| T1567.001 | Exfiltration to Code Repository | Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code re… | exfiltration |
| T1567.003 | Exfiltration to Text Storage Sites | Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage… | exfiltration |
| T1190 | Exploit Public-Facing Application | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The we… | initial-access |
| T1203 | Exploitation for Client Execution | Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in so… | execution |
| T1212 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulner… | credential-access |
| T1211 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerabili… | defense-evasion |
| T1068 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnera… | privilege-escalation |
| T1210 | Exploitation of Remote Services | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploi… | lateral-movement |
| T1587.004 | Exploits | Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability… | resource-development |
| T1588.005 | Exploits | Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug … | resource-development |
| T1564.014 | Extended Attributes | Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade det… | defense-evasion |
| T1491.002 | External Defacement | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise… | impact |
| T1090.002 | External Proxy | Adversaries may use an external proxy to act as an intermediary for network communications to a command and control serv… | command-and-control |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote ser… | persistence |
| T1055.011 | Extra Window Memory Injection | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defense… | defense-evasion |
| T1181 | Extra Window Memory Injection | Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipula… | defense-evasion |
| T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible i… | command-and-control |
| T1568.001 | Fast Flux DNS | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses… | command-and-control |
| T1107 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… | defense-evasion |
| T1070.004 | File Deletion | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native… | defense-evasion |
| T1044 | File System Permissions Weakness | Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the… | persistence |
| T1071.002 | File Transfer Protocols | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/netw… | command-and-control |
| T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certa… | discovery |
| T1222 | File and Directory Permissions Modification | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… | defense-evasion |
| T1564.012 | File/Path Exclusions | Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded fr… | defense-evasion |
| T1027.011 | Fileless Storage | Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be br… | defense-evasion |
| T1657 | Financial Theft | Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other m… | impact |
| T1592.003 | Firmware | Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about… | reconnaissance |
| T1495 | Firmware Corruption | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a… | impact |
| T1187 | Forced Authentication | Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication informa… | credential-access |
| T1606 | Forge Web Credentials | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web… | credential-access |
| T1056.002 | GUI Input Capture | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate… | collection |
| T1553.001 | Gatekeeper Bypass | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted … | defense-evasion |
| T1144 | Gatekeeper Bypass | In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on t… | defense-evasion |
| T1592 | Gather Victim Host Information | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts m… | reconnaissance |
| T1589 | Gather Victim Identity Information | Adversaries may gather information about the victim's identity that can be used during targeting. Information about iden… | reconnaissance |
| T1590 | Gather Victim Network Information | Adversaries may gather information about the victim's networks that can be used during targeting. Information about netw… | reconnaissance |
| T1591 | Gather Victim Org Information | Adversaries may gather information about the victim's organization that can be used during targeting. Information about … | reconnaissance |
| T1558.001 | Golden Ticket | Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a … | credential-access |
| T1061 | Graphical User Interface | **This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appr… | execution |
| T1615 | Group Policy Discovery | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measure… | discovery |
| T1484.001 | Group Policy Modification | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, u… | defense-evasion |
| T1552.006 | Group Policy Preferences | Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow admini… | credential-access |
| T1148 | HISTCONTROL | The `HISTCONTROL` environment variable keeps track of what should be saved by the `history` comman… | defense-evasion |
| T1027.006 | HTML Smuggling | Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML… | defense-evasion |
| T1592.001 | Hardware | Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about… | reconnaissance |
| T1200 | Hardware Additions | Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system… | initial-access |
| T1564.005 | Hidden File System | Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provi… | defense-evasion |
| T1158 | Hidden Files and Directories | To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of… | defense-evasion |
| T1564.001 | Hidden Files and Directories | Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accid… | defense-evasion |