ATT&CK techniques
212 top-level MITRE ATT&CK Enterprise techniques (T-IDs) across the 14 Enterprise tactics. Filter to a tactic or browse the full kill chain, then click into a technique for its sub-techniques and mitigations. A technique that ATT&CK maps to several tactics (for example T1078 Valid Accounts, whose summary names Initial Access, Persistence, Privilege Escalation and Defense Evasion) is listed once here, under a single tactic, so the per-tactic counts below are lower than the technique count on the MITRE matrix for that tactic. The list is a snapshot of one ATT&CK release and still carries IDs that MITRE has since revoked in favour of sub-techniques (for example T1504, T1519, T1514, T1502, T1506, T1527, T1167, T1503, T1522 and T1536); check the current matrix before using an ID from this page in a mapping or a detection rule. Authored by Adam Lundqvist.
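As an added example (not code from this page, nor MITRE's own tooling), the script below builds the kind of index this page shows from an ATT&CK STIX 2.1 bundle: it keeps only attack-pattern objects, drops sub-techniques, skips revoked and deprecated entries, files each technique under one tactic in kill-chain order, lists a parent's sub-techniques, and checks a set of T-IDs taken from a rule set against the bundle. The field names used (x_mitre_is_subtechnique, kill_chain_phases, external_references, revoked, x_mitre_deprecated) are the real ones from the ATT&CK STIX data; SAMPLE_BUNDLE is a constructed seven-object stand-in so the script runs offline, and filing a multi-tactic technique under its first kill-chain phase is an assumption about how this page chooses a single tactic, consistent with T1078 appearing only under Defense Evasion.

```python
# Added example (not the page's own code): build this page's "techniques grouped
# by tactic" index from an ATT&CK STIX 2.1 bundle. SAMPLE_BUNDLE is constructed
# here so the script runs offline; the real bundle (same field names) lives at
# https://github.com/mitre-attack/attack-stix-data
from collections import OrderedDict

# The 14 Enterprise tactics in kill-chain order, as STIX phase_name values.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

def _ap(ext_id, name, phases, sub=False, revoked=False, deprecated=False):
    """Constructed attack-pattern object with the real ATT&CK STIX field names."""
    obj = {
        "type": "attack-pattern", "name": name, "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                              for p in phases],
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
    }
    if revoked:      # replaced by another object; MITRE keeps it in the bundle
        obj["revoked"] = True
    if deprecated:   # retired with no replacement
        obj["x_mitre_deprecated"] = True
    return obj

MULTI = ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]
SAMPLE_BUNDLE = {"type": "bundle", "objects": [          # constructed sample data
    _ap("T1595", "Active Scanning", ["reconnaissance"]),
    _ap("T1053", "Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    _ap("T1053.005", "Scheduled Task", ["execution", "persistence"], sub=True),
    _ap("T1078", "Valid Accounts", MULTI),
    _ap("T1078.004", "Cloud Accounts", MULTI, sub=True),
    _ap("T1504", "PowerShell Profile", ["persistence", "privilege-escalation"], revoked=True),
    _ap("T1535", "Unused/Unsupported Cloud Regions", ["defense-evasion"], deprecated=True),
    {"type": "course-of-action", "name": "Multi-factor Authentication",   # not a technique
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
]}

def attack_id(obj):
    """ATT&CK ID (T1078, T1078.004, M1032, ...) from the mitre-attack reference."""
    refs = obj.get("external_references", [])
    return next((r.get("external_id") for r in refs if r.get("source_name") == "mitre-attack"), None)

def is_retired(obj):
    return bool(obj.get("revoked")) or bool(obj.get("x_mitre_deprecated"))

def primary_tactic(obj):
    """First mitre-attack phase. Assumption: this is how the page picks the one
    tactic it files a multi-tactic technique under (T1078 sits in Defense Evasion)."""
    phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "mitre-attack"]
    return phases[0] if phases else None

def build_index(bundle, include_retired=False):
    """tactic -> sorted [(T-ID, name)] of top-level techniques, in kill-chain order."""
    buckets = {t: [] for t in TACTIC_ORDER}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("x_mitre_is_subtechnique"):
            continue
        if is_retired(obj) and not include_retired:
            continue
        tactic, tid = primary_tactic(obj), attack_id(obj)
        if tactic in buckets and tid:
            buckets[tactic].append((tid, obj["name"]))
    return OrderedDict((t, sorted(rows)) for t, rows in buckets.items() if rows)

def subtechniques(bundle, parent_id):
    """Active sub-techniques of parent_id, i.e. IDs of the form parent_id.NNN."""
    return sorted((attack_id(o), o["name"]) for o in bundle["objects"]
                  if o.get("type") == "attack-pattern" and o.get("x_mitre_is_subtechnique")
                  and not is_retired(o) and (attack_id(o) or "").startswith(parent_id + "."))

def check_ids(bundle, ids):
    """Validate T-IDs taken from a rule set: returns (unknown, retired) ID lists."""
    status = {attack_id(o): is_retired(o) for o in bundle["objects"]
              if o.get("type") == "attack-pattern" and attack_id(o)}
    unknown = sorted(i for i in ids if i not in status)
    retired = sorted(i for i in ids if status.get(i))
    return unknown, retired

if __name__ == "__main__":
    for tactic, rows in build_index(SAMPLE_BUNDLE).items():
        print(f"{tactic} ({len(rows)})", *[f"  {t}  {n}" for t, n in rows], sep="\n")
    print("T1078 sub-techniques:", subtechniques(SAMPLE_BUNDLE, "T1078"))
    print("rule check:", check_ids(SAMPLE_BUNDLE, ["T1078", "T1504", "T9999"]))
```

To run this against the real data, replace SAMPLE_BUNDLE with `json.load()` of the enterprise-attack.json file from the repository above. With `include_retired=True` the revoked and deprecated IDs come back into the per-tactic tables, which is the likely reason an index built from an older snapshot still shows IDs such as T1504 that the current matrix has retired.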
Reconnaissance (10 techniques)
| ID | Title | Summary |
|---|---|---|
| T1589 | Gather Victim Identity Information | Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details… |
| T1590 | Gather Victim Network Information | Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, … |
| T1591 | Gather Victim Org Information | Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety o… |
| T1592 | Gather Victim Host Information | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, includ… |
| T1593 | Search Open Websites/Domains | Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may … |
| T1594 | Search Victim-Owned Websites | Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, … |
| T1595 | Active Scanning | Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes … |
| T1596 | Search Open Technical Databases | Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be a… |
| T1597 | Search Closed Sources | Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available f… |
| T1598 | Phishing for Information | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targe… |
Resource Development (8 techniques)
| ID | Title | Summary |
|---|---|---|
| T1583 | Acquire Infrastructure | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adv… |
| T1584 | Compromise Infrastructure | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, a… |
| T1585 | Establish Accounts | Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a pers… |
| T1586 | Compromise Accounts | Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an onl… |
| T1587 | Develop Capabilities | Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may dev… |
| T1588 | Obtain Capabilities | Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purcha… |
| T1608 | Stage Capabilities | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take… |
| T1650 | Acquire Access | Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks… |
Initial Access (7 techniques)
| ID | Title | Summary |
|---|---|---|
| T1189 | Drive-by Compromise | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is ty… |
| T1190 | Exploit Public-Facing Application | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software … |
| T1195 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply c… |
| T1199 | Trusted Relationship | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an exist… |
| T1200 | Hardware Additions | Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain a… |
| T1566 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be… |
| T1659 | Content Injection | Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than l… |
Execution (13 techniques)
| ID | Title | Summary |
|---|---|---|
| T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uni… |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating … |
| T1059 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting wit… |
| T1072 | Software Deployment Tools | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment s… |
| T1106 | Native API | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low… |
| T1129 | Shared Modules | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to … |
| T1203 | Exploitation for Client Execution | Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices… |
| T1204 | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious… |
| T1559 | Inter-Process Communication | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, commu… |
| T1569 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating ser… |
| T1609 | Container Administration Command | Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, … |
| T1648 | Serverless Execution | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a … |
| T1651 | Cloud Administration Command | Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Az… |
Persistence (15 techniques)
| ID | Title | Summary |
|---|---|---|
| T1037 | Boot or Logon Initialization Scripts | Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform admi… |
| T1098 | Account Manipulation | Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modif… |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other a… |
| T1136 | Create Account | Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish seco… |
| T1137 | Office Application Startup | Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows… |
| T1176 | Browser Extensions | Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can a… |
| T1504 | PowerShell Profile | Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A Po… |
| T1505 | Server Software Component | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may inclu… |
| T1519 | Emond | Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [La… |
| T1525 | Implant Internal Image | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS… |
| T1543 | Create or Modify System Process | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they c… |
| T1547 | Boot or Logon Autostart Execution | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privilege… |
| T1554 | Compromise Client Software Binary | Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a serve… |
| T1574 | Hijack Execution Flow | Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of p… |
| T1653 | Power Settings | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant s… |
Privilege Escalation (5 techniques)
| ID | Title | Summary |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes a… |
| T1514 | Elevated Execution with Prompt | Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. … |
| T1546 | Event Triggered Execution | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating syst… |
| T1548 | Abuse Elevation Control Mechanism | Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation con… |
| T1611 | Escape to Host | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the ho… |
Defense Evasion (44 techniques)
| ID | Title | Summary |
|---|---|---|
| T1006 | Direct Volume Access | Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical vo… |
| T1014 | Rootkit | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are program… |
| T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the sy… |
| T1036 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs … |
| T1055 | Process Injection | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of ex… |
| T1070 | Indicator Removal | Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created b… |
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. … |
| T1112 | Modify Registry | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as par… |
| T1127 | Trusted Developer Utilities Proxy Execution | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development … |
| T1134 | Access Token Manipulation | Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses a… |
| T1140 | Deobfuscate/Decode Files or Information | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may requ… |
| T1197 | BITS Jobs | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a … |
| T1202 | Indirect Command Execution | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windo… |
| T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involv… |
| T1207 | Rogue Domain Controller | Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (D… |
| T1211 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advan… |
| T1216 | System Script Proxy Execution | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been… |
| T1218 | System Binary Proxy Execution | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries… |
| T1220 | XSL Script Processing | Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are … |
| T1221 | Template Injection | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Off… |
| T1222 | File and Directory Permissions Modification | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. … |
| T1480 | Execution Guardrails | Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to… |
| T1484 | Domain Policy Modification | Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralize… |
| T1497 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of … |
| T1502 | Parent PID Spoofing | Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are ty… |
| T1506 | Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols… |
| T1527 | Application Access Token | Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote s… |
| T1535 | Unused/Unsupported Cloud Regions | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accoun… |
| T1536 | Revert Cloud Instance | An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of th… |
| T1542 | Pre-OS Boot | Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various star… |
| T1550 | Use Alternate Authentication Material | Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally wit… |
| T1553 | Subvert Trust Controls | Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and… |
| T1562 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing prev… |
| T1564 | Hide Artifacts | Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, su… |
| T1578 | Modify Cloud Compute Infrastructure | An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can… |
| T1599 | Network Boundary Bridging | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these d… |
| T1600 | Weaken Encryption | Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. … |
| T1601 | Modify System Image | Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devic… |
| T1610 | Deploy Container | Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to exec… |
| T1612 | Build Image on Host | Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remo… |
| T1620 | Reflective Code Loading | Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then exec… |
| T1622 | Debugger Evasion | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potentia… |
| T1647 | Plist File Modification | Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macO… |
| T1656 | Impersonation | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, … |
Credential Access (19 techniques)
| ID | Title | Summary |
|---|---|---|
| T1003 | OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the … |
| T1040 | Network Sniffing | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing … |
| T1110 | Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the… |
| T1111 | Multi-Factor Authentication Interception | Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used… |
| T1167 | Securityd Memory | In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows the… |
| T1187 | Forced Authentication | Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they … |
| T1212 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes … |
| T1503 | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers… |
| T1522 | Cloud Instance Metadata API | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Clou… |
| T1528 | Steal Application Access Token | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used… |
| T1539 | Steal Web Session Cookie | An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user… |
| T1552 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations… |
| T1555 | Credentials from Password Stores | Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the o… |
| T1556 | Modify Authentication Process | Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authenticatio… |
| T1557 | Adversary-in-the-Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on beh… |
| T1558 | Steal or Forge Kerberos Tickets | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniq… |
| T1606 | Forge Web Credentials | Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in c… |
| T1621 | Multi-Factor Authentication Request Generation | Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversari… |
| T1649 | Steal or Forge Authentication Certificates | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encr… |
Discovery (29 techniques)
| ID | Title | Summary |
|---|---|---|
| T1007 | System Service Discovery | Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS u… |
| T1010 | Application Window Discovery | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. … |
| T1012 | Query Registry | Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a sign… |
| T1016 | System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information d… |
| T1018 | Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Moveme… |
| T1033 | System Owner/User Discovery | Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using t… |
| T1046 | Network Service Discovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable t… |
| T1049 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by queryi… |
| T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/… |
| T1069 | Permission Groups Discovery | Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available… |
| T1082 | System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architec… |
| T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Ad… |
| T1087 | Account Discovery | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can… |
| T1120 | Peripheral Device Discovery | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. … |
| T1124 | System Time Discovery | An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a … |
| T1135 | Network Share Discovery | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection a… |
| T1201 | Password Policy Discovery | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are … |
| T1217 | Browser Information Discovery | Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and bro… |
| T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain… |
| T1518 | Software Discovery | Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the in… |
| T1526 | Cloud Service Discovery | An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), … |
| T1538 | Cloud Service Dashboard | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific s… |
| T1580 | Cloud Infrastructure Discovery | An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes co… |
| T1613 | Container and Resource Discovery | Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, depl… |
| T1614 | System Location Discovery | Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Loc… |
| T1615 | Group Policy Discovery | Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to disco… |
| T1619 | Cloud Storage Object Discovery | Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors… |
| T1652 | Device Driver Discovery | Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-o… |
| T1654 | Log Enumeration | Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as us… |
Lateral Movement (7 techniques)
| ID | Title | Summary |
|---|---|---|
| T1021 | Remote Services | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and… |
| T1080 | Taint Shared Content | Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Conten… |
| T1091 | Replication Through Removable Media | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun… |
| T1210 | Exploitation of Remote Services | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occu… |
| T1534 | Internal Spearphishing | Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have… |
| T1563 | Remote Service Session Hijacking | Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a se… |
| T1570 | Lateral Tool Transfer | Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Trans… |
Collection (16)
| ID | Title | Summary |
|---|---|---|
| T1005 | Data from Local System | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prio… |
| T1025 | Data from Removable Media | Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removab… |
| T1039 | Data from Network Shared Drive | Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via sha… |
| T1056 | Input Capture | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials t… |
| T1074 | Data Staged | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file thr… |
| T1113 | Screen Capture | Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be inc… |
| T1114 | Email Collection | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that ca… |
| T1115 | Clipboard Data | Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can a… |
| T1119 | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique coul… |
| T1123 | Audio Capture | An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audi… |
| T1125 | Video Capture | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video re… |
| T1185 | Browser Session Hijacking | Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and interce… |
| T1213 | Data from Information Repositories | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typic… |
| T1530 | Data from Cloud Storage | Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Googl… |
| T1560 | Archive Collected Data | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimi… |
| T1602 | Data from Configuration Repository | Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to … |
Command and Control (15)
| ID | Title | Summary |
|---|---|---|
| T1001 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessar… |
| T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command an… |
| T1071 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the re… |
| T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control … |
| T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from syst… |
| T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of po… |
| T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media a… |
| T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages ma… |
| T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-c… |
| T1132 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded us… |
| T1219 | Remote Access Software | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within net… |
| T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by us… |
| T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar… |
| T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access … |
| T1573 | Encrypted Channel | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a commun… |
Exfiltration (9)
| ID | Title | Summary |
|---|---|---|
| T1011 | Exfiltration Over Other Network Medium | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired … |
| T1020 | Automated Exfiltration | Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. When automated … |
| T1029 | Scheduled Transfer | Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns w… |
| T1030 | Data Transfer Size Limits | An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid… |
| T1041 | Exfiltration Over C2 Channel | Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using… |
| T1048 | Exfiltration Over Alternative Protocol | Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an … |
| T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise… |
| T1537 | Transfer Data to Cloud Account | Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to… |
| T1567 | Exfiltration Over Web Service | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services… |
Impact (15)
| ID | Title | Summary |
|---|---|---|
| T1485 | Data Destruction | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resourc… |
| T1486 | Data Encrypted for Impact | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can … |
| T1487 | Disk Structure Wipe | Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number… |
| T1489 | Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhi… |
| T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos… |
| T1491 | Defacement | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reason… |
| T1495 | Firmware Corruption | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inopera… |
| T1496 | Resource Hijacking | Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. … |
| T1498 | Network Denial of Service | Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be perform… |
| T1499 | Endpoint Denial of Service | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by ex… |
| T1529 | System Shutdown/Reboot | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate… |
| T1531 | Account Access Removal | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, … |
| T1561 | Disk Wipe | Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. W… |
| T1565 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By man… |
| T1657 | Financial Theft | Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gai… |