Trusted Design

Technique List

Technique ID Name Summary Tactic
T1001.001 Junk Data Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: Fire… command-and-control
T1208 Kerberoasting Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authenticatio… credential-access
T1558.003 Kerberoasting Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting… credential-access
T1215 Kernel Modules and Extensions Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They e… persistence
T1547.006 Kernel Modules and Extensions Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are p… persistence
T1574.013 KernelCallbackTable Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run the… persistence
T1555.001 Keychain Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management sy… credential-access
T1142 Keychain Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and feature… credential-access
T1056.001 Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to … collection
T1161 LC_LOAD_DYLIB Addition Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOA… persistence
T1546.006 LC_LOAD_DYLIB Addition Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mac… privilege-escalation
T1149 LC_MAIN Hijacking **This technique has been deprecated and should no longer be used.** As of OS X 10.8, mach-O binaries introduced a new … defense-evasion
T1171 LLMNR/NBT-NS Poisoning and Relay Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that ser… credential-access
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to forc… credential-access
T1027.012 LNK Icon Smuggling Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise see… defense-evasion
T1003.004 LSA Secrets Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain… credential-access
T1177 LSASS Driver The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or doma… execution
T1547.008 LSASS Driver Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem… persistence
T1003.001 LSASS Memory Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsy… credential-access
T1570 Lateral Tool Transfer Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim… lateral-movement
T1543.001 Launch Agent Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a u… persistence
T1159 Launch Agent Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the paramete… persistence
T1543.004 Launch Daemon Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are… persistence
T1160 Launch Daemon Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This p… persistence
T1152 Launchctl Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute… defense-evasion
T1569.001 Launchctl Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service manageme… execution
T1053.004 Launchd This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how th… execution
T1485.001 Lifecycle-Triggered Deletion Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud s… impact
T1608.005 Link Target Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may… resource-development
T1222.002 Linux and Mac File and Directory Permissions Modification Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… defense-evasion
T1055.015 ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-base… defense-evasion
T1087.001 Local Account Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which… discovery
T1136.001 Local Account Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an o… persistence
T1078.003 Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privi… defense-evasion
T1074.001 Local Data Staging Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data … collection
T1114.001 Local Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be … collection
T1069.001 Local Groups Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission gr… discovery
T1168 Local Job Scheduling On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron… persistence
T1680 Local Storage Discovery Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume s… discovery
T1654 Log Enumeration Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuabl… discovery
T1037.002 Login Hook Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that po… persistence
T1162 Login Item MacOS provides the option to list specific applications to run when a user logs in. These applications run under the log… persistence
T1547.015 Login Items Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are a… persistence
T1037.001 Logon Script (Windows) Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windo… persistence
T1059.011 Lua Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language… execution
T1218.014 MMC Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary… defense-evasion
T1127.001 MSBuild Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build E… defense-evasion
T1071.003 Mail Protocols Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detectio… command-and-control
T1134.003 Make and Impersonate Token Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if… defense-evasion
T1204.004 Malicious Copy and Paste An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social … execution