| ID | Name | Description | Tactic |
|---|---|---|---|
| T1218.010 | Regsvr32 | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to … | defense-evasion |
| T1070.010 | Relocate Malware | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidenc… | defense-evasion |
| T1219.003 | Remote Access Hardware | An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target… | command-and-control |
| T1219 | Remote Access Tools | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a net… | command-and-control |
| T1074.002 | Remote Data Staging | Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exf… | collection |
| T1076 | Remote Desktop Protocol | Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a syst… | lateral-movement |
| T1021.001 | Remote Desktop Protocol | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote … | lateral-movement |
| T1219.002 | Remote Desktop Software | An adversary may use legitimate desktop support software to establish an interactive command and control channel to targ… | command-and-control |
| T1114.002 | Remote Email Collection | Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries… | collection |
| T1563 | Remote Service Session Hijacking | Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may… | lateral-movement |
| T1021 | Remote Services | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remot… | lateral-movement |
| T1018 | Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a netw… | discovery |
| T1036.003 | Rename Legitimate Utilities | Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those u… | defense-evasion |
| T1091 | Replication Through Removable Media | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removabl… | lateral-movement |
| T1564.009 | Resource Forking | Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applic… | defense-evasion |
| T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system… | impact |
| T1556.005 | Reversible Encryption | An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows sy… | credential-access |
| T1578.004 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… | defense-evasion |
| T1536 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to ev… | defense-evasion |
| T1036.002 | Right-to-Left Override | Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name … | defense-evasion |
| T1207 | Rogue Domain Controller | Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used… | defense-evasion |
| T1014 | Rootkit | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other … | defense-evasion |
| T1564.006 | Run Virtual Instance | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualiza… | defense-evasion |
| T1218.011 | Rundll32 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.… | defense-evasion |
| T1085 | Rundll32 | The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functional… | defense-evasion |
| T1565.003 | Runtime Data Manipulation | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus thre… | impact |
| T1494 | Runtime Data Manipulation | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation:… | impact |
| T1606.002 | SAML Tokens | An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing … | credential-access |
| T1608.006 | SEO Poisoning | Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities to… | resource-development |
| T1178 | SID-History Injection | The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Window… | privilege-escalation |
| T1134.005 | SID-History Injection | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identi… | defense-evasion |
| T1553.003 | SIP and Trust Provider Hijacking | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control to… | defense-evasion |
| T1198 | SIP and Trust Provider Hijacking | In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's ori… | defense-evasion |
| T1021.002 | SMB/Windows Admin Shares | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share … | lateral-movement |
| T1496.003 | SMS Pumping | Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.… | impact |
| T1602.001 | SNMP (MIB Dump) | Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network ma… | collection |
| T1505.001 | SQL Stored Procedures | Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code th… | persistence |
| T1021.004 | SSH | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure… | lateral-movement |
| T1098.004 | SSH Authorized Keys | Adversaries may modify the SSH `authorized_keys` file to maintain persistence on a victim host. Linux distrib… | persistence |
| T1563.001 | SSH Hijacking | Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a … | lateral-movement |
| T1184 | SSH Hijacking | Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to anoth… | lateral-movement |
| T1027.017 | SVG Smuggling | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG … | defense-evasion |
| T1562.009 | Safe Mode Boot | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system w… | defense-evasion |
| T1596.005 | Scan Databases | Adversaries may search within public scan databases for information about victims that can be used during targeting. Var… | reconnaissance |
| T1595.001 | Scanning IP Blocks | Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may b… | reconnaissance |
| T1053.005 | Scheduled Task | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malici… | execution |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Util… | execution |
| T1029 | Scheduled Transfer | Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This co… | exfiltration |
| T1113 | Screen Capture | Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Sc… | collection |
| T1180 | Screensaver | Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (… | persistence |