| ID | Name | Description | Tactic |
|---|---|---|---|
| T1564.002 | Hidden Users | Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to… | defense-evasion |
| T1147 | Hidden Users | Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that a… | defense-evasion |
| T1143 | Hidden Window | Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, win… | defense-evasion |
| T1564.003 | Hidden Window | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows t… | defense-evasion |
| T1564 | Hide Artifacts | Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have… | defense-evasion |
| T1665 | Hide Infrastructure | Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be … | command-and-control |
| T1574 | Hijack Execution Flow | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking exec… | persistence |
| T1179 | Hooking | Windows processes often leverage application programming interface (API) functions to perform tasks that require reusabl… | persistence |
| T1556.007 | Hybrid Identity | Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user id… | credential-access |
| T1062 | Hypervisor | **This technique has been deprecated and should no longer be used.** A type-1 hypervisor is a software layer that sits … | persistence |
| T1059.012 | Hypervisor CLI | Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typical… | execution |
| T1176.002 | IDE Extensions | Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim sys… | persistence |
| T1219.001 | IDE Tunneling | Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an… | command-and-control |
| T1505.004 | IIS Components | Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish pe… | persistence |
| T1590.005 | IP Addresses | Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated… | reconnaissance |
| T1591.003 | Identify Business Tempo | Adversaries may gather information about the victim's business tempo that can be used during targeting. Information abou… | reconnaissance |
| T1591.004 | Identify Roles | Adversaries may gather information about identities and roles within the victim organization that can be used during tar… | reconnaissance |
| T1564.011 | Ignore Process Interrupts | Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operatin… | defense-evasion |
| T1183 | Image File Execution Options Injection | Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created… | privilege-escalation |
| T1546.012 | Image File Execution Options Injection | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File E… | privilege-escalation |
| T1562.003 | Impair Command History Logging | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp… | defense-evasion |
| T1562 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms… | defense-evasion |
| T1656 | Impersonation | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing som… | defense-evasion |
| T1525 | Implant Internal Image | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to a… | persistence |
| T1054 | Indicator Blocking | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T… | defense-evasion |
| T1562.006 | Indicator Blocking | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T… | defense-evasion |
| T1070 | Indicator Removal | Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defen… | defense-evasion |
| T1066 | Indicator Removal from Tools | If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the ma… | defense-evasion |
| T1027.005 | Indicator Removal from Tools | Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwis… | defense-evasion |
| T1202 | Indirect Command Execution | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of c… | defense-evasion |
| T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may… | command-and-control |
| T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted syst… | impact |
| T1056 | Input Capture | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system u… | collection |
| T1674 | Input Injection | Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of t… | execution |
| T1141 | Input Prompt | When programs are executed that need additional privileges than are present in the current user context, it is common fo… | credential-access |
| T1608.003 | Install Digital Certificate | Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can … | resource-development |
| T1553.004 | Install Root Certificate | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary contro… | defense-evasion |
| T1130 | Install Root Certificate | Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certifi… | defense-evasion |
| T1218.004 | InstallUtil | Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-l… | defense-evasion |
| T1118 | InstallUtil | InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific… | defense-evasion |
| T1546.016 | Installer Packages | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious… | privilege-escalation |
| T1559 | Inter-Process Communication | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically… | execution |
| T1491.001 | Internal Defacement | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discredit… | impact |
| T1090.001 | Internal Proxy | Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised… | command-and-control |
| T1534 | Internal Spearphishing | After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing… | lateral-movement |
| T1016.001 | Internet Connection Discovery | Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery… | discovery |
| T1036.001 | Invalid Code Signature | Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, … | defense-evasion |
| T1127.003 | JamPlus | Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code a… | defense-evasion |
| T1059.007 | JavaScript | Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scr… | execution |
| T1027.016 | Junk Code Insertion | Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not… | defense-evasion |