| T1078.004 | Cloud Accounts | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Pr… | defense-evasion |
| T1651 | Cloud Administration Command | Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Syste… | execution |
| T1671 | Cloud Application Integration | Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment.… | persistence |
| T1069.003 | Cloud Groups | Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help … | discovery |
| T1580 | Cloud Infrastructure Discovery | An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-servi… | discovery |
| T1552.005 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… | credential-access |
| T1522 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most… | credential-access |
| T1555.006 | Cloud Secrets Management Stores | Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secre… | credential-access |
| T1538 | Cloud Service Dashboard | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operationa… | discovery |
| T1526 | Cloud Service Discovery | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can dif… | discovery |
| T1496.004 | Cloud Service Hijacking | Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, whi… | impact |
| T1021.007 | Cloud Services | Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attac… | lateral-movement |
| T1619 | Cloud Storage Object Discovery | Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated… | discovery |
| T1593.003 | Code Repositories | Adversaries may search public code repositories for information about victims that can be used during targeting. Victims… | reconnaissance |
| T1213.003 | Code Repositories | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that st… | collection |
| T1116 | Code Signing | Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not bee… | defense-evasion |
| T1553.002 | Code Signing | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a… | defense-evasion |
| T1587.002 | Code Signing Certificates | Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the proc… | resource-development |
| T1588.003 | Code Signing Certificates | Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the proces… | resource-development |
| T1553.006 | Code Signing Policy Modification | Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides … | defense-evasion |
| T1027.010 | Command Obfuscation | Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of … | defense-evasion |
| T1059 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and la… | execution |
| T1043 | Commonly Used Port | **This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where ap… | command-and-control |
| T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removab… | command-and-control |
| T1027.004 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … | defense-evasion |
| T1500 | Compile After Delivery | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled … | defense-evasion |
| T1218.001 | Compiled HTML File | Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part o… | defense-evasion |
| T1223 | Compiled HTML File | Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed … | defense-evasion |
| T1109 | Component Firmware | Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that wi… | defense-evasion |
| T1542.002 | Component Firmware | Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to comp… | persistence |
| T1559.001 | Component Object Model | Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communica… | execution |
| T1122 | Component Object Model Hijacking | The Component Object Model (COM) is a system within Windows to enable interaction between software components through th… | defense-evasion |
| T1546.015 | Component Object Model Hijacking | Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Objec… | privilege-escalation |
| T1175 | Component Object Model and Distributed COM | **This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/technique… | lateral-movement |
| T1027.015 | Compression | Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and… | defense-evasion |
| T1586 | Compromise Accounts | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social… | resource-development |
| T1195.003 | Compromise Hardware Supply Chain | Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data … | initial-access |
| T1554 | Compromise Host Software Binary | Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables p… | persistence |
| T1584 | Compromise Infrastructure | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions includ… | resource-development |
| T1195.001 | Compromise Software Dependencies and Development Tools | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purp… | initial-access |
| T1195.002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system c… | initial-access |
| T1496.001 | Compute Hijacking | Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impac… | impact |
| T1556.009 | Conditional Access Policies | Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Condi… | credential-access |
| T1213.001 | Confluence | Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments … | collection |
| T1552.007 | Container API | Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Doc… | credential-access |
| T1609 | Container Administration Command | Adversaries may abuse a container administration service to execute commands within a container. A container administrat… | execution |
| T1059.013 | Container CLI/API | Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The … | execution |
| T1053.007 | Container Orchestration Job | Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to sche… | execution |
| T1543.005 | Container Service | Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or service… | persistence |
| T1613 | Container and Resource Discovery | Adversaries may attempt to discover containers and other resources that are available within a containers environment. O… | discovery |