Trusted Design

Technique List

| Technique ID | Name | Summary | Tactic |
|---|---|---|---|
| T1059.006 | Python | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language… | execution |
| T1546.018 | Python Startup Hooks | Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) fil… | persistence |
| T1682 | Query Public AI Services | Adversaries may query publicly accessible artificial intelligence (AI) services, such as large language models (LLMs), t… | reconnaissance |
| T1012 | Query Registry | Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed … | discovery |
| T1037.004 | RC Scripts | Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. T… | persistence |
| T1563.002 | RDP Hijacking | Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote deskto… | lateral-movement |
| T1542.004 | ROMMONkit | Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persis… | stealth |
| T1163 | Rc.common | During the boot process, macOS executes `source /etc/rc.common`, which is a shell script containing various u… | persistence |
| T1164 | Re-opened Applications | Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machi… | persistence |
| T1547.007 | Re-opened Applications | Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or rest… | persistence |
| T1600.001 | Reduce Key Space | Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher … | defense-impairment |
| T1108 | Redundant Access | **This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell… | stealth |
| T1498.002 | Reflection Amplification | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. T… | impact |
| T1620 | Reflective Code Loading | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflectiv… | stealth |
| T1060 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… | persistence |
| T1547.001 | Registry Run Keys / Startup Folder | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A… | persistence |
| T1121 | Regsvcs/Regasm | Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemb… | stealth |
| T1218.009 | Regsvcs/Regasm | Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regas… | stealth |
| T1117 | Regsvr32 | Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including … | stealth |
| T1218.010 | Regsvr32 | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to … | stealth |
| T1070.010 | Relocate Malware | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidenc… | stealth |
| T1219.003 | Remote Access Hardware | An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target… | command-and-control |
| T1219 | Remote Access Tools | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a net… | command-and-control |
| T1074.002 | Remote Data Staging | Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exf… | collection |
| T1076 | Remote Desktop Protocol | Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a syst… | lateral-movement |
| T1021.001 | Remote Desktop Protocol | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote … | lateral-movement |
| T1219.002 | Remote Desktop Software | An adversary may use legitimate desktop support software to establish an interactive command and control channel to targ… | command-and-control |
| T1114.002 | Remote Email Collection | Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries… | collection |
| T1563 | Remote Service Session Hijacking | Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may… | lateral-movement |
| T1021 | Remote Services | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remot… | lateral-movement |
| T1018 | Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a netw… | discovery |
| T1036.003 | Rename Legitimate Utilities | Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those u… | stealth |
| T1091 | Replication Through Removable Media | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removabl… | lateral-movement |
| T1564.009 | Resource Forking | Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applic… | stealth |
| T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system… | impact |
| T1556.005 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows sy… | defense-impairment |
| T1578.004 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… | defense-impairment |
| T1536 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… | stealth |
| T1036.002 | Right-to-Left Override | Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name … | stealth |
| T1207 | Rogue Domain Controller | Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used… | defense-impairment |
| T1014 | Rootkit | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other … | stealth |
| T1564.006 | Run Virtual Instance | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualiza… | stealth |
| T1218.011 | Rundll32 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.… | stealth |
| T1085 | Rundll32 | The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functional… | stealth |
| T1565.003 | Runtime Data Manipulation | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus thre… | impact |
| T1494 | Runtime Data Manipulation | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation:… | impact |
| T1606.002 | SAML Tokens | An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing … | credential-access |
| T1608.006 | SEO Poisoning | Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities to… | resource-development |
| T1178 | SID-History Injection | The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Window… | privilege-escalation |
| T1134.005 | SID-History Injection | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identi… | stealth |