Mappings
Enterprise
Action.Hacking.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Abuse of functionality | T1047 | Windows Management Instrumentation |
| | T1053 | Scheduled Task/Job |
| | T1053.002 | Scheduled Task/Job: At |
| | T1053.003 | Scheduled Task/Job: Cron |
| | T1053.005 | Scheduled Task/Job: Scheduled Task |
| | T1053.006 | Scheduled Task/Job: Systemd Timers |
| | T1053.007 | Scheduled Task/Job: Container Orchestration Job |
| | T1059 | Command and Scripting Interpreter |
| | T1059.001 | Command and Scripting Interpreter: PowerShell |
| | T1059.002 | Command and Scripting Interpreter: AppleScript |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| | T1059.006 | Command and Scripting Interpreter: Python |
| | T1059.007 | Command and Scripting Interpreter: JavaScript |
| | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| | T1072 | Software Deployment Tools |
| | T1106 | Native API |
| | T1112 | Modify Registry |
| | T1127 | Trusted Developer Utilities Proxy Execution |
| | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild |
| | T1129 | Shared Modules |
| | T1137 | Office Application Startup |
| | T1137.001 | Office Application Startup: Office Template Macros |
| | T1137.002 | Office Application Startup: Office Test |
| | T1137.003 | Office Application Startup: Outlook Forms |
| | T1137.004 | Office Application Startup: Outlook Home Page |
| | T1137.005 | Office Application Startup: Outlook Rules |
| | T1187 | Forced Authentication |
| | T1202 | Indirect Command Execution |
| | T1216 | Signed Script Proxy Execution |
| | T1216.001 | Signed Script Proxy Execution: PubPrn |
| | T1218 | Signed Binary Proxy Execution |
| | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File |
| | T1218.002 | Signed Binary Proxy Execution: Control Panel |
| | T1218.003 | Signed Binary Proxy Execution: CMSTP |
| | T1218.004 | Signed Binary Proxy Execution: InstallUtil |
| | T1218.005 | Signed Binary Proxy Execution: Mshta |
| | T1218.007 | Signed Binary Proxy Execution: Msiexec |
| | T1218.008 | Signed Binary Proxy Execution: Odbcconf |
| | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm |
| | T1218.010 | Signed Binary Proxy Execution: Regsvr32 |
| | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| | T1218.012 | Signed Binary Proxy Execution: Verclsid |
| | T1218.013 | System Binary Proxy Execution: Mavinject |
| | T1218.014 | System Binary Proxy Execution: MMC |
| | T1220 | XSL Script Processing |
| | T1505.001 | Server Software Component: SQL Stored Procedures |
| | T1505.002 | Server Software Component: Transport Agent |
| | T1529 | System Shutdown/Reboot |
| | T1543 | Create or Modify System Process |
| | T1543.001 | Create or Modify System Process: Launch Agent |
| | T1543.002 | Create or Modify System Process: Systemd Service |
| | T1543.003 | Create or Modify System Process: Windows Service |
| | T1543.004 | Create or Modify System Process: Launch Daemon |
| | T1547 | Boot or Logon Autostart Execution |
| | T1548 | Abuse Elevation Control Mechanism |
| | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid |
| | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
| | T1559 | Inter-Process Communication |
| | T1559.001 | Inter-Process Communication: Component Object Model |
| | T1559.002 | Inter-Process Communication: Dynamic Data Exchange |
| | T1563 | Remote Service Session Hijacking |
| | T1563.001 | Remote Service Session Hijacking: SSH Hijacking |
| | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| | T1564 | Hide Artifacts |
| | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| | T1564.002 | Hide Artifacts: Hidden Users |
| | T1564.003 | Hide Artifacts: Hidden Window |
| | T1564.004 | Hide Artifacts: NTFS File Attributes |
| | T1564.005 | Hide Artifacts: Hidden File System |
| | T1564.006 | Hide Artifacts: Run Virtual Instance |
| | T1564.007 | Hide Artifacts: VBA Stomping |
| | T1569 | System Services |
| | T1569.001 | System Services: Launchctl |
| | T1569.002 | System Services: Service Execution |
| | T1578 | Modify Cloud Compute Infrastructure |
| | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot |
| | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance |
| | T1578.003 | Modify Cloud Compute Infrastructure: Delete Cloud Instance |
| | T1578.004 | Modify Cloud Compute Infrastructure: Revert Cloud Instance |
| | T1609 | Container Administration Command |
| Backdoor | T1098 | Account Manipulation |
| | T1547 | Boot or Logon Autostart Execution |
| | T1037 | Boot or Logon Initialization Scripts |
| | T1554 | Compromise Client Software Binary |
| | T1136 | Create Accounts |
| | T1543 | Create or Modify System Process |
| | T1546 | Event Triggered Execution |
| | T1133 | External Remote Services |
| | T1525 | Implant Internal Image |
| | T1556 | Modify Authentication Process |
| | T1053 | Scheduled Task/Job |
| | T1078 | Valid Accounts |
| Brute force | T1110 | Brute Force |
| | T1110.001 | Brute Force: Password Guessing |
| | T1110.002 | Brute Force: Password Cracking |
| | T1110.003 | Brute Force: Password Spraying |
| | T1110.004 | Brute Force: Credential Stuffing |
| Buffer overflow | T1203 | Exploitation for Client Execution |
| Cache poisoning | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning |
| Cryptanalysis | T1600 | Weaken Encryption |
| Disable controls | T1562 | Impair Defenses |
| | T1562.001 | Disable or Modify Tools |
| | T1562.002 | Disable Windows Event Logging |
| | T1562.003 | Impair Command History Logging |
| | T1562.004 | Disable or Modify System Firewall |
| | T1562.007 | Disable or Modify Cloud Firewall |
| | T1562.008 | Disable Cloud Logs |
| | T1489 | Service Stop |
| DoS | T1498 | Network Denial of Service |
| | T1498.001 | Network Denial of Service: Direct Network Flood |
| | T1498.002 | Network Denial of Service: Reflection Amplification |
| | T1499 | Endpoint Denial of Service |
| | T1499.001 | Endpoint Denial of Service: OS Exhaustion Flood |
| | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
| | T1499.003 | Endpoint Denial of Service: Application Exhaustion Flood |
| | T1499.004 | Endpoint Denial of Service: Application or System Exploitation |
| | T1583.005 | Acquire Infrastructure: Botnet |
| | T1584.005 | Compromise Infrastructure: Botnet |
| Evade Defenses | T1564 | Hide Artifacts |
| | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| | T1564.002 | Hide Artifacts: Hidden Users |
| | T1564.003 | Hide Artifacts: Hidden Window |
| | T1564.004 | Hide Artifacts: NTFS File Attributes |
| | T1564.005 | Hide Artifacts: Hidden File System |
| | T1564.006 | Hide Artifacts: Run Virtual Instance |
| | T1564.007 | Hide Artifacts: VBA Stomping |
| | T1622 | Debugger Evasion |
| | T1211 | Exploitation for Defense Evasion |
| | T1562 | Impair Defenses |
| | T1036 | Masquerading |
| | T1014 | Rootkit |
| | T1553 | Subvert Trust Controls |
| | T1001 | Data Obfuscation |
| | T1001.001 | Data Obfuscation: Junk Data |
| | T1001.002 | Data Obfuscation: Steganography |
| | T1001.003 | Data Obfuscation: Protocol Impersonation |
| | T1071 | Application Layer Protocol |
| | T1132 | Data Encoding |
| | T1132.001 | Data Encoding: Standard Encoding |
| | T1132.002 | Data Encoding: Non-Standard Encoding |
| | T1568 | Dynamic Resolution |
| | T1568.001 | Dynamic Resolution: Fast Flux DNS |
| | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
| | T1568.003 | Dynamic Resolution: DNS Calculation |
| | T1573 | Encrypted Channels |
| | T1573.002 | Encrypted Channels: Asymmetric Cryptography |
| | T1573.001 | Encrypted Channels: Symmetric Cryptography |
| | T1008 | Fallback Channels |
| | T1104 | Multi-Stage Channels |
| | T1572 | Protocol Tunneling |
| | T1090 | Proxy |
| | T1205 | Traffic Signaling |
| | T1205.001 | Traffic Signaling: Port Knocking |
| | T1205.002 | Traffic Signaling: Socket Filters |
| | T1102 | Web Service |
| Exploit misconfig | T1068 | Exploitation for Privilege Escalation |
| | T1190 | Exploit Public-Facing Application |
| | T1212 | Exploitation for Credential Access |
| | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
| | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting |
| | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| | T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness |
| | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness |
| Exploit vuln | T1068 | Exploitation for Privilege Escalation |
| | T1212 | Exploitation for Credential Access |
| | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| | T1574.004 | Hijack Execution Flow: Dylib Hijacking |
| | T1595.002 | Active Scanning: Vulnerability Scanning |
| Forced browsing | T1539 | Steal Web Session Cookie |
| | T1583.003 | Acquire Infrastructure: Virtual Private Server |
| | T1583.004 | Acquire Infrastructure: Server |
| | T1583.006 | Acquire Infrastructure: Web Services |
| Format string attack | T1068 | Exploitation for Privilege Escalation |
| Fuzz testing | T1068 | Exploitation for Privilege Escalation |
| Hijack | T1563 | Remote Service Session Hijacking |
| | T1563.001 | Remote Service Session Hijacking: SSH Hijacking |
| | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| | T1185 | Browser Session Hijacking |
| | T1496 | Resource Hijacking |
| | T1574 | Hijack Execution Flow |
| | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| | T1574.004 | Hijack Execution Flow: Dylib Hijacking |
| | T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| HTTP request smuggling | T1203 | Exploitation for Client Execution |
| | T1185 | Browser Session Hijacking |
| HTTP request splitting | T1203 | Exploitation for Client Execution |
| | T1185 | Browser Session Hijacking |
| HTTP response smuggling | T1203 | Exploitation for Client Execution |
| | T1185 | Browser Session Hijacking |
| HTTP response splitting | T1203 | Exploitation for Client Execution |
| | T1185 | Browser Session Hijacking |
| Insecure deserialization | T1068 | Exploitation for Privilege Escalation |
| Integer overflows | T1068 | Exploitation for Privilege Escalation |
| LDAP injection | T1068 | Exploitation for Privilege Escalation |
| MitM | T1185 | Browser Session Hijacking |
| | T1187 | Forced Authentication |
| | T1557 | Man-in-the-Middle |
| | T1557.001 | Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay |
| | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning |
| | T1539 | Steal Web Session Cookie |
| Null byte injection | T1027 | Obfuscated Files or Information |
| Offline cracking | T1110.002 | Brute Force: Password Cracking |
| OS commanding | T1059 | Command and Scripting Interpreter |
| | T1059.002 | Command and Scripting Interpreter: AppleScript |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| Pass-the-hash | T1550.002 | Use Alternate Authentication Material: Pass the Hash |
| Profile host | T1082 | System Information Discovery |
| | T1033 | System Owner/User Discovery |
| | T1007 | System Service Discovery |
| | T1012 | Query Registry |
| | T1083 | File and Directory Discovery |
| | T1057 | Process Discovery |
| | T1120 | Peripheral Device Discovery |
| | T1124 | System Time Discovery |
| | T1201 | Password Policy Discovery |
| | T1119 | Automated Collection |
| | T1480 | Execution Guardrails |
| | T1480.001 | Execution Guardrails: Environmental Keying |
| | T1518 | Software Discovery |
| | T1518.001 | Software Discovery: Security Software Discovery |
| | T1087 | Account Discovery |
| | T1087.001 | Account Discovery: Local Account |
| | T1069 | Permission Groups Discovery |
| | T1069.001 | Permission Groups Discovery: Local Groups |
| | T1614 | System Location Discovery |
| | T1614.001 | System Location Discovery: System Language Discovery |
| Routing detour | T1557 | Man-in-the-Middle |
| Scan network | T1046 | Network Service Discovery |
| | T1135 | Network Share Discovery |
| | T1040 | Network Sniffing |
| | T1018 | Remote System Discovery |
| | T1049 | System Network Connections Discovery |
| | T1589 | Gather Victim Identity Information |
| | T1589.001 | Gather Victim Identity Information: Credentials |
| | T1589.002 | Gather Victim Identity Information: Email Addresses |
| | T1589.003 | Gather Victim Identity Information: Employee Names |
| | T1590 | Gather Victim Network Information |
| | T1590.001 | Gather Victim Network Information: Domain Properties |
| | T1590.002 | Gather Victim Network Information: DNS |
| | T1590.003 | Gather Victim Network Information: Network Trust Dependencies |
| | T1590.004 | Gather Victim Network Information: Network Topology |
| | T1590.005 | Gather Victim Network Information: IP Addresses |
| | T1590.006 | Gather Victim Network Information: Network Security Appliances |
| | T1592 | Gather Victim Host Information |
| | T1592.001 | Gather Victim Host Information: Hardware |
| | T1592.002 | Gather Victim Host Information: Software |
| | T1592.003 | Gather Victim Host Information: Firmware |
| | T1592.004 | Gather Victim Host Information: Client Configurations |
| | T1119 | Automated Collection |
| | T1480 | Execution Guardrails |
| | T1480.001 | Execution Guardrails: Environmental Keying |
| | T1613 | Container and Resource Discovery |
| | T1602 | Data from Configuration Repository |
| | T1602.001 | Data from Configuration Repository: SNMP (MIB Dump) |
| | T1602.002 | Data from Configuration Repository: Network Device Configuration Dump |
| | T1526 | Cloud Service Discovery |
| | T1580 | Cloud Infrastructure Discovery |
| Session fixation | T1185 | Browser Session Hijacking |
| | T1212 | Exploitation for Credential Access |
| Session prediction | T1606 | Forge Web Credentials |
| | T1606.001 | Forge Web Credentials: Web Cookies |
| Session replay | T1539 | Steal Web Session Cookie |
| | T1550.004 | Use Alternate Authentication Material: Web Session Cookie |
| Soap array abuse | T1499 | Endpoint Denial of Service |
| SQLi | T1190 | Exploit Public-Facing Application |
| Use of stolen creds | T1021 | Remote Services |
| | T1021.001 | Remote Services: Remote Desktop Protocol |
| | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| | T1021.003 | Remote Services: Distributed Component Object Model |
| | T1021.004 | Remote Services: SSH |
| | T1021.005 | Remote Services: VNC |
| | T1021.006 | Remote Services: Windows Remote Management |
| | T1078 | Valid Accounts |
| | T1078.001 | Valid Accounts: Default Accounts |
| | T1078.002 | Valid Accounts: Domain Accounts |
| | T1078.003 | Valid Accounts: Local Accounts |
| | T1078.004 | Valid Accounts: Cloud Accounts |
| | T1133 | External Remote Services |
| | T1134 | Access Token Manipulation |
| | T1134.001 | Access Token Manipulation: Token Impersonation/Theft |
| | T1134.002 | Access Token Manipulation: Create Process with Token |
| | T1134.003 | Access Token Manipulation: Make and Impersonate Token |
| | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| | T1134.005 | Access Token Manipulation: SID-History Injection |
| | T1550 | Use Alternate Authentication Material |
| | T1550.001 | Use Alternate Authentication Material: Application Access Token |
| | T1550.002 | Use Alternate Authentication Material: Pass the Hash |
| | T1550.003 | Use Alternate Authentication Material: Pass the Ticket |
| | T1550.004 | Use Alternate Authentication Material: Web Session Cookie |
| | T1558 | Steal or Forge Kerberos Tickets |
| | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket |
| | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket |
| | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting |
| | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting |
| | T1586 | Compromise Account |
| | T1586.001 | Compromise Account: Social Media Accounts |
| | T1586.002 | Compromise Account: Email Accounts |
| Virtual machine escape | T1611 | Escape to Host |
| XML external entities | T1499 | Endpoint Denial of Service |
| | T1213 | Data from Information Repository |
| XML injection | T1546 | Event Triggered Execution |
| | T1574 | Hijack Execution Flow |
| XPath injection | T1010 | Application Window Discovery |
| Unknown | T1105 | Ingress Tool Transfer |
| | T1111 | Two-Factor Authentication Interception |
| | T1127 | Trusted Developer Utilities Proxy Execution |
| | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild |
| | T1574 | Hijack Execution Flow |
| | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| | T1574.004 | Hijack Execution Flow: Dylib Hijacking |
| | T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| | T1583 | Acquire Infrastructure |
| | T1583.001 | Acquire Infrastructure: Domains |
| | T1583.002 | Acquire Infrastructure: DNS Server |
| | T1583.003 | Acquire Infrastructure: Virtual Private Server |
| | T1583.004 | Acquire Infrastructure: Server |
| | T1583.005 | Acquire Infrastructure: Botnet |
| | T1583.006 | Acquire Infrastructure: Web Services |
| | T1584 | Compromise Infrastructure |
| | T1584.001 | Compromise Infrastructure: Domains |
| | T1584.002 | Compromise Infrastructure: DNS Server |
| | T1584.003 | Compromise Infrastructure: Virtual Private Server |
| | T1584.004 | Compromise Infrastructure: Server |
| | T1584.005 | Compromise Infrastructure: Botnet |
| | T1584.006 | Compromise Infrastructure: Web Services |
| | T1587 | Develop Capabilities |
| | T1587.001 | Develop Capabilities: Malware |
| | T1587.002 | Develop Capabilities: Code Signing Certificates |
| | T1587.003 | Develop Capabilities: Digital Certificates |
| | T1587.004 | Develop Capabilities: Exploits |
| | T1588 | Obtain Capabilities |
| | T1588.001 | Obtain Capabilities: Malware |
| | T1588.002 | Obtain Capabilities: Tool |
| | T1588.003 | Obtain Capabilities: Code Signing Certificates |
| | T1588.004 | Obtain Capabilities: Digital Certificates |
| | T1588.005 | Obtain Capabilities: Exploits |
| | T1588.006 | Obtain Capabilities: Vulnerabilities |
| | T1599 | Network Boundary Bridging |
| | T1599.001 | Network Boundary Bridging: Network Address Translation Traversal |
| | T1606 | Forge Web Credentials |
| | T1606.001 | Forge Web Credentials: Web Cookies |
| | T1606.002 | Forge Web Credentials: SAML Tokens |
| | T1531 | Account Access Removal |
Action.Hacking.Vector
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| 3rd party desktop | T1133 | External Remote Services |
| Backdoor | T1098 | Account Manipulation |
| | T1547 | Boot or Logon Autostart Execution |
| | T1037 | Boot or Logon Initialization Scripts |
| | T1554 | Compromise Client Software Binary |
| | T1136 | Create Accounts |
| | T1543 | Create or Modify System Process |
| | T1546 | Event Triggered Execution |
| | T1525 | Implant Internal Image |
| | T1556 | Modify Authentication Process |
| | T1053 | Scheduled Task/Job |
| | T1078 | Valid Accounts |
| | T1133 | External Remote Services |
| Command shell | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| | T1021.003 | Remote Services: Distributed Component Object Model |
| | T1021.004 | Remote Services: SSH |
| | T1021.006 | Remote Services: Windows Remote Management |
| | T1047 | Windows Management Instrumentation |
| | T1059 | Command and Scripting Interpreter |
| | T1059.001 | Command and Scripting Interpreter: PowerShell |
| | T1059.002 | Command and Scripting Interpreter: AppleScript |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| | T1059.006 | Command and Scripting Interpreter: Python |
| | T1059.007 | Command and Scripting Interpreter: JavaScript |
| | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| Desktop sharing software | T1021.001 | Remote Services: Remote Desktop Protocol |
| | T1021.005 | Remote Services: VNC |
| | T1133 | External Remote Services |
| | T1219 | Remote Access Software |
| Hypervisor | T1497 | Virtualization/Sandbox Evasion |
| | T1578 | Modify Cloud Compute Infrastructure |
| Inter-tenant | T1497 | Virtualization/Sandbox Evasion |
| | T1578 | Modify Cloud Compute Infrastructure |
| Partner | T1199 | Trusted Relationship |
| | T1195 | Supply Chain Compromise |
| | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
| | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain |
| | T1195.003 | Supply Chain Compromise: Compromise Hardware Supply Chain |
| Physical access | T1200 | Hardware Additions |
| VPN | T1133 | External Remote Services |
| Web application | T1056.003 | Input Capture: Web Portal Capture |
| Other network service | T1008 | Fallback Channels |
| | T1071 | Application Layer Protocol |
| | T1090 | Proxy |
| | T1095 | Non-Application Layer Protocol |
| | T1102 | Web Service |
| | T1104 | Multi-Stage Channels |
| | T1105 | Ingress Tool Transfer |
| | T1568 | Dynamic Resolution |
| | T1571 | Non-Standard Port |
| | T1572 | Protocol Tunneling |
| | T1573 | Encrypted Channels |
Action.Malware.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Adminware |
T1072 |
Software Deployment Tools |
T1219 |
Remote Access Software |
|
T1554 |
Compromise Client Software Binary |
|
Adware |
T1199 |
Trusted Relationship |
Backdoor |
T1037 |
Boot or Logon Initialization Scripts |
T1098 |
Account Manipulation |
|
T1133 |
External Remote Services |
|
T1205.001 |
Traffic Signaling: Port Knocking |
|
T1505 |
Server Software Component |
|
T1505.001 |
Server Software Component: SQL Stored Procedures |
|
T1505.002 |
Server Software Component: Transport Agent |
|
T1505.003 |
Server Software Component: Web Shell |
|
T1525 |
Implant Internal Image |
|
T1543 |
Create or Modify System Process |
|
T1546 |
Event Triggered Execution |
|
T1547 |
Boot or Logon Autostart Execution |
|
T1554 |
Compromise Client Software Binary |
|
Backdoor or C2 |
T1037 |
Boot or Logon Initialization Scripts |
T1098 |
Account Manipulation |
|
T1133 |
External Remote Services |
|
T1205.001 |
Traffic Signaling: Port Knocking |
|
T1505 |
Server Software Component |
|
T1505.001 |
Server Software Component: SQL Stored Procedures |
|
T1505.002 |
Server Software Component: Transport Agent |
|
T1505.003 |
Server Software Component: Web Shell |
|
T1525 |
Implant Internal Image |
|
T1543 |
Create or Modify System Process |
|
T1546 |
Event Triggered Execution |
|
T1547 |
Boot or Logon Autostart Execution |
|
T1554 |
Compromise Client Software Binary |
|
T1001.001 |
Data Obfuscation: Junk Data |
|
T1008 |
Fallback Channels |
|
T1071 |
Application Layer Protocol |
|
T1071.001 |
Application Layer Protocol: Web Protocols |
|
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
|
T1071.003 |
Application Layer Protocol: Mail Protocols |
|
T1071.004 |
Application Layer Protocol: DNS |
|
T1090 |
Proxy |
|
T1090.001 |
Proxy: Internal Proxy |
|
T1090.002 |
Proxy: External Proxy |
|
T1090.003 |
Proxy: Multi-hop Proxy |
|
T1090.004 |
Proxy: Domain Fronting |
|
T1095 |
Non-Application Layer Protocol |
|
T1102 |
Web Service |
|
T1102.001 |
Web Service: Dead Drop Resolver |
|
T1102.002 |
Web Service: Bidirectional Communication |
|
T1102.003 |
Web Service: One-Way Communication |
|
T1104 |
Multi-Stage Channels |
|
T1132 |
Data Encoding |
|
T1132.001 |
Data Encoding: Standard Encoding |
|
T1132.002 |
Data Encoding: Non-Standard Encoding |
|
T1205 |
Traffic Signaling |
|
T1568 |
Dynamic Resolution |
|
T1568.001 |
Dynamic Resolution: Fast Flux DSN |
|
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
|
T1568.003 |
Dynamic Resolution: DNS Calculation |
|
T1571 |
Non-Standard Port |
|
T1572 |
Protocol Tunneling |
|
T1573 |
Encrypted Channels |
|
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
|
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
|
T1583.001 |
Acquire Infrastructure: Domains |
|
T1583.002 |
Acquire Infrastructure: DNS Server |
|
T1583.006 |
Acquire Infrastructure: Web Services |
|
T1584.002 |
Compromise Infrastructure: DNS Server |
|
Brute force |
T1110 |
Brute Force |
T1110.001 |
Brute Force: Password Guessing |
|
T1110.002 |
Brute Force: Password Cracking |
|
T1110.003 |
Brute Force: Password Spraying |
|
T1110.004 |
Brute Force: Credential Stuffing |
|
C2 |
T1001.001 |
Data Obfuscation: Junk Data |
T1008 |
Fallback Channels |
|
T1071 |
Application Layer Protocol |
|
T1071.001 |
Application Layer Protocol: Web Protocols |
|
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
|
T1071.003 |
Application Layer Protocol: Mail Protocols |
|
T1071.004 |
Application Layer Protocol: DNS |
|
T1090 |
Proxy |
|
T1090.001 |
Proxy: Internal Proxy |
|
T1090.002 |
Proxy: External Proxy |
|
T1090.003 |
Proxy: Multi-hop Proxy |
|
T1090.004 |
Proxy: Domain Fronting |
|
T1095 |
Non-Application Layer Protocol |
|
T1102 |
Web Service |
|
T1102.001 |
Web Service: Dead Drop Resolver |
|
T1102.002 |
Web Service: Bidirectional Communication |
|
T1102.003 |
Web Service: One-Way Communication |
|
T1104 |
Multi-Stage Channels |
|
T1132 |
Data Encoding |
|
T1132.001 |
Data Encoding: Standard Encoding |
|
T1132.002 |
Data Encoding: Non-Standard Encoding |
|
T1205 |
Traffic Signaling |
|
T1205.001 |
Traffic Signaling: Port Knocking |
|
T1568 |
Dynamic Resolution |
|
T1568.001 |
Dynamic Resolution: Fast Flux DSN |
|
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
|
T1568.003 |
Dynamic Resolution: DNS Calculation |
|
T1571 |
Non-Standard Port |
|
T1572 |
Protocol Tunneling |
|
T1573 |
Encrypted Channels |
|
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
|
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
|
T1583.001 |
Acquire Infrastructure: Domains |
|
T1583.002 |
Acquire Infrastructure: DNS Server |
|
T1583.006 |
Acquire Infrastructure: Web Services |
|
T1584.002 |
Compromise Infrastructure: DNS Server |
|
Capture app data |
T1056 |
Input Capture |
T1056.001 |
Input Capture: Keylogging |
|
T1056.002 |
Input Capture: GUI Input Capture |
|
T1056.003 |
Input Capture: Web Portal Capture |
|
T1056.004 |
Input Capture: Credential API Hooking |
|
T1113 |
Screen Capture |
|
T1114 |
Email Collection |
|
T1114.001 |
Email Collection: Local Email Collection |
|
T1114.002 |
Email Collection: Remote Email Collection |
|
T1114.003 |
Email Collection: Email Forwarding Rule |
|
T1123 |
Audio Capture |
|
T1125 |
Video Capture |
|
T1176 |
Browser Extensions |
|
T1185 |
Browser Session Hijacking |
|
T1207 |
Rogue Domain Controller |
|
T1217 |
Browser Bookmark Discovery |
|
T1528 |
Steal Application Access Token |
|
T1539 |
Steal Web Session Cookie |
|
Capture stored data |
T1003.002 |
OS Credential Dumping: Security Account Manager |
T1003.003 |
OS Credential Dumping: NTDS |
|
T1003.006 |
OS Credential Dumping: DCSync |
|
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
|
T1005 |
Data from Local System |
|
T1010 |
Application Window Discovery |
|
T1025 |
Data from Removable Media |
|
T1033 |
System Owner/User Discovery |
|
T1039 |
Data from Network Shared Drive |
|
T1083 |
File and Directory Discovery |
|
T1119 |
Automated Collection |
|
T1213 |
Data from Information Repository |
|
T1213.001 |
Data from Information Repositories: Confluence |
|
T1213.002 |
Data from Information Repositories: Sharepoint |
|
T1530 |
Data from Cloud Storage |
|
T1602 |
Data from Configuration Repository |
|
Click fraud |
T1496 |
Resource Hijacking |
Click fraud and cryptocurrency mining |
T1496 |
Resource Hijacking |
Client-side attack |
T1203 |
Exploitation for Client Execution |
T1221 |
Template Injection |
|
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
|
Cryptocurrency mining |
T1496 |
Resource Hijacking |
Destroy data |
T1070 |
Indicator Removal on Host |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
|
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
|
T1070.003 |
Indicator Removal on Host: Clear Command History |
|
T1070.004 |
Indicator Removal on Host: File Deletion |
|
T1070.005 |
Indicator Removal on Host: Network Share Connection Removal |
|
T1070.006 |
Indicator Removal on Host: Timestomp |
|
T1485 |
Data Destruction |
|
T1495 |
Firmware Corruption |
|
T1561 |
Disk Wipe |
|
T1561.001 |
Disk Wipe: Disk Content Wipe |
|
T1561.002 |
Disk Wipe: Disk Structure Wipe |
|
Disable controls |
T1006 |
Direct Volume Access |
T1027 |
Obfuscated Files or Information |
|
T1027.001 |
Obfuscated Files or Information: Binary Padding |
|
T1027.002 |
Obfuscated Files or Information: Software Packaging |
|
T1027.003 |
Obfuscated Files or Information: Steganography |
|
T1027.004 |
Obfuscated Files or Information: Compile After Dilevery |
|
T1027.005 |
Obfuscated Files or Information: Indicator Removal from Tools |
|
T1036 |
Masquerading |
|
T1036.001 |
Masquerading: Invalid Code Signature |
|
T1036.002 |
Masquerading: Right-to-Left Override |
|
T1036.003 |
Masquerading: Rename System Utilities |
|
T1036.004 |
Masquerading: Masquerade Task or Service |
|
T1036.005 |
Masquerading: Match Legitimate Name or Location |
|
T1036.006 |
Masquerading: Space after Filename |
|
T1212 |
Exploitation for Credential Access |
|
T1222 |
File and Directory Permissions Modification |
|
T1222.001 |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
|
T1222.002 |
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
|
T1490 |
Inhibit System Recovery |
|
T1497 |
Virtualization/Sandbox Evasion |
|
T1497.001 |
Virtualization/Sandbox Evasion: System Checks |
|
T1497.002 |
Virtualization/Sandbox Evasion: User Activity Based Checks |
|
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
|
T1553 |
Subvert Trust Controls |
|
T1553.001 |
Subvert Trust Contols: Gatekeeper Bypass |
|
T1553.002 |
Subvert Trust Contols: Code Signing |
|
T1553.003 |
Subvert Trust Contols: SIP and Trust Provider Hijacking |
|
T1553.004 |
Subvert Trust Contols: Install Root Certificate |
|
T1553.005 |
Subvert Trust Contols: Mark-of-the-Web Bypass |
|
T1553.006 |
Subvert Trust Contols: Code Signing Policy Modification |
|
T1562 |
Impair Defenses |
|
T1562.001 |
Disable or Modify Tools |
|
T1562.002 |
Disable Windows Event Logging |
|
T1562.003 |
Impair Command History Logging |
|
T1562.004 |
Disable or Modify System Firewall |
|
T1562.006 |
Impair Defenses: Indicator Blocking |
|
T1562.007 |
Disable or Modify Cloud Firewall |
|
T1562.008 |
Disable Cloud Logs |
|
T1574.012 |
Hijack Execution Flow: COR_PROFILER |
|
T1600 |
Weaken Encryption |
|
T1600.001 |
Weaken Encryption: Reduce Key Space |
|
T1600.002 |
Weaken Encryption: Disable Crypto Hardware |
|
T1601 |
Modify System Image |
|
T1601.001 |
Modify System Image: Patch System Image |
|
T1601.002 |
Modify System Image: Downgrade System Image |
|
DoS |
T1489 |
Service Stop |
T1499 |
Endpoint Denial of Service |
|
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
|
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
|
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
|
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
|
T1498 |
Network Denial of Service |
|
T1498.001 |
Network Denial of Service: Direct Network Flood |
|
T1498.002 |
Network Denial of Service: Reflection Amplification |
|
Downloader |
T1610 |
Deploy Container |
T1204 |
User Execution |
|
T1204.001 |
User Execution: Malicious Link |
|
T1204.002 |
User Execution: Malicious File |
|
T1204.003 |
User Execution: Malicious Image |
|
Exploit misconfig |
T1068 |
Exploitation for Privilege Escalation |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
|
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
|
Evade Defenses |
T1564 |
Hide Artifacts |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
|
T1564.002 |
Hide Artifacts: Hidden Users |
|
T1564.003 |
Hide Artifacts: Hidden Window |
|
T1564.004 |
Hide Artifacts: NTFS File Attributes |
|
T1564.005 |
Hide Artifacts: Hidden File System |
|
T1564.006 |
Hide Artifacts: Run Virtual Instance |
|
T1564.007 |
Hide Artifacts: VBA Stomping |
|
T1622 |
Debugger Evasion |
|
T1211 |
Exploitation for Defense Evasion |
|
T1562 |
Impair Defenses |
|
T1036 |
Masquerading |
|
T1014 |
Rootkit |
|
T1553 |
Subvert Trust Controls |
|
Export data |
T1003.006 |
OS Credential Dumping: DCSync |
T1011 |
Exfiltration Over Other Network Medium |
|
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
|
T1020 |
Automated Exfiltration |
|
T1020.001 |
Automated Exfiltration: Traffic Duplication |
|
T1029 |
Scheduled Transfer |
|
T1030 |
Data Transfer Size Limits |
|
T1041 |
Exfiltration Over C2 Channels |
|
T1048 |
Exfiltration Over Alternative Protocol |
|
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
|
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
|
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
T1052 |
Exfiltration Over Physical Medium |
|
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
|
T1074 |
Data Staged |
|
T1074.001 |
Data Staged: Local Data Staging |
|
T1074.002 |
Data Staged: Remote Data Staging |
|
T1197 |
BITS Jobs |
|
T1537 |
Transfer Data to Cloud Account |
|
T1560 |
Archive Collected Data |
|
T1560.001 |
Archive Collected Data: Archive via Utility |
|
T1560.002 |
Archive Collected Data: Archive via Library |
|
T1560.003 |
Archive Collected Data: Archive via Custom Method |
|
T1567 |
Exfiltration Over Web Service |
|
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
|
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
In-memory |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
T1055 |
Process Injection |
|
T1055.001 |
Process Injection: Dynamic-link Library Injection |
|
T1055.002 |
Process Injection: Portable Executable Injection |
|
T1055.003 |
Process Injection: Thread Execution Hijacking |
|
T1055.004 |
Process Injection: Asynchronous Procedure Call |
|
T1055.005 |
Process Injection: Thread Local Storage |
|
T1055.008 |
Process Injection: Ptrace System Calls |
|
T1055.009 |
Process Injection: Proc Memory |
|
T1055.011 |
Process Injection: Extra Window Memory Injection |
|
T1055.012 |
Process Injection: Process Hollowing |
|
T1055.013 |
Process Injection: Process Doppelganging |
|
T1055.014 |
Process Injection: VDSO Hijacking |
|
T1115 |
Clipboard Data |
|
MitM |
T1557 |
Adversary-in-the-Middle |
T1557.001 |
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
|
T1557.002 |
Adversary-in-the-Middle: ARP Cache Poisoning |
|
T1557.003 |
Adversary-in-the-Middle: DHCP Spoofing |
|
Modify data |
T1136 |
Create Account |
T1562 |
Impair Defenses |
|
Packet sniffer |
T1040 |
Network Sniffing |
Pass-the-hash |
T1550 |
Use Alternate Authentication Material |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
|
Password dumper |
T1003 |
OS Credential Dumping |
T1003.001 |
OS Credential Dumping: LSASS Memory |
|
T1003.002 |
OS Credential Dumping: Security Account Manager |
|
T1003.003 |
OS Credential Dumping: NTDS |
|
T1003.004 |
OS Credential Dumping: LSA Secrets |
|
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
|
T1003.006 |
OS Credential Dumping: DCSync |
|
T1003.007 |
OS Credential Dumping: Proc Filesystem |
|
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
|
T1056.004 |
Input Capture: Credential API Hooking |
|
T1212 |
Exploitation for Credential Access |
|
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
|
T1552.001 |
Unsecured Credentials: Credentials in Files |
|
T1552.002 |
Unsecured Credentials: Credentials in Registry |
|
T1552.003 |
Unsecured Credentials: Bash History |
|
T1552.004 |
Unsecured Credentials: Private Keys |
|
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
|
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
|
T1555 |
Credentials from Password Stores |
|
T1555.001 |
Credentials from Password Stores: Keychain |
|
T1555.002 |
Credentials from Password Stores: Securityd Memory |
|
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
|
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
|
T1555.005 |
Credentials from Password Stores: Password Managers |
|
Profile host |
T1082 |
System Information Discovery |
T1033 |
System Owner/User Discovery |
|
T1007 |
System Service Discovery |
|
T1012 |
Query Registry |
|
T1083 |
File and Directory Discovery |
|
RAM scraper |
T1003.001 |
OS Credential Dumping: LSASS Memory |
T1003.002 |
OS Credential Dumping: Security Account Manager |
|
T1003.004 |
OS Credential Dumping: LSA Secrets |
|
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
|
T1555.002 |
Credentials from Password Stores: Securityd Memory |
|
Ransomware |
T1486 |
Data Encrypted for Impact |
T1490 |
Inhibit System Recovery |
|
RAT |
T1543.003 |
Create or Modify System Process: Windows Service |
T1525 |
Implant Internal Image |
|
Rootkit |
T1014 |
Rootkit |
T1036.003 |
Masquerading: Rename System Utilities |
|
T1542 |
Pre-OS Boot |
|
T1542.001 |
Pre-OS Boot: System Firmware |
|
T1542.002 |
Pre-OS Boot: Component Firmware |
|
T1542.003 |
Pre-OS Boot: Bootkit |
|
T1542.004 |
Pre-OS Boot: ROMMONkit |
|
T1542.005 |
Pre-OS Boot: TFTP Boot |
|
T1543 |
Create or Modify System Process |
|
Scan network |
T1016 |
System Network Configuration Discovery |
T1016.001 |
System Network Configuration Discovery: Internet Connection Discovery |
|
T1018 |
Remote System Discovery |
|
T1040 |
Network Sniffing |
|
T1046 |
Network Service Discovery |
|
T1049 |
System Network Connections Discovery |
|
T1135 |
Network Share Discovery |
|
T1482 |
Domain Trust Discovery |
|
T1595 |
Active Scanning |
|
T1595.001 |
Active Scanning: Scanning IP Blocks |
|
T1595.002 |
Active Scanning: Vulnerability Scanning |
|
Spyware/Keylogger |
T1056.004 |
Input Capture: Credential API Hooking |
Trojan |
T1204.003 |
User Execution: Malicious Image |
T1554 |
Compromise Client Software Binary |
|
T1564.007 |
Hide Artifacts: VBA Stomping |
|
Worm |
T1080 |
Taint Shared Content |
T1091 |
Replication Through Removable Media |
|
Unknown |
T1001 |
Data Obfuscation |
T1001.001 |
Data Obfuscation: Junk Data |
|
T1001.002 |
Data Obfuscation: Steganography |
|
T1001.003 |
Data Obfuscation: Protocol Impersonation |
|
T1071 |
Application Layer Protocol |
|
T1071.001 |
Application Layer Protocol: Web Protocols |
|
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
|
T1071.003 |
Application Layer Protocol: Mail Protocols |
|
T1071.004 |
Application Layer Protocol: DNS |
|
T1080 |
Taint Shared Content |
|
T1140 |
Deobfuscate/Decode Files or Information |
|
T1204 |
User Execution |
|
T1204.001 |
User Execution: Malicious Link |
|
T1204.002 |
User Execution: Malicious File |
|
T1204.003 |
User Execution: Malicious Image |
|
T1525 |
Implant Internal Image |
|
T1587.001 |
Develop Capabilities: Malware |
|
T1587.004 |
Develop Capabilities: Exploits |
|
T1588.001 |
Obtain Capabilities: Malware |
|
T1588.005 |
Obtain Capabilities: Exploits |
|
T1588.006 |
Obtain Capabilities: Vulnerabilities |
|
T1608 |
Stage Capabilities |
|
T1608.001 |
Stage Capabilities: Upload Malware |
|
T1608.002 |
Stage Capabilities: Upload Tools |
|
T1608.003 |
Stage Capabilities: Install Digital Certificate |
|
T1608.004 |
Stage Capabilities: Drive-by Target |
|
T1608.005 |
Stage Capabilities: Link Target |
|
T1610 |
Deploy Container |
|
T1612 |
Build Image on Host |
Action.Malware.Vector
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Direct install |
T1047 |
Windows Management Instrumentation |
T1569.002 |
System Services: Service Execution |
|
Download by malware |
T1568 |
Dynamic Resolution |
T1566.001 |
Phishing: Spearphishing Attachment |
|
Email attachment |
T1036 |
Masquerading |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
|
T1059.007 |
Command and Scripting Interpreter: JavaScript |
|
T1203 |
Exploitation for Client Execution |
|
T1204.002 |
User Execution: Malicious File |
|
T1566.001 |
Phishing: Spearphishing Attachment |
|
T1598.002 |
Phishing for Information: Spearphishing Attachment |
|
Email link |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
T1204.001 |
User Execution: Malicious Link |
|
T1566.002 |
Phishing: Spearphishing Link |
|
T1598.003 |
Phishing for Information: Spearphishing Link |
|
Instant messaging |
T1566 |
Phishing |
Network propagation |
T1021 |
Remote Services |
T1550 |
Use Alternate Authentication Material |
|
T1563 |
Remote Service Session Hijacking |
|
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
|
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
|
T1570 |
Lateral Tool Transfer |
|
Partner |
T1195 |
Supply Chain Compromise |
T1199 |
Trusted Relationship |
|
Remote injection |
T1133 |
External Remote Services |
Removable media |
T1091 |
Replication Through Removable Media |
T1092 |
Communication Through Removable Media |
|
Software update |
T1072 |
Software Deployment Tools |
T1195 |
Supply Chain Compromise |
|
Web application |
T1133 |
External Remote Services |
Web application - download |
T1583 |
Acquire Infrastructure |
T1584 |
Compromise Infrastructure |
|
Web application - drive-by |
T1176 |
Browser Extensions |
T1189 |
Drive-by Compromise |
|
T1212 |
Exploitation for Credential Access |
Attribute.Integrity.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Alter behavior |
T1114.003 |
Email Collection: Email Forwarding Rule |
T1546 |
Event Triggered Execution |
|
T1546.001 |
Event Triggered Execution: Change Default File Association |
|
T1546.002 |
Event Triggered Execution: Screensaver |
|
T1546.003 |
Event Triggered Execution: Windows Management Instrumentation Event Subscription |
|
T1546.004 |
Event Triggered Execution: Unix Shell Configuration Modification |
|
T1546.005 |
Event Triggered Execution: Trap |
|
T1546.006 |
Event Triggered Execution: LC_LOAD_DYLIB Addition |
|
T1546.007 |
Event Triggered Execution: Netsh Helper DLL |
|
T1546.008 |
Event Triggered Execution: Accessibility Features |
|
T1546.009 |
Event Triggered Execution: AppCert DLLs |
|
T1546.010 |
Event Triggered Execution: AppInit DLLs |
|
T1546.011 |
Event Triggered Execution: Application Shimming |
|
T1546.012 |
Event Triggered Execution: Image File Execution Options Injection |
|
T1546.013 |
Event Triggered Execution: PowerShell Profile |
|
T1546.014 |
Event Triggered Execution: Emond |
|
T1546.015 |
Event Triggered Execution: Component Object Model Hijacking |
|
Created account |
T1136 |
Create Account |
T1136.001 |
Create Account: Local Account |
|
T1136.002 |
Create Account: Domain Account |
|
T1136.003 |
Create Account: Cloud Account |
|
Defacement |
T1491 |
Defacement |
T1491.001 |
Defacement: Internal Defacement |
|
T1491.002 |
Defacement: External Defacement |
|
Log tampering |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
|
Misrepresentation |
T1534 |
Internal Spearphishing |
Modify configuration |
T1037 |
Boot or Logon Initialization Scripts |
T1037.001 |
Boot or Logon Initialization Scripts: Logon Script (Windows) |
|
T1037.002 |
Boot or Logon Initialization Scripts: Logon Script (Mac) |
|
T1037.003 |
Boot or Logon Initialization Scripts: Network Logon Script |
|
T1037.004 |
Boot or Logon Initialization Scripts: RC Scripts |
|
T1037.005 |
Boot or Logon Initialization Scripts: Startup Items |
|
T1484 |
Domain Policy Modification |
|
T1484.001 |
Domain Policy Modification: Group Policy Modification |
|
T1484.002 |
Domain Policy Modification: Domain Trust Modification |
|
T1547 |
Boot or Logon Autostart Execution |
|
T1547.001 |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
|
T1547.002 |
Boot or Logon Autostart Execution: Authentication Package |
|
T1547.003 |
Boot or Logon Autostart Execution: Time Providers |
|
T1547.004 |
Boot or Logon Autostart Execution: Winlogon Helper DLL |
|
T1547.005 |
Boot or Logon Autostart Execution: Security Support Provider |
|
T1547.006 |
Boot or Logon Autostart Execution: Kernel Modules and Extensions |
|
T1547.007 |
Boot or Logon Autostart Execution: Re-opened Applications |
|
T1547.008 |
Boot or Logon Autostart Execution: LSASS Driver |
|
T1547.009 |
Boot or Logon Autostart Execution: Shortcut Modification |
|
T1547.010 |
Boot or Logon Autostart Execution: Port Monitors |
|
T1547.012 |
Boot or Logon Autostart Execution: Print Processors |
|
T1547.013 |
Boot or Logon Autostart Execution: XDG Autostart Entries |
|
T1556 |
Modify Authentication Process |
|
T1556.001 |
Modify Authentication Process: Domain Controller Authentication |
|
T1556.002 |
Modify Authentication Process: Password Filter DLL |
|
T1556.003 |
Modify Authentication Process: Pluggable Authentication Modules |
|
T1556.004 |
Modify Authentication Process: Network Device Authentication |
|
Modify data |
T1565 |
Data Manipulation |
T1565.001 |
Data Manipulation: Stored Data Manipulation |
|
T1565.002 |
Data Manipulation: Transmitted Data Manipulation |
|
T1565.003 |
Data Manipulation: Runtime Data Manipulation |
|
Modify privileges |
T1098 |
Account Manipulation |
T1098.001 |
Account Manipulation: Additional Cloud Credentials |
|
T1098.002 |
Account Manipulation: Exchange Email Delegate Permissions |
|
T1098.003 |
Account Manipulation: Add Office 365 Global Administrator Role |
|
T1098.004 |
Account Manipulation: SSH Authorized Keys |
|
T1547.014 |
Boot or Logon Autostart Execution: Active Setup |
|
T1556 |
Modify Authentication Process |
|
T1556.001 |
Modify Authentication Process: Domain Controller Authentication |
|
T1556.002 |
Modify Authentication Process: Password Filter DLL |
|
T1556.003 |
Modify Authentication Process: Pluggable Authentication Modules |
|
T1556.004 |
Modify Authentication Process: Network Device Authentication |
|
Repurpose |
T1535 |
Unused/Unsupported Cloud Regions |
Software installation |
T1072 |
Software Deployment Tools |
T1080 |
Taint Shared Content |
|
T1543 |
Create or Modify System Process |
|
T1543.001 |
Create or Modify System Process: Launch Agent |
|
T1543.002 |
Create or Modify System Process: Systemd Service |
|
T1543.003 |
Create or Modify System Process: Windows Service |
|
T1543.004 |
Create or Modify System Process: Launch Daemon |
|
T1546.016 |
Event Triggered Execution: Installer Packages |
|
T1601 |
Modify System Image |
|
T1601.001 |
Modify System Image: Patch System Image |
|
Unknown |
T1531 |
Account Access Removal |
Attribute.Confidentiality.Data_Disclosure
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
data_disclosure |
T1003 |
OS Credential Dumping |
T1003.001 |
OS Credential Dumping: LSASS Memory |
|
T1003.002 |
OS Credential Dumping: Security Account Manager |
|
T1003.003 |
OS Credential Dumping: NTDS |
|
T1003.004 |
OS Credential Dumping: LSA Secrets |
|
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
|
T1003.006 |
OS Credential Dumping: DCSync |
|
T1003.007 |
OS Credential Dumping: Proc Filesystem |
|
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
|
T1005 |
Data from Local System |
|
T1011 |
Exfiltration Over Other Network Medium |
|
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
|
T1020 |
Automated Exfiltration |
|
T1020.001 |
Automated Exfiltration: Traffic Duplication |
|
T1025 |
Data from Removable Media |
|
T1029 |
Scheduled Transfer |
|
T1030 |
Data Transfer Size Limits |
|
T1039 |
Data from Network Shared Drive |
|
T1040 |
Network Sniffing |
|
T1041 |
Exfiltration Over C2 Channels |
|
T1048 |
Exfiltration Over Alternative Protocol |
|
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
|
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
|
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
T1052 |
Exfiltration Over Physical Medium |
|
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
|
T1056 |
Input Capture |
|
T1056.001 |
Input Capture: Keylogging |
|
T1056.002 |
Input Capture: GUI Input Capture |
|
T1056.003 |
Input Capture: Web Portal Capture |
|
T1056.004 |
Input Capture: Credential API Hooking |
|
T1113 |
Screen Capture |
|
T1114 |
Email Collection |
|
T1114.001 |
Email Collection: Local Email Collection |
|
T1114.002 |
Email Collection: Remote Email Collection |
|
T1114.003 |
Email Collection: Email Forwarding Rule |
|
T1115 |
Clipboard Data |
|
T1119 |
Automated Collection |
|
T1123 |
Audio Capture |
|
T1125 |
Video Capture |
|
T1187 |
Forced Authentication |
|
T1212 |
Exploitation for Credential Access |
|
T1213 |
Data from Information Repositories |
|
T1213.001 |
Data from Information Repositories: Confluence |
|
T1213.002 |
Data from Information Repositories: SharePoint |
|
T1213.003 |
Data from Information Repositories: Code Repositories |
|
T1530 |
Data from Cloud Storage |
|
T1537 |
Transfer Data to Cloud Account |
|
T1552 |
Unsecured Credentials |
|
T1552.001 |
Unsecured Credentials: Credentials in Files |
|
T1552.002 |
Unsecured Credentials: Credentials in Registry |
|
T1552.003 |
Unsecured Credentials: Bash History |
|
T1552.004 |
Unsecured Credentials: Private Keys |
|
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
|
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
|
T1552.007 |
Unsecured Credentials: Container API |
|
T1555 |
Credentials from Password Stores |
|
T1555.001 |
Credentials from Password Stores: Keychain |
|
T1555.002 |
Credentials from Password Stores: Securityd Memory |
|
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
|
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
|
T1555.005 |
Credentials from Password Stores: Password Managers |
|
T1557 |
Adversary-in-the-Middle |
|
T1567 |
Exfiltration Over Web Service |
|
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
|
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
T1602 |
Data from Configuration Repository |
|
T1602.001 |
Data from Configuration Repository: SNMP (MIB Dump) |
|
T1602.002 |
Data from Configuration Repository: Network Device Configuration Dump |
Attribute.Availability.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Degradation |
T1496 |
Resource Hijacking |
T1498 |
Network Denial of Service |
|
T1498.001 |
Network Denial of Service: Direct Network Flood |
|
T1498.002 |
Network Denial of Service: Reflection Amplification |
|
T1499 |
Endpoint Denial of Service |
|
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
|
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
|
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
|
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
|
Destruction |
T1495 |
Firmware Corruption |
T1485 |
Data Destruction |
|
T1531 |
Account Access Removal |
|
T1561 |
Disk Wipe |
|
T1561.001 |
Disk Wipe: Disk Content Wipe |
|
T1561.002 |
Disk Wipe: Disk Structure Wipe |
|
Interruption |
T1485 |
Data Destruction |
T1486 |
Data Encrypted for Impact |
|
T1489 |
Service Stop |
|
T1495 |
Firmware Corruption |
|
T1529 |
System Shutdown/Reboot |
|
T1531 |
Account Access Removal |
|
T1561 |
Disk Wipe |
|
T1561.002 |
Disk Wipe: Disk Structure Wipe |
|
Loss |
T1490 |
Inhibit System Recovery |
T1495 |
Firmware Corruption |
|
T1498 |
Network Denial of Service |
|
T1498.001 |
Network Denial of Service: Direct Network Flood |
|
T1498.002 |
Network Denial of Service: Reflection Amplification |
|
T1499 |
Endpoint Denial of Service |
|
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
|
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
|
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
|
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
|
T1561 |
Disk Wipe |
|
T1561.001 |
Disk Wipe: Disk Content Wipe |
|
T1561.002 |
Disk Wipe: Disk Structure Wipe |
|
Obscuration |
T1486 |
Data Encrypted for Impact |
T1491 |
Defacement |
|
T1491.001 |
Defacement: Internal Defacement |
|
T1491.002 |
Defacement: External Defacement |
Value_Chain.Development.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Bot |
T1583.005 |
Acquire Infrastructure: Botnet |
T1587.001 |
Develop Capabilities: Malware |
|
T1588.001 |
Obtain Capabilities: Malware |
|
Exploit |
T1587.004 |
Develop Capabilities: Exploits |
T1588.005 |
Obtain Capabilities: Exploits |
|
Exploit Kits |
T1587.004 |
Develop Capabilities: Exploits |
T1588.005 |
Obtain Capabilities: Exploits |
|
Payload |
T1587.001 |
Develop Capabilities: Malware |
T1588.001 |
Obtain Capabilities: Malware |
|
Persona |
T1585 |
Establish Accounts |
T1585.001 |
Establish Accounts: Social Media Accounts |
|
T1585.002 |
Establish Accounts: Email Account |
|
Ransomware |
T1587.001 |
Develop Capabilities: Malware |
T1588.001 |
Obtain Capabilities: Malware |
|
Trojan |
T1587.001 |
Develop Capabilities: Malware |
T1588.001 |
Obtain Capabilities: Malware |
|
Website |
T1583.006 |
Acquire Infrastructure: Web Services |
Other |
T1587.002 |
Develop Capabilities: Code Signing Certificates |
T1587.003 |
Develop Capabilities: Digital Certificates |
|
T1588.003 |
Obtain Capabilities: Code Signing Certificates |
|
T1588.004 |
Obtain Capabilities: Digital Certificates |
|
Unknown |
T1587 |
Develop Capabilities |
T1588 |
Obtain Capabilities |
Groups
Actor.External.Motive
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Espionage |
G0130 |
Ajax Security Team |
G1000 |
ALLANITE |
|
G0138 |
Andariel |
|
G1007 |
Aoqin Dragon |
|
G0099 |
APT-C-36 |
|
G0006 |
APT1 |
|
G0005 |
APT12 |
|
G0023 |
APT16 |
|
G0016 |
APT29 |
|
G0013 |
APT30 |
|
G0050 |
APT32 |
|
G0064 |
APT33 |
|
G0067 |
APT37 |
|
G0087 |
APT39 |
|
G0096 |
APT41 |
|
G0143 |
Aquatic Panda |
|
G0001 |
Axiom |
|
G0135 |
BackdoorDiplomacy |
|
G1002 |
BITTER |
|
G0063 |
BlackOasis |
|
G0098 |
BlackTech |
|
G0097 |
Bouncing Golf |
|
G0060 |
BRONZE BUTLER |
|
G0142 |
Confucius |
|
G0052 |
CopyKittens |
|
G0070 |
Dark Caracal |
|
G0012 |
Darkhotel |
|
G0035 |
Dragonfly |
|
G1006 |
Earth Lusca |
|
G0066 |
Elderwood |
|
G1003 |
Ember Bear |
|
G0093 |
GALLIUM |
|
G0084 |
Gallmaker |
|
G0047 |
Gamaredon Group |
|
G0125 |
HAFNIUM |
|
G1001 |
HEXANE |
|
G0126 |
Higaisa Group |
|
G0100 |
Inception |
|
G0136 |
IndigoZebra |
|
G0004 |
Ke3chang |
|
G0094 |
Kimsuky |
|
G0032 |
Lazarus Group |
|
G0077 |
Leafminer |
|
G0065 |
Leviathan |
|
G0030 |
Lotus Blossom |
|
G0095 |
Machete |
|
G0059 |
Magic Hound |
|
G0103 |
Mofang |
|
G0021 |
Molerats |
|
G0069 |
MuddyWater |
|
G0129 |
Mustang Panda |
|
G0019 |
Naikon |
|
G0055 |
NEODYMIUM |
|
G0133 |
Nomadic Octopus |
|
G0049 |
OilRig (previously APT34) |
|
G0071 |
Orangeworm |
|
G0040 |
Patchwork |
|
G0068 |
PLATINUM |
|
G1005 |
POLONIUM |
|
G0033 |
Poseidon Group |
|
G0056 |
PROMETHIUM |
|
G0024 |
Putter Panda |
|
G0075 |
Rancor |
|
G0034 |
Sandworm Team |
|
G0029 |
Scarlet Mimic |
|
G1008 |
SideCopy |
|
G0121 |
Sidewinder |
|
G0122 |
Silent Librarian |
|
G0054 |
Sowbug |
|
G0038 |
Stealth Falcon |
|
G0041 |
Strider |
|
G0039 |
Suckfly |
|
G0062 |
TA459 |
|
G0088 |
TEMP.Veles |
|
G0089 |
The White Company |
|
G0027 |
Threat Group-3390 |
|
G0076 |
Thrip |
|
G0131 |
Tonto Team |
|
G0134 |
Transparent Tribe |
|
G0081 |
Tropic Trooper |
|
G0010 |
Turla |
|
G0123 |
Volatile Cedar |
|
G0107 |
Whitefly |
|
G0112 |
Windshift |
|
G0044 |
Winnti Group |
|
G0090 |
WIRTE |
|
G0128 |
ZIRCONIUM |
|
Financial |
G0138 |
Andariel |
G0082 |
APT38 |
|
G0096 |
APT41 |
|
G0108 |
Blue Mockingbird |
|
G0008 |
Carbanak |
|
G0080 |
Cobalt Group |
|
G0105 |
DarkVishnya |
|
G1006 |
Earth Lusca |
|
G0120 |
Evilnum |
|
G1011 |
EXOTIC LILY |
|
G0051 |
FIN10 |
|
G0085 |
FIN4 |
|
G0053 |
FIN5 |
|
G0037 |
FIN6 |
|
G0046 |
FIN7 |
|
G0061 |
FIN8 |
|
G0036 |
GCMAN |
|
G0115 |
GOLD SOUTHFIELD |
|
G0119 |
Indrik Spider |
|
G0004 |
Ke3chang |
|
G1004 |
LAPSUS$ |
|
G0032 |
Lazarus Group |
|
G0045 |
menuPass |
|
G0033 |
Poseidon Group |
|
G0106 |
Rocke |
|
G0048 |
RTM |
|
G0091 |
Silence |
|
G0122 |
Silent Librarian |
|
G0083 |
SilverTerrier |
|
G0062 |
TA459 |
|
G0092 |
TA505 |
|
G0127 |
TA551 |
|
G0139 |
TeamTNT |
|
G0124 |
Windigo |
|
G0102 |
Wizard Spider |
ICS
Action.Hacking.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Abuse of functionality |
T0800 |
Activate Firmware Update Mode |
T0885 |
Commonly Used Port |
|
T0816 |
Device Restart/Shutdown |
|
T0817 |
Drive-by Compromise |
|
T0871 |
Execution through API |
|
T0823 |
Graphical User Interface |
|
T0874 |
Hooking |
|
T0867 |
Lateral Tool Transfer |
|
T0855 |
Unauthorized Command Message |
|
T0869 |
Standard Application Layer Protocol |
|
T0881 |
Service Stop |
|
T0853 |
Scripting |
|
Backdoor |
T0822 |
External Remote Services |
T0883 |
Internet Accessible Device |
|
T0855 |
Unauthorized Command Message |
|
T0869 |
Standard Application Layer Protocol |
|
T0853 |
Scripting |
|
T0848 |
Rogue Master |
|
T0835 |
Manipulate I/O Image |
|
T0831 |
Manipulation of Control |
|
Brute force |
T0806 |
Brute Force I/O |
Disable controls |
T0858 |
Change Operating Mode |
DoS |
T0813 |
Denial of Control |
T0814 |
Denial of Service |
|
T0815 |
Denial of View |
|
T0816 |
Device Restart/Shutdown |
|
Evade Defenses |
T0800 |
Activate Firmware Update Mode |
T0878 |
Alarm Suppression |
|
T0804 |
Block Reporting Message |
|
T0805 |
Block Serial COM |
|
T0820 |
Exploitation for Evasion |
|
T0872 |
Indicator Removal on Host |
|
Exploit misconfig |
T0819 |
Exploit Public-Facing Application |
T0883 |
Internet Accessible Device |
|
Exploit vuln |
T0820 |
Exploitation for Evasion |
T0890 |
Exploitation for Privilege Escalation |
|
T0866 |
Exploitation of Remote Services |
|
MitM |
T0830 |
Adversary-in-the-Middle |
T0860 |
Wireless Compromise |
|
Use of stolen creds |
T0812 |
Default Credentials |
T0891 |
Hardcoded Credentials |
|
T0859 |
Valid Accounts |
Action.Hacking.Vector
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Backdoor |
T0884 |
Connection Proxy |
T0822 |
External Remote Services |
|
T0855 |
Unauthorized Command Message |
|
T0848 |
Rogue Master |
|
Command shell |
T0807 |
Command-Line Interface |
T0855 |
Unauthorized Command Message |
|
T0853 |
Scripting |
|
Web application |
T0819 |
Exploit Public-Facing Application |
Other network service |
T0887 |
Wireless Sniffing |
Action.Malware.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Backdoor |
T0864 |
Transient Cyber Asset |
Backdoor or C2 |
T0822 |
External Remote Services |
Capture app data |
T0868 |
Detect Operating Mode |
T0877 |
I/O Image |
|
T0852 |
Screen Capture |
|
Capture stored data |
T0811 |
Data from Information Repositories |
Destroy data |
T0809 |
Data Destruction |
DoS |
T0813 |
Denial of Control |
T0814 |
Denial of Service |
|
T0815 |
Denial of View |
|
T0816 |
Device Restart/Shutdown |
|
Exploit misconfig |
T0819 |
Exploit Public-Facing Application |
Evade Defenses |
T0820 |
Exploitation for Evasion |
T0872 |
Indicator Removal on Host |
|
Exploit vuln |
T0890 |
Exploitation for Privilege Escalation |
T0866 |
Exploitation of Remote Services |
|
Export data |
T0882 |
Theft of Operational Information |
Modify data |
T0877 |
I/O Image |
T0872 |
Indicator Removal on Host |
|
Packet sniffer |
T0830 |
Adversary-in-the-Middle |
T0887 |
Wireless Sniffing |
|
Profile host |
T0802 |
Automated Collection |
Rootkit |
T0857 |
System Firmware |
T0851 |
Rootkit |
|
Scan network |
T0802 |
Automated Collection |
T0887 |
Wireless Sniffing |
|
T0860 |
Wireless Compromise |
|
Worm |
T0847 |
Replication Through Removable Media |
Action.Malware.Vector
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Download by malware |
T0863 |
User Execution |
Email attachment |
T0863 |
User Execution |
T0865 |
Spearphishing Attachment |
|
Partner |
T0864 |
Transient Cyber Asset |
T0862 |
Supply Chain Compromise |
|
Web application |
T0819 |
Exploit Public-Facing Application |
Web application - drive-by |
T0817 |
Drive-by Compromise |
Action.Social.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Evade Defenses |
T0858 |
Change Operating Mode |
T0820 |
Exploitation for Evasion |
|
T0872 |
Indicator Removal on Host |
|
T0849 |
Masquerading |
|
T0851 |
Rootkit |
|
T0856 |
Spoof Reporting Message |
|
Phishing |
T0865 |
Spearphishing Attachment |
Other |
T0817 |
Drive-by Compromise |
T0819 |
Exploit Public-Facing Application |
|
T0866 |
Exploitation of Remote Services |
|
T0864 |
Transient Cyber Asset |
|
T0822 |
External Remote Services |
|
T0883 |
Internet Accessible Device |
|
T0886 |
Remote Services |
|
T0847 |
Replication Through Removable Media |
|
T0848 |
Rogue Master |
|
T0862 |
Supply Chain Compromise |
|
T0860 |
Wireless Compromise |
Action.Social.Vector
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Documents |
T0863 |
User Execution |
T0865 |
Spearphishing Attachment |
|
T0863 |
User Execution |
|
In-person |
T0864 |
Transient Cyber Asset |
Removable media |
T0847 |
Replication Through Removable Media |
Software |
T0862 |
Supply Chain Compromise |
T0866 |
Exploitation of Remote Services |
|
Web application |
T0817 |
Drive-by Compromise |
T0819 |
Exploit Public-Facing Application |
|
Other |
T0822 |
External Remote Services |
T0883 |
Internet Accessible Device |
|
T0886 |
Remote Services |
|
T0860 |
Wireless Compromise |
|
T0848 |
Rogue Master |
Attribute.Integrity.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Alter behavior |
T0803 |
Block Command Message |
T0804 |
Block Reporting Message |
|
T0805 |
Block Serial COM |
|
T0858 |
Change Operating Mode |
|
T0881 |
Service Stop |
|
Hardware tampering |
T0800 |
Activate Firmware Update Mode |
T0862 |
Supply Chain Compromise |
|
Log tampering |
T0872 |
Indicator Removal on Host |
Misrepresentation |
T0856 |
Spoof Reporting Message |
Modify configuration |
T0836 |
Modify Parameter |
T0821 |
Modify Controller Tasking |
|
T0889 |
Modify Program |
|
T0873 |
Project File Infection |
|
Modify data |
T0830 |
Adversary-in-the-Middle |
T0856 |
Spoof Reporting Message |
|
T0835 |
Manipulate I/O Image |
|
T0821 |
Modify Controller Tasking |
|
T0873 |
Project File Infection |
|
T0889 |
Modify Program |
|
T0836 |
Modify Parameter |
|
Software installation |
T0867 |
Lateral Tool Transfer |
Attribute.Confidentiality.Data_Disclosure
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
data_disclosure |
T0830 |
Adversary-in-the-Middle |
T0891 |
Hardcoded Credentials |
|
T0859 |
Valid Accounts |
|
T0882 |
Theft of Operational Information |
|
T0811 |
Data from Information Repositories |
Attribute.Availability.Variety
VERIS PATH |
TECHNIQUE ID |
ATT&CK TECHNIQUE |
---|---|---|
Degradation |
T0835 |
Manipulate I/O Image |
T0831 |
Manipulation of Control |
|
Interruption |
T0800 |
Activate Firmware Update Mode |
T0804 |
Block Reporting Message |
|
T0878 |
Alarm Suppression |
|
T0803 |
Block Command Message |
|
T0805 |
Block Serial COM |
|
Loss |
T0879 |
Damage to Property |
T0809 |
Data Destruction |
|
T0813 |
Denial of Control |
|
T0814 |
Denial of Service |
|
T0815 |
Denial of View |
|
T0826 |
Loss of Availability |
|
T0816 |
Device Restart/Shutdown |
|
T0881 |
Service Stop |
|
T0827 |
Loss of Control |
|
T0828 |
Loss of Productivity and Revenue |
|
T0837 |
Loss of Protection |
|
T0880 |
Loss of Safety |
|
T0829 |
Loss of View |
Value_Chain.Distribution.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Compromised server | T0848 | Rogue Master |
| | T0865 | Spearphishing Attachment |
| Partner | T0862 | Supply Chain Compromise |
| Website | T0817 | Drive-by Compromise |
Value_Chain.Non-Distribution Services.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| C2 | T0869 | Standard Application Layer Protocol |
| Proxy | T0884 | Connection Proxy |
Value_Chain.Targeting.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Default credentials | T0812 | Default Credentials |
| Email addresses | T0865 | Spearphishing Attachment |
| Lost or stolen credentials | T0891 | Hardcoded Credentials |
| | T0859 | Valid Accounts |
| Misconfigurations | T0811 | Data from Information Repositories |
| | T0855 | Unauthorized Command Message |
| Partner | T0862 | Supply Chain Compromise |
| | T0864 | Transient Cyber Asset |
| Organizational Information | T0882 | Theft of Operational Information |
| | T0802 | Automated Collection |
| Vulnerabilities | T0890 | Exploitation for Privilege Escalation |
| | T0822 | External Remote Services |
| Weaknesses | T0819 | Exploit Public-Facing Application |
| | T0866 | Exploitation of Remote Services |
| | T0874 | Hooking |
| | T0855 | Unauthorized Command Message |
| Other | T0860 | Wireless Compromise |
| | T0887 | Wireless Sniffing |
| Unknown | T0857 | System Firmware |
Mobile
Action.Hacking.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Abuse of functionality | T1626 | Abuse Elevation Control Mechanism |
| | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions |
| | T1640 | Account Access Removal |
| | T1437 | Application Layer Protocol |
| | T1532 | Archive Collected Data |
| | T1398 | Boot or Logon Initialization Scripts |
| | T1623 | Command and Scripting Interpreter |
| | T1623.001 | Command and Scripting Interpreter: Unix Shell |
| | T1624 | Event Triggered Execution |
| | T1624.001 | Event Triggered Execution: Broadcast Receivers |
| | T1636 | Protected User Data |
| | T1636.001 | Protected User Data: Calendar Entries |
| | T1636.002 | Protected User Data: Call Log |
| | T1636.003 | Protected User Data: Contact List |
| | T1636.004 | Protected User Data: SMS Messages |
| | T1603 | Scheduled Task/Job |
| | T1541 | Foreground Persistence |
| | T1629.001 | Impair Defenses: Prevent Application Removal |
| | T1629.002 | Impair Defenses: Device Lockout |
| Backdoor | T1521 | Encrypted Channel |
| | T1521.001 | Encrypted Channel: Symmetric Cryptography |
| | T1521.002 | Encrypted Channel: Asymmetric Cryptography |
| DoS | T1642 | Endpoint Denial of Service |
| | T1464 | Network Denial of Service |
| Evade Defenses | T1627 | Execution Guardrails |
| | T1627.001 | Execution Guardrails: Geofencing |
| | T1628 | Hide Artifacts |
| | T1628.001 | Hide Artifacts: Suppress Application Icon |
| | T1628.002 | Hide Artifacts: User Evasion |
| | T1630 | Indicator Removal on Host |
| | T1406 | Obfuscated Files or Information |
| | T1406.001 | Obfuscated Files or Information: Steganography |
| | T1406.002 | Obfuscated Files or Information: Software Packing |
| | T1644 | Out of Band Data |
| Exploit misconfig | T1626 | Abuse Elevation Control Mechanism |
| | T1404 | Exploitation for Privilege Escalation |
| | T1428 | Exploitation of Remote Services |
| Exploit vuln | T1404 | Exploitation for Privilege Escalation |
| Fuzz testing | T1404 | Exploitation for Privilege Escalation |
| Hijack | T1625 | Hijack Execution Flow |
| | T1625.001 | Hijack Execution Flow: System Runtime API Hijacking |
| | T1635.001 | Steal Application Access Token: URI Hijacking |
| MitM | T1638 | Adversary-in-the-Middle |
| Profile host | T1426 | System Information Discovery |
| | T1418 | Software Discovery |
| | T1418.001 | Software Discovery: Security Software Discovery |
| | T1627 | Execution Guardrails |
| | T1627.001 | Execution Guardrails: Geofencing |
| | T1424 | Process Discovery |
| Scan network | T1422 | System Network Configuration Discovery |
| | T1421 | System Network Connections Discovery |
| | T1423 | Network Service Scanning |
| Use of stolen creds | T1635.001 | Steal Application Access Token: URI Hijacking |
| Other | T1631 | Process Injection |
| | T1631.001 | Process Injection: Ptrace System Calls |
| Unknown | T1625 | Hijack Execution Flow |
| | T1625.001 | Hijack Execution Flow: System Runtime API Hijacking |
Action.Hacking.Vector
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Backdoor | T1437 | Application Layer Protocol |
| | T1398 | Boot or Logon Initialization Scripts |
| | T1577 | Compromise Application Executable |
| | T1645 | Compromise Client Software Binary |
| | T1637 | Dynamic Resolution |
| | T1637.001 | Dynamic Resolution: Domain Generation Algorithms |
| | T1481 | Web Service |
| | T1481.001 | Web Service: Dead Drop Resolver |
| | T1481.002 | Web Service: Bidirectional Communication |
| | T1481.003 | Web Service: One-Way Communication |
| | T1644 | Out of Band Data |
| Command shell | T1623 | Command and Scripting Interpreter |
| | T1623.001 | Command and Scripting Interpreter: Unix Shell |
| Partner | T1474 | Supply Chain Compromise |
| | T1474.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
| | T1474.002 | Supply Chain Compromise: Compromise Hardware Supply Chain |
| | T1474.003 | Supply Chain Compromise: Compromise Software Supply Chain |
| Other network service | T1641.001 | Data Manipulation: Transmitted Data Manipulation |
Action.Malware.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Backdoor | T1577 | Compromise Application Executable |
| Backdoor or C2 | T1398 | Boot or Logon Initialization Scripts |
| C2 | T1437 | Application Layer Protocol |
| | T1437.001 | Application Layer Protocol: Web Protocols |
| | T1637 | Dynamic Resolution |
| | T1637.001 | Dynamic Resolution: Domain Generation Algorithms |
| | T1521 | Encrypted Channel |
| | T1521.001 | Encrypted Channel: Symmetric Cryptography |
| | T1521.002 | Encrypted Channel: Asymmetric Cryptography |
| | T1643 | Generate Traffic from Victim |
| | T1644 | Out of Band Data |
| | T1604 | Proxy Through Victim |
| | T1582 | SMS Control |
| Capture app data | T1429 | Audio Capture |
| | T1512 | Video Capture |
| | T1513 | Screen Capture |
| Capture stored data | T1517 | Access Notifications |
| | T1634 | Credentials from Password Stores |
| | T1634.001 | Credentials from Password Stores: Keychain |
| | T1533 | Data from Local System |
| | T1636 | Protected User Data |
| | T1636.001 | Protected User Data: Calendar Entries |
| | T1636.002 | Protected User Data: Call Log |
| | T1636.003 | Protected User Data: Contact List |
| | T1636.004 | Protected User Data: SMS Messages |
| | T1420 | File and Directory Discovery |
| | T1409 | Stored Application Data |
| Client-side attack | T1626 | Abuse Elevation Control Mechanism |
| | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions |
| Disable controls | T1633 | Virtualization/Sandbox Evasion |
| | T1633.001 | Virtualization/Sandbox Evasion: System Checks |
| | T1629 | Impair Defenses |
| | T1629.003 | Impair Defenses: Disable or Modify Tools |
| | T1632 | Subvert Trust Controls |
| | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification |
| DoS | T1642 | Endpoint Denial of Service |
| | T1464 | Network Denial of Service |
| Evade Defenses | T1627 | Execution Guardrails |
| | T1627.001 | Execution Guardrails: Geofencing |
| | T1628 | Hide Artifacts |
| | T1628.001 | Hide Artifacts: Suppress Application Icon |
| | T1628.002 | Hide Artifacts: User Evasion |
| | T1630 | Indicator Removal on Host |
| | T1406 | Obfuscated Files or Information |
| | T1406.001 | Obfuscated Files or Information: Steganography |
| | T1406.002 | Obfuscated Files or Information: Software Packing |
| | T1644 | Out of Band Data |
| | T1617 | Hooking |
| | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application |
| | T1630.002 | Indicator Removal on Host: File Deletion |
| | T1630.003 | Indicator Removal on Host: Disguise Root/Jailbreak Indicators |
| | T1544 | Ingress Tool Transfer |
| Exploit vuln | T1428 | Exploitation of Remote Services |
| Export data | T1639 | Exfiltration Over Alternative Protocol |
| | T1639.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
| | T1646 | Exfiltration Over C2 Channel |
| In-memory | T1414 | Clipboard Data |
| MitM | T1635.001 | Steal Application Access Token: URI Hijacking |
| Modify data | T1532 | Archive Collected Data |
| | T1641 | Data Manipulation |
| | T1641.001 | Data Manipulation: Transmitted Data Manipulation |
| Ransomware | T1471 | Data Encrypted for Impact |
| Spyware/Keylogger | T1417 | Input Capture |
| Trojan | T1577 | Compromise Application Executable |
| Worm | T1458 | Replication Through Removable Media |
Action.Malware.Vector
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Instant messaging | T1582 | SMS Control |
| Removable media | T1458 | Replication Through Removable Media |
| Software update | T1407 | Download New Code at Runtime |
| Web application - drive-by | T1456 | Drive-By Compromise |
Action.Social.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Evade Defenses | T1627 | Execution Guardrails |
| | T1627.001 | Execution Guardrails: Geofencing |
| | T1628 | Hide Artifacts |
| | T1628.001 | Hide Artifacts: Suppress Application Icon |
| | T1628.002 | Hide Artifacts: User Evasion |
| | T1630 | Indicator Removal on Host |
| | T1406 | Obfuscated Files or Information |
| | T1406.001 | Obfuscated Files or Information: Steganography |
| | T1406.002 | Obfuscated Files or Information: Software Packing |
| | T1644 | Out of Band Data |
| | T1617 | Hooking |
| | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application |
| | T1630.002 | Indicator Removal on Host: File Deletion |
| | T1630.003 | Indicator Removal on Host: Disguise Root/Jailbreak Indicators |
| | T1544 | Ingress Tool Transfer |
| Pretexting | T1582 | SMS Control |
Action.Social.Vector
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| | T1517 | Access Notifications |
| In-person | T1461 | Lockscreen Bypass |
| Phone | T1474.002 | Supply Chain Compromise: Compromise Hardware Supply Chain |
| Removable media | T1458 | Replication Through Removable Media |
| SMS | T1517 | Access Notifications |
| | T1582 | SMS Control |
| Software | T1474.003 | Supply Chain Compromise: Compromise Software Supply Chain |
| | T1474.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
| Web application | T1456 | Drive-By Compromise |
Attribute.Integrity.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Alter behavior | T1616 | Call Control |
| | T1624 | Event Triggered Execution |
| | T1624.001 | Event Triggered Execution: Broadcast Receivers |
| Hardware tampering | T1474.002 | Supply Chain Compromise: Compromise Hardware Supply Chain |
| Log tampering | T1630 | Indicator Removal on Host |
| Misrepresentation | T1643 | Generate Traffic from Victim |
| | T1582 | SMS Control |
| | T1616 | Call Control |
| Modify configuration | T1640 | Account Access Removal |
| | T1398 | Boot or Logon Initialization Scripts |
| | T1577 | Compromise Application Executable |
| | T1645 | Compromise Client Software Binary |
| | T1629 | Impair Defenses |
| | T1629.003 | Impair Defenses: Disable or Modify Tools |
| | T1629.002 | Impair Defenses: Device Lockout |
| | T1632 | Subvert Trust Controls |
| | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification |
| Modify data | T1641.001 | Data Manipulation: Transmitted Data Manipulation |
| | T1630 | Indicator Removal on Host |
| | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application |
| | T1630.002 | Indicator Removal on Host: File Deletion |
| | T1630.003 | Indicator Removal on Host: Disguise Root/Jailbreak Indicators |
| Modify privileges | T1398 | Boot or Logon Initialization Scripts |
| Software installation | T1407 | Download New Code at Runtime |
Attribute.Confidentiality.Data_Disclosure
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| data_disclosure | T1517 | Access Notifications |
| | T1635 | Steal Application Access Token |
| | T1646 | Exfiltration Over C2 Channel |
| | T1639 | Exfiltration Over Alternative Protocol |
| | T1639.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
| | T1638 | Adversary-in-the-Middle |
| | T1429 | Audio Capture |
| | T1414 | Clipboard Data |
| | T1634 | Credentials from Password Stores |
| | T1634.001 | Credentials from Password Stores: Keychain |
| | T1533 | Data from Local System |
| | T1417 | Input Capture |
| | T1417.001 | Input Capture: Keylogging |
| | T1417.002 | Input Capture: GUI Input Capture |
| | T1430 | Location Tracking |
| | T1430.001 | Location Tracking: Remote Device Management Services |
| | T1430.002 | Location Tracking: Impersonate SS7 Nodes |
| | T1636 | Protected User Data |
| | T1636.001 | Protected User Data: Calendar Entries |
| | T1636.002 | Protected User Data: Call Log |
| | T1636.003 | Protected User Data: Contact List |
| | T1636.004 | Protected User Data: SMS Messages |
| | T1513 | Screen Capture |
| | T1409 | Stored Application Data |
| | T1512 | Video Capture |
Attribute.Availability.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Degradation | T1642 | Endpoint Denial of Service |
| | T1464 | Network Denial of Service |
| Destruction | T1640 | Account Access Removal |
| | T1630.002 | Indicator Removal on Host: File Deletion |
| Interruption | T1629.002 | Impair Defenses: Device Lockout |
| | T1640 | Account Access Removal |
| | T1616 | Call Control |
| | T1471 | Data Encrypted for Impact |
| Loss | T1471 | Data Encrypted for Impact |
| | T1642 | Endpoint Denial of Service |
| | T1464 | Network Denial of Service |
| | T1630.002 | Indicator Removal on Host: File Deletion |
| Obscuration | T1406 | Obfuscated Files or Information |
| | T1406.001 | Obfuscated Files or Information: Steganography |
| | T1406.002 | Obfuscated Files or Information: Software Packing |
| | T1471 | Data Encrypted for Impact |
Value_Chain.Distribution.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Phone | T1456 | Drive-By Compromise |
| | T1461 | Lockscreen Bypass |
| | T1458 | Replication Through Removable Media |
| | T1623 | Command and Scripting Interpreter |
| | T1623.001 | Command and Scripting Interpreter: Unix Shell |
| | T1575 | Native API |
| | T1603 | Scheduled Task/Job |
Value_Chain.Non-Distribution Services.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Proxy | T1604 | Proxy Through Victim |
Value_Chain.Targeting.Variety
| VERIS PATH | TECHNIQUE ID | ATT&CK TECHNIQUE |
|---|---|---|
| Lost or stolen credentials | T1635 | Steal Application Access Token |
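As an added example (not code from this page or from the VERIS-mappings project), the Python below applies a hand-copied subset of the ICS and Mobile rows above to constructed VERIS-style incident records: it walks each dotted VERIS path into the nested incident JSON, de-duplicates technique IDs that several VERIS values share (Exploit vuln and Exploit misconfig both yield T1404), reports enumerations that have no mapping row so nothing is dropped silently, rolls sub-techniques up to their parent for technique-level reporting, and inverts the table so you can ask which VERIS enumerations an incident must carry before it counts against a given technique. The `MAPPING` layout, the sample incidents, and the treatment of the `data_disclosure` row as applying when the record answers "Yes" are assumptions of this example, not something the tables state.

```python
"""VERIS incident -> ATT&CK technique IDs, driven by this page's mapping tables. Added
example, not the project's tooling; MAPPING is a hand-copied subset, incidents are made up."""
from collections import OrderedDict, defaultdict

# (domain, veris_path, veris_value) -> [(technique_id, technique_name), ...]; the
# dotted VERIS path is the key nesting of a VERIS JSON record.
MAPPING = {
    ("ics", "attribute.availability.variety", "Interruption"): [
        ("T0800", "Activate Firmware Update Mode"),
        ("T0804", "Block Reporting Message"),
        ("T0878", "Alarm Suppression"),
        ("T0803", "Block Command Message"),
        ("T0805", "Block Serial COM"),
    ],
    # The table keys this row by the field itself; ASSUMPTION: it applies when
    # the record answers "Yes".
    ("ics", "attribute.confidentiality.data_disclosure", "Yes"): [
        ("T0830", "Adversary-in-the-Middle"),
        ("T0891", "Hardcoded Credentials"),
        ("T0859", "Valid Accounts"),
        ("T0882", "Theft of Operational Information"),
        ("T0811", "Data from Information Repositories"),
    ],
    ("ics", "value_chain.targeting.variety", "Default credentials"): [
        ("T0812", "Default Credentials"),
    ],
    ("mobile", "action.hacking.variety", "Exploit vuln"): [
        ("T1404", "Exploitation for Privilege Escalation"),
    ],
    ("mobile", "action.hacking.variety", "Exploit misconfig"): [
        ("T1626", "Abuse Elevation Control Mechanism"),
        ("T1404", "Exploitation for Privilege Escalation"),
        ("T1428", "Exploitation of Remote Services"),
    ],
    ("mobile", "action.malware.variety", "Client-side attack"): [
        ("T1626", "Abuse Elevation Control Mechanism"),
        ("T1626.001", "Abuse Elevation Control Mechanism: Device Administrator Permissions"),
    ],
}


def veris_values(record, path):
    """Values at a dotted VERIS path: *.variety and *.vector are arrays, while a field
    such as attribute.confidentiality.data_disclosure is one string, so scalars are
    wrapped. A missing path yields []."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, list):
        return [v for v in node if isinstance(v, str)]
    return [node] if isinstance(node, str) else []


def map_incident(record, domain, mapping=MAPPING):
    """Return (technique_ids, unmapped). IDs are de-duplicated in first-seen order
    because several VERIS values hit one technique; unmapped holds (path, value)
    pairs with no row for this domain, so the analyst sees what was dropped."""
    paths = sorted({p for (d, p, _) in mapping if d == domain})
    seen, unmapped = OrderedDict(), []
    for path in paths:
        for value in veris_values(record, path):
            rows = mapping.get((domain, path, value))
            if rows is None:
                unmapped.append((path, value))
                continue
            for tid, name in rows:
                seen.setdefault(tid, name)
    return list(seen), unmapped


def roll_up(technique_ids):
    """Add the parent of each sub-technique (T1626.001 -> T1626), keeping order."""
    out = OrderedDict()
    for tid in technique_ids:
        out.setdefault(tid.split(".")[0], None)
        out.setdefault(tid, None)
    return list(out)


def techniques_to_veris(mapping=MAPPING):
    """Invert the mapping: technique ID -> sorted 'domain:path:value' keys."""
    index = defaultdict(set)
    for (domain, path, value), rows in mapping.items():
        for tid, _ in rows:
            index[tid].add(f"{domain}:{path}:{value}")
    return {tid: sorted(keys) for tid, keys in index.items()}


# Constructed sample incidents in VERIS JSON nesting (not real VCDB records).
MOBILE_INCIDENT = {"action": {"hacking": {"variety": ["Exploit misconfig", "Brute force"]},
                              "malware": {"variety": ["Client-side attack"]}}}
ICS_INCIDENT = {"attribute": {"availability": {"variety": ["Interruption"]},
                              "confidentiality": {"data_disclosure": "Yes"}},
                "value_chain": {"targeting": {"variety": ["Default credentials"]}}}

if __name__ == "__main__":
    for rec, dom in ((MOBILE_INCIDENT, "mobile"), (ICS_INCIDENT, "ics")):
        ids, missing = map_incident(rec, dom)
        print(dom, roll_up(ids), "unmapped:", missing)
```

Paths absent from the mapping subset are never examined, so when you load the full tables the `unmapped` list is the check that a record's enumerations were all considered; "Brute force" in the sample mobile record surfaces there because the Mobile Action.Hacking.Variety table has no row for it.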