| ID | Name | Description | Tactic |
|---|---|---|---|
| T1166 | Setuid and Setgid | When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run wi… | privilege-escalation |
| T1129 | Shared Modules | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are load… | execution |
| T1051 | Shared Webroot | **This technique has been deprecated and should no longer be used.** Adversaries may add malicious content to an intern… | lateral-movement |
| T1213.002 | Sharepoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often conta… | collection |
| T1552.003 | Shell History | Adversaries may search the command history on compromised systems for insecurely stored credentials. On Linux and macOS… | credential-access |
| T1547.009 | Shortcut Modification | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or sym… | persistence |
| T1023 | Shortcut Modification | Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the sho… | persistence |
| T1558.002 | Silver Ticket | Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket gr… | credential-access |
| T1684 | Social Engineering | Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access,… | stealth |
| T1593.001 | Social Media | Adversaries may search social media for information about victims that can be used during targeting. Social media sites … | reconnaissance |
| T1586.001 | Social Media Accounts | Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social … | resource-development |
| T1585.001 | Social Media Accounts | Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create soc… | resource-development |
| T1205.002 | Socket Filters | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command an… | stealth |
| T1592.002 | Software | Adversaries may gather information about the victim's host software that can be used during targeting. Information about… | reconnaissance |
| T1072 | Software Deployment Tools | Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands an… | execution |
| T1518 | Software Discovery | Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud … | discovery |
| T1176 | Software Extensions | Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modu… | persistence |
| T1045 | Software Packing | Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signatur… | stealth |
| T1027.002 | Software Packing | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing … | stealth |
| T1153 | Source | **This technique has been deprecated and should no longer be used.** The <code>source</code> command loads functions in… | execution |
| T1151 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… | stealth |
| T1036.006 | Space after Filename | Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall… | stealth |
| T1566.001 | Spearphishing Attachment | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Sp… | initial-access |
| T1193 | Spearphishing Attachment | Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms … | initial-access |
| T1598.002 | Spearphishing Attachment | Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used… | reconnaissance |
| T1192 | Spearphishing Link | Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in t… | initial-access |
| T1566.002 | Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphi… | initial-access |
| T1598.003 | Spearphishing Link | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used durin… | reconnaissance |
| T1598.001 | Spearphishing Service | Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used du… | reconnaissance |
| T1598.004 | Spearphishing Voice | Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishin… | reconnaissance |
| T1566.004 | Spearphishing Voice | Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific … | initial-access |
| T1194 | Spearphishing via Service | Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in t… | initial-access |
| T1566.003 | Spearphishing via Service | Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spe… | initial-access |
| T1562.011 | Spoof Security Alerting | Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of maliciou… | stealth |
| T1608 | Stage Capabilities | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their op… | resource-development |
| T1032 | Standard Cryptographic Protocol | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relyin… | command-and-control |
| T1132.001 | Standard Encoding | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more… | command-and-control |
| T1165 | Startup Items | Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or… | persistence |
| T1037.005 | Startup Items | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items … | persistence |
| T1528 | Steal Application Access Token | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resourc… | credential-access |
| T1539 | Steal Web Session Cookie | An adversary may steal web application or service session cookies and use them to gain access to web applications or Int… | credential-access |
| T1649 | Steal or Forge Authentication Certificates | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certi… | credential-access |
| T1558 | Steal or Forge Kerberos Tickets | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the T… | credential-access |
| T1027.003 | Steganography | Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic tec… | stealth |
| T1001.002 | Steganography | Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficu… | command-and-control |
| T1492 | Stored Data Manipulation | Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Ci… | impact |
| T1565.001 | Stored Data Manipulation | Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thu… | impact |
| T1027.008 | Stripped Payloads | Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable in… | stealth |
| T1553 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of un… | defense-impairment |
| T1169 | Sudo | The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This… | privilege-escalation |