| T1102.001 | Dead Drop Resolver | Adversaries may use an existing, legitimate external Web service to host information that points to additional command a… | command-and-control |
| T1622 | Debugger Evasion | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace a… | defense-evasion |
| T1491 | Defacement | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the in… | impact |
| T1078.001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Pri… | defense-evasion |
| T1678 | Delay Execution | Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system… | defense-evasion |
| T1578.003 | Delete Cloud Instance | An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection… | defense-evasion |
| T1140 | Deobfuscate/Decode Files or Information | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an… | defense-evasion |
| T1610 | Deploy Container | Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversa… | defense-evasion |
| T1591.001 | Determine Physical Locations | Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical l… | reconnaissance |
| T1587 | Develop Capabilities | Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or ste… | resource-development |
| T1652 | Device Driver Discovery | Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlig… | discovery |
| T1098.005 | Device Registration | Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authent… | persistence |
| T1596.003 | Digital Certificates | Adversaries may search public digital certificate data for information about victims that can be used during targeting. … | reconnaissance |
| T1588.004 | Digital Certificates | Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are design… | resource-development |
| T1587.003 | Digital Certificates | Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are desi… | resource-development |
| T1021.008 | Direct Cloud VM Connections | Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible clo… | lateral-movement |
| T1498.001 | Direct Network Flood | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a tar… | impact |
| T1006 | Direct Volume Access | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows progr… | defense-evasion |
| T1600.002 | Disable Crypto Hardware | Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in so… | defense-evasion |
| T1562.002 | Disable Windows Event Logging | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows eve… | defense-evasion |
| T1562.007 | Disable or Modify Cloud Firewall | Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud re… | defense-evasion |
| T1562.008 | Disable or Modify Cloud Logs | An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their … | defense-evasion |
| T1562.012 | Disable or Modify Linux Audit System | Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins us… | defense-evasion |
| T1562.013 | Disable or Modify Network Device Firewall | Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in … | defense-evasion |
| T1562.004 | Disable or Modify System Firewall | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be … | defense-evasion |
| T1562.001 | Disable or Modify Tools | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. … | defense-evasion |
| T1089 | Disabling Security Tools | Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form… | defense-evasion |
| T1488 | Disk Content Wipe | Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a netwo… | impact |
| T1561.001 | Disk Content Wipe | Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt … | impact |
| T1561.002 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific … | impact |
| T1487 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific cri… | impact |
| T1561 | Disk Wipe | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availabi… | impact |
| T1021.003 | Distributed Component Object Model | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taki… | lateral-movement |
| T1087.002 | Domain Account | Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domai… | discovery |
| T1136.002 | Domain Account | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Activ… | persistence |
| T1078.002 | Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Priv… | defense-evasion |
| T1556.001 | Domain Controller Authentication | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms … | credential-access |
| T1172 | Domain Fronting | Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mul… | command-and-control |
| T1090.004 | Domain Fronting | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mult… | command-and-control |
| T1568.002 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command… | command-and-control |
| T1483 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and co… | command-and-control |
| T1069.002 | Domain Groups | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission gr… | discovery |
| T1590.001 | Domain Properties | Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information a… | reconnaissance |
| T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movemen… | discovery |
| T1484 | Domain or Tenant Policy Modification | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privi… | defense-evasion |
| T1583.001 | Domains | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to rep… | resource-development |
| T1584.001 | Domains | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the… | resource-development |
| T1036.007 | Double File Extension | Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may … | defense-evasion |
| T1562.010 | Downgrade Attack | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support … | defense-evasion |
| T1601.002 | Downgrade System Image | Adversaries may install an older version of the operating system of a network device to weaken security. Older operatin… | defense-evasion |