| ID | Technique | Description | Tactic |
|---|---|---|---|
| T1501 | Systemd Service | Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used fo… | persistence |
| T1543.002 | Systemd Service | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Syste… | persistence |
| T1053.006 | Systemd Timers | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Sy… | execution |
| T1548.006 | TCC Manipulation | Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious ex… | defense-evasion |
| T1542.005 | TFTP Boot | Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Pr… | defense-evasion |
| T1080 | Taint Shared Content | Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drive… | lateral-movement |
| T1221 | Template Injection | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication… | defense-evasion |
| T1548.005 | Temporary Elevated Cloud Access | Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. … | privilege-escalation |
| T1505.005 | Terminal Services DLL | Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Service… | persistence |
| T1055.003 | Thread Execution Hijacking | Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possib… | defense-evasion |
| T1055.005 | Thread Local Storage | Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-… | defense-evasion |
| T1597.001 | Threat Intel Vendors | Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. … | reconnaissance |
| T1497.003 | Time Based Checks | Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those… | defense-evasion |
| T1547.003 | Time Providers | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables t… | persistence |
| T1209 | Time Providers | The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time … | persistence |
| T1099 | Timestomp | Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activit… | defense-evasion |
| T1070.006 | Timestomp | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique … | defense-evasion |
| T1134.001 | Token Impersonation/Theft | Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access contro… | defense-evasion |
| T1588.002 | Tool | Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed so… | resource-development |
| T1020.001 | Traffic Duplication | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traff… | exfiltration |
| T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or comman… | defense-evasion |
| T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of clou… | exfiltration |
| T1493 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activit… | impact |
| T1565.002 | Transmitted Data Manipulation | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activit… | impact |
| T1505.002 | Transport Agent | Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport… | persistence |
| T1546.005 | Trap | Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</c… | privilege-escalation |
| T1154 | Trap | The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interr… | execution |
| T1484.002 | Trust Modification | Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configur… | defense-evasion |
| T1127 | Trusted Developer Utilities Proxy Execution | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many u… | defense-evasion |
| T1199 | Trusted Relationship | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted t… | initial-access |
| T1546.017 | Udev Rules | Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux k… | persistence |
| T1065 | Uncommonly Used Port | Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improp… | command-and-control |
| T1059.004 | Unix Shell | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux… | execution |
| T1546.004 | Unix Shell Configuration Modification | Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell… | privilege-escalation |
| T1552 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be st… | credential-access |
| T1535 | Unused/Unsupported Cloud Regions | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usual… | defense-evasion |
| T1608.001 | Upload Malware | Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during target… | resource-development |
| T1608.002 | Upload Tool | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targetin… | resource-development |
| T1550 | Use Alternate Authentication Material | Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access… | defense-evasion |
| T1497.002 | User Activity Based Checks | Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This m… | defense-evasion |
| T1204 | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engin… | execution |
| T1564.007 | VBA Stomping | Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by repla… | defense-evasion |
| T1055.014 | VDSO Hijacking | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well… | defense-evasion |
| T1021.005 | VNC | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtu… | lateral-movement |
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Pri… | defense-evasion |
| T1218.012 | Verclsid | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Ve… | defense-evasion |
| T1125 | Video Capture | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., v… | collection |
| T1673 | Virtual Machine Discovery | An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For e… | discovery |
| T1584.003 | Virtual Private Server | Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a v… | resource-development |
| T1583.003 | Virtual Private Server | Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud se… | resource-development |