| ID | Name | Description | Tactic |
|---|---|---|---|
| T1590.006 | Network Security Appliances | Adversaries may gather information about the victim's network security appliances that can be used during targeting. Inf… | reconnaissance |
| T1046 | Network Service Discovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, i… | discovery |
| T1070.005 | Network Share Connection Removal | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… | defense-evasion |
| T1126 | Network Share Connection Removal | Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo… | defense-evasion |
| T1135 | Network Share Discovery | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to… | discovery |
| T1040 | Network Sniffing | Adversaries may passively sniff network traffic to capture information about an environment, including authentication ma… | credential-access |
| T1590.004 | Network Topology | Adversaries may gather information about the victim's network topology that can be used during targeting. Information ab… | reconnaissance |
| T1590.003 | Network Trust Dependencies | Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Info… | reconnaissance |
| T1050 | New Service | When operating systems boot up, they can start programs or applications called services that perform background system f… | persistence |
| T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected… | command-and-control |
| T1132.002 | Non-Standard Encoding | Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic … | command-and-control |
| T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over… | command-and-control |
| T1003 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a h… | credential-access |
| T1499.001 | OS Exhaustion Flood | Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is … | impact |
| T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or other… | defense-evasion |
| T1588 | Obtain Capabilities | Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabi… | resource-development |
| T1218.008 | Odbcconf | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allo… | defense-evasion |
| T1137 | Office Application Startup | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fai… | persistence |
| T1137.001 | Office Template Macros | Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contain… | persistence |
| T1137.002 | Office Test | Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An … | persistence |
| T1102.003 | One-Way Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system… | command-and-control |
| T1137.003 | Outlook Forms | Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as t… | persistence |
| T1137.004 | Outlook Home Page | Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home … | persistence |
| T1137.005 | Outlook Rules | Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user … | persistence |
| T1036.011 | Overwrite Process Arguments | Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign p… | defense-evasion |
| T1134.004 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… | defense-evasion |
| T1502 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e… | defense-evasion |
| T1075 | Pass the Hash | Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This… | lateral-movement |
| T1550.002 | Pass the Hash | Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal s… | defense-evasion |
| T1550.003 | Pass the Ticket | Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing norma… | defense-evasion |
| T1097 | Pass the Ticket | Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an accou… | lateral-movement |
| T1110.002 | Password Cracking | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when creden… | credential-access |
| T1556.002 | Password Filter DLL | Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acqu… | credential-access |
| T1174 | Password Filter DLL | Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are impl… | credential-access |
| T1110.001 | Password Guessing | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to at… | credential-access |
| T1555.005 | Password Managers | Adversaries may acquire user credentials from third-party password managers. (Citation: ise Password Manager February 201… | credential-access |
| T1201 | Password Policy Discovery | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cl… | discovery |
| T1110.003 | Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acqu… | credential-access |
| T1601.001 | Patch System Image | Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defense… | defense-evasion |
| T1034 | Path Interception | **This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.o… | persistence |
| T1574.007 | Path Interception by PATH Environment Variable | Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH… | persistence |
| T1574.008 | Path Interception by Search Order Hijacking | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because … | persistence |
| T1574.009 | Path Interception by Unquoted Path | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take … | persistence |
| T1120 | Peripheral Device Discovery | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer s… | discovery |
| T1069 | Permission Groups Discovery | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which… | discovery |
| T1566 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delive… | initial-access |
| T1598 | Phishing for Information | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for i… | reconnaissance |
| T1647 | Plist File Modification | Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evad… | defense-evasion |
| T1150 | Plist Modification | Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and servic… | defense-evasion |
| T1547.011 | Plist Modification | Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plis… | persistence |