This is a list of techniques associated with the tactic "Persistence".
| Technique ID | Name | Description |
|---|---|---|
| T1004 | Winlogon Helper DLL | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SA… |
| T1013 | Port Monitors | A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: … |
| T1015 | Accessibility Features | Windows contains accessibility features that may be launched with a key combination before a user has logged in (for exa… |
| T1019 | System Firmware | The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interfa… |
| T1023 | Shortcut Modification | Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the sho… |
| T1031 | Modify Existing Service | Windows service configuration information, including the file path to the service's executable or recovery programs/comm… |
| T1034 | Path Interception | **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.o… |
| T1037 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: M… |
| T1037.001 | Logon Script (Windows) | Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windo… |
| T1037.002 | Login Hook | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that po… |
| T1037.003 | Network Logon Script | Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Netwo… |
| T1037.004 | RC Scripts | Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. T… |
| T1037.005 | Startup Items | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items … |
| T1038 | DLL Search Order Hijacking | Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) A… |
| T1042 | Change Default File Association | When a file is opened, the default program used to open the file (also called the file association or handler) is checke… |
| T1044 | File System Permissions Weakness | Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the… |
| T1050 | New Service | When operating systems boot up, they can start programs or applications called services that perform background system f… |
| T1058 | Service Registry Permissions Weakness | Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Service… |
| T1060 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… |
| T1062 | Hypervisor | **This technique has been deprecated and should no longer be used.** A type-1 hypervisor is a software layer that sits … |
| T1067 | Bootkit | A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) an… |
| T1084 | Windows Management Instrumentation Event Subscription | Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that e… |
| T1098 | Account Manipulation | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consis… |
| T1098.001 | Additional Cloud Credentials | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts… |
| T1098.002 | Additional Email Delegate Permissions | Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email accoun… |
| T1098.003 | Additional Cloud Roles | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent acc… |
| T1098.004 | SSH Authorized Keys | Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distrib… |
| T1098.005 | Device Registration | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authent… |
| T1098.006 | Additional Container Cluster Roles | An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain pers… |
| T1098.007 | Additional Local or Domain Groups | An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access … |
| T1100 | Web Shell | A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web serve… |
| T1101 | Security Support Provider | Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start.… |
| T1103 | AppInit DLLs | Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE… |
| T1128 | Netsh Helper DLL | Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configura… |
| T1131 | Authentication Package | Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provi… |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote ser… |
| T1136 | Create Account | Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With … |
| T1136.001 | Local Account | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an o… |
| T1136.002 | Domain Account | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Activ… |
| T1136.003 | Cloud Account | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such acc… |
| T1137 | Office Application Startup | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fai… |
| T1137.001 | Office Template Macros | Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contain… |
| T1137.002 | Office Test | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An … |
| T1137.003 | Outlook Forms | Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as t… |
| T1137.004 | Outlook Home Page | Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home … |
| T1137.005 | Outlook Rules | Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user … |
| T1137.006 | Add-ins | Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used… |
| T1138 | Application Shimming | The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for bac… |
| T1156 | Malicious Shell Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells exec… |
| T1157 | Dylib Hijacking | macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search… |
| T1159 | Launch Agent | Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the paramete… |
| T1160 | Launch Daemon | Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This p… |
| T1161 | LC_LOAD_DYLIB Addition | Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOA… |
| T1162 | Login Item | MacOS provides the option to list specific applications to run when a user logs in. These applications run under the log… |
| T1163 | Rc.common | During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various u… |
| T1164 | Re-opened Applications | Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machi… |
| T1165 | Startup Items | Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or… |
| T1168 | Local Job Scheduling | On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron… |
| T1176 | Software Extensions | Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modu… |
| T1176.001 | Browser Extensions | Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions o… |
| T1176.002 | IDE Extensions | Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim sys… |
| T1179 | Hooking | Windows processes often leverage application programming interface (API) functions to perform tasks that require reusabl… |
| T1180 | Screensaver | Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (… |
| T1182 | AppCert DLLs | Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\C… |
| T1209 | Time Providers | The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time … |
| T1215 | Kernel Modules and Extensions | Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They e… |
| T1501 | Systemd Service | Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used fo… |
| T1504 | PowerShell Profile | Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mit… |
| T1505 | Server Software Component | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. E… |
| T1505.001 | SQL Stored Procedures | Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code th… |
| T1505.002 | Transport Agent | Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport… |
| T1505.003 | Web Shell | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web scr… |
| T1505.004 | IIS Components | Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish pe… |
| T1505.005 | Terminal Services DLL | Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Service… |
| T1505.006 | vSphere Installation Bundles | Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are c… |
| T1519 | Emond | Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on pre… |
| T1525 | Implant Internal Image | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to a… |
| T1543 | Create or Modify System Process | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.… |
| T1543.001 | Launch Agent | Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a u… |
| T1543.002 | Systemd Service | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Syste… |
| T1543.003 | Windows Service | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When … |
| T1543.004 | Launch Daemon | Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are… |
| T1543.005 | Container Service | Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or service… |
| T1546.017 | Udev Rules | Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux k… |
| T1546.018 | Python Startup Hooks | Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) fil… |
| T1547 | Boot or Logon Autostart Execution | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain per… |
| T1547.001 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… |
| T1547.002 | Authentication Package | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs… |
| T1547.003 | Time Providers | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables t… |
| T1547.004 | Winlogon Helper DLL | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Win… |
| T1547.005 | Security Support Provider | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are load… |
| T1547.006 | Kernel Modules and Extensions | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are p… |
| T1547.007 | Re-opened Applications | Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or rest… |
| T1547.008 | LSASS Driver | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem… |
| T1547.009 | Shortcut Modification | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or sym… |
| T1547.010 | Port Monitors | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escal… |
| T1547.011 | Plist Modification | Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plis… |
| T1547.012 | Print Processors | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalat… |
| T1547.013 | XDG Autostart Entries | Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop envi… |
| T1547.014 | Active Setup | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a… |
| T1547.015 | Login Items | Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are a… |
| T1554 | Compromise Host Software Binary | Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables p… |
| T1653 | Power Settings | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machi… |
| T1668 | Exclusive Control | Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them … |
| T1671 | Cloud Application Integration | Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment.… |