| T1003.008 | /etc/passwd and /etc/shadow | Adversaries may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline … | credential-access |
| T1557.002 | ARP Cache Poisoning | Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two … | credential-access |
| T1558.004 | AS-REP Roasting | Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](http… | credential-access |
| T1548 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most mode… | privilege-escalation |
| T1134 | Access Token Manipulation | Adversaries may modify access tokens to operate under a different user or system security context to perform actions and… | defense-evasion |
| T1546.008 | Accessibility Features | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibilit… | privilege-escalation |
| T1015 | Accessibility Features | Windows contains accessibility features that may be launched with a key combination before a user has logged in (for exa… | persistence |
| T1531 | Account Access Removal | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legi… | impact |
| T1087 | Account Discovery | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compro… | discovery |
| T1098 | Account Manipulation | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consis… | persistence |
| T1650 | Acquire Access | Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online serv… | resource-development |
| T1583 | Acquire Infrastructure | Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastr… | resource-development |
| T1595 | Active Scanning | Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scan… | reconnaissance |
| T1547.014 | Active Setup | Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a… | persistence |
| T1137.006 | Add-ins | Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used… | persistence |
| T1098.001 | Additional Cloud Credentials | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts… | persistence |
| T1098.003 | Additional Cloud Roles | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent acc… | persistence |
| T1098.006 | Additional Container Cluster Roles | An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain pers… | persistence |
| T1098.002 | Additional Email Delegate Permissions | Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email accoun… | persistence |
| T1098.007 | Additional Local or Domain Groups | An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access … | persistence |
| T1557 | Adversary-in-the-Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (A… | credential-access |
| T1182 | AppCert DLLs | Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\C… | persistence |
| T1546.009 | AppCert DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs… | privilege-escalation |
| T1574.014 | AppDomainManager | Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The … | persistence |
| T1103 | AppInit DLLs | Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE… | persistence |
| T1546.010 | AppInit DLLs | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs… | privilege-escalation |
| T1059.002 | AppleScript | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applicati… | execution |
| T1155 | AppleScript | macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages… | execution |
| T1527 | Application Access Token | Adversaries may use application access tokens to bypass the typical authentication process and access restricted account… | defense-evasion |
| T1550.001 | Application Access Token | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted … | defense-evasion |
| T1017 | Application Deployment Software | Adversaries may deploy malicious software to systems within a network using application deployment systems employed by e… | lateral-movement |
| T1499.003 | Application Exhaustion Flood | Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availabil… | impact |
| T1071 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in wi… | command-and-control |
| T1546.011 | Application Shimming | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application … | privilege-escalation |
| T1138 | Application Shimming | The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for bac… | persistence |
| T1010 | Application Window Discovery | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how… | discovery |
| T1499.004 | Application or System Exploitation | Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability … | impact |
| T1560 | Archive Collected Data | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to … | collection |
| T1560.003 | Archive via Custom Method | An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may… | collection |
| T1560.002 | Archive via Library | An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many librar… | collection |
| T1560.001 | Archive via Utility | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include fu… | collection |
| T1588.007 | Artificial Intelligence | Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid … | resource-development |
| T1573.002 | Asymmetric Cryptography | Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relyin… | command-and-control |
| T1055.004 | Asynchronous Procedure Call | Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade p… | defense-evasion |
| T1053.002 | At | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial o… | execution |
| T1053.001 | At (Linux) | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, … | execution |
| T1123 | Audio Capture | An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice a… | collection |
| T1131 | Authentication Package | Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provi… | persistence |
| T1547.002 | Authentication Package | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs… | persistence |
| T1059.010 | AutoHotKey & AutoIT | Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and … | execution |