| T1204.002 | Malicious File | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social … | execution |
| T1204.003 | Malicious Image | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machi… | execution |
| T1204.005 | Malicious Library | Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware… | execution |
| T1204.001 | Malicious Link | An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social… | execution |
| T1156 | Malicious Shell Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells exec… | persistence |
| T1583.008 | Malvertising | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased… | resource-development |
| T1587.001 | Malware | Adversaries may develop malware and malware components that can be used during targeting. Building malicious software ca… | resource-development |
| T1588.001 | Malware | Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloa… | resource-development |
| T1553.005 | Mark-of-the-Web Bypass | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downl… | defense-evasion |
| T1036.010 | Masquerade Account Name | Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This wil… | defense-evasion |
| T1036.008 | Masquerade File Type | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including… | defense-evasion |
| T1036.004 | Masquerade Task or Service | Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/servic… | defense-evasion |
| T1036 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/… | defense-evasion |
| T1036.005 | Match Legitimate Resource Name or Location | Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when na… | defense-evasion |
| T1218.013 | Mavinject | Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Vir… | defense-evasion |
| T1213.005 | Messaging Applications | Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valua… | collection |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarrante… | credential-access |
| T1578.005 | Modify Cloud Compute Configurations | Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infra… | defense-evasion |
| T1578 | Modify Cloud Compute Infrastructure | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to… | defense-evasion |
| T1666 | Modify Cloud Resource Hierarchy | Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to… | defense-evasion |
| T1031 | Modify Existing Service | Windows service configuration information, including the file path to the service's executable or recovery programs/comm… | persistence |
| T1112 | Modify Registry | Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, p… | defense-evasion |
| T1601 | Modify System Image | Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capa… | defense-evasion |
| T1218.005 | Mshta | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted … | defense-evasion |
| T1170 | Mshta | Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension `.hta`… | defense-evasion |
| T1218.007 | Msiexec | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for … | defense-evasion |
| T1556.006 | Multi-Factor Authentication | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromise… | credential-access |
| T1111 | Multi-Factor Authentication Interception | Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain… | credential-access |
| T1621 | Multi-Factor Authentication Request Generation | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating… | credential-access |
| T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certa… | command-and-control |
| T1188 | Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will… | command-and-control |
| T1090.003 | Multi-hop Proxy | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will … | command-and-control |
| T1026 | Multiband Communication | **This technique has been deprecated and should no longer be used.** Some adversaries may split communications between … | command-and-control |
| T1079 | Multilayer Encryption | An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a… | command-and-control |
| T1480.002 | Mutual Exclusion | Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a lo… | defense-evasion |
| T1003.003 | NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential … | credential-access |
| T1564.004 | NTFS File Attributes | Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology … | defense-evasion |
| T1096 | NTFS File Attributes | Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record f… | defense-evasion |
| T1106 | Native API | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs pr… | execution |
| T1128 | Netsh Helper DLL | Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configura… | persistence |
| T1546.007 | Netsh Helper DLL | Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also ref… | privilege-escalation |
| T1599.001 | Network Address Translation Traversal | Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuratio… | defense-evasion |
| T1599 | Network Boundary Bridging | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for … | defense-evasion |
| T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resourc… | impact |
| T1556.004 | Network Device Authentication | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the o… | credential-access |
| T1059.008 | Network Device CLI | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious comm… | execution |
| T1602.002 | Network Device Configuration Dump | Adversaries may access network configuration files to collect sensitive data about the device and the network. The netwo… | collection |
| T1584.008 | Network Devices | Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small… | resource-development |
| T1037.003 | Network Logon Script | Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Netwo… | persistence |
| T1556.008 | Network Provider DLL | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials … | credential-access |