| ID | Technique | Description | Tag |
| --- | --- | --- | --- |
| T1553.003 | SIP and Trust Provider Hijacking | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control to… | defense-impairment |
| T1198 | SIP and Trust Provider Hijacking | In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's ori… | stealth |
| T1021.002 | SMB/Windows Admin Shares | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share … | lateral-movement |
| T1496.003 | SMS Pumping | Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.… | impact |
| T1602.001 | SNMP (MIB Dump) | Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network ma… | collection |
| T1505.001 | SQL Stored Procedures | Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code th… | persistence |
| T1021.004 | SSH | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure… | lateral-movement |
| T1098.004 | SSH Authorized Keys | Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distrib… | persistence |
| T1563.001 | SSH Hijacking | Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a … | lateral-movement |
| T1184 | SSH Hijacking | Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to anoth… | lateral-movement |
| T1027.017 | SVG Smuggling | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG … | stealth |
| T1562.009 | Safe Mode Boot | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system w… | stealth |
| T1688 | Safe Mode Boot | Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system w… | defense-impairment |
| T1596.005 | Scan Databases | Adversaries may search within public scan databases for information about victims that can be used during targeting. Var… | reconnaissance |
| T1595.001 | Scanning IP Blocks | Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may b… | reconnaissance |
| T1053.005 | Scheduled Task | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malici… | execution |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Util… | execution |
| T1029 | Scheduled Transfer | Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This co… | exfiltration |
| T1113 | Screen Capture | Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Sc… | collection |
| T1180 | Screensaver | Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (… | persistence |
| T1546.002 | Screensaver | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are prog… | privilege-escalation |
| T1064 | Scripting | **This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques… | stealth |
| T1597 | Search Closed Sources | Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely av… | reconnaissance |
| T1593.002 | Search Engines | Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine… | reconnaissance |
| T1596 | Search Open Technical Databases | Adversaries may search freely available technical databases for information about victims that can be used during target… | reconnaissance |
| T1593 | Search Open Websites/Domains | Adversaries may search freely available websites and/or domains for information about victims that can be used during ta… | reconnaissance |
| T1681 | Search Threat Vendor Data | Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own c… | reconnaissance |
| T1594 | Search Victim-Owned Websites | Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned webs… | reconnaissance |
| T1003.002 | Security Account Manager | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through i… | credential-access |
| T1063 | Security Software Discovery | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins… | discovery |
| T1518.001 | Security Software Discovery | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins… | discovery |
| T1547.005 | Security Support Provider | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are load… | persistence |
| T1101 | Security Support Provider | Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start.… | persistence |
| T1555.002 | Securityd Memory | An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon re… | credential-access |
| T1167 | Securityd Memory | In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because App… | credential-access |
| T1679 | Selective Exclusion | Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encrypt… | stealth |
| T1583.004 | Server | Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an… | resource-development |
| T1584.004 | Server | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to … | resource-development |
| T1505 | Server Software Component | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. E… | persistence |
| T1583.007 | Serverless | Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions… | resource-development |
| T1584.007 | Serverless | Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google … | resource-development |
| T1648 | Serverless Execution | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud envi… | execution |
| T1569.002 | Service Execution | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service… | execution |
| T1035 | Service Execution | Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Serv… | execution |
| T1499.002 | Service Exhaustion Flood | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversar… | impact |
| T1058 | Service Registry Permissions Weakness | Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Service… | persistence |
| T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping … | impact |
| T1574.010 | Services File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use fla… | stealth |
| T1574.011 | Services Registry Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the pe… | stealth |
| T1548.001 | Setuid and Setgid | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code runnin… | privilege-escalation |