| ID | Technique | Description | Tactic |
|---|---|---|---|
| T1556.003 | Pluggable Authentication Modules | Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted… | credential-access |
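A planted PAM module leaves traces in the stack configuration before anyone notices stolen passwords. The example below, added here and not ATT&CK's code, parses a pam.d-style stack and flags the patterns behind T1556.003: a module loaded from outside the distribution's module directory, an unknown module stacked ahead of pam_unix.so in the auth stack (where it receives every cleartext password), pam_permit.so in auth or account, and nullok. The sample config and both allow-lists (TRUSTED_MODULE_DIRS, KNOWN_MODULES) are constructed assumptions to adapt per distribution. It checks configuration only; a modified pam_unix.so binary itself needs a package-integrity check (rpm -V pam, debsums) or a hash comparison against a known-good copy.

```python
"""Audit a PAM stack file (/etc/pam.d/<service> syntax) for backdoor patterns.

Added example for T1556.003; this is not ATT&CK's code. The sample config and
the allow-lists below are constructed assumptions: adapt TRUSTED_MODULE_DIRS
and KNOWN_MODULES to the distribution being audited.
"""
import os
import re
from dataclasses import dataclass

# Directories a stock distribution loads PAM modules from (assumption).
TRUSTED_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
}
# Modules expected in a typical auth stack ahead of pam_unix.so (assumption).
KNOWN_MODULES = {"pam_env.so", "pam_faildelay.so", "pam_nologin.so", "pam_succeed_if.so",
                 "pam_unix.so", "pam_deny.so", "pam_limits.so", "pam_faillock.so"}

# type control module [args], with optional leading '-' and [bracketed] control values
PAM_LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamRule:
    lineno: int
    type: str      # auth / account / password / session
    control: str   # required / sufficient / ... or a [value=action ...] expression
    module: str    # module path exactly as written
    args: list


def parse_pam_config(text):
    """Parse pam.d lines into rules; comments, blank lines and @include lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            _, typ, control, module, args = m.groups()
            rules.append(PamRule(lineno, typ.lower(), control, module, args.split()))
    return rules


def audit_pam_config(text, known_modules=KNOWN_MODULES):
    """Return human-readable findings for the patterns behind T1556.003."""
    findings = []
    seen_unix_auth = False
    for r in parse_pam_config(text):
        base = os.path.basename(r.module)
        if os.path.isabs(r.module) and os.path.dirname(r.module) not in TRUSTED_MODULE_DIRS:
            findings.append(f"line {r.lineno}: module loaded from untrusted path {r.module}")
        if base == "pam_permit.so" and r.type in ("auth", "account"):
            findings.append(f"line {r.lineno}: pam_permit.so in {r.type} stack accepts any user")
        if r.type == "auth" and base not in known_modules and not seen_unix_auth:
            # A foreign module stacked before pam_unix.so sees every cleartext password.
            findings.append(f"line {r.lineno}: unknown module {base} precedes pam_unix.so in auth stack")
        if r.type == "auth" and base == "pam_unix.so":
            seen_unix_auth = True
            if "nullok" in r.args:
                findings.append(f"line {r.lineno}: nullok lets accounts with empty passwords log in")
    return findings


# Constructed /etc/pam.d/sshd-style file: line 3 is the planted credential stealer.
SAMPLE_PAM_SSHD = """\
# PAM configuration for sshd (constructed sample)
auth     required   pam_env.so
auth     sufficient /tmp/.x/pam_steal.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
password sufficient pam_unix.so sha512 shadow
session  required   pam_limits.so
"""

if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_PAM_SSHD):
        print(finding)
```

Run it against every file under /etc/pam.d; the ordering check is the one that matters most, because a stealer is normally inserted as `sufficient` or `optional` ahead of pam_unix.so so that it logs the password and then steps aside.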
| T1677 | Poisoned Pipeline Execution | Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code… | execution |
| T1027.014 | Polymorphic Code | Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic co… | defense-evasion |
| T1205.001 | Port Knocking | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an a… | defense-evasion |
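Port knocking is a client hitting a secret sequence of closed ports, and a daemon that opens the real service for that source only after it sees the whole sequence in order. The example below, added here and not part of ATT&CK's page, shows both halves: the per-source state machine a knock daemon keeps (wrong port or timeout resets progress), and a hunt over firewall logs for the signature a knock leaves even when the sequence is unknown, namely several distinct closed ports hit by one source within seconds, followed by an accepted connection. The log lines are constructed, and the `<ts> DROP|ACCEPT SRC= DPT=` shape is an assumption about the log format (real iptables/nftables logs carry these fields inside syslog lines).

```python
"""Port knocking from both sides: the daemon's per-source state machine, and a
hunt over firewall logs for knock-like bursts.

Added example for T1205.001; not ATT&CK's code. The log lines are constructed
and their "<ts> DROP|ACCEPT SRC=<ip> DPT=<port>" shape is an assumption about
the log format (real iptables/nftables logs carry these fields inside syslog).
"""
import re
from collections import defaultdict


class KnockTracker:
    """Advance a source through `sequence` one correct port at a time."""

    def __init__(self, sequence, window=10.0):
        self.sequence = list(sequence)
        self.window = window          # seconds allowed from first knock to last
        self._state = {}              # src -> (next index expected, time of first knock)

    def observe(self, src, port, ts):
        """Record one packet; return True when src completes the sequence in order and in time."""
        idx, start = self._state.get(src, (0, ts))
        if ts - start > self.window:               # too slow: the attempt is void
            idx, start = 0, ts
        if port == self.sequence[idx]:
            idx += 1
        else:                                      # any wrong port resets progress
            idx, start = (1, ts) if port == self.sequence[0] else (0, ts)
        if idx == len(self.sequence):
            self._state.pop(src, None)
            return True                            # daemon would now open the real port for src
        self._state[src] = (idx, start)
        return False


LOG_LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)")


def parse_fw_log(lines):
    """Return (ts, action, src, dst_port) tuples for lines matching the assumed format."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append((float(m["ts"]), m["action"], m["src"], int(m["dpt"])))
    return events


def find_knock_bursts(events, min_ports=3, window=10.0):
    """Flag sources whose drops hit >= min_ports distinct closed ports within `window`
    seconds and that then get an ACCEPT shortly after the last knock: the
    signature a knock sequence leaves even when the sequence itself is unknown."""
    by_src = defaultdict(list)
    for ts, action, src, dpt in sorted(events):
        by_src[src].append((ts, action, dpt))
    hits = {}
    for src, evs in by_src.items():
        drops = [(ts, dpt) for ts, action, dpt in evs if action == "DROP"]
        for i, (t0, _) in enumerate(drops):
            in_window = [(ts, dpt) for ts, dpt in drops[i:] if ts - t0 <= window]
            ports = {dpt for _, dpt in in_window}
            if len(ports) < min_ports:
                continue
            t_last = in_window[-1][0]
            opened = [dpt for ts, action, dpt in evs
                      if action == "ACCEPT" and t_last < ts <= t_last + window]
            if opened:
                hits[src] = {"knock_ports": sorted(ports), "opened": opened[0]}
                break
    return hits


# Constructed log: 203.0.113.7 knocks 7000, 8000, 9000 and then reaches SSH;
# 198.51.100.9 just retries one closed port.
SAMPLE_FW_LOG = """\
100.0 DROP SRC=203.0.113.7 DPT=7000
100.2 DROP SRC=198.51.100.9 DPT=445
100.4 DROP SRC=203.0.113.7 DPT=8000
100.9 DROP SRC=203.0.113.7 DPT=9000
101.5 ACCEPT SRC=203.0.113.7 DPT=22
130.0 DROP SRC=198.51.100.9 DPT=445
""".splitlines()

if __name__ == "__main__":
    print(find_knock_bursts(parse_fw_log(SAMPLE_FW_LOG)))
```

The hunt only works if drops to closed ports are logged at all, which is the practical takeaway: a firewall that silently drops gives a knock daemon perfect cover.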
| T1013 | Port Monitors | A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: … | persistence |
| T1547.010 | Port Monitors | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escal… | persistence |
| T1055.002 | Portable Executable Injection | Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as poss… | defense-evasion |
| T1653 | Power Settings | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machi… | persistence |
| T1059.001 | PowerShell | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line i… | execution |
| T1086 | PowerShell | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating … | execution |
| T1546.013 | PowerShell Profile | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.… | privilege-escalation |
| T1504 | PowerShell Profile | Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mit… | persistence |
| T1542 | Pre-OS Boot | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process o… | defense-evasion |
| T1547.012 | Print Processors | Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalat… | persistence |
| T1145 | Private Keys | Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. … | credential-access |
| T1552.004 | Private Keys | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Priva… | credential-access |
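Both Private Keys entries (T1145 and T1552.004) come down to the same search an adversary runs: find key files by name, extension or PEM header, then take the ones that are not passphrase-protected. The example below, added here and not ATT&CK's code, runs that search defensively over a directory tree and distinguishes encrypted from cleartext keys per format, including the OpenSSH format whose header never says "ENCRYPTED" (the cipher name is inside the base64 body, and "none" means no passphrase). The sample files are constructed header-only stand-ins with no real key material, and the extension and file-name lists are assumptions.

```python
"""Find private keys on disk and tell the unprotected ones from the encrypted ones.

Added example for T1145 / T1552.004; not ATT&CK's code. The key files below
are constructed header-only samples (no real key material); the extension and
file-name lists are assumptions to widen or narrow per environment.
"""
import base64
import os
import stat
import struct
import tempfile

KEY_EXTENSIONS = {".pem", ".key", ".ppk", ".p12", ".pfx"}
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def openssh_cipher(pem_text):
    """Cipher name recorded inside an OpenSSH-format key; 'none' means no passphrase.

    The base64 body starts with the magic "openssh-key-v1\\0" followed by a
    length-prefixed cipher name, so the format itself says whether it is encrypted."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    off = len(magic)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()


def classify_key(data):
    """Return (format, encrypted) for private-key bytes, or None if this is not a key."""
    text = data.decode("utf-8", errors="replace")
    head = text.lstrip()[:64]
    if "BEGIN OPENSSH PRIVATE KEY" in head:
        return "openssh", openssh_cipher(text) != "none"
    if "BEGIN ENCRYPTED PRIVATE KEY" in head:     # PKCS#8, passphrase-protected
        return "pkcs8", True
    if "BEGIN PRIVATE KEY" in head:               # PKCS#8, cleartext
        return "pkcs8", False
    if "PRIVATE KEY-----" in head:                # legacy RSA/EC/DSA PEM; encrypted only with Proc-Type
        return "pem", "Proc-Type: 4,ENCRYPTED" in text
    if head.startswith("PuTTY-User-Key-File"):
        enc = next((l for l in text.splitlines() if l.startswith("Encryption:")), "Encryption: none")
        return "putty", enc.split(":", 1)[1].strip() != "none"
    return None


def scan_for_private_keys(root):
    """Walk `root`, classify candidate files and flag unencrypted or world-readable keys."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name not in KEY_NAMES and ext not in KEY_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4096)
            except OSError:
                continue
            cls = classify_key(data)
            if cls is None:
                continue
            kind, encrypted = cls
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({"path": os.path.relpath(path, root), "kind": kind,
                             "encrypted": encrypted, "world_readable": bool(mode & stat.S_IROTH)})
    return sorted(findings, key=lambda f: f["path"])


def _fake_openssh_key(cipher):
    """Constructed OpenSSH-format header carrying `cipher`; no key material follows."""
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", 4) + b"none")            # kdfname; later fields omitted
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample tree: relative path -> file content.
SAMPLE_FILES = {
    ".ssh/id_ed25519": _fake_openssh_key("none"),            # no passphrase, and written 0644 below
    ".ssh/id_rsa": _fake_openssh_key("aes256-ctr"),
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "certs/old.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "work/jump.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: jump\n",
    "notes/readme.pem": "just text, not a key\n",
}


def write_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644 if rel.endswith("id_ed25519") else 0o600)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return scan_for_private_keys(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Point the scanner at home directories, web roots and CI runner workspaces; the cleartext hits are the ones to rotate first, and the world-readable ones are the ones any local user could already have copied.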
| T1003.007 | Proc Filesystem | Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used … | credential-access |
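The mechanics of this technique are two files per process: /proc/<pid>/maps lists the address ranges and what backs them, and /proc/<pid>/mem lets a reader with ptrace rights pull bytes from any of those ranges. The example below, added here and not ATT&CK's code, parses a maps listing, keeps only the writable private regions (heap, stack, anonymous mappings) where runtime secrets such as passwords and session keys live, and searches them for a marker; the maps text is constructed and the self-scan at the end only reads the current process. Reading another process's mem needs the same access as attaching a debugger, which is also the defensive lever: kernel.yama.ptrace_scope of 1 or higher blocks same-uid reads, and opens of /proc/*/mem by anything that is not a debugger are worth an audit rule.

```python
"""Harvesting secrets through /proc/<pid>/maps and /proc/<pid>/mem.

Added example for T1003.007; not ATT&CK's code. SAMPLE_MAPS is a constructed
maps listing, and the self-scan at the bottom only touches this process.
Reading another process's mem needs the same rights as attaching a debugger.
"""
import re
from dataclasses import dataclass

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. "rw-p"
    path: str    # backing file, "[heap]", "[stack]", or "" for anonymous

    @property
    def size(self):
        return self.end - self.start


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Region objects."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[7].strip()))
    return regions


def candidate_regions(regions):
    """Keep readable+writable private mappings that are anonymous, heap or stack.

    File-backed mappings hold code and constants; runtime secrets (passwords,
    session keys, decrypted config) live in these writable regions."""
    keep = []
    for r in regions:
        if r.perms[0] != "r" or r.perms[1] != "w" or r.perms[3] != "p":
            continue
        if r.path and not r.path.startswith(("[heap]", "[stack")):
            continue
        keep.append(r)
    return keep


def scan_regions(regions, read_fn, needle, context=16):
    """Search each region's bytes for `needle`; read_fn(start, size) returns bytes or None."""
    hits = []
    for r in regions:
        data = read_fn(r.start, r.size)
        if not data:
            continue
        pos = data.find(needle)
        while pos != -1:
            hits.append((r.start + pos, data[pos:pos + len(needle) + context]))
            pos = data.find(needle, pos + 1)
    return hits


def proc_mem_reader(pid):
    """read_fn backed by /proc/<pid>/mem (needs ptrace access: same uid with
    kernel.yama.ptrace_scope=0, or CAP_SYS_PTRACE)."""
    fh = open(f"/proc/{pid}/mem", "rb", buffering=0)

    def read(start, size):
        try:
            fh.seek(start)
            return fh.read(size)
        except (OSError, ValueError):   # region vanished or not readable
            return None
    return read


def harvest(pid, needle):
    """End-to-end: pick regions from maps, then search them via mem."""
    with open(f"/proc/{pid}/maps") as fh:
        regions = candidate_regions(parse_maps(fh.read()))
    return scan_regions(regions, proc_mem_reader(pid), needle)


# Constructed maps listing in the format the kernel emits.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r--p 00000000 fd:01 1311    /usr/bin/sshd
55d0c0a21000-55d0c0b4c000 r-xp 00021000 fd:01 1311    /usr/bin/sshd
55d0c1e3a000-55d0c1e8b000 rw-p 00000000 00:00 0       [heap]
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
7f3a2d4c0000-7f3a2d4e2000 r--p 00000000 fd:01 2203    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd8e1a0000-7ffd8e1c1000 rw-p 00000000 00:00 0       [stack]
7ffd8e1f3000-7ffd8e1f5000 r--p 00000000 00:00 0       [vvar]
7ffd8e1f5000-7ffd8e1f7000 r-xp 00000000 00:00 0       [vdso]
"""

if __name__ == "__main__":
    import os
    secret = bytearray(b"PASSWORD=hunter2-demo-marker")   # constructed; sits in this process's heap
    for addr, snippet in harvest(os.getpid(), b"PASSWORD="):
        print(hex(addr), snippet)
```

The region filter is what separates this from a naive full-memory dump: skipping file-backed mappings cuts the read volume by orders of magnitude and is exactly why tooling that targets ssh-agent or sshd goes straight for the heap.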
| T1055.009 | Proc Memory | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses a… | defense-evasion |
| T1564.010 | Process Argument Spoofing | Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line argum… | defense-evasion |
| T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to ga… | discovery |
| T1055.013 | Process Doppelgänging | Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as… | defense-evasion |
| T1186 | Process Doppelgänging | Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microso… | defense-evasion |
| T1093 | Process Hollowing | Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with ma… | defense-evasion |
| T1055.012 | Process Hollowing | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Pr… | defense-evasion |
| T1055 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileg… | defense-evasion |
| T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/… | command-and-control |
| T1001.003 | Protocol or Service Impersonation | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thw… | command-and-control |
| T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network c… | command-and-control |
| T1055.008 | Ptrace System Calls | Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-b… | defense-evasion |
| T1216.001 | PubPrn | Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.m… | defense-evasion |
| T1071.005 | Publish/Subscribe Protocols | Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network fil… | command-and-control |
| T1597.002 | Purchase Technical Data | Adversaries may purchase technical information about victims that can be used during targeting. Information about victim… | reconnaissance |
| T1059.006 | Python | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language… | execution |
| T1546.018 | Python Startup Hooks | Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) fil… | persistence |
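The mechanism behind the `.pth` variant is in CPython's site.py: while processing a site directory it reads every `.pth` file, and any line that begins with `import ` (or `import` plus a tab) is passed to exec() instead of being added to sys.path, so one line in site-packages runs before the user's script does. The example below, added here and not ATT&CK's or CPython's code, demonstrates that by letting site.addsitedir() process a constructed `.pth` in a temp directory, then runs a scanner that reports every executable `.pth` line together with the tokens that make it look like a loader. The hook line, its payload and the token list are constructed assumptions; setuptools ships a legitimate one-line `import os; ...` file (distutils-precedence.pth), so an import line by itself is not proof of abuse, and the scanner records it as a finding to review rather than a verdict.

```python
"""How a .pth startup hook runs, and how to hunt for one.

Added example for T1546.018; not ATT&CK's or CPython's code. The hook line,
the payload it carries and the fake site directory are constructed in a temp
dir; SUSPICIOUS_TOKENS is an assumption that will need tuning per environment.
"""
import base64
import os
import site
import sys
import tempfile

SUSPICIOUS_TOKENS = ("exec(", "eval(", "__import__", "base64", "compile(",
                     "subprocess", "socket", "urllib", "marshal")

# Constructed stand-in for a loader: a real hook would decode and run a downloader.
PAYLOAD = 'os.environ["PTH_HOOK_DEMO"] = "executed"'
HOOK_LINE = "import os, base64; exec(base64.b64decode(%r))" % base64.b64encode(PAYLOAD.encode()).decode()


def pth_import_lines(pth_path):
    """Return (lineno, line) for the lines site.py will exec(): those starting with 'import ' or 'import\\t'."""
    hooks = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if line.startswith(("import ", "import\t")):
                hooks.append((lineno, line))
    return hooks


def find_pth_hooks(site_dirs=None):
    """Scan site directories for .pth files carrying executable lines; defaults to this interpreter's."""
    if site_dirs is None:
        site_dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in site_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            for lineno, line in pth_import_lines(path):
                findings.append({
                    "file": path, "line": lineno, "code": line,
                    "multi_statement": ";" in line,           # `import x; <anything>` is the usual shape
                    "suspicious": [t for t in SUSPICIOUS_TOKENS if t in line],
                })
    return findings


def plant_and_trigger_hook(site_dir):
    """Write a .pth with a hook line, then let site.addsitedir() process it exactly as startup would."""
    with open(os.path.join(site_dir, "zz-demo-hook.pth"), "w") as fh:
        fh.write("some/relative/path\n")   # ordinary .pth line: appended to sys.path if it exists
        fh.write(HOOK_LINE + "\n")         # import line: exec()'d, never added to sys.path
    os.environ.pop("PTH_HOOK_DEMO", None)
    site.addsitedir(site_dir)
    return os.environ.get("PTH_HOOK_DEMO")


def run_demo():
    """Plant the hook in a throwaway site dir, prove it ran, and show the scanner catching it."""
    with tempfile.TemporaryDirectory() as d:
        ran = plant_and_trigger_hook(d)
        findings = find_pth_hooks([d])
    sys.path[:] = [p for p in sys.path if not p.startswith(d)]   # undo addsitedir's sys.path change
    os.environ.pop("PTH_HOOK_DEMO", None)
    return ran, findings


if __name__ == "__main__":
    ran, findings = run_demo()
    print("hook executed:", ran)
    for f in findings:
        print(f["file"], "line", f["line"], "suspicious tokens:", f["suspicious"])
```

Running find_pth_hooks() with no arguments inventories the current interpreter's site directories; in a fleet, pair it with a file-integrity baseline on site-packages, since a `.pth` drop needs only write access to that directory and no registry, cron or service entry.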
| T1012 | Query Registry | Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed … | discovery |
| T1037.004 | RC Scripts | Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. T… | persistence |
| T1563.002 | RDP Hijacking | Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote deskto… | lateral-movement |
| T1542.004 | ROMMONkit | Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persis… | defense-evasion |
| T1163 | Rc.common | During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various u… | persistence |
| T1164 | Re-opened Applications | Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machi… | persistence |
| T1547.007 | Re-opened Applications | Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or rest… | persistence |
| T1600.001 | Reduce Key Space | Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher … | defense-evasion |
| T1108 | Redundant Access | **This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell… | defense-evasion |
| T1498.002 | Reflection Amplification | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. T… | impact |
| T1620 | Reflective Code Loading | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflectiv… | defense-evasion |
| T1060 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… | persistence |
| T1547.001 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… | persistence |
| T1121 | Regsvcs/Regasm | Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemb… | defense-evasion |
| T1218.009 | Regsvcs/Regasm | Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regas… | defense-evasion |
| T1117 | Regsvr32 | Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including … | defense-evasion |