| ID | Technique | Description | Category |
|---|---|---|---|
| T1003.003 | NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential … | credential-access |
| T1564.004 | NTFS File Attributes | Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology … | stealth |
| T1096 | NTFS File Attributes (revoked ID; superseded by T1564.004) | Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record f… | stealth |
| T1557.001 | Name Resolution Poisoning and SMB Relay | By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to… | credential-access |
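The exchange behind T1557.001, as an added example that is not part of the original page or of the ATT&CK entry: a host multicasts an LLMNR query for a name, and a poisoner on the same segment answers with its own address before any legitimate holder of the name can. The code builds the query, builds the spoofed answer the way a poisoner would, parses both, and applies the canary check defenders use against this technique (query a name that cannot exist; any answer identifies the poisoner). The hostname `fileserver`, the transaction ID `0x1234` and the address `10.0.0.66` are constructed values.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels starting at `off`; follows 0xC0 compression pointers. Returns (name, next_offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                       # compression pointer: rest of the name lives elsewhere
            ptr = ((ln & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """LLMNR query: header with QR=0 and QDCOUNT=1, then one question (default: type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(buf: bytes) -> dict:
    """Parse an LLMNR query or response into header fields, questions and answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:               # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def build_poisoned_response(query: bytes, responder_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's move: answer whatever name was asked for with its own address."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)   # QR=1, one question, one answer
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(responder_ip)
    return header + question + answer


def canary_check(canary_name: str, txid: int, response: bytes):
    """Defender's check: nobody legitimately owns the canary name, so a matching A answer
    reveals a poisoner. Returns the answering IP, or None if the reply does not match."""
    r = parse_message(response)
    if not r["is_response"] or r["id"] != txid:
        return None
    for ans in r["answers"]:
        if ans["name"].lower() == canary_name.lower() and ans["type"] == 1:
            return ans["rdata"]
    return None


if __name__ == "__main__":
    query = build_query(0x1234, "fileserver")                 # constructed sample query
    poisoned = build_poisoned_response(query, "10.0.0.66")    # constructed poisoner address
    print(parse_message(poisoned))
    print("poisoner:", canary_check("fileserver", 0x1234, poisoned))
```

To run the canary on a live segment, send `build_query(txid, <random name>)` over UDP to `(LLMNR_GROUP, LLMNR_PORT)` and feed any reply that arrives on the sending socket to `canary_check`; a legitimate host only answers for names it owns, so a reply for a random name pinpoints the poisoner. Turning off multicast name resolution (LLMNR) and NetBIOS over TCP/IP on domain members removes the surface rather than just detecting its abuse.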
| ID | Technique | Description | Category |
|---|---|---|---|
| T1106 | Native API | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs pr… | execution |
| T1128 | Netsh Helper DLL (revoked ID; superseded by T1546.007) | Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configura… | persistence |
| T1546.007 | Netsh Helper DLL | Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also ref… | privilege-escalation |
| T1599.001 | Network Address Translation Traversal | Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuratio… | defense-impairment |
| T1599 | Network Boundary Bridging | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for … | defense-impairment |
| T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resourc… | impact |
| T1556.004 | Network Device Authentication | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the o… | defense-impairment |
| T1059.008 | Network Device CLI | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious comm… | execution |
| T1602.002 | Network Device Configuration Dump | Adversaries may access network configuration files to collect sensitive data about the device and the network. The netwo… | collection |
| T1686.002 | Network Device Firewall | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in … | defense-impairment |
| T1584.008 | Network Devices | Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small… | resource-development |
| T1037.003 | Network Logon Script | Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Netwo… | persistence |
| T1556.008 | Network Provider DLL | Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials … | defense-impairment |
| T1590.006 | Network Security Appliances | Adversaries may gather information about the victim's network security appliances that can be used during targeting. Inf… | reconnaissance |
| T1046 | Network Service Discovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, i… | discovery |
| T1070.005 | Network Share Connection Removal | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… | stealth |
| T1126 | Network Share Connection Removal (revoked ID; superseded by T1070.005) | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… | stealth |
| T1135 | Network Share Discovery | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to… | discovery |
| T1040 | Network Sniffing | Adversaries may passively sniff network traffic to capture information about an environment, including authentication ma… | credential-access |
| T1590.004 | Network Topology | Adversaries may gather information about the victim's network topology that can be used during targeting. Information ab… | reconnaissance |
| T1590.003 | Network Trust Dependencies | Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Info… | reconnaissance |
| T1050 | New Service (revoked ID; superseded by T1543.003, Windows Service) | When operating systems boot up, they can start programs or applications called services that perform background system f… | persistence |
| T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected… | command-and-control |
| T1132.002 | Non-Standard Encoding | Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic … | command-and-control |
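A custom-alphabet Base64 codec of the kind T1132.002 describes, together with the known-plaintext trick an analyst uses to recover the alphabet from captured traffic. This is an added example, not code from the original page or from any particular malware family; the rotated alphabet and the beacon string are constructed for illustration (real implants use arbitrary permutations of the 64 symbols, and the same recovery applies).

```python
import base64
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed for this example: the standard alphabet rotated by 17 positions.
# Any bijection of the 64 symbols behaves the same way; rotation just keeps the example readable.
CUSTOM_ALPHABET = STANDARD_ALPHABET[17:] + STANDARD_ALPHABET[:17]


def encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Base64-encode, then substitute each standard symbol with its custom counterpart ('=' padding is kept)."""
    if len(set(alphabet)) != 64 or len(alphabet) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Inverse substitution back to the standard alphabet, then ordinary Base64 decoding."""
    std = text.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    return base64.b64decode(std, validate=True)


def standard_decode(text: str) -> bytes:
    """What an analyst gets by decoding the wire string as plain Base64: valid-looking bytes
    (the symbol set is unchanged) that are not the real payload. This is the evasion the technique relies on."""
    return base64.b64decode(text, validate=True)


def recover_alphabet(known_plain: bytes, observed: str) -> dict:
    """Known-plaintext recovery: with one message whose content is known (a beacon's hostname,
    a fixed command keyword, a check-in string), each standard symbol maps to the symbol seen on the wire."""
    std = base64.b64encode(known_plain).decode("ascii")
    if len(std) != len(observed):
        raise ValueError("length mismatch: not a substitution over the same Base64 stream")
    mapping = {}
    for s, o in zip(std, observed):
        if s == "=":
            continue
        if mapping.setdefault(s, o) != o:
            raise ValueError(f"inconsistent substitution for {s!r}")
    return mapping


def decode_with_mapping(observed: str, mapping: dict) -> bytes:
    """Decode a further message with a (possibly partial) recovered mapping; an unrecovered symbol raises
    instead of silently producing garbage."""
    inverse = {o: s for s, o in mapping.items()}
    try:
        std = "".join("=" if ch == "=" else inverse[ch] for ch in observed)
    except KeyError as exc:
        raise ValueError(f"symbol {exc} not yet recovered") from exc
    return base64.b64decode(std, validate=True)


if __name__ == "__main__":
    beacon = b"id=7;host=WS01;cmd=whoami"     # constructed sample C2 message, not captured traffic
    wire = encode(beacon)
    print("on the wire:     ", wire)
    print("as std base64:   ", standard_decode(wire))
    print("with alphabet:   ", decode(wire))
    mapping = recover_alphabet(beacon, wire)
    print("recovered symbols:", len(mapping), "of 64")
```

The recovery is partial after one message (only the symbols that occur in it are learned), which is why `decode_with_mapping` refuses unknown symbols; feeding more known-plaintext pairs fills in the rest. The same approach works for any encoding that is a fixed substitution over a standard scheme, which covers most "custom Base64" seen in C2 traffic.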
| ID | Technique | Description | Category |
|---|---|---|---|
| T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over… | command-and-control |
| T1003 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a h… | credential-access |
| T1499.001 | OS Exhaustion Flood | Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is … | impact |
| T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or other… | stealth |
| T1588 | Obtain Capabilities | Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabi… | resource-development |
| T1218.008 | Odbcconf | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allo… | stealth |
| T1137 | Office Application Startup | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fai… | persistence |
| T1137.001 | Office Template Macros | Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contain… | persistence |
| T1137.002 | Office Test | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An … | persistence |
| T1102.003 | One-Way Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system… | command-and-control |
| T1137.003 | Outlook Forms | Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as t… | persistence |
| T1137.004 | Outlook Home Page | Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home … | persistence |
| T1137.005 | Outlook Rules | Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user … | persistence |
| T1036.011 | Overwrite Process Arguments | Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign p… | stealth |
| T1134.004 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… | stealth |
| T1502 | Parent PID Spoofing (revoked ID; superseded by T1134.004) | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… | stealth |
| T1075 | Pass the Hash (revoked ID; superseded by T1550.002) | Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This… | lateral-movement |
| T1550.002 | Pass the Hash | Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal s… | lateral-movement |
| T1550.003 | Pass the Ticket | Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing norma… | lateral-movement |
| T1097 | Pass the Ticket (revoked ID; superseded by T1550.003) | Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an accou… | lateral-movement |
| T1110.002 | Password Cracking | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when creden… | credential-access |
| ID | Technique | Description | Category |
|---|---|---|---|
| T1556.002 | Password Filter DLL | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acqu… | defense-impairment |