| ID | Technique | Description | Category |
|---|---|---|---|
| T1069.001 | Local Groups | Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission gr… | discovery |
| T1168 | Local Job Scheduling | On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron… | persistence |
| T1680 | Local Storage Discovery | Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume s… | discovery |
| T1654 | Log Enumeration | Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuabl… | discovery |
| T1037.002 | Login Hook | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that po… | persistence |
| T1162 | Login Item | macOS provides the option to list specific applications to run when a user logs in. These applications run under the log… | persistence |
| T1547.015 | Login Items | Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are a… | persistence |
| T1037.001 | Logon Script (Windows) | Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windo… | persistence |
| T1059.011 | Lua | Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language… | execution |
| T1218.014 | MMC | Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary… | stealth |
| T1127.001 | MSBuild | Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build E… | stealth |
| T1071.003 | Mail Protocols | Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detectio… | command-and-control |
| T1134.003 | Make and Impersonate Token | Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if… | stealth |
| T1204.004 | Malicious Copy and Paste | An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social … | execution |
| T1204.002 | Malicious File | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social … | execution |
| T1204.003 | Malicious Image | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machi… | execution |
| T1204.005 | Malicious Library | Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware… | execution |
| T1204.001 | Malicious Link | An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social… | execution |
| T1156 | Malicious Shell Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells exec… | persistence |
| T1583.008 | Malvertising | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased… | resource-development |
| T1587.001 | Malware | Adversaries may develop malware and malware components that can be used during targeting. Building malicious software ca… | resource-development |
| T1588.001 | Malware | Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloa… | resource-development |
| T1553.005 | Mark-of-the-Web Bypass | Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downl… | defense-impairment |
| T1036.010 | Masquerade Account Name | Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This wil… | stealth |
| T1036.008 | Masquerade File Type | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including… | stealth |
| T1036.004 | Masquerade Task or Service | Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/servic… | stealth |
| T1036 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/… | stealth |
| T1036.005 | Match Legitimate Resource Name or Location | Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when na… | stealth |
| T1218.013 | Mavinject | Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Vir… | stealth |
| T1213.005 | Messaging Applications | Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valua… | collection |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarrante… | defense-impairment |
| T1578.005 | Modify Cloud Compute Configurations | Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infra… | defense-impairment |
| T1578 | Modify Cloud Compute Infrastructure | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to… | defense-impairment |
| T1666 | Modify Cloud Resource Hierarchy | Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to… | defense-impairment |
| T1031 | Modify Existing Service | Windows service configuration information, including the file path to the service's executable or recovery programs/comm… | persistence |
| T1112 | Modify Registry | Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, p… | defense-impairment |
| T1601 | Modify System Image | Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capa… | defense-impairment |
| T1685.003 | Modify or Spoof Tool UI | Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normal… | defense-impairment |
| T1218.005 | Mshta | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted … | stealth |
| T1170 | Mshta | Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension `.hta`… | stealth |
| T1218.007 | Msiexec | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for … | stealth |
| T1556.006 | Multi-Factor Authentication | Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromise… | defense-impairment |
| T1111 | Multi-Factor Authentication Interception | Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain… | credential-access |
| T1621 | Multi-Factor Authentication Request Generation | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating… | credential-access |
| T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certa… | command-and-control |
| T1188 | Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will… | command-and-control |
| T1090.003 | Multi-hop Proxy | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will … | command-and-control |
| T1026 | Multiband Communication | **This technique has been deprecated and should no longer be used.** Some adversaries may split communications between … | command-and-control |
| T1079 | Multilayer Encryption | An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a… | command-and-control |
| T1480.002 | Mutual Exclusion | Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a lo… | stealth |