A list of attack techniques (Techniques) associated with the "Stealth" tactic. Descriptions are truncated excerpts of the ATT&CK technique pages; several entries (e.g. T1009, T1045, T1064, T1108, T1149) are deprecated or revoked IDs retained for reference alongside their current replacements.
| Technique ID | Name | Description |
|---|---|---|
| T1006 | Direct Volume Access | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows progr… |
| T1009 | Binary Padding | Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting t… |
| T1014 | Rootkit | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other … |
| T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or other… |
| T1027.001 | Binary Padding | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done w… |
| T1027.002 | Software Packing | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing … |
| T1027.003 | Steganography | Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic tec… |
| T1027.004 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … |
| T1027.005 | Indicator Removal from Tools | Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwis… |
| T1027.006 | HTML Smuggling | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML… |
| T1027.007 | Dynamic API Resolution | Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious f… |
| T1027.008 | Stripped Payloads | Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable in… |
| T1027.009 | Embedded Payloads | Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign… |
| T1027.010 | Command Obfuscation | Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of … |
| T1027.011 | Fileless Storage | Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be br… |
| T1027.012 | LNK Icon Smuggling | Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise see… |
| T1027.013 | Encrypted/Encoded File | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. En… |
| T1027.014 | Polymorphic Code | Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic co… |
| T1027.015 | Compression | Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and… |
| T1027.016 | Junk Code Insertion | Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not… |
| T1027.017 | SVG Smuggling | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG … |
| T1027.018 | Invisible Unicode | Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, o… |
| T1036 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/… |
| T1036.001 | Invalid Code Signature | Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, … |
| T1036.002 | Right-to-Left Override | Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name … |
| T1036.003 | Rename Legitimate Utilities | Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those u… |
| T1036.004 | Masquerade Task or Service | Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/servic… |
| T1036.005 | Match Legitimate Resource Name or Location | Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when na… |
| T1036.006 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… |
| T1036.007 | Double File Extension | Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may … |
| T1036.008 | Masquerade File Type | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including… |
| T1036.009 | Break Process Trees | An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). … |
| T1036.010 | Masquerade Account Name | Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This wil… |
| T1036.011 | Overwrite Process Arguments | Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign p… |
| T1036.012 | Browser Fingerprint | Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating sys… |
| T1045 | Software Packing | Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signatur… |
| T1054 | Indicator Blocking | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T… |
| T1055 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileg… |
| T1055.001 | Dynamic-link Library Injection | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as … |
| T1055.002 | Portable Executable Injection | Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as poss… |
| T1055.003 | Thread Execution Hijacking | Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possib… |
| T1055.004 | Asynchronous Procedure Call | Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade p… |
| T1055.005 | Thread Local Storage | Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-… |
| T1055.008 | Ptrace System Calls | Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-b… |
| T1055.009 | Proc Memory | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses a… |
| T1055.011 | Extra Window Memory Injection | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defense… |
| T1055.012 | Process Hollowing | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Pr… |
| T1055.013 | Process Doppelgänging | Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as… |
| T1055.014 | VDSO Hijacking | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well… |
| T1055.015 | ListPlanting | Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-base… |
| T1064 | Scripting | **This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques… |
| T1066 | Indicator Removal from Tools | If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the ma… |
| T1070 | Indicator Removal | Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in wi… |
| T1070.001 | Clear Windows Event Logs | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a comp… |
| T1070.002 | Clear Linux or Mac System Logs | Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-in… |
| T1070.003 | Clear Command History | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the … |
| T1070.004 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… |
| T1070.005 | Network Share Connection Removal | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… |
| T1070.006 | Timestomp | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique … |
| T1070.007 | Clear Network Connection History and Configurations | Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operation… |
| T1070.008 | Clear Mailbox Data | Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow use… |
| T1070.009 | Clear Persistence | Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence o… |
| T1070.010 | Relocate Malware | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidenc… |
| T1073 | DLL Side-Loading | Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be … |
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Pri… |
| T1078.001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Pri… |
| T1078.002 | Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Priv… |
| T1078.003 | Local Accounts | Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privi… |
| T1078.004 | Cloud Accounts | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Pr… |
| T1085 | Rundll32 | The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functional… |
| T1088 | Bypass User Account Control | Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-leve… |
| T1089 | Disabling Security Tools | Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form… |
| T1093 | Process Hollowing | Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with ma… |
| T1096 | NTFS File Attributes | Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record f… |
| T1099 | Timestomp | Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activit… |
| T1107 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… |
| T1108 | Redundant Access | **This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell… |
| T1109 | Component Firmware | Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that wi… |
| T1116 | Code Signing | Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not bee… |
| T1117 | Regsvr32 | Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including … |
| T1118 | InstallUtil | InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific… |
| T1121 | Regsvcs/Regasm | Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemb… |
| T1122 | Component Object Model Hijacking | The Component Object Model (COM) is a system within Windows to enable interaction between software components through th… |
| T1126 | Network Share Connection Removal | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… |
| T1127 | Trusted Developer Utilities Proxy Execution | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many u… |
| T1127.001 | MSBuild | Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build E… |
| T1127.002 | ClickOnce | Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trus… |
| T1127.003 | JamPlus | Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code a… |
| T1130 | Install Root Certificate | Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certifi… |
| T1134 | Access Token Manipulation | Adversaries may modify access tokens to operate under a different user or system security context to perform actions and… |
| T1134.001 | Token Impersonation/Theft | Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access contro… |
| T1134.002 | Create Process with Token | Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes… |
| T1134.003 | Make and Impersonate Token | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if… |
| T1134.004 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… |
| T1134.005 | SID-History Injection | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identi… |
| T1140 | Deobfuscate/Decode Files or Information | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an… |
| T1143 | Hidden Window | Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, win… |
| T1144 | Gatekeeper Bypass | In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on t… |
| T1146 | Clear Command History | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the … |
| T1147 | Hidden Users | Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that a… |
| T1148 | HISTCONTROL | The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> comman… |
| T1149 | LC_MAIN Hijacking | **This technique has been deprecated and should no longer be used.** As of OS X 10.8, mach-O binaries introduced a new … |
| T1150 | Plist Modification | Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and servic… |
| T1151 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… |
| T1152 | Launchctl | Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute… |
| T1158 | Hidden Files and Directories | To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of… |
| T1170 | Mshta | Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</co… |
| T1181 | Extra Window Memory Injection | Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipula… |
| T1186 | Process Doppelgänging | Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microso… |
| T1191 | CMSTP | The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Mana… |
| T1196 | Control Panel Items | Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are… |
| T1197 | BITS Jobs | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background In… |
| T1198 | SIP and Trust Provider Hijacking | In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's ori… |
| T1202 | Indirect Command Execution | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of c… |
| T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or comman… |
| T1205.001 | Port Knocking | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an a… |
| T1205.002 | Socket Filters | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command an… |
| T1211 | Exploitation for Stealth | Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within … |
| T1216 | System Script Proxy Execution | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several … |
| T1216.001 | PubPrn | Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.m… |
| T1216.002 | SyncAppvPublishingServer | Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org… |
| T1218 | System Binary Proxy Execution | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, o… |
| T1218.001 | Compiled HTML File | Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part o… |
| T1218.002 | Control Panel | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (co… |
| T1218.003 | CMSTP | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CM… |
| T1218.004 | InstallUtil | Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-l… |
| T1218.005 | Mshta | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted … |
| T1218.007 | Msiexec | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for … |
| T1218.008 | Odbcconf | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allo… |
| T1218.009 | Regsvcs/Regasm | Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regas… |
| T1218.010 | Regsvr32 | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to … |
| T1218.011 | Rundll32 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.… |
| T1218.012 | Verclsid | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Ve… |
| T1218.013 | Mavinject | Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Vir… |
| T1218.014 | MMC | Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary… |
| T1218.015 | Electron Applications | Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many … |
| T1220 | XSL Script Processing | Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensib… |
| T1221 | Template Injection | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication… |
| T1223 | Compiled HTML File | Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed … |
| T1480 | Execution Guardrails | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment s… |
| T1480.001 | Environmental Keying | Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to … |
| T1480.002 | Mutual Exclusion | Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a lo… |
| T1497 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include chan… |
| T1497.001 | System Checks | Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may incl… |
| T1497.002 | User Activity Based Checks | Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This m… |
| T1497.003 | Time Based Checks | Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those… |
| T1500 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … |
| T1502 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… |
| T1506 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses som… |
| T1527 | Application Access Token | Adversaries may use application access tokens to bypass the typical authentication process and access restricted account… |
| T1535 | Unused/Unsupported Cloud Regions | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usual… |
| T1536 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… |
| T1542 | Pre-OS Boot | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process o… |
| T1542.001 | System Firmware | Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and The Unified Extens… |
| T1542.002 | Component Firmware | Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to comp… |
| T1542.003 | Bootkit | Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a h… |
| T1542.004 | ROMMONkit | Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persis… |
| T1542.005 | TFTP Boot | Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Pr… |
| T1562 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms… |
| T1562.001 | Disable or Modify Tools | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. … |
| T1562.002 | Disable Windows Event Logging | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows eve… |
| T1562.003 | Impair Command History Logging | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp… |
| T1562.004 | Disable or Modify System Firewall | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be … |
| T1562.006 | Indicator Blocking | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T… |
| T1562.007 | Disable or Modify Cloud Firewall | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud re… |
| T1562.008 | Disable or Modify Cloud Logs | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their … |
| T1562.009 | Safe Mode Boot | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system w… |
| T1562.010 | Downgrade Attack | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support … |
| T1562.011 | Spoof Security Alerting | Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of maliciou… |
| T1562.012 | Disable or Modify Linux Audit System | Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins us… |
| T1562.013 | Disable or Modify Network Device Firewall | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in … |
| T1564 | Hide Artifacts | Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have… |
| T1564.001 | Hidden Files and Directories | Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accid… |
| T1564.002 | Hidden Users | Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to… |
| T1564.003 | Hidden Window | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows t… |
| T1564.004 | NTFS File Attributes | Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology … |
| T1564.005 | Hidden File System | Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provi… |
| T1564.006 | Run Virtual Instance | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualiza… |
| T1564.007 | VBA Stomping | Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by repla… |
| T1564.008 | Email Hiding Rules | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users t… |
| T1564.009 | Resource Forking | Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applic… |
| T1564.010 | Process Argument Spoofing | Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line argum… |
| T1564.011 | Ignore Process Interrupts | Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operatin… |
| T1564.012 | File/Path Exclusions | Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded fr… |
| T1564.013 | Bind Mounts | Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind … |
| T1564.014 | Extended Attributes | Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade det… |
| T1574 | Hijack Execution Flow | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking exec… |
| T1574.001 | DLL | Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade … |
| T1574.002 | DLL Side-Loading | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/tec… |
| T1574.004 | Dylib Hijacking | Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a pat… |
| T1574.005 | Executable Installer File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may… |
| T1574.006 | Dynamic Linker Hijacking | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load … |
| T1574.007 | Path Interception by PATH Environment Variable | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH… |
| T1574.008 | Path Interception by Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because … |
| T1574.009 | Path Interception by Unquoted Path | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take … |
| T1574.010 | Services File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use fla… |
| T1574.011 | Services Registry Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the pe… |
| T1574.012 | COR_PROFILER | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .N… |
| T1574.013 | KernelCallbackTable | Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run the… |
| T1574.014 | AppDomainManager | Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The … |
| T1612 | Build Image on Host | Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of maliciou… |
| T1620 | Reflective Code Loading | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflectiv… |
| T1622 | Debugger Evasion | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace a… |
| T1656 | Impersonation | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing som… |
| T1672 | Email Spoofing | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establi… |
| T1678 | Delay Execution | Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system… |
| T1679 | Selective Exclusion | Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encrypt… |
| T1684 | Social Engineering | Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access,… |
| T1684.001 | Impersonation | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing som… |
| T1684.002 | Email Spoofing | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establi… |
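Several rows in the table above (T1036.002 Right-to-Left Override, T1036.006 Space after Filename, T1036.007 Double File Extension, T1027.018 Invisible Unicode) describe filename tricks that a defender can check for mechanically. The following is an added example written for this page, not code from MITRE or from the ATT&CK project; the extension lists, the "displayed name" rendering and the sample filenames are my own assumptions and constructed inputs, and the rendering of U+202E is a deliberate simplification of Unicode bidi layout that is sufficient to show the deception.

```python
import unicodedata

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character abused in T1036.002

# Assumption: extension sets chosen for illustration, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "hta", "lnk", "msi", "dll", "app"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "mp3", "mp4"}


def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after the first RTLO is rendered reversed.

    Simplified bidi model (assumption); real layout engines do more, but this is
    enough to show why 'report\\u202efdp.exe' looks like 'reportexe.pdf'.
    """
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def true_extension(name: str) -> str:
    """Extension the OS actually acts on: last dot-separated part, trailing spaces removed."""
    stripped = name.rstrip()
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def analyze_filename(name: str) -> list[str]:
    """Return a list of ATT&CK-labelled findings for one filename (empty if nothing suspicious)."""
    findings = []

    if RTLO in name:
        findings.append(
            f"T1036.002 right-to-left override: displayed as {displayed_name(name)!r}, "
            f"real extension .{true_extension(name)}"
        )

    # Any other format/control character (Unicode category Cf) is invisible when rendered.
    invisible = sorted({ch for ch in name if unicodedata.category(ch) == "Cf" and ch != RTLO})
    if invisible:
        codepoints = ", ".join(f"U+{ord(ch):04X}" for ch in invisible)
        findings.append(f"T1027.018 invisible Unicode characters: {codepoints}")

    if name != name.rstrip():
        findings.append("T1036.006 trailing whitespace after filename")

    parts = name.rstrip().split(".")
    if len(parts) >= 3 and parts[-1].lower() in EXECUTABLE_EXTS and parts[-2].lower() in DECOY_EXTS:
        findings.append(f"T1036.007 double extension: .{parts[-2]} decoy hiding .{parts[-1]}")

    return findings


def scan(names: list[str]) -> dict[str, list[str]]:
    """Run analyze_filename over a batch and keep only names with findings."""
    return {n: f for n in names if (f := analyze_filename(n))}


# Constructed sample filenames (assumption: not taken from any real incident).
SAMPLES = [
    "readme.txt",
    "report\u202efdp.exe",        # renders as reportexe.pdf
    "invoice.pdf.exe",            # double extension
    "notes.txt ",                 # trailing space
    "Quarterly\u200breport.docx", # zero-width space inside the name
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(repr(name))
        for hit in hits:
            print("   ", hit)
```

Run it on a directory listing (`os.listdir`) or on filenames pulled from mail-gateway or EDR file-creation events; a non-empty result is a triage signal, not a verdict, since trailing spaces and zero-width characters also appear in benign files produced by careless copy-paste.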
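The rows for T1027.001 Binary Padding, T1027.002 / T1045 Software Packing and T1027.013 Encrypted/Encoded File all change the on-disk look of a payload in ways a simple byte-level triage can surface. The block below is an added example written for this page, not code from the ATT&CK project; the entropy threshold, the minimum padding run and the three sample blobs are assumptions constructed here so it runs offline.

```python
import math
import random
from collections import Counter

# Assumption: thresholds chosen for illustration. Tune against your own corpus.
PACKED_ENTROPY_THRESHOLD = 7.2   # bits per byte; random/compressed data approaches 8.0
MIN_PADDING_RUN = 64             # shorter repeated tails are normal (alignment, section padding)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte histogram of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_padding(data: bytes, min_run: int = MIN_PADDING_RUN) -> int:
    """Length of the single-byte run at the end of data, or 0 if shorter than min_run.

    Binary padding (T1027.001) commonly appends a long run of one byte value so the
    file hash changes and the size exceeds scanner limits.
    """
    if not data:
        return 0
    last = data[-1]
    run = 0
    for b in reversed(data):
        if b != last:
            break
        run += 1
    return run if run >= min_run else 0


def classify(data: bytes) -> dict:
    """Triage one blob: entropy, padding length and a coarse ATT&CK-labelled verdict."""
    body_end = len(data) - trailing_padding(data)
    result = {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "body_entropy": round(shannon_entropy(data[:body_end]), 3),
        "padding_bytes": len(data) - body_end,
    }
    verdicts = []
    if result["padding_bytes"]:
        verdicts.append("T1027.001 binary padding")
    # Judge packing on the body so padding cannot mask a high-entropy payload.
    if result["body_entropy"] >= PACKED_ENTROPY_THRESHOLD:
        verdicts.append("T1027.002 / T1027.013 packed or encrypted content")
    result["verdict"] = verdicts or ["no byte-level indicators"]
    return result


# Constructed samples (assumption: synthetic, not real malware).
PLAIN_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 100
PACKED_SAMPLE = random.Random(1337).randbytes(4096)       # stands in for encrypted/packed bytes
PADDED_SAMPLE = PACKED_SAMPLE + b"\x00" * 2048             # same payload with 2 KiB of padding

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("padded", PADDED_SAMPLE)]:
        print(label, classify(blob))
```

Entropy alone is a weak signal: legitimate installers, media files and compressed resources also score near 8 bits per byte, which is why the verdict here is meant to route a file to deeper analysis (unpacking, section-level entropy, signature checks) rather than to block it. Measuring the body separately from the padding matters because a padded payload's whole-file entropy drops toward the plaintext range.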