A list of attack techniques (Techniques) associated with the tactic "Defense Impairment".
| Technique ID | Name | Description |
|---|---|---|
| T1112 | Modify Registry | Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, p… |
| T1207 | Rogue Domain Controller | Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used… |
| T1222 | File and Directory Permissions Modification | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… |
| T1222.001 | Windows Permissions | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… |
| T1222.002 | Linux and Mac Permissions | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… |
| T1484 | Domain or Tenant Policy Modification | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privi… |
| T1484.001 | Group Policy Modification | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, u… |
| T1484.002 | Trust Modification | Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configur… |
| T1553 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of un… |
| T1553.001 | Gatekeeper Bypass | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted … |
| T1553.002 | Code Signing | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a… |
| T1553.003 | SIP and Trust Provider Hijacking | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control to… |
| T1553.004 | Install Root Certificate | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary contro… |
| T1553.005 | Mark-of-the-Web Bypass | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downl… |
| T1553.006 | Code Signing Policy Modification | Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides … |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarrante… |
| T1556.001 | Domain Controller Authentication | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms … |
| T1556.002 | Password Filter DLL | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acqu… |
| T1556.003 | Pluggable Authentication Modules | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted… |
| T1556.004 | Network Device Authentication | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the o… |
| T1556.005 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows sy… |
| T1556.006 | Multi-Factor Authentication | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromise… |
| T1556.007 | Hybrid Identity | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user id… |
| T1556.008 | Network Provider DLL | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials … |
| T1556.009 | Conditional Access Policies | Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Condi… |
| T1578 | Modify Cloud Compute Infrastructure | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to… |
| T1578.001 | Create Snapshot | An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-tim… |
| T1578.002 | Create Cloud Instance | An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade de… |
| T1578.003 | Delete Cloud Instance | An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection… |
| T1578.004 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… |
| T1578.005 | Modify Cloud Compute Configurations | Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infra… |
| T1599 | Network Boundary Bridging | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for … |
| T1599.001 | Network Address Translation Traversal | Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuratio… |
| T1600 | Weaken Encryption | Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise p… |
| T1600.001 | Reduce Key Space | Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher … |
| T1600.002 | Disable Crypto Hardware | Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in so… |
| T1601 | Modify System Image | Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capa… |
| T1601.001 | Patch System Image | Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defense… |
| T1601.002 | Downgrade System Image | Adversaries may install an older version of the operating system of a network device to weaken security. Older operatin… |
| T1647 | Plist File Modification | Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evad… |
| T1666 | Modify Cloud Resource Hierarchy | Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to… |
| T1685 | Disable or Modify Tools | Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (… |
| T1685.001 | Disable or Modify Windows Event Log | Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. W… |
| T1685.002 | Disable or Modify Cloud Log | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their … |
| T1685.003 | Modify or Spoof Tool UI | Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normal… |
| T1685.004 | Disable or Modify Linux Audit System Log | Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins us… |
| T1685.005 | Clear Windows Event Logs | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a comp… |
| T1685.006 | Clear Linux or Mac System Logs | Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-in… |
| T1686 | Disable or Modify System Firewall | Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further acti… |
| T1686.001 | Cloud Firewall | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud re… |
| T1686.002 | Network Device Firewall | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in … |
| T1686.003 | Windows Host Firewall | Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include … |
| T1687 | Exploitation for Defense Impairment | Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disabl… |
| T1688 | Safe Mode Boot | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system w… |
| T1689 | Downgrade Attack | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support … |
| T1690 | Prevent Command History Logging | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp… |
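Several rows in this table correspond to commands that show up directly in process-creation telemetry (clearing Windows Event Logs, disabling the Linux audit system, turning off the Windows host firewall, forcing a safe-mode boot, suppressing shell history, enabling reversible password encryption). The script below is an added example, not part of the ATT&CK page or any vendor product: it tags constructed process-creation events with the technique IDs from this table using a small, hypothetical rule set. The regexes cover one commonly observed command line per technique and are assumptions for illustration, not a complete detection set; the sample events are constructed and not real incident data.

```python
"""
Tag process-creation events with Defense Impairment technique IDs.

Added illustration only: the rules and sample events below are constructed
for this example and do not come from MITRE ATT&CK or any vendor product.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique_id: str
    name: str
    pattern: re.Pattern


# Hypothetical rule set. Each pattern matches one well-known command line for
# the technique; adversaries have many other ways to achieve the same effect,
# so treat these as starting points, not coverage.
RULES = [
    Rule("T1685.005", "Clear Windows Event Logs",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("T1685.001", "Disable or Modify Windows Event Log",
         re.compile(r"\b(sc(\.exe)?\s+(config|stop)\s+eventlog|auditpol(\.exe)?\s+/clear)\b", re.I)),
    Rule("T1685.004", "Disable or Modify Linux Audit System Log",
         re.compile(r"\bauditctl\s+-e\s+0\b")),
    Rule("T1686.003", "Windows Host Firewall",
         re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    Rule("T1688", "Safe Mode Boot",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
    Rule("T1690", "Prevent Command History Logging",
         re.compile(r"(\bunset\s+HISTFILE\b|\bHISTSIZE=0\b|\bset\s+\+o\s+history\b)")),
    Rule("T1556.005", "Reversible Encryption",
         re.compile(r"AllowReversiblePasswordEncryption\s+\$?true", re.I)),
]


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    command_line: str


def classify(event):
    """Return the technique IDs whose pattern matches this event's command line."""
    return [r.technique_id for r in RULES if r.pattern.search(event.command_line)]


def triage(events):
    """Group matching events by technique ID: {technique_id: [events]}."""
    hits = {}
    for ev in events:
        for tid in classify(ev):
            hits.setdefault(tid, []).append(ev)
    return hits


# Constructed sample telemetry (hypothetical hosts and users, not real data).
SAMPLE_EVENTS = [
    Event("ws01", "CORP\\alice", "wevtutil.exe cl Security"),
    Event("ws01", "CORP\\alice", "netsh advfirewall set allprofiles state off"),
    Event("dc01", "CORP\\svc_backup", "bcdedit /set {default} safeboot minimal"),
    Event("web01", "root", "auditctl -e 0"),
    Event("web01", "www-data", "bash -c 'unset HISTFILE; HISTSIZE=0; id'"),
    Event("dc01", "CORP\\alice",
          "powershell Set-ADUser bob -AllowReversiblePasswordEncryption $true"),
    Event("ws02", "CORP\\bob", "notepad.exe C:\\Users\\bob\\notes.txt"),  # benign
]


if __name__ == "__main__":
    for tid, evs in sorted(triage(SAMPLE_EVENTS).items()):
        name = next(r.name for r in RULES if r.technique_id == tid)
        print(f"{tid} {name}")
        for ev in evs:
            print(f"    {ev.host} {ev.user}: {ev.command_line}")
```

Matching on raw command lines is deliberately simple so the mapping to the table is obvious; in practice these rules would be paired with the corresponding audit events (for example, the Security log's own cleared-log record, or the audit daemon's state change on Linux), since an adversary who has already impaired logging may have prevented the process-creation event from being recorded at all.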