Trusted Design

Technique List

| Technique ID | Name | Summary | Tactic |
|---|---|---|---|
| T1497 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include chan… | defense-evasion |
| T1059.005 | Visual Basic | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interopera… | execution |
| T1588.006 | Vulnerabilities | Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakne… | resource-development |
| T1595.002 | Vulnerability Scanning | Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check … | reconnaissance |
| T1596.002 | WHOIS | Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is … | reconnaissance |
| T1600 | Weaken Encryption | Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise p… | defense-evasion |
| T1606.001 | Web Cookies | Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applicat… | credential-access |
| T1056.003 | Web Portal Capture | Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials… | collection |
| T1071.001 | Web Protocols | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network fil… | command-and-control |
| T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised syst… | command-and-control |
| T1583.006 | Web Services | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adv… | resource-development |
| T1584.006 | Web Services | Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular we… | resource-development |
| T1550.004 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses som… | defense-evasion |
| T1506 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses som… | defense-evasion |
| T1505.003 | Web Shell | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web scr… | persistence |
| T1100 | Web Shell | A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web serve… | persistence |
| T1016.002 | Wi-Fi Discovery | Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems… | discovery |
| T1669 | Wi-Fi Networks | Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by ex… | initial-access |
| T1077 | Windows Admin Shares | Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote… | lateral-movement |
| T1059.003 | Windows Command Shell | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org… | execution |
| T1555.004 | Windows Credential Manager | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for s… | credential-access |
| T1222.001 | Windows File and Directory Permissions Modification | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… | defense-evasion |
| T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is design… | execution |
| T1546.003 | Windows Management Instrumentation Event Subscription | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Manag… | privilege-escalation |
| T1084 | Windows Management Instrumentation Event Subscription | Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that e… | persistence |
| T1021.006 | Windows Remote Management | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Wi… | lateral-movement |
| T1028 | Windows Remote Management | Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact wi… | execution |
| T1543.003 | Windows Service | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When … | persistence |
| T1004 | Winlogon Helper DLL | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SA… | persistence |
| T1547.004 | Winlogon Helper DLL | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Win… | persistence |
| T1595.003 | Wordlist Scanning | Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique emplo… | reconnaissance |
| T1547.013 | XDG Autostart Entries | Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop envi… | persistence |
| T1559.003 | XPC Services | Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for… | execution |
| T1220 | XSL Script Processing | Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensib… | defense-evasion |
| T1505.006 | vSphere Installation Bundles | Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are c… | persistence |