| ID | Technique | Description | Tactic |
|---|---|---|---|
| T1036.006 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… | defense-evasion |
| T1566.001 | Spearphishing Attachment | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Sp… | initial-access |
| T1193 | Spearphishing Attachment | Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms … | initial-access |
| T1598.002 | Spearphishing Attachment | Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used… | reconnaissance |
| T1192 | Spearphishing Link | Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in t… | initial-access |
| T1566.002 | Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphi… | initial-access |
| T1598.003 | Spearphishing Link | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used durin… | reconnaissance |
| T1598.001 | Spearphishing Service | Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used du… | reconnaissance |
| T1598.004 | Spearphishing Voice | Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishin… | reconnaissance |
| T1566.004 | Spearphishing Voice | Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific … | initial-access |
| T1194 | Spearphishing via Service | Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in t… | initial-access |
| T1566.003 | Spearphishing via Service | Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spe… | initial-access |
| T1562.011 | Spoof Security Alerting | Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of maliciou… | defense-evasion |
| T1608 | Stage Capabilities | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their op… | resource-development |
| T1032 | Standard Cryptographic Protocol | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relyin… | command-and-control |
| T1132.001 | Standard Encoding | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more… | command-and-control |
| T1165 | Startup Items | Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or… | persistence |
| T1037.005 | Startup Items | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items … | persistence |
| T1528 | Steal Application Access Token | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resourc… | credential-access |
| T1539 | Steal Web Session Cookie | An adversary may steal web application or service session cookies and use them to gain access to web applications or Int… | credential-access |
| T1649 | Steal or Forge Authentication Certificates | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certi… | credential-access |
| T1558 | Steal or Forge Kerberos Tickets | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the T… | credential-access |
| T1027.003 | Steganography | Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic tec… | defense-evasion |
| T1001.002 | Steganography | Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficu… | command-and-control |
| T1492 | Stored Data Manipulation | Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Ci… | impact |
| T1565.001 | Stored Data Manipulation | Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thu… | impact |
| T1027.008 | Stripped Payloads | Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable in… | defense-evasion |
| T1553 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of un… | defense-evasion |
| T1169 | Sudo | The sudoers file, `/etc/sudoers`, describes which users can run which commands and from which terminals. This… | privilege-escalation |
| T1206 | Sudo Caching | The `sudo` command "allows a system administrator to delegate authority to give certain users (or groups of u… | privilege-escalation |
| T1548.003 | Sudo and Sudo Caching | Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execu… | privilege-escalation |
| T1195 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose … | initial-access |
| T1573.001 | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying… | command-and-control |
| T1216.002 | SyncAppvPublishingServer | Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org… | defense-evasion |
| T1218 | System Binary Proxy Execution | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, o… | defense-evasion |
| T1497.001 | System Checks | Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may incl… | defense-evasion |
| T1542.001 | System Firmware | Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and The Unified Extens… | persistence |
| T1019 | System Firmware | The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interfa… | persistence |
| T1082 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches… | discovery |
| T1614.001 | System Language Discovery | Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical l… | discovery |
| T1614 | System Location Discovery | Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries m… | discovery |
| T1016 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of syste… | discovery |
| T1049 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently acc… | discovery |
| T1033 | System Owner/User Discovery | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system… | discovery |
| T1216 | System Script Proxy Execution | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several … | defense-evasion |
| T1007 | System Service Discovery | Adversaries may try to gather information about registered local system services. Adversaries may obtain information abo… | discovery |
| T1569 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious cont… | execution |
| T1529 | System Shutdown/Reboot | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating s… | impact |
| T1124 | System Time Discovery | An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set … | discovery |
| T1569.003 | Systemctl | Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Lin… | execution |
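Worked example for the T1036.006 row (Space after Filename), added by the editor and not part of the ATT&CK entry: a Python check that flags directory entries whose extension is disguised with whitespace. The sample listing is constructed, and the two patterns it looks for (a blank after the visible extension, which is the behaviour T1036.006 describes on macOS, and a decoy extension padded with blanks before the real one) are the editor's own rule choices.

```python
"""Flag file names whose extension is disguised with whitespace (ATT&CK T1036.006).

Editor's example, not code from the ATT&CK page. The sample listing is constructed.
"""
import re

# Blanks a file name may legally contain on macOS, Linux and NTFS. Besides the
# ASCII space and tab this folds in Unicode spaces that render as an ordinary
# blank, so padding with NBSP or an en space is caught as well.
_SPACE = r"[ \t\u00a0\u2000-\u200a\u202f\u205f\u3000]"

# "notes.txt " : a blank after the visible extension breaks the normal type
# association, so the OS falls back to the file's real type.
_TRAILING = re.compile(rf"{_SPACE}+$")

# "report.pdf            .exe" : a decoy extension, a run of blanks that pushes
# the real extension out of view in a narrow column, then the real one.
_PADDED_DOUBLE_EXT = re.compile(rf"\.[A-Za-z0-9]{{1,5}}{_SPACE}{{2,}}\.[A-Za-z0-9]{{1,5}}$")


def classify_filename(name: str) -> list:
    """Return the reasons a name looks like an extension disguise ([] if none)."""
    reasons = []
    if _TRAILING.search(name):
        reasons.append("trailing whitespace after extension")
    if _PADDED_DOUBLE_EXT.search(name):
        reasons.append("whitespace-padded second extension")
    return reasons


def scan(names) -> dict:
    """Map each suspicious name to its reasons; clean names are left out."""
    return {n: r for n in names if (r := classify_filename(n))}


# Constructed directory listing (not real data): two clean names, three disguises.
SAMPLE_NAMES = [
    "notes.txt",
    "notes.txt ",
    "Budget 2023.xlsx",
    "quarterly-report.pdf            .exe",
    "installer.dmg\u00a0",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(reasons))
```

Run it over a real listing with `scan(os.listdir(path))`; the `repr()` in the output matters, because a plain `print` would show the trailing blank as nothing at all, which is exactly the property the technique relies on.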
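Worked example for the T1132.001 row (Standard Encoding), added here and not from the ATT&CK entry: a Python helper that pulls base64-looking tokens out of a web-proxy log line and reverses them. The log line and the hosts in it are constructed; the 16-character token floor and the printable-text filter are the editor's assumptions. The point the row makes is that a standard encoding carries no secret, so an analyst can undo it in bulk.

```python
"""Recover base64 payloads from a web-proxy log line (ATT&CK T1132.001, Standard Encoding).

Editor's example, not code from the ATT&CK page. The log line and the hosts in it
are constructed; the token length floor and the printable-text filter are assumptions.
"""
import base64
import binascii
import re
import string

# Runs of 16+ characters from the standard or URL-safe base64 alphabet, with
# optional '=' padding. Shorter runs are mostly ordinary identifiers.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
_PRINTABLE = set(string.printable)


def try_decode(token: str):
    """Decode a base64 token if it yields printable text; otherwise return None.

    Base64 is an encoding, not a cipher: there is no key, so every candidate
    can simply be decoded and judged on whether readable text comes out.
    """
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)  # repair padding that was stripped in transit
    decoder = base64.urlsafe_b64decode if ("-" in core or "_" in core) else base64.b64decode
    try:
        text = decoder(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and all(ch in _PRINTABLE for ch in text) else None


def extract_encoded_strings(line: str) -> list:
    """All (token, decoded_text) pairs found in one log line."""
    hits = []
    for m in _B64_TOKEN.finditer(line):
        decoded = try_decode(m.group(0))
        if decoded is not None:
            hits.append((m.group(0), decoded))
    return hits


# Constructed proxy record (not real traffic). The q= parameter carries the
# base64 of a command string; nothing else on the line is a long alphabet run.
LOG_LINE = (
    '2024-03-11T10:22:31Z proxy01 src=10.20.30.40 method=GET '
    'url="http://cdn-assets.example/api/search?q=d2hvYW1pIC9hbGw7IGhvc3RuYW1l" '
    'ua="Mozilla/5.0" bytes=412'
)

if __name__ == "__main__":
    for token, text in extract_encoded_strings(LOG_LINE):
        print(f"{token} -> {text!r}")
```

Expect false positives on long hashes and session identifiers that happen to decode to printable bytes; in practice the decoded text is fed to a second stage (shell keywords, URLs, known tool names) rather than alerted on directly.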
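Worked example for the T1169, T1206 and T1548.003 rows (Sudo, Sudo Caching, Sudo and Sudo Caching), added by the editor and not part of the ATT&CK text: a Python audit of a sudoers policy for the settings those techniques rely on. The sudoers content is constructed. The keywords checked (`NOPASSWD:`, `Defaults timestamp_timeout`, `Defaults !tty_tickets`) are real sudoers directives; the five-minute baseline and the severity labels are the editor's assumptions.

```python
"""Audit a sudoers policy for T1548.003 (Sudo and Sudo Caching) enablers.

Editor's example, not code from the ATT&CK page. The sudoers text is constructed.
The directives inspected are real sudoers keywords:
  NOPASSWD:                   no password prompt for the listed commands
  Defaults timestamp_timeout  credential cache lifetime in minutes (-1 = never expires)
  Defaults !tty_tickets       one cached ticket covers every terminal the user has open
The 5-minute baseline and the severity labels are the editor's assumptions.
"""
import re

_TIMEOUT = re.compile(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
_NO_TTY_TICKETS = re.compile(r"(?:^|[\s,])!tty_tickets\b")


def audit_sudoers(text: str, baseline_timeout: float = 5.0) -> list:
    """Return findings as (line_no, severity, message) tuples."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # Include directives are not comments even though the legacy form starts with '#'.
        if stripped.startswith(("#include", "@include")):
            continue
        line = stripped.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = _TIMEOUT.search(line)
            if m:
                minutes = float(m.group(1))
                if minutes < 0:
                    findings.append((no, "high", "timestamp_timeout=-1: cached sudo credentials never expire"))
                elif minutes > baseline_timeout:
                    findings.append((no, "medium",
                                     f"timestamp_timeout={m.group(1)} exceeds baseline of {baseline_timeout:g} minutes"))
            if _NO_TTY_TICKETS.search(line):
                findings.append((no, "medium",
                                 "!tty_tickets: a cached ticket is valid in every session, not just the one that authenticated"))
            continue
        # Anything else that survives is a user specification: who host=(runas) [tags:] commands
        if "NOPASSWD:" in line:
            commands = line.split("NOPASSWD:", 1)[1].strip()
            severity = "high" if commands == "ALL" else "medium"
            findings.append((no, severity, f"NOPASSWD: passwordless sudo for {commands}"))
    return findings


# Constructed sudoers (not from a real host): two cache weaknesses and two NOPASSWD rules.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        timestamp_timeout=-1
Defaults        !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no:>2} [{severity}] {message}")
```

On a live host feed it the output of `visudo -c -f /etc/sudoers` plus each file under `/etc/sudoers.d/`, since an included drop-in can reintroduce every setting the main file gets right. A NOPASSWD rule on a single binary is only as safe as that binary: a command that spawns a shell or writes arbitrary files turns the medium finding into a full escalation.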
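Worked example for the T1027.003 and T1001.002 rows (Steganography), added here and not from the ATT&CK entries: least-significant-bit embedding and extraction in Python. The cover is a constructed buffer of 8-bit grey pixels rather than a real image file, so it runs with the standard library only; the 4-byte length prefix is the editor's framing choice and the payload string is made up.

```python
"""Least-significant-bit steganography over a raw pixel buffer (ATT&CK T1027.003 / T1001.002).

Editor's example, not code from the ATT&CK page. The 'image' is a constructed
bytearray of 8-bit grey pixels, not a real image file, so only the standard
library is needed; the 4-byte length prefix is the editor's framing choice.
"""
import struct

HEADER_BITS = 32  # big-endian payload length stored in the first 32 pixel LSBs


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write len(payload) and payload, one bit per pixel, into the low bit of each byte."""
    framed = struct.pack(">I", len(payload)) + payload
    needed = len(framed) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(cover)}")
    out = bytearray(cover)
    for i in range(needed):
        bit = (framed[i >> 3] >> (7 - (i & 7))) & 1  # MSB-first within each byte
        out[i] = (out[i] & 0xFE) | bit               # touch only the low bit
    return bytes(out)


def _read_bits(stego: bytes, start: int, nbytes: int) -> bytes:
    buf = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        buf.append(value)
    return bytes(buf)


def extract(stego: bytes) -> bytes:
    """Inverse of embed. Raises ValueError if the header does not describe a payload that fits."""
    if len(stego) < HEADER_BITS:
        raise ValueError("buffer shorter than the length header")
    (length,) = struct.unpack(">I", _read_bits(stego, 0, 4))
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length header does not fit the buffer: probably no payload")
    return _read_bits(stego, HEADER_BITS, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 32x32 grey gradient standing in for a cover image (not a real picture).
COVER = bytes((x * 7 + y * 3) & 0xFF for y in range(32) for x in range(32))
# Made-up C2 parameters, the kind of content T1001.002 hides in an image.
PAYLOAD = b"beacon 203.0.113.10:8443 sleep=300"

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print(extract(stego))
    print("max per-pixel change:", max_pixel_delta(COVER, stego))
```

Every pixel moves by at most one of 255 levels, which is why file hashes, signatures on the visible content and a human looking at the picture all miss it; what does catch naive LSB embedding is the statistics of the low-bit plane (a chi-square test on pairs of values, or simply comparing against a known-good copy of the same image).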
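Worked example for the discovery rows (T1082, T1016, T1049, T1033, T1124, T1007) together with T1569.003 (Systemctl) and T1216.002 (SyncAppvPublishingServer), added by the editor and not part of the ATT&CK index: Python rules that map constructed process-creation events to technique IDs, plus a burst heuristic that promotes several distinct discovery commands from one user within a few minutes over a lone `whoami`. The events, hosts, users and paths are constructed; the rule regexes are the editor's, not MITRE detections; the utilities named are the usual built-in commands for each behaviour, and the `;` check for SyncAppvPublishingServer.vbs assumes the script's argument is spliced into a PowerShell command (the editor's assumption about the rule shape).

```python
"""Map process-creation events to technique IDs from the S-section of the index.

Editor's example, not code or detections from the ATT&CK page. Events, hosts,
users and paths are constructed. Rules are simple command-name regexes for the
usual built-in utilities behind each discovery technique, plus systemctl
(T1569.003) and SyncAppvPublishingServer.vbs (T1216.002); the ';' test for the
latter assumes the script's argument is spliced into a PowerShell command.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (?:^|[\\/\s]) anchors a command name at the start, after a path separator or a
# blank, so "C:\Windows\System32\whoami.exe" and "/usr/bin/whoami" both match.
RULES = [
    ("T1082", re.compile(r"(?:^|[\\/\s])(?:systeminfo(?:\.exe)?|uname\s+-a|sw_vers)(?=\s|$)", re.I)),
    ("T1016", re.compile(r"(?:^|[\\/\s])(?:ipconfig|ifconfig|arp|nbtstat)(?:\.exe)?(?=\s|$)|\bip\s+(?:a|addr|route)\b", re.I)),
    ("T1049", re.compile(r"(?:^|[\\/\s])(?:netstat(?:\.exe)?|ss|lsof\s+-i)(?=\s|$)", re.I)),
    ("T1033", re.compile(r"(?:^|[\\/\s])(?:whoami|quser|qwinsta)(?:\.exe)?(?=\s|$)|(?:^|[\\/\s])query\s+user\b", re.I)),
    ("T1124", re.compile(r"(?:^|[\\/\s])(?:net(?:\.exe)?\s+time|w32tm(?:\.exe)?|timedatectl)(?=\s|$)", re.I)),
    ("T1007", re.compile(r"(?:^|[\\/\s])(?:sc(?:\.exe)?\s+query|net(?:\.exe)?\s+start|tasklist(?:\.exe)?\s+/svc|systemctl\s+list-units)(?=\s|$)", re.I)),
    ("T1569.003", re.compile(r"(?:^|[\\/\s])systemctl\s+(?:start|restart|enable|daemon-reload)(?=\s|$)", re.I)),
    ("T1216.002", re.compile(r"SyncAppvPublishingServer\.vbs.*(?:;|\biex\b|Invoke-Expression)", re.I)),
]
DISCOVERY = {"T1082", "T1016", "T1049", "T1033", "T1124", "T1007"}


def classify(cmdline: str) -> list:
    """Technique IDs whose rule matches the command line; several may apply."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]


def triage(events) -> list:
    """(ts, host, user, cmdline, ids) for every event that hits at least one rule."""
    return [(e["ts"], e["host"], e["user"], e["cmdline"], ids)
            for e in events if (ids := classify(e["cmdline"]))]


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3) -> dict:
    """(host, user) -> distinct discovery techniques, for actors that ran at least
    `threshold` different ones inside one `window`. One whoami is noise; five
    different discovery commands in two minutes is a hands-on-keyboard footprint."""
    by_actor = defaultdict(list)
    for ts, host, user, _, ids in triage(events):
        hits = DISCOVERY.intersection(ids)
        if hits:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), hits))
    flagged = {}
    for actor, rows in by_actor.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):
            seen = set()
            for t, hits in rows[i:]:
                if t - t0 > window:
                    break
                seen |= hits
            if len(seen) >= threshold:
                flagged[actor] = seen
                break
    return flagged


# Constructed endpoint telemetry (not real hosts or users).
EVENTS = [
    {"ts": "2024-03-11T10:22:31", "host": "ws01", "user": "alice", "cmdline": r"C:\Windows\System32\whoami.exe /all"},
    {"ts": "2024-03-11T10:22:40", "host": "ws01", "user": "alice", "cmdline": "ipconfig /all"},
    {"ts": "2024-03-11T10:23:05", "host": "ws01", "user": "alice", "cmdline": "netstat -ano"},
    {"ts": "2024-03-11T10:23:30", "host": "ws01", "user": "alice", "cmdline": "systeminfo"},
    {"ts": "2024-03-11T10:24:02", "host": "ws01", "user": "alice", "cmdline": r"net time \\dc01"},
    {"ts": "2024-03-11T10:26:10", "host": "ws01", "user": "alice",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Start-Process powershell -WindowStyle Hidden -File C:\Users\Public\a.ps1"'},
    {"ts": "2024-03-11T11:02:00", "host": "srv01", "user": "deploy", "cmdline": "systemctl list-units --type=service"},
    {"ts": "2024-03-11T11:30:00", "host": "srv01", "user": "deploy", "cmdline": "/usr/bin/systemctl start backdoor.service"},
    {"ts": "2024-03-11T11:31:00", "host": "ws02", "user": "bob", "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for ts, host, user, cmd, ids in triage(EVENTS):
        print(ts, host, user, ids, cmd)
    print("discovery bursts:", discovery_bursts(EVENTS))
```

Command-name matching is deliberately cheap and therefore noisy (administrators run `systemctl` and `netstat` all day); the value is in the aggregation, which is why `discovery_bursts` keys on the actor and counts distinct techniques rather than raw events, and why a proxy-execution hit such as T1216.002 from the same actor inside the same window should be scored higher than either signal alone.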