| ID | Name | Description | Tactic |
|---|---|---|---|
| T1119 | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Met… | collection |
| T1020 | Automated Exfiltration | Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gather… | exfiltration |
| T1197 | BITS Jobs | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background In… | defense-evasion |
| T1518.002 | Backup Software Discovery | Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversarie… | discovery |
| T1496.002 | Bandwidth Hijacking | Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which… | impact |
| T1139 | Bash History | Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the hi… | credential-access |
| T1102.002 | Bidirectional Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output… | command-and-control |
| T1009 | Binary Padding | Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting t… | defense-evasion |
| T1027.001 | Binary Padding | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done w… | defense-evasion |
| T1564.013 | Bind Mounts | Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind … | defense-evasion |
| T1547 | Boot or Logon Autostart Execution | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain per… | persistence |
| T1037 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: M… | persistence |
| T1067 | Bootkit | A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) an… | persistence |
| T1542.003 | Bootkit | Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a h… | persistence |
| T1583.005 | Botnet | Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a ne… | resource-development |
| T1584.005 | Botnet | Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is … | resource-development |
| T1036.009 | Break Process Trees | An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). … | defense-evasion |
| T1176.001 | Browser Extensions | Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions o… | persistence |
| T1036.012 | Browser Fingerprint | Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating sys… | defense-evasion |
| T1217 | Browser Information Discovery | Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browser… | discovery |
| T1185 | Browser Session Hijacking | Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change cont… | collection |
| T1110 | Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes… | credential-access |
| T1612 | Build Image on Host | Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of maliciou… | defense-evasion |
| T1591.002 | Business Relationships | Adversaries may gather information about the victim's business relationships that can be used during targeting. Informat… | reconnaissance |
| T1548.002 | Bypass User Account Control | Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows… | privilege-escalation |
| T1088 | Bypass User Account Control | Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-leve… | defense-evasion |
| T1596.004 | CDNs | Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow a… | reconnaissance |
| T1218.003 | CMSTP | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CM… | defense-evasion |
| T1191 | CMSTP | The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Mana… | defense-evasion |
| T1574.012 | COR_PROFILER | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .N… | persistence |
| T1003.005 | Cached Domain Credentials | Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain … | credential-access |
| T1558.005 | Ccache Files | Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used fo… | credential-access |
| T1042 | Change Default File Association | When a file is opened, the default program used to open the file (also called the file association or handler) is checke… | persistence |
| T1546.001 | Change Default File Association | Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file i… | privilege-escalation |
| T1552.008 | Chat Messages | Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials… | credential-access |
| T1070.003 | Clear Command History | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the … | defense-evasion |
| T1146 | Clear Command History | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the … | defense-evasion |
| T1070.002 | Clear Linux or Mac System Logs | Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-in… | defense-evasion |
| T1070.008 | Clear Mailbox Data | Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow use… | defense-evasion |
| T1070.007 | Clear Network Connection History and Configurations | Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operation… | defense-evasion |
| T1070.009 | Clear Persistence | Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence o… | defense-evasion |
| T1070.001 | Clear Windows Event Logs | Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a comp… | defense-evasion |
| T1127.002 | ClickOnce | Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trus… | defense-evasion |
| T1592.004 | Client Configurations | Adversaries may gather information about the victim's client configurations that can be used during targeting. Informati… | reconnaissance |
| T1115 | Clipboard Data | Adversaries may collect data stored in the clipboard from users copying information within or between applications. Fo… | collection |
| T1059.009 | Cloud API | Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various fun… | execution |
| T1087.004 | Cloud Account | Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organi… | discovery |
| T1136.003 | Cloud Account | Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such acc… | persistence |
| T1586.003 | Cloud Accounts | Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accou… | resource-development |
| T1585.003 | Cloud Accounts | Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accoun… | resource-development |