Trusted Design

Technique List

Technique ID Name Description Tactic
T1553.004 Install Root Certificate Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary contro… defense-impairment
T1130 Install Root Certificate Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certifi… stealth
T1218.004 InstallUtil Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-l… stealth
T1118 InstallUtil InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific… stealth
T1546.016 Installer Packages Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious… privilege-escalation
T1559 Inter-Process Communication Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically… execution
T1491.001 Internal Defacement An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discredit… impact
T1090.001 Internal Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised… command-and-control
T1534 Internal Spearphishing After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing… lateral-movement
T1016.001 Internet Connection Discovery Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery… discovery
T1036.001 Invalid Code Signature Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, … stealth
T1027.018 Invisible Unicode Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, o… stealth
T1127.003 JamPlus Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code a… stealth
T1059.007 JavaScript Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scr… execution
T1027.016 Junk Code Insertion Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not… stealth
T1001.001 Junk Data Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: Fire… command-and-control
T1208 Kerberoasting Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authenticatio… credential-access
T1558.003 Kerberoasting Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting… credential-access
T1215 Kernel Modules and Extensions Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They e… persistence
T1547.006 Kernel Modules and Extensions Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are p… persistence
T1574.013 KernelCallbackTable Adversaries may abuse the `KernelCallbackTable` of a process to hijack its execution flow in order to run the… stealth
T1555.001 Keychain Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management sy… credential-access
T1142 Keychain Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and feature… credential-access
T1056.001 Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to … collection
T1161 LC_LOAD_DYLIB Addition Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOA… persistence
T1546.006 LC_LOAD_DYLIB Addition Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mac… privilege-escalation
T1149 LC_MAIN Hijacking **This technique has been deprecated and should no longer be used.** As of OS X 10.8, mach-O binaries introduced a new … stealth
T1171 LLMNR/NBT-NS Poisoning and Relay Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that ser… credential-access
T1027.012 LNK Icon Smuggling Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise see… stealth
T1003.004 LSA Secrets Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain… credential-access
T1177 LSASS Driver The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or doma… execution
T1547.008 LSASS Driver Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem… persistence
T1003.001 LSASS Memory Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsy… credential-access
T1570 Lateral Tool Transfer Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim… lateral-movement
T1543.001 Launch Agent Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a u… persistence
T1159 Launch Agent Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the paramete… persistence
T1543.004 Launch Daemon Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are… persistence
T1160 Launch Daemon Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This p… persistence
T1152 Launchctl Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute… stealth
T1569.001 Launchctl Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service manageme… execution
T1053.004 Launchd This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how th… execution
T1485.001 Lifecycle-Triggered Deletion Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud s… impact
T1608.005 Link Target Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may… resource-development
T1222.002 Linux and Mac Permissions Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte… defense-impairment
T1055.015 ListPlanting Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-base… stealth
T1087.001 Local Account Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which… discovery
T1136.001 Local Account Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an o… persistence
T1078.003 Local Accounts Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privi… stealth
T1074.001 Local Data Staging Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data … collection
T1114.001 Local Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be … collection