| ID | Name | Description | Tactic |
|---|---|---|---|
| T1189 | Drive-by Compromise | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple w… | initial-access |
| T1608.004 | Drive-by Target | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of brow… | resource-development |
| T1157 | Dylib Hijacking | macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search… | persistence |
| T1574.004 | Dylib Hijacking | Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a pat… | persistence |
| T1027.007 | Dynamic API Resolution | Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious f… | defense-evasion |
| T1559.002 | Dynamic Data Exchange | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol f… | execution |
| T1173 | Dynamic Data Exchange | Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communicati… | execution |
| T1574.006 | Dynamic Linker Hijacking | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load … | persistence |
| T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and r… | command-and-control |
| T1055.001 | Dynamic-link Library Injection | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as … | defense-evasion |
| T1675 | ESXi Administration Command | Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual e… | execution |
| T1218.015 | Electron Applications | Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many … | defense-evasion |
| T1514 | Elevated Execution with Prompt | Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for cre… | privilege-escalation |
| T1548.004 | Elevated Execution with Prompt | Adversaries may leverage the `AuthorizationExecuteWithPrivileges` API to escalate privileges by prompting the… | privilege-escalation |
| T1087.003 | Email Account | Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address l… | discovery |
| T1586.002 | Email Accounts | Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accou… | resource-development |
| T1585.002 | Email Accounts | Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email… | resource-development |
| T1589.002 | Email Addresses | Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organization… | reconnaissance |
| T1667 | Email Bombing | Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails … | impact |
| T1114 | Email Collection | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade s… | collection |
| T1114.003 | Email Forwarding Rule | Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding ru… | collection |
| T1564.008 | Email Hiding Rules | Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users t… | defense-evasion |
| T1672 | Email Spoofing | Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establi… | defense-evasion |
| T1027.009 | Embedded Payloads | Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign… | defense-evasion |
| T1546.014 | Emond | Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Da… | privilege-escalation |
| T1519 | Emond | Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on pre… | persistence |
| T1589.003 | Employee Names | Adversaries may gather employee names that can be used during targeting. Employee names can be used to derive email addresse… | reconnaissance |
| T1573 | Encrypted Channel | Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inheren… | command-and-control |
| T1027.013 | Encrypted/Encoded File | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. En… | defense-evasion |
| T1499 | Endpoint Denial of Service | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to use… | impact |
| T1480.001 | Environmental Keying | Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to … | defense-evasion |
| T1611 | Escape to Host | Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allo… | privilege-escalation |
| T1585 | Establish Accounts | Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create ac… | resource-development |
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on … | privilege-escalation |
| T1557.004 | Evil Twin | Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a w… | credential-access |
| T1668 | Exclusive Control | Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them … | persistence |
| T1574.005 | Executable Installer File Permissions Weakness | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may… | persistence |
| T1480 | Execution Guardrails | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment s… | defense-evasion |
| T1048 | Exfiltration Over Alternative Protocol | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control ch… | exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the e… | exfiltration |
| T1011.001 | Exfiltration Over Bluetooth | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command an… | exfiltration |
| T1041 | Exfiltration Over C2 Channel | Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into … | exfiltration |
| T1011 | Exfiltration Over Other Network Medium | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the … | exfiltration |
| T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, s… | exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the exi… | exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing comm… | exfiltration |
| T1567 | Exfiltration Over Web Service | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command an… | exfiltration |
| T1567.004 | Exfiltration Over Webhook | Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhoo… | exfiltration |
| T1052.001 | Exfiltration over USB | Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an ai… | exfiltration |
| T1567.002 | Exfiltration to Cloud Storage | Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. C… | exfiltration |
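The Dynamic API Resolution row (T1027.007) describes malware that stores only a hash of each API name and resolves the function at run time by walking export tables. The following added example (not part of the ATT&CK listing) implements the ROR13-add hashing scheme that many shellcode loaders use, builds the hash-to-name table an analyst keeps to reverse such constants, and annotates a constructed list of "observed" constants. The export subset and the constants are constructed for the demo; real export tables are much larger.

```python
"""ROR13 API-name hashing: the resolve-by-hash trick behind many loaders (T1027.007).

Constructed example. The export names below are a hand-picked subset of real
kernel32.dll / ws2_32.dll exports; the 'observed' constants are computed here,
not lifted from any real sample.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13-add hash over the ASCII bytes of an export name.

    Malware stores only this 4-byte constant; the string 'CreateFileA'
    never appears in the binary, which is the whole point of the technique.
    """
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name for every name in a module's export list.

    This is what an analyst precomputes (from real export tables) to turn
    hash constants found in a sample back into readable API names.
    """
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hash(table: Dict[int, str], h: int) -> Optional[str]:
    """Reverse lookup: the same walk a loader does, minus the PE parsing."""
    return table.get(h)


# Constructed export subset (real names, but far from a full export table).
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "WriteFile", "CreateThread", "ExitProcess",
]
WS2_32_EXPORTS = ["WSAStartup", "socket", "connect", "send", "recv"]


def annotate_constants(constants: Iterable[int]) -> Dict[int, str]:
    """Turn 32-bit constants lifted from a sample into API names.

    Unknown hashes are reported as 'unresolved' so the analyst knows which
    modules' export lists still need to be added to the table.
    """
    table = build_hash_table(KERNEL32_EXPORTS + WS2_32_EXPORTS)
    return {c: resolve_hash(table, c) or "unresolved" for c in constants}


if __name__ == "__main__":
    # Pretend these were found as immediates next to a GetProcAddress-like stub.
    sample_constants = [ror13_hash("VirtualAlloc"), ror13_hash("connect"), 0xDEADBEEF]
    for const, api in annotate_constants(sample_constants).items():
        print(f"0x{const:08X} -> {api}")
```

Real loaders often hash the module name and the function name together, or use a different rotate count or a seed, so the table has to be rebuilt per hashing variant; the structure of the lookup stays the same.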
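The Dynamic Linker Hijacking row (T1574.006) and the env-var variant of the Dylib Hijacking rows (T1574.004, T1157) both come down to the loader honouring variables such as `LD_PRELOAD`, `/etc/ld.so.preload` and `DYLD_INSERT_LIBRARIES`. The following added check (example code, not from ATT&CK) parses `/proc/<pid>/environ` blobs and an `ld.so.preload` file and grades each injected library by where it lives. The trusted and user-writable directory lists, and the sample environ blobs, are assumptions constructed for the demo.

```python
"""Spot dynamic-linker hijacking via LD_PRELOAD / ld.so.preload / DYLD_INSERT_LIBRARIES (T1574.006).

Constructed example: the sample environ blobs and preload file below are
made up for the demo, not taken from a real incident.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Variables the Linux and macOS loaders honour for injecting or redirecting libraries.
HIJACK_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
               "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH")
# Assumption: libraries under these prefixes are usually legitimate (vendor hooks, EDR).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Assumption: locations an unprivileged user can write to; a library here is a strong signal.
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/Users/")


@dataclass
class Finding:
    pid: int          # 0 means system-wide (ld.so.preload)
    source: str       # which variable or file carried the library
    library: str
    severity: str     # "high" or "medium"


def classify(path: str) -> str:
    if not path.startswith("/") or path.startswith(WRITABLE_PREFIXES):
        return "high"      # relative path (search-order hijack) or user-writable location
    if path.startswith(TRUSTED_PREFIXES):
        return "medium"    # worth a look, but often a legitimate hook
    return "high"


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def scan_environs(environs: Dict[int, bytes]) -> List[Finding]:
    findings: List[Finding] = []
    for pid, blob in environs.items():
        env = parse_environ(blob)
        for var in HIJACK_VARS:
            if not env.get(var):
                continue
            # LD_PRELOAD accepts space- or colon-separated lists.
            for lib in env[var].replace(":", " ").split():
                findings.append(Finding(pid, var, lib, classify(lib)))
    return findings


def scan_preload_file(content: str) -> List[Finding]:
    """/etc/ld.so.preload applies to every dynamically linked process: any entry is notable."""
    findings: List[Finding] = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            findings.append(Finding(0, "/etc/ld.so.preload", line, classify(line)))
    return findings


def scan_live() -> List[Finding]:
    """Read real /proc and /etc/ld.so.preload on a Linux host (returns nothing elsewhere)."""
    environs: Dict[int, bytes] = {}
    if os.path.isdir("/proc"):
        for pid in os.listdir("/proc"):
            if not pid.isdigit():
                continue
            try:
                with open(f"/proc/{pid}/environ", "rb") as f:
                    environs[int(pid)] = f.read()
            except OSError:
                continue   # process exited, or environ not readable without root
    findings = scan_environs(environs)
    if os.path.isfile("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            findings += scan_preload_file(f.read())
    return findings


# Constructed sample data.
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libedr_hook.so\0",
    1236: b"PATH=/usr/bin\0DYLD_INSERT_LIBRARIES=/Users/alice/inject.dylib\0",
    1237: b"PATH=/usr/bin\0",
}
SAMPLE_PRELOAD = "# comment\n/usr/local/lib/libevil.so\n"

if __name__ == "__main__":
    for finding in scan_environs(SAMPLE_ENVIRONS) + scan_preload_file(SAMPLE_PRELOAD):
        print(finding)
```

Reading other users' `environ` files needs root, and a process that scrubbed its own environment after loading leaves no trace here; pair this with `/proc/<pid>/maps` inspection for libraries outside the trusted prefixes when the environment looks clean.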
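The Email Forwarding Rule (T1114.003) and Email Hiding Rules (T1564.008) rows describe the same artefact from two angles: an inbox rule that either forwards mail outside the organisation or files, deletes or marks-as-read the messages that would alert the victim. The following added detection (example code, not from ATT&CK) triages newline-delimited JSON records shaped like Exchange/Microsoft 365 admin audit events, where cmdlet parameters arrive as a list of `{Name, Value}` pairs. The records, the internal domain list and the keyword list are constructed assumptions.

```python
"""Flag suspicious inbox rules in Exchange / M365 audit records (T1114.003, T1564.008).

Constructed example: the records below imitate the Operation/Parameters
shape of Exchange mailbox-audit events but are invented for the demo.
"""
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}           # assumption: the organisation's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}
# Assumption: subject words an attacker filters on to hide replies about the fraud they run.
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "hacked", "phish",
                   "suspicious", "helpdesk"}


def params_to_dict(record: Dict) -> Dict[str, str]:
    """Exchange audit records carry cmdlet parameters as a list of {Name, Value}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    addr = address.strip().strip('"').lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return bool(domain) and domain not in INTERNAL_DOMAINS


def analyse_rule(record: Dict) -> List[str]:
    """Return the reasons a rule looks like exfiltration or hiding (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = params_to_dict(record)
    reasons: List[str] = []
    for key in FORWARD_PARAMS:
        if key in p:
            targets = [t for t in p[key].replace(";", ",").split(",") if t.strip()]
            external = [t.strip() for t in targets if is_external(t)]
            if external:
                reasons.append(f"{key} to external {external}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").strip("\\").lower() in HIDE_FOLDERS:
        reasons.append(f"rule moves mail to {p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("rule marks mail as read")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(",") if w.strip()}
    if words & SENSITIVE_WORDS:
        reasons.append(f"filters on sensitive words {sorted(words & SENSITIVE_WORDS)}")
    # Mark-as-read on its own is something users do themselves; only report it with company.
    if reasons == ["rule marks mail as read"]:
        return []
    return reasons


def triage(lines: List[str]) -> List[Dict]:
    """Run over NDJSON audit records; return flagged rules with who/where/why."""
    hits: List[Dict] = []
    for line in lines:
        rec = json.loads(line)
        reasons = analyse_rule(rec)
        if reasons:
            hits.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                         "op": rec.get("Operation"), "name": params_to_dict(rec).get("Name"),
                         "reasons": reasons})
    return hits


# Constructed audit records (NDJSON), not real tenant data.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "archive.bob@gmail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Name", "Value": "cleanup"},
                               {"Name": "SubjectContainsWords", "Value": "hacked,password,suspicious"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "dave@example.com", "ClientIP": "10.0.0.5",
                "Parameters": [{"Name": "Name", "Value": "newsletters"},
                               {"Name": "From", "Value": "news@example.com"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "ClientIP": "10.0.0.5"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Rule names made of a single character or whitespace (the "." above) are a common tell on their own, and the client IP that created the rule is usually the first pivot for the rest of the investigation.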
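The Environmental Keying (T1480.001) and Execution Guardrails (T1480) rows describe payloads that only unlock when facts about the target environment reproduce a key, so a sandbox or an analyst's box sees nothing but ciphertext. The following added example (not ATT&CK's code and not any family's scheme) derives the key with PBKDF2-SHA256 from selected environment attributes, encrypts with a SHA-256 counter keystream, and binds an HMAC tag so the wrong environment fails cleanly instead of producing garbage. It also shows the analyst's side: trying candidate environments reconstructed from victim recon until the tag verifies. All environment values are constructed.

```python
"""Environmental keying / execution guardrails (T1480.001, T1480).

Added example: the payload is encrypted under a key derived from values the
target environment supplies (domain, OU, timezone), so it stays opaque in a
sandbox. PBKDF2-SHA256 and the SHA-256 counter keystream are this example's
own choices, not a specific malware family's scheme. All values constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

KEYED_ATTRIBUTES = ("domain", "ou", "timezone")   # the environment facts that form the key
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16
TAG_LEN = 32


def fingerprint(env: Dict[str, str]) -> bytes:
    """Canonicalise only the keyed attributes; everything else in `env` is ignored."""
    return "|".join(env.get(k, "").strip().lower() for k in KEYED_ATTRIBUTES).encode()


def derive_key(env: Dict[str, str], salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", fingerprint(env), salt, PBKDF2_ROUNDS, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with SHA-256(key || counter) blocks (a counter-mode stream)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(target_env: Dict[str, str], payload: bytes) -> bytes:
    """Operator side: salt || ciphertext || HMAC tag, bound to the target environment."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(target_env, salt)
    ct = keystream_xor(key, payload)
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unseal(env: Dict[str, str], blob: bytes) -> Optional[bytes]:
    """Implant side, i.e. the guardrail: the payload appears only if this host reproduces the key."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(env, salt)
    if not hmac.compare_digest(hmac.new(key, salt + ct, hashlib.sha256).digest(), tag):
        return None          # wrong environment: do nothing and leave no decrypted bytes behind
    return keystream_xor(key, ct)


def unlock_with_candidates(candidates: Iterable[Dict[str, str]], blob: bytes) -> Optional[bytes]:
    """Analyst side: try environments reconstructed from victim recon until the tag verifies."""
    for env in candidates:
        payload = unseal(env, blob)
        if payload is not None:
            return payload
    return None


# Constructed environments; hostname is deliberately not part of the key.
TARGET_ENV = {"domain": "CORP.EXAMPLE", "ou": "Finance", "timezone": "Europe/Berlin",
              "hostname": "FIN-WS-042"}
SANDBOX_ENV = {"domain": "WORKGROUP", "ou": "", "timezone": "UTC", "hostname": "DESKTOP-SANDBOX"}

if __name__ == "__main__":
    blob = seal(TARGET_ENV, b"stage2: connect to c2 and run tasks")
    print("sandbox:", unseal(SANDBOX_ENV, blob))
    print("target :", unseal(TARGET_ENV, blob))
```

The practical consequence for detonation: a sample keyed this way is only recoverable by feeding it the victim's real attribute values (or brute-forcing a short list of them), which is why the implant's attribute-collection code, not the encrypted blob, is the part to reverse first.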
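The Exfiltration Over Web Service rows (T1567, T1567.002 cloud storage, T1567.004 webhooks) all describe upload-shaped traffic to legitimate public endpoints that blends into normal browsing. The following added detection (example code, not from ATT&CK) aggregates web-proxy log lines per client and destination and flags the two shapes a practitioner looks for: large byte volumes sent to an upload endpoint, and many small POSTs to a webhook, whose message-size caps force chunking. The log format, endpoint lists and thresholds are constructed assumptions to tune per environment.

```python
"""Spot bulk exfiltration to webhooks and cloud storage in proxy logs (T1567, T1567.002, T1567.004).

Added example. Log lines use a simplified constructed format
(timestamp client method host path bytes_sent bytes_received); the host
lists name well-known public webhook and upload endpoints, and every
threshold is an assumption to tune per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEBHOOK_HOSTS = {"hooks.slack.com", "discord.com", "discordapp.com", "api.telegram.org", "webhook.site"}
CLOUD_UPLOAD_HOSTS = {"content.dropboxapi.com", "api.mega.nz", "www.googleapis.com",
                      "upload.box.com", "transfer.sh"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024   # bytes sent by one client to one host in the log window
POST_COUNT_THRESHOLD = 25                  # webhooks cap message size, so chunked exfil is many small POSTs
RATIO_THRESHOLD = 20.0                     # sent/received: uploads dwarf their responses
RATIO_MIN_SENT = 1024 * 1024               # ignore the ratio for tiny flows


@dataclass
class Request:
    ts: str
    client: str
    method: str
    host: str
    path: str
    sent: int
    received: int


def parse_line(line: str) -> Request:
    ts, client, method, host, path, sent, received = line.split()
    return Request(ts, client, method, host, path, int(sent), int(received))


def endpoint_kind(r: Request) -> str:
    if r.host in WEBHOOK_HOSTS or r.path.startswith("/api/webhooks/"):
        return "webhook"
    if r.host in CLOUD_UPLOAD_HOSTS:
        return "cloud"
    return "other"


def detect(lines: List[str]) -> List[Dict]:
    """Aggregate per (client, host) and flag upload-shaped traffic to webhook/cloud endpoints."""
    stats: Dict[Tuple[str, str], Dict] = defaultdict(
        lambda: {"sent": 0, "received": 0, "posts": 0, "kind": "other"})
    for line in lines:
        r = parse_line(line)
        kind = endpoint_kind(r)
        if kind == "other":
            continue
        s = stats[(r.client, r.host)]
        s["kind"] = kind
        s["sent"] += r.sent
        s["received"] += r.received
        s["posts"] += int(r.method in ("POST", "PUT", "PATCH"))
    findings: List[Dict] = []
    for (client, host), s in stats.items():
        reasons: List[str] = []
        if s["sent"] >= UPLOAD_BYTES_THRESHOLD:
            reasons.append(f"{s['sent']} bytes sent")
        if s["kind"] == "webhook" and s["posts"] >= POST_COUNT_THRESHOLD:
            reasons.append(f"{s['posts']} POSTs to a webhook endpoint")
        if s["received"] and s["sent"] >= RATIO_MIN_SENT and s["sent"] / s["received"] >= RATIO_THRESHOLD:
            reasons.append(f"send/receive ratio {s['sent'] / s['received']:.0f}")
        if reasons:
            findings.append({"client": client, "host": host, "kind": s["kind"], "reasons": reasons})
    return findings


# Constructed proxy lines (not real traffic).
SAMPLE_LINES = (
    [f"2024-05-01T10:{i:02d}:00 10.0.0.12 POST discord.com /api/webhooks/1/x 65000 200" for i in range(40)]
    + ["2024-05-01T11:00:00 10.0.0.33 POST content.dropboxapi.com /2/files/upload 8000000 300"]
    + ["2024-05-01T11:05:00 10.0.0.44 GET www.googleapis.com /drive/v3/files 500 2000000"]
    + ["2024-05-01T11:06:00 10.0.0.55 POST hooks.slack.com /services/T0/B0/x 800 150"] * 3
    + ["2024-05-01T11:07:00 10.0.0.66 GET www.example.com / 400 9000"]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Because the destinations are legitimate and TLS hides the body, byte counts and request cadence are usually all a proxy gives you; a host that has never talked to the endpoint before, or one doing so outside working hours, is the enrichment that turns these findings into something worth paging on.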