Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood … |
T1053 — Scheduled Task/Job Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major … |
T1055.003 — Thread Execution Hijacking Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. … |
T1028 — Windows Remote Management Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to … |
T1542.001 — System Firmware Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) … |
T1580 — Cloud Infrastructure Discovery An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute … |
T1125 — Video Capture An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to … |
T1584.005 — Botnet Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a … |
T1592.004 — Client Configurations Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may … |
T1102.003 — One-Way Communication Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without … |
||
|
T1558.001 — Golden Ticket Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: … |
T1170 — Mshta Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension `.hta`. (Citation: Wikipedia HTML … |
T1499 — Endpoint Denial of Service Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint … |
T1556.002 — Password Filter DLL Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they … |
T1547.009 — Shortcut Modification Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic … |
T1550.004 — Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols … |
T1218.013 — Mavinject Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility … |
T1069.001 — Local Groups Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help … |
T1213.001 — Confluence Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally … |
T1608 — Stage Capabilities Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an … |
T1598.002 — Spearphishing Attachment Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing … |
T1571 — Non-Standard Port Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: … |
||
|
T1003.005 — Cached Domain Credentials Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller … |
T1061 — Graphical User Interface **This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.** The Graphical User Interface (GUI) is a common way … |
T1494 — Runtime Data Manipulation Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: … |
T1098.007 — Additional Local or Domain Groups An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system … |
T1038 — DLL Search Order Hijacking Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) … |
T1506 — Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols … |
T1564 — Hide Artifacts Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide … |
T1217 — Browser Information Discovery Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, … |
T1114.003 — Email Forwarding Rule Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities … |
T1608.005 — Link Target Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary … |
T1596.004 — CDNs Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization … |
T1573 — Encrypted Channel Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided … |
||
|
T1649 — Steal or Forge Authentication Certificates Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used … |
T1059.011 — Lua Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for … |
T1493 — Transmitted Data Manipulation Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: … |
T1180 — Screensaver Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with … |
T1547.005 — Security Support Provider Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into … |
T1563.002 — RDP Hijacking Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common … |
T1027.003 — Steganography Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to … |
T1673 — Virtual Machine Discovery An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, … |
T1074 — Data Staged Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate … |
T1583.006 — Web Services Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries … |
T1591 — Gather Victim Org Information Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include … |
T1065 — Uncommonly Used Port Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured. |
||
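T1027.003 in the row above covers steganography only as far as a one-line summary goes. The block below is an added worked example, not code from this page or from MITRE ATT&CK: it hides a whitened payload in the least-significant bits of a constructed grayscale pixel buffer, recovers it, and runs the kind of crude statistical check a defender can apply without having the original cover. The cover gradient, the payload, the whitening seed and the 2.5 run-length threshold are all assumptions chosen for illustration.

```python
"""LSB steganography: embed, extract, and a run-length check on the LSB plane.

Added example for T1027.003; all data here is constructed for illustration.
An 'image' is a flat list of 8-bit grayscale pixel values.
"""
import random
import struct

WIDTH, HEIGHT = 32, 32  # constructed 32x32 cover, 1024 pixels


def make_cover() -> list[int]:
    # Smooth gradient: pixel = index // 4. Its LSB plane is highly structured
    # (runs of four identical bits), standing in for a clean synthetic image.
    return [(i // 4) & 0xFF for i in range(WIDTH * HEIGHT)]


def _keystream(n: int, seed: int = 0x5EC) -> bytes:
    # Whitening keystream so embedded bits look random whatever the payload is.
    # Real tools encrypt the payload; a seeded PRNG stands in for that (assumption).
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def embed(cover: list[int], payload: bytes) -> list[int]:
    # Frame as 4-byte big-endian length + payload, whiten, then write one bit
    # per pixel into the LSB, starting at pixel 0.
    framed = _xor(struct.pack(">I", len(payload)) + payload, _keystream(4 + len(payload)))
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    pos = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return stego


def _read_bytes(pixels: list[int], offset_bits: int, nbytes: int) -> bytes:
    out = bytearray()
    for b in range(nbytes):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[offset_bits + b * 8 + k] & 1)
        out.append(val)
    return bytes(out)


def extract(stego: list[int]) -> bytes:
    ks = _keystream(len(stego) // 8)  # at least as long as any framed payload that fits
    (length,) = struct.unpack(">I", _xor(_read_bytes(stego, 0, 4), ks[:4]))
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid length header: probably not a stego image")
    return _xor(_read_bytes(stego, 32, length), ks[4:4 + length])


def mean_lsb_run(pixels: list[int]) -> float:
    # Mean run length of the LSB plane. Whitened embedded data drives this toward
    # 2.0 (random bits); structured covers score higher.
    lsb = [p & 1 for p in pixels]
    runs = 1 + sum(1 for a, b in zip(lsb, lsb[1:]) if a != b)
    return len(lsb) / runs


def looks_stego(pixels: list[int], threshold: float = 2.5) -> bool:
    # Threshold is an assumption tuned to this synthetic cover; real steganalysis
    # uses chi-square or RS analysis rather than a single number.
    return mean_lsb_run(pixels) < threshold


# Constructed payload: a beacon configuration of the sort an implant might carry.
PAYLOAD = (b"constructed beacon config: c2=198.51.100.7:8443 sleep=300 jitter=20 "
           b"user=svc_backup proxy=10.0.0.5:3128 tag=ops")

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, PAYLOAD)
    print("cover run length:", round(mean_lsb_run(cover), 2), "stego?", looks_stego(cover))
    print("stego run length:", round(mean_lsb_run(stego), 2), "stego?", looks_stego(stego))
    print("recovered       :", extract(stego))
```

The point for detection is the last two functions: nothing in the pixel values is "wrong" after embedding, every pixel moved by at most one level, and only the statistics of the LSB plane give it away. On real photographs the LSB plane is already noisy, which is why production steganalysis needs stronger tests than this run-length check.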
|
T1606 — Forge Web Credentials Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications … |
T1154 — Trap The `trap` command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common … |
T1496 — Resource Hijacking Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. … |
T1165 — Startup Items Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other … |
T1574.014 — AppDomainManager Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the … |
T1550.002 — Pass the Hash Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. … |
T1542 — Pre-OS Boot Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of … |
T1012 — Query Registry Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains … |
T1056.002 — GUI Input Capture Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs … |
T1585.003 — Cloud Accounts Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further … |
T1590 — Gather Victim Network Information Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a … |
T1132 — Data Encoding Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control … |
||
|
T1528 — Steal Application Access Token Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access … |
T1117 — Regsvr32 Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), … |
T1565.002 — Transmitted Data Manipulation Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, … |
T1098.003 — Additional Cloud Roles An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. … |
T1134.002 — Create Process with Token Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be … |
T1021.001 — Remote Desktop Protocol Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then … |
T1574.011 — Services Registry Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for … |
T1087 — Account Discovery Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a … |
T1039 — Data from Network Shared Drive Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected … |
T1588.002 — Tool Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed … |
T1593 — Search Open Websites/Domains Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about … |
T1090.004 — Domain Fronting Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to … |
||
|
T1556.008 — Network Provider DLL Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network … |
T1053.006 — Systemd Timers Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are … |
T1485 — Data Destruction Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to … |
T1547.010 — Port Monitors Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A … |
T1548 — Abuse Elevation Control Mechanism Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control … |
T1550.001 — Application Access Token Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services … |
T1500 — Compile After Delivery Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar … |
T1518 — Software Discovery Adversaries may attempt to get a listing of software and software versions that are installed on a system or in … |
T1114.002 — Remote Email Collection Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's … |
T1584.006 — Web Services Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist … |
T1597 — Search Closed Sources Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that … |
T1132.002 — Non-Standard Encoding Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more … |
||
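T1132.002 (Non-Standard Encoding) in the row above is summarized in a single sentence. The following is an added example, not code from this page or from MITRE ATT&CK: it encodes a constructed tasking message with a rotated base64 alphabet of the kind malware families use to defeat off-the-shelf decoders, shows that a standard decoder returns garbage, and then recovers the rotation by trying all 64 shifts and scoring each output for printable ASCII, which is how an analyst typically unmasks such a scheme. The message, the shift value and the printability scorer are assumptions.

```python
"""Custom-alphabet base64 (T1132.002): encode, decode, and recover an unknown rotation.

Added example with constructed data; not from ATT&CK or the original page.
"""
import base64
import string

STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def rotated_alphabet(shift: int) -> str:
    # One common non-standard scheme: the standard alphabet rotated by a fixed offset.
    shift %= 64
    return STANDARD[shift:] + STANDARD[:shift]


def custom_b64encode(data: bytes, alphabet: str) -> str:
    # Standard base64 first, then remap each symbol into the custom alphabet ('=' is kept).
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STANDARD, alphabet))


def custom_b64decode(text: str, alphabet: str) -> bytes:
    # Reverse mapping back to the standard alphabet, then a normal decode.
    return base64.b64decode(text.translate(str.maketrans(alphabet, STANDARD)))


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def recover_rotation(text: str) -> tuple[int, float, bytes]:
    # Try every rotation and keep the one whose output is most ASCII-like.
    # Works when the plaintext is text (JSON tasking, command output); binary
    # payloads need a different scorer, e.g. a file-magic check.
    best = (0, -1.0, b"")
    for shift in range(64):
        out = custom_b64decode(text, rotated_alphabet(shift))
        score = printable_ratio(out)
        if score > best[1]:
            best = (shift, score, out)
    return best


# Constructed tasking message and rotation; both are illustrative assumptions.
MESSAGE = b'{"task":"exec","cmd":"whoami /all","beacon":"a1f3"}'
SHIFT = 17

if __name__ == "__main__":
    wire = custom_b64encode(MESSAGE, rotated_alphabet(SHIFT))
    print("on the wire    :", wire)
    print("standard decode:", custom_b64decode(wire, STANDARD)[:16], "...")
    shift, score, plain = recover_rotation(wire)
    print(f"recovered shift={shift} printable={score:.2f}: {plain}")
```

Because the symbol set is unchanged, the wire text still looks like base64 to a protocol analyzer, so signature-based "decode and inspect" logic silently produces noise instead of failing. Brute-forcing a fixed rotation is cheap; a full permuted alphabet (64! possibilities) needs the decoder pulled from the sample instead.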
|
T1141 — Input Prompt When programs are executed that need more privileges than are present in the current user context, it is common for … |
T1059.004 — Unix Shell Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, … |
T1498 — Network Denial of Service Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. … |
T1205 — Traffic Signaling Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. … |
T1053.001 — At (Linux) Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The … |
T1077 — Windows Admin Shares Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy … |
T1562.009 — Safe Mode Boot Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a … |
T1526 — Cloud Service Discovery An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ … |
T1056 — Input Capture Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often … |
T1585.001 — Social Media Accounts Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts … |
T1592.003 — Firmware Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may … |
T1071.001 — Web Protocols Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing … |
||
|
T1142 — Keychain Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features … |
T1028 — Windows Remote Management Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to … |
T1495 — Firmware Corruption Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a … |
T1050 — New Service When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet … |
T1058 — Service Registry Permissions Weakness Windows stores local service configuration information in the Registry under `HKLM\SYSTEM\CurrentControlSet\Services`. The information stored under a service's Registry keys can … |
T1218.004 — InstallUtil Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that … |
T1049 — System Network Connections Discovery Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing … |
T1213.004 — Customer Relationship Management Software Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in … |
T1587.004 — Exploits Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in … |
T1592.002 — Software Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may … |
T1219.002 — Remote Desktop Software An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within … |
|||
|
T1552.004 — Private Keys Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates … |
T1559 — Inter-Process Communication Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to … |
T1490 — Inhibit System Recovery Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted … |
T1062 — Hypervisor **This technique has been deprecated and should no longer be used.** A type-1 hypervisor is a software layer that sits … |
T1546.001 — Change Default File Association Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the … |
T1070.002 — Clear Linux or Mac System Logs Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or … |
T1046 — Network Service Discovery Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those … |
T1557.002 — ARP Cache Poisoning Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. … |
T1608.003 — Install Digital Certificate Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on … |
T1593.001 — Social Media Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain … |
T1071.003 — Mail Protocols Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with … |
|||
|
T1110.004 — Credential Stuffing Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. … |
T1203 — Exploitation for Client Execution Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding … |
T1561.001 — Disk Content Wipe Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt … |
T1547.009 — Shortcut Modification Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic … |
T1548.005 — Temporary Elevated Cloud Access Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow … |
T1116 — Code Signing Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has … |
T1654 — Log Enumeration Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights … |
T1213.003 — Code Repositories Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software … |
T1584.002 — DNS Server Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic … |
T1589.001 — Credentials Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated … |
T1090.001 — Internal Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised … |
|||
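T1110.004 (Credential Stuffing) in the row above names the behaviour but not what distinguishes it from ordinary password guessing in logs: many distinct usernames from one source, each tried once or twice, with the occasional success where a breached password was reused. The block below is an added example, not code from this page or from ATT&CK. The log lines are constructed, and the window and count thresholds are assumptions to be tuned per environment.

```python
"""Credential stuffing vs. password guessing from auth logs (T1110.004 / T1110.001).

Added example; the log lines below are constructed for illustration and the
thresholds are assumptions, not values from ATT&CK or the original page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a stuffing source (many users, one try each, one hit), a
# password-guessing source (one user, many tries) and a benign typo-and-retry.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.9 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.9 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.9 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.9 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.9 user=frank result=SUCCESS
2024-05-01T10:00:07Z src=203.0.113.9 user=grace result=FAIL
2024-05-01T10:00:08Z src=203.0.113.9 user=heidi result=FAIL
2024-05-01T10:01:00Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:01Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:02Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:03Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:04Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:05Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:06Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:07Z src=198.51.100.4 user=admin result=FAIL
2024-05-01T10:02:00Z src=192.0.2.10 user=carol result=FAIL
2024-05-01T10:02:20Z src=192.0.2.10 user=carol result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_log(text: str) -> list[tuple[datetime, str, str, bool]]:
    # Returns (timestamp, source, user, success) tuples; unparseable lines are skipped
    # here, but in production they should be counted so a format change is noticed.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=6, min_users=5):
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        best = []  # densest sliding window of attempts from this source
        for i in range(len(evs)):
            start = evs[i][0]
            win = [e for e in evs[i:] if e[0] - start <= window]
            if len(win) > len(best):
                best = win
        users = {e[2] for e in best}
        stats = {
            "attempts": len(best),
            "distinct_users": len(users),
            "failures": sum(1 for e in best if not e[3]),
            # Accounts that accepted a stuffed credential: reset these first.
            "compromised": sorted({e[2] for e in best if e[3]}),
        }
        if len(best) >= min_attempts and len(users) >= min_users and len(best) / len(users) <= 2:
            stats["verdict"] = "credential stuffing (T1110.004)"
        elif len(best) >= min_attempts and len(users) == 1:
            stats["verdict"] = "password guessing (T1110.001)"
        else:
            stats["verdict"] = "benign"
        report[src] = stats
    return report


if __name__ == "__main__":
    for src, stats in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The ratio of attempts to distinct users is the discriminating feature: lockout policies keyed on per-account failures never fire against stuffing, because each account sees only one attempt. Detection therefore has to pivot on the source (or, against distributed botnets, on the user-agent and timing pattern), and any success inside a flagged window is an account to reset, not a false positive.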
|
T1179 — Hooking Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions … |
T1175 — Component Object Model and Distributed COM **This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).** Adversaries may use the Windows … |
T1529 — System Shutdown/Reboot Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain … |
T1038 — DLL Search Order Hijacking Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) … |
T1037.002 — Login Hook Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file … |
T1542.003 — Bootkit Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of … |
T1057 — Process Discovery Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an … |
T1213 — Data from Information Repositories Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically … |
T1585 — Establish Accounts Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can … |
T1595.003 — Wordlist Scanning Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its … |
T1094 — Custom Command and Control Protocol Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). … |
|||
|
T1187 — Forced Authentication Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in … |
T1569 — System Services Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with … |
T1547.005 — Security Support Provider Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into … |
T1548.001 — Setuid and Setgid An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code … |
T1089 — Disabling Security Tools Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of … |
T1018 — Remote System Discovery Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a … |
T1602.001 — SNMP (MIB Dump) Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple … |
T1588 — Obtain Capabilities Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries … |
T1591.004 — Identify Roles Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about … |
T1001.001 — Junk Data Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor … |
||||
|
T1212 — Exploitation for Credential Access Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary … |
T1059.012 — Hypervisor CLI Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of … |
T1131 — Authentication Package Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for … |
T1611 — Escape to Host Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow … |
T1027.008 — Stripped Payloads Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts … |
T1069.003 — Cloud Groups Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine … |
T1056.004 — Credential API Hooking Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking … |
T1650 — Acquire Access Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services … |
T1598 — Phishing for Information Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an … |
T1043 — Commonly Used Port **This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.** Adversaries may communicate over a commonly used port to … |
||||
|
T1174 — Password Filter DLL Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link … |
T1223 — Compiled HTML File Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations … |
T1152 — Launchctl Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands … |
T1138 — Application Shimming The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating … |
T1574.001 — DLL Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries … |
T1087.002 — Domain Account Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist … |
T1213.005 — Messaging Applications Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. The … |
T1584.007 — Serverless Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be … |
T1595.001 — Scanning IP Blocks Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be … |
T1205.002 — Socket Filters Adversaries may attach filters to a network socket to monitor traffic and then activate backdoors used for persistence or command and control. … |
||||
|
T1056 — Input Capture Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often … |
T1651 — Cloud Administration Command Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, … |
T1556.007 — Hybrid Identity Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to … |
T1098.001 — Additional Cloud Credentials Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the … |
T1527 — Application Access Token Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on … |
T1087.004 — Cloud Account Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization … |
T1584.004 — Server Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, … |
T1590.001 — Domain Properties Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their … |
T1568.002 — Domain Generation Algorithms Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic … |
|||||
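T1568.002 (Domain Generation Algorithms) in the row above is summarized only briefly. The following is an added example rather than code from this page or from MITRE ATT&CK: a toy date-seeded DGA of the kind the entry describes, the lexical heuristic defenders often start with, and the more reliable check available once a family's algorithm has been reversed, which is to regenerate the day's list and match queries against it. The LCG, the seed derivation, the TLD list, the thresholds and the sample query log are constructed assumptions and do not reproduce any real malware family.

```python
"""Toy date-seeded DGA (T1568.002) and two ways to spot its queries.

Added example; the algorithm, seed, thresholds and DNS query sample are
constructed for illustration and do not reproduce any real malware family.
"""
import math
from datetime import date

TLDS = ("com", "net", "info")


def toy_dga(day: date, count: int = 10, label_len: int = 12) -> list[str]:
    # Seeding from the date lets every infected host and the operator agree on
    # the day's candidate domains without contact; a 31-bit LCG picks letters.
    x = day.year * 10000 + day.month * 100 + day.day
    domains = []
    for i in range(count):
        label = []
        for _ in range(label_len):
            x = (x * 1103515245 + 12345) & 0x7FFFFFFF
            label.append(chr(ord("a") + (x >> 16) % 26))
        domains.append("".join(label) + "." + TLDS[i % len(TLDS)])
    return domains


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def vowel_ratio(s: str) -> float:
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                    max_vowels: float = 0.3) -> bool:
    # Lexical heuristic: long, high-entropy, vowel-poor leftmost label. Cheap but
    # noisy (CDN and tracking hostnames trip it); thresholds are assumptions.
    label = domain.split(".")[0]
    return (len(label) >= min_len
            and shannon_entropy(label) > min_entropy
            and vowel_ratio(label) < max_vowels)


def match_known_family(queries, day: date, generator=toy_dga, count: int = 10) -> list[str]:
    # Reliable path once the algorithm is reversed: regenerate today's list and
    # compare. The same list is what defenders sinkhole or block in advance.
    predicted = set(generator(day, count))
    return [q for q in queries if q in predicted]


def sample_queries(day: date) -> list[str]:
    # Constructed query log: ordinary traffic plus three of the day's DGA domains.
    return ["www.example.com", "mail.example.org", "updates.example.net"] + toy_dga(day)[:3]


if __name__ == "__main__":
    today = date(2024, 5, 1)
    for q in sample_queries(today):
        print(f"{q:32s} lexical={looks_generated(q)}")
    print("known-family matches:", match_known_family(sample_queries(today), today))
```

The known-family match is what sinkholing is built on: with the algorithm and seed in hand, every candidate for a given date can be registered or blocked before any implant tries it, and a host querying several of them is a confirmed infection. The lexical heuristic belongs in hunting rather than in a blocking rule, since legitimate machine-generated hostnames look the same to it.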
|
T1556.006 — Multi-Factor Authentication Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained … |
T1064 — Scripting **This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.** Adversaries may use scripts to aid in … |
T1505.002 — Transport Agent Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email … |
T1181 — Extra Window Memory Injection Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior … |
T1218.007 — Msiexec Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and … |
T1614.001 — System Language Discovery Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location … |
T1608.006 — SEO Poisoning Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines … |
T1596.005 — Scan Databases Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services … |
T1105 — Ingress Tool Transfer Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be … |
|||||
|
- **T1556.001 — Domain Controller Authentication**: Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to …
- **T1569.001 — Launchctl**: Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl …
- **T1574.014 — AppDomainManager**: Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the …
- **T1134.003 — Make and Impersonate Token**: Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary …
- **T1600 — Weaken Encryption**: Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: …
- **T1518.002 — Backup Software Discovery**: Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may …
- **T1588.003 — Code Signing Certificates**: Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of …
- **T1591.001 — Determine Physical Locations**: Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target …
- **T1071.004 — DNS**: Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with …
- **T1003.008 — /etc/passwd and /etc/shadow**: Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating …
- **T1559.003 — XPC Services**: Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic …
- **T1112 — Modify Registry**: Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, …
- **T1053.004 — Launchd**: This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how …
- **T1556.002 — Password Filter DLL**: Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they …
- **T1201 — Password Policy Discovery**: Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password …
- **T1587 — Develop Capabilities**: Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may …
- **T1598.001 — Spearphishing Service**: Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for …
- **T1219.003 — Remote Access Hardware**: An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within …
- **T1003.003 — NTDS**: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential …
- **T1204.001 — Malicious Link**: An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected …
- **T1162 — Login Item**: MacOS provides the option to list specific applications to run when a user logs in. These applications run under the …
- **T1574.004 — Dylib Hijacking**: Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path …
- **T1070.003 — Clear Command History**: In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the …
- **T1614 — System Location Discovery**: Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the …
- **T1588.005 — Exploits**: Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug …
- **T1573.002 — Asymmetric Cryptography**: Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent …
- **T1556.005 — Reversible Encryption**: An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property …
- **T1035 — Service Execution**: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service …
- **T1505.003 — Web Shell**: Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web …
- **T1055.013 — Process Doppelgänging**: Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly …
- **T1536 — Revert Cloud Instance**: An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade …
- **T1622 — Debugger Evasion**: Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze …
- **T1584.001 — Domains**: Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing …
- **T1219.001 — IDE Tunneling**: Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel …
- **T1552.001 — Credentials In Files**: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files …
- **T1204 — User Execution**: An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to …
- **T1031 — Modify Existing Service**: Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. …
- **T1098.005 — Device Registration**: Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which …
- **T1497.001 — System Checks**: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based …
- **T1680 — Local Storage Discovery**: Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. …
- **T1102.001 — Dead Drop Resolver**: Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) …
- **T1552.007 — Container API**: Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and …
- **T1196 — Control Panel Items**: Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered …
- **T1176 — Software Extensions**: Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or …
- **T1169 — Sudo**: The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands …
- **T1562 — Impair Defenses**: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only …
- **T1124 — System Time Discovery**: An adversary may gather the system time and/or time zone settings from a local or remote system. The system time …
- **T1001.003 — Protocol or Service Impersonation**: Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By …
- **T1556.004 — Network Device Authentication**: Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication …
- **T1072 — Software Deployment Tools**: Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally …
- **T1136.001 — Local Account**: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization …
- **T1055.014 — VDSO Hijacking**: Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly …
- **T1036 — Masquerading**: Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security …
- **T1518.001 — Security Software Discovery**: Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a …
- **T1095 — Non-Application Layer Protocol**: Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within …
- **T1111 — Multi-Factor Authentication Interception**: Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can …
- **T1559.002 — Dynamic Data Exchange**: Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or …
- **T1053.001 — At (Linux)**: Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The …
- **T1502 — Parent PID Spoofing**: Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. …
- **T1205 — Traffic Signaling**: Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. …
- **T1665 — Hide Infrastructure**: Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished …
- **T1558.003 — Kerberoasting**: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket …
- **T1059.010 — AutoHotKey & AutoIT**: Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting …
- **T1058 — Service Registry Permissions Weakness**: Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can …
- **T1484.001 — Group Policy Modification**: Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the …
- **T1055 — Process Injection**: Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection …
- **T1001.002 — Steganography**: Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can …
- **T1556.003 — Pluggable Authentication Modules**: Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is …
- **T1173 — Dynamic Data Exchange**: Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a …
- **T1019 — System Firmware**: The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of …
- **T1547.003 — Time Providers**: Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization …
- **T1055.003 — Thread Execution Hijacking**: Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. …
- **T1008 — Fallback Channels**: Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain …
- **T1003.002 — Security Account Manager**: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through …
- **T1053.002 — At**: Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) …
- **T1164 — Re-opened Applications**: Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their …
- **T1183 — Image File Execution Options Injection**: Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, …
- **T1222.002 — Linux and Mac File and Directory Permissions Modification**: Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. (Citation: Hybrid Analysis Icacls1 …
- **T1568.001 — Fast Flux DNS**: Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP …
- **T1110.002 — Password Cracking**: Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as …
- **T1059.001 — PowerShell**: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included …
- **T1108 — Redundant Access**: **This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.** Adversaries may use …
- **T1157 — Dylib Hijacking**: macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program …
- **T1620 — Reflective Code Loading**: Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves …
- **T1102.002 — Bidirectional Communication**: Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from …
- **T1555.005 — Password Managers**: Adversaries may acquire user credentials from third-party password managers. (Citation: ise Password Manager February 2019) Password managers are applications designed to …
- **T1204.003 — Malicious Image**: Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images …
- **T1101 — Security Support Provider**: Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded …
- **T1546.005 — Trap**: Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells …
- **T1218 — System Binary Proxy Execution**: Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries …
- **T1003.007 — Proc Filesystem**: Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface …
- **T1053.005 — Scheduled Task**: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There …
- **T1546.001 — Change Default File Association**: Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the …
- **T1574 — Hijack Execution Flow**: Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be …
- **T1553.002 — Code Signing**: Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level …
- **T1555.003 — Credentials from Web Browsers**: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web …
- **T1204.004 — Malicious Copy and Paste**: An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected …
- **T1177 — LSASS Driver**: The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or …
- **T1015 — Accessibility Features**: Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, …
- **T1038 — DLL Search Order Hijacking**: Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) …
- **T1557.003 — DHCP Spoofing**: Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a …
- **T1569.002 — Service Execution**: Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) …
- **T1198 — SIP and Trust Provider Hijacking**: In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables …
- **T1179 — Hooking**: Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions …
- **T1009 — Binary Padding**: Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality …
- **T1556 — Modify Authentication Process**: Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication …
- **T1059.003 — Windows Command Shell**: Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on …
- **T1037.002 — Login Hook**: Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file …
- **T1134.005 — SID-History Injection**: Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique …
- **T1152 — Launchctl**: Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands …
- **T1056.003 — Web Portal Capture**: Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of …
- **T1168 — Local Job Scheduling**: On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux …
- **T1136.002 — Domain Account**: Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory …
- **T1547.004 — Winlogon Helper DLL**: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows …
- **T1553.003 — SIP and Trust Provider Hijacking**: Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting …
- **T1552.003 — Shell History**: Adversaries may search the command history on compromised systems for insecurely stored credentials. On Linux and macOS systems, shells such …
- **T1059.006 — Python**: Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform …
- **T1542.002 — Component Firmware**: Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and …
- **T1546 — Event Triggered Execution**: Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems …
- **T1556.007 — Hybrid Identity**: Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to …
- **T1606.001 — Web Cookies**: Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications …
- **T1204.005 — Malicious Library**: Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package …
- **T1542.005 — TFTP Boot**: Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. …
- **T1547.001 — Registry Run Keys / Startup Folder**: Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. …
- **T1562.012 — Disable or Modify Linux Audit System**: Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the …
- **T1552.008 — Chat Messages**: Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in …
- **T1151 — Space after Filename**: Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this …
- **T1525 — Implant Internal Image**: Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon …
- **T1098 — Account Manipulation**: Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that …
- **T1621 — Multi-Factor Authentication Request Generation**: Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to …
- **T1648 — Serverless Execution**: Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer …
- **T1004 — Winlogon Helper DLL**: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by …
- **T1053.006 — Systemd Timers**: Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are …
- **T1207 — Rogue Domain Controller**: Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create …
- **T1557.002 — ARP Cache Poisoning**: Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. …
- **T1086 — PowerShell**: PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries …
- **T1138 — Application Shimming**: The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating …
- **T1543.005 — Container Service**: Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual …
- **T1558.002 — Silver Ticket**: Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service …
- **T1118 — InstallUtil**: InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in …
- **T1205.001 — Port Knocking**: Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, …
- **T1546.012 — Image File Execution Options Injection**: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs …
- **T1134.002 — Create Process with Token**: Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be …
- **T1555.004 — Windows Credential Manager**: Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or …
- **T1559.001 — Component Object Model**: Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component …
- **T1037.005 — Startup Items**: Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase …
- **T1107 — File Deletion**: Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped …
- **T1056.004 — Credential API Hooking**: Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking …
- **T1059.013 — Container CLI/API**: Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI is …
- **T1556.008 — Network Provider DLL**: Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network …
- **T1037.003 — Network Logon Script**: Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned …
- **T1562.008 — Disable or Modify Cloud Logs**: An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities …
- **T1110 — Brute Force**: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are …
- **T1059.005 — Visual Basic**: Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many …
- **T1122 — Component Object Model Hijacking**: The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. …
- **T1166 — Setuid and Setgid**: When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application …
- **T1027.001 — Binary Padding**: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done …
- **T1208 — Kerberoasting**: Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires …
- **T1100 — Web Shell**: A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary …
- **T1085 — Rundll32**: The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy …
- **T1081 — Credentials in Files**: Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by …
- **T1078 — Valid Accounts**: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or …
- **T1548 — Abuse Elevation Control Mechanism**: Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control …
- **T1606.002 — SAML Tokens**: An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. (Citation: …
- **T1060 — Registry Run Keys / Startup Folder**: Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. …
- **T1034 — Path Interception**: **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or …
- **T1070.001 — Clear Windows Event Logs**: Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of …
- **T1558.004 — AS-REP Roasting**: Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages. (Citation: Harmj0y Roasting AS-REPs Jan …
- **T1023 — Shortcut Modification**: Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the …
- **T1574.005 — Executable Installer File Permissions Weakness**: Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute …
- **T1070.007 — Clear Network Connection History and Configurations**: Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration …
- **T1110.003 — Password Spraying**: Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire …
- **T1088 — Bypass User Account Control**: Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by …
- **T1202 — Indirect Command Execution**: Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. …
T1555.006 — Cloud Secrets Management Stores Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, … |
T1136.003 — Cloud Account Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts … |
T1504 — PowerShell Profile Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a … |
T1140 — Deobfuscate/Decode Files or Information Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms … |
||||||||||
|
T1552.006 — Group Policy Preferences Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create … |
T1542.004 — ROMMONkit Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and … |
T1134 — Access Token Manipulation Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass … |
T1108 — Redundant Access **This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.** Adversaries may use … |
||||||||||
|
T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an … |
T1547.003 — Time Providers Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization … |
T1519 — Emond Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. … |
T1578.003 — Delete Cloud Instance An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and … |
||||||||||
|
T1003.006 — DCSync Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: … |
T1183 — Image File Execution Options Injection Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, … |
T1543.002 — Systemd Service Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system … |
T1218.008 — Odbcconf Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure … |
||||||||||
|
T1556.009 — Conditional Access Policies Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional … |
T1157 — Dylib Hijacking macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program … |
T1547.007 — Re-opened Applications Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out … |
T1548.005 — Temporary Elevated Cloud Access Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow … |
||||||||||
|
T1137.003 — Outlook Forms Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for … |
T1098.002 — Additional Email Delegate Permissions Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) … |
T1045 — Software Packing Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an … |
|||||||||||
|
T1546.005 — Trap Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells … |
T1160 — Launch Daemon Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process … |
T1198 — SIP and Trust Provider Hijacking In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables … |
|||||||||||
|
T1574 — Hijack Execution Flow Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be … |
T1037.001 — Logon Script (Windows) Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be … |
T1548.001 — Setuid and Setgid An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code … |
|||||||||||
|
T1015 — Accessibility Features Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, … |
T1078.003 — Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
T1070.006 — Timestomp Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that … |
|||||||||||
|
T1154 — Trap The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common … |
T1134.004 — Parent PID Spoofing Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. … |
T1497.002 — User Activity Based Checks Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors … |
|||||||||||
|
T1179 — Hooking Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions … |
T1574.007 — Path Interception by PATH Environment Variable Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains … |
T1542.002 — Component Firmware Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and … |
|||||||||||
|
T1547.004 — Winlogon Helper DLL Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows … |
T1574.002 — DLL Side-Loading Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program … |
T1070 — Indicator Removal Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts … |
|||||||||||
|
T1042 — Change Default File Association When a file is opened, the default program used to open the file (also called the file association or handler) … |
T1546.006 — LC_LOAD_DYLIB Addition Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series … |
T1036.004 — Masquerade Task or Service Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services … |
|||||||||||
|
T1546 — Event Triggered Execution Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems … |
T1547.014 — Active Setup Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is … |
T1480.002 — Mutual Exclusion Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a … |
|||||||||||
|
T1547.001 — Registry Run Keys / Startup Folder Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. … |
T1098.006 — Additional Container Cluster Roles An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to … |
T1127.003 — JamPlus Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code … |
|||||||||||
|
T1098 — Account Manipulation Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that … |
T1484 — Domain or Tenant Policy Modification Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally … |
T1036.012 — Browser Fingerprint Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, … |
|||||||||||
|
T1128 — Netsh Helper DLL Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a … |
T1546.011 — Application Shimming Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility … |
T1553.005 — Mark-of-the-Web Bypass Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, … |
|||||||||||
|
T1053.006 — Systemd Timers Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are … |
T1543.004 — Launch Daemon Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files … |
T1600.002 — Disable Crypto Hardware Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order … |
|||||||||||
|
T1215 — Kernel Modules and Extensions Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. … |
T1574.006 — Dynamic Linker Hijacking Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During … |
T1562.002 — Disable Windows Event Logging Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs … |
|||||||||||
|
T1543.005 — Container Service Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual … |
T1053.002 — At Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) … |
T1612 — Build Image on Host Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious … |
|||||||||||
|
T1546.012 — Image File Execution Options Injection Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs … |
T1078.001 — Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
T1542.005 — TFTP Boot Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. … |
|||||||||||
|
T1137.004 — Outlook Home Page Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a … |
T1546.017 — Udev Rules Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that … |
T1218.005 — Mshta Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. … |
|||||||||||
|
T1037.005 — Startup Items Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase … |
T1546.009 — AppCert DLLs Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries … |
T1497 — Virtualization/Sandbox Evasion Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on … |
|||||||||||
|
T1037.003 — Network Logon Script Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned … |
T1055.004 — Asynchronous Procedure Call Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses … |
T1550 — Use Alternate Authentication Material Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move … |
|||||||||||
|
T1166 — Setuid and Setgid When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application … |
T1055.002 — Portable Executable Injection Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. … |
T1191 — CMSTP The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft … |
|||||||||||
|
T1100 — Web Shell A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary … |
T1547.015 — Login Items Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, … |
T1205.001 — Port Knocking Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, … |
|||||||||||
|
T1078 — Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or … |
T1546.003 — Windows Management Instrumentation Event Subscription Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. … |
T1181 — Extra Window Memory Injection Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior … |
|||||||||||
|
T1671 — Cloud Application Integration Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add … |
T1574.013 — KernelCallbackTable Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: … |
T1073 — DLL Side-Loading Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be … |
|||||||||||
|
T1556.006 — Multi-Factor Authentication Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained … |
T1055.009 — Proc Memory Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as … |
T1564.002 — Hidden Users Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to … |
|||||||||||
|
T1034 — Path Interception **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or … |
T1548.003 — Sudo and Sudo Caching Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands … |
T1134.003 — Make and Impersonate Token Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary … |
|||||||||||
|
T1574.005 — Executable Installer File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute … |
T1543.003 — Windows Service Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, … |
T1556.008 — Network Provider DLL Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network … |
|||||||||||
|
T1504 — PowerShell Profile Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a … |
T1053.005 — Scheduled Task Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There … |
T1122 — Component Object Model Hijacking The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. … |
|||||||||||
|
T1197 — BITS Jobs Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) … |
T1546.002 — Screensaver Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable … |
T1574.004 — Dylib Hijacking Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path … |
|||||||||||
|
T1505 — Server Software Component Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include … |
T1574.008 — Path Interception by Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs … |
T1218.015 — Electron Applications Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such … |
|||||||||||
|
T1556.001 — Domain Controller Authentication Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to … |
T1037.004 — RC Scripts Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system … |
T1610 — Deploy Container Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy … |
|||||||||||
|
T1519 — Emond Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. … |
T1055.005 — Thread Local Storage Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as … |
T1562.013 — Disable or Modify Network Device Firewall Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls … |
|||||||||||
|
T1543.002 — Systemd Service Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system … |
T1547.013 — XDG Autostart Entries Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is … |
T1055.013 — Process Doppelgänging Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly … |
|||||||||||
|
T1668 — Exclusive Control Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them – in other … |
T1055.015 — ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well … |
T1535 — Unused/Unsupported Cloud Regions Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through … |
|||||||||||
|
T1547.007 — Re-opened Applications Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out … |
T1546.007 — Netsh Helper DLL Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is … |
T1070.005 — Network Share Connection Removal Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows … |
|||||||||||
|
T1098.002 — Additional Email Delegate Permissions Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) … |
T1546.008 — Accessibility Features Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that … |
T1679 — Selective Exclusion Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware … |
|||||||||||
|
T1084 — Windows Management Instrumentation Event Subscription Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a … |
T1134.001 — Token Impersonation/Theft Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary … |
T1564.013 — Bind Mounts Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount … |
|||||||||||
|
T1160 — Launch Daemon Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process … |
T1574.012 — COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The … |
T1055.014 — VDSO Hijacking Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly … |
|||||||||||
|
T1556.005 — Reversible Encryption An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property … |
T1547.011 — Plist Modification Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are … |
T1502 — Parent PID Spoofing Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. … |
|||||||||||
|
T1037.001 — Logon Script (Windows) Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be … |
T1547.002 — Authentication Package Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the … |
T1484.001 — Group Policy Modification Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the … |
|||||||||||
|
T1209 — Time Providers The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers … |
T1068 — Exploitation for Privilege Escalation Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary … |
T1149 — LC_MAIN Hijacking **This technique has been deprecated and should no longer be used.** As of OS X 10.8, mach-O binaries introduced a … |
|||||||||||
|
T1137.002 — Office Test Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test … |
T1546.015 — Component Object Model Hijacking Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is … |
T1678 — Delay Execution Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing … |
|||||||||||
|
T1556.004 — Network Device Authentication Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication … |
T1546.010 — AppInit DLLs Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries … |
T1170 — Mshta Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML … |
|||||||||||
|
T1078.003 — Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
T1543.001 — Launch Agent Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs … |
T1027.005 — Indicator Removal from Tools Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can … |
|||||||||||
|
T1159 — Launch Agent Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for … |
T1078.002 — Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, … |
T1542.004 — ROMMONkit Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and … |
|||||||||||
|
T1205.002 — Socket Filters Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. … |
T1098.004 — SSH Authorized Keys Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors … |
T1183 — Image File Execution Options Injection Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, … |
|||||||||||
|
T1556.003 — Pluggable Authentication Modules Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is … |
T1547.006 — Kernel Modules and Extensions Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code … |
T1562.001 — Disable or Modify Tools Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many … |
|||||||||||
|
T1574.007 — Path Interception by PATH Environment Variable Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains … |
- T1548.004 — Elevated Execution with Prompt Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of …
- T1574 — Hijack Execution Flow Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be …
- T1574.002 — DLL Side-Loading Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program …
- T1484.002 — Trust Modification Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust …
- T1564.009 — Resource Forking Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource …
- T1546.006 — LC_LOAD_DYLIB Addition Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series …
- T1546.016 — Installer Packages Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages …
- T1222 — File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 …
- T1547.014 — Active Setup Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is …
- T1547.012 — Print Processors Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are …
- T1036.001 — Invalid Code Signature Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or …
- T1098.006 — Additional Container Cluster Roles An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to …
- T1574.010 — Services File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the …
- T1027.016 — Junk Code Insertion Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does …
- T1505.005 — Terminal Services DLL Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop …
- T1548.006 — TCC Manipulation Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. …
- T1134.005 — SID-History Injection Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique …
- T1137.005 — Outlook Rules Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define …
- T1546.014 — Emond Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is …
- T1553 — Subvert Trust Controls Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating …
- T1546.011 — Application Shimming Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility …
- T1055.012 — Process Hollowing Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a …
- T1117 — Regsvr32 Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), …
- T1543.004 — Launch Daemon Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files …
- T1055.008 — Ptrace System Calls Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as …
- T1054 — Indicator Blocking An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could …
- T1574.006 — Dynamic Linker Hijacking Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During …
- T1547.008 — LSASS Driver Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set …
- T1078 — Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or …
- T1176.002 — IDE Extensions Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) …
- T1055.001 — Dynamic-link Library Injection Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. …
- T1027 — Obfuscated Files or Information Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating …
- T1053.002 — At Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) …
- T1574.009 — Path Interception by Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that …
- T1144 — Gatekeeper Bypass In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set …
- T1078.001 — Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, …
- T1078.004 — Cloud Accounts Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense …
- T1506 — Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols …
- T1556 — Modify Authentication Process Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication …
- T1546.004 — Unix Shell Configuration Modification Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts …
- T1556.006 — Multi-Factor Authentication Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained …
- T1546.017 — Udev Rules Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that …
- T1218.009 — Regsvcs/Regasm Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are …
- T1546.009 — AppCert DLLs Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries …
- T1564.006 — Run Virtual Instance Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist …
- T1137.001 — Office Template Macros Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part …
- T1127.001 — MSBuild Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a …
- T1547.015 — Login Items Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, …
- T1218.010 — Regsvr32 Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister …
- T1546.003 — Windows Management Instrumentation Event Subscription Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. …
- T1574.005 — Executable Installer File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute …
- T1574.013 — KernelCallbackTable Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: …
- T1088 — Bypass User Account Control Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by …
- T1505.004 — IIS Components Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several …
- T1564.003 — Hidden Window Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that …
- T1554 — Compromise Host Software Binary Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system …
- T1147 — Hidden Users Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID …
- T1543.003 — Windows Service Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, …
- T1562.006 — Indicator Blocking An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could …
- T1176.001 — Browser Extensions Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs …
- T1564.007 — VBA Stomping Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source …
- T1505.006 — vSphere Installation Bundles Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used …
- T1197 — BITS Jobs Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) …
- T1053.005 — Scheduled Task Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There …
- T1223 — Compiled HTML File Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations …
- T1546.002 — Screensaver Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable …
- T1601.001 — Patch System Image Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the …
- T1574.008 — Path Interception by Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs …
- T1127.002 — ClickOnce Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA …
- T1037.004 — RC Scripts Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system …
- T1556.001 — Domain Controller Authentication Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to …
- T1547.013 — XDG Autostart Entries Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is …
- T1130 — Install Root Certificate Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is …
- T1546.007 — Netsh Helper DLL Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is …
- T1134 — Access Token Manipulation Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass …
- T1546.008 — Accessibility Features Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that …
- T1146 — Clear Command History In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the …
- T1574.012 — COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The …
- T1647 — Plist File Modification Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system …
- T1547.011 — Plist Modification Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are …
- T1064 — Scripting **This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.** Adversaries may use scripts to aid in …
- T1547.002 — Authentication Package Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the …
- T1036.006 — Space after Filename Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this …
- T1546.015 — Component Object Model Hijacking Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is …
- T1218.012 — Verclsid Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and …
- T1546.010 — AppInit DLLs Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries …
- T1070.004 — File Deletion Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped …
- T1168 — Local Job Scheduling On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux …
- T1556.005 — Reversible Encryption An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property …
- T1543.001 — Launch Agent Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs …
- T1221 — Template Injection Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, …
- T1078.002 — Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, …
- T1220 — XSL Script Processing Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) …
- T1158 — Hidden Files and Directories To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a …
- T1550.001 — Application Access Token Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services …
- T1098.004 — SSH Authorized Keys Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors …
- T1480 — Execution Guardrails Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are …
- T1136 — Create Account Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of …
- T1564.004 — NTFS File Attributes Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File …
- T1547.006 — Kernel Modules and Extensions Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code …
- T1027.012 — LNK Icon Smuggling Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut …
- T1653 — Power Settings Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. …
- T1196 — Control Panel Items Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered …
- T1505.001 — SQL Stored Procedures Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be …
- T1216 — System Script Proxy Execution Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts …
- T1546.016 — Installer Packages Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages …
- T1556.004 — Network Device Authentication Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication …
- T1547.012 — Print Processors Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are …
- T1078.003 — Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, …
- T1574.010 — Services File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the …
- T1564.010 — Process Argument Spoofing Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process …
- T1546.014 — Emond Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is …
- T1127 — Trusted Developer Utilities Proxy Execution Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for …
- T1556.009 — Conditional Access Policies Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional …
- T1134.004 — Parent PID Spoofing Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. …
- T1547.008 — LSASS Driver Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set …
- T1205.002 — Socket Filters Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. …
- T1574.009 — Path Interception by Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that …
- T1556.003 — Pluggable Authentication Modules Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is …
- T1078.004 — Cloud Accounts Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense …
- T1574.007 — Path Interception by PATH Environment Variable Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains …
- T1546.004 — Unix Shell Configuration Modification Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts …
- T1574.002 — DLL Side-Loading Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program …
- T1216.002 — SyncAppvPublishingServer Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how …
- T1600.001 — Reduce Key Space Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength …
- T1222.001 — Windows File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 …
- T1484 — Domain or Tenant Policy Modification Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally …
- T1218.003 — CMSTP Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line …
- T1562.004 — Disable or Modify System Firewall Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the …
- T1564.011 — Ignore Process Interrupts Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to …
- T1036.011 — Overwrite Process Arguments Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign …
- T1599.001 — Network Address Translation Traversal Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may …
- T1218.002 — Control Panel Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of …
- T1553.006 — Code Signing Policy Modification Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of …
- T1574.006 — Dynamic Linker Hijacking Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During …
- T1078.001 — Default Accounts Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, …
- T1556 — Modify Authentication Process Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication …
- T1564.014 — Extended Attributes Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. …
- T1055.004 — Asynchronous Procedure Call Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses …
- T1027.017 — SVG Smuggling Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave …
- T1036.002 — Right-to-Left Override Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make …
- T1601.002 — Downgrade System Image Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system …
- T1055.002 — Portable Executable Injection Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. …
- T1562.003 — Impair Command History Logging Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track …
- T1574.013 — KernelCallbackTable Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: …
- T1055.009 — Proc Memory Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as …
- T1548.003 — Sudo and Sudo Caching Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands …
- T1036.008 — Masquerade File Type Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, …
- T1036.003 — Rename Legitimate Utilities Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security …
- T1562.011 — Spoof Security Alerting Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced …
- T1553.004 — Install Root Certificate Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. …
- T1550.004 — Web Session Cookie Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols …
- T1070.010 — Relocate Malware Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence …
- T1553.001 — Gatekeeper Bypass Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a …
- T1574.008 — Path Interception by Search Order Hijacking Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs …
- T1027.002 — Software Packing Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of …
- T1055.005 — Thread Local Storage Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as …
- T1055.015 — ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well …
- T1550.002 — Pass the Hash Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. …
- T1070.008 — Clear Mailbox Data Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other …
- T1480.001 — Environmental Keying Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target …
- T1134.001 — Token Impersonation/Theft Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary …
- T1096 — NTFS File Attributes Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every …
- T1574.012 — COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The …
- T1656 — Impersonation Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action …
- T1599 — Network Boundary Bridging Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices …
- T1550.003 — Pass the Ticket Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. …
- T1186 — Process Doppelgänging Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To …
- T1078.002 — Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, …
- T1578.002 — Create Cloud Instance An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to …
- T1027.010 — Command Obfuscation Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns …
- T1070.009 — Clear Persistence Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This …
- T1158 — Hidden Files and Directories To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a …
- T1027.007 — Dynamic API Resolution Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair …
- T1672 — Email Spoofing Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish …
- T1151 — Space after Filename Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this …
- T1622 — Debugger Evasion Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze …
- T1126 — Network Share Connection Removal Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows …
- T1218.001 — Compiled HTML File Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the …
- T1027.014 — Polymorphic Code Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type …
- T1548.004 — Elevated Execution with Prompt Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of …
- T1211 — Exploitation for Defense Evasion Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary …
- T1578.001 — Create Snapshot An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a …
- T1118 — InstallUtil InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in …
- T1027.006 — HTML Smuggling Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML …
- T1484.002 — Trust Modification Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust …
- T1036.009 — Break Process Trees An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection …
- T1574.010 — Services File Permissions Weakness Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the …
- T1562.010 — Downgrade Attack Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated …
- T1548.006 — TCC Manipulation Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. …
|||||||||||||
|
T1027.004 — Compile After Delivery Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based … |
|||||||||||||
|
T1055.012 — Process Hollowing Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a … |
|||||||||||||
|
T1578.005 — Modify Cloud Compute Configurations Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to … |
|||||||||||||
|
T1556.009 — Conditional Access Policies Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional … |
|||||||||||||
|
T1564.005 — Hidden File System Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a … |
|||||||||||||
|
T1055.008 — Ptrace System Calls Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as … |
|||||||||||||
|
T1564.001 — Hidden Files and Directories Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing … |
|||||||||||||
|
T1055.001 — Dynamic-link Library Injection Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. … |
|||||||||||||
|
T1036.007 — Double File Extension Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file … |
|||||||||||||
|
T1562.007 — Disable or Modify Cloud Firewall Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. … |
|||||||||||||
|
T1574.009 — Path Interception by Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that … |
|||||||||||||
|
T1078.004 — Cloud Accounts Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense … |
|||||||||||||
|
T1027.015 — Compression Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR … |
|||||||||||||
|
T1036.010 — Masquerade Account Name Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically … |
Generated from techniques across 14 tactics.