| ID | Name | Description | Tactic |
|---|---|---|---|
| T1546.002 | Screensaver | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are prog… | privilege-escalation |
| T1064 | Scripting | **This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques… | defense-evasion |
| T1597 | Search Closed Sources | Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely av… | reconnaissance |
| T1593.002 | Search Engines | Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine… | reconnaissance |
| T1596 | Search Open Technical Databases | Adversaries may search freely available technical databases for information about victims that can be used during target… | reconnaissance |
| T1593 | Search Open Websites/Domains | Adversaries may search freely available websites and/or domains for information about victims that can be used during ta… | reconnaissance |
| T1681 | Search Threat Vendor Data | Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own c… | reconnaissance |
| T1594 | Search Victim-Owned Websites | Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned webs… | reconnaissance |
| T1003.002 | Security Account Manager | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through i… | credential-access |
| T1063 | Security Software Discovery | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins… | discovery |
| T1518.001 | Security Software Discovery | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins… | discovery |
| T1547.005 | Security Support Provider | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are load… | persistence |
| T1101 | Security Support Provider | Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start.… | persistence |
| T1555.002 | Securityd Memory | An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon re… | credential-access |
| T1167 | Securityd Memory | In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because App… | credential-access |
| T1679 | Selective Exclusion | Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encrypt… | defense-evasion |
| T1583.004 | Server | Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an… | resource-development |
| T1584.004 | Server | Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to … | resource-development |
| T1505 | Server Software Component | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. E… | persistence |
| T1583.007 | Serverless | Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions… | resource-development |
| T1584.007 | Serverless | Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google … | resource-development |
| T1648 | Serverless Execution | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud envi… | execution |
| T1569.002 | Service Execution | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service… | execution |
| T1035 | Service Execution | Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Serv… | execution |
| T1499.002 | Service Exhaustion Flood | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversar… | impact |
| T1058 | Service Registry Permissions Weakness | Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Service… | persistence |
| T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping … | impact |
| T1574.010 | Services File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use fla… | persistence |
| T1574.011 | Services Registry Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the pe… | persistence |
| T1548.001 | Setuid and Setgid | An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code runnin… | privilege-escalation |
| T1166 | Setuid and Setgid | When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run wi… | privilege-escalation |
| T1129 | Shared Modules | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are load… | execution |
| T1051 | Shared Webroot | **This technique has been deprecated and should no longer be used.** Adversaries may add malicious content to an intern… | lateral-movement |
| T1213.002 | Sharepoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often conta… | collection |
| T1552.003 | Shell History | Adversaries may search the command history on compromised systems for insecurely stored credentials. On Linux and macOS… | credential-access |
| T1547.009 | Shortcut Modification | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or sym… | persistence |
| T1023 | Shortcut Modification | Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the sho… | persistence |
| T1558.002 | Silver Ticket | Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket gr… | credential-access |
| T1593.001 | Social Media | Adversaries may search social media for information about victims that can be used during targeting. Social media sites … | reconnaissance |
| T1586.001 | Social Media Accounts | Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social … | resource-development |
| T1585.001 | Social Media Accounts | Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create soc… | resource-development |
| T1205.002 | Socket Filters | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command an… | defense-evasion |
| T1592.002 | Software | Adversaries may gather information about the victim's host software that can be used during targeting. Information about… | reconnaissance |
| T1072 | Software Deployment Tools | Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands an… | execution |
| T1518 | Software Discovery | Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud … | discovery |
| T1176 | Software Extensions | Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modu… | persistence |
| T1045 | Software Packing | Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signatur… | defense-evasion |
| T1027.002 | Software Packing | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing … | defense-evasion |
| T1153 | Source | **This technique has been deprecated and should no longer be used.** The <code>source</code> command loads functions in… | execution |
| T1151 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… | defense-evasion |