# Each record links one ATT&CK object (attack_object_id / attack_object_name)
# to one capability (capability_group / capability_id) through mapping_type.
# The capability_id values look like VERIS enumeration paths
# (action.hacking.variety.*, action.malware.vector.*, ...) - presumably this is
# a VERIS-to-ATT&CK mapping; confirm against the file metadata, not visible here.
#
# The same attack_object_id can appear under several capabilities (T1219 and
# T1564.013 do further down), so the unique key of a record is the pair
# (attack_object_id, capability_id), never attack_object_id alone.
#
# NOTE(review): every record visible here has `references: []`, so no mapping
# carries a citation. Anyone using the file to derive detection coverage
# cannot trace why a technique was linked to a capability.
mapping_objects:
# T1036.008 is the first of a run of Masquerading (T1036.*) records that all
# point at the same capability, action.hacking.variety.Evade Defenses.
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.009
  attack_object_name: Break Process Trees
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Resource Name or Location
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.006
  attack_object_name: Space after Filename
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.007
  attack_object_name: Double File Extension
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.004
  attack_object_name: Masquerade Task or Service
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.003
  attack_object_name: Rename Legitimate Utilities
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.015
  attack_object_name: Compression
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1677
  attack_object_name: Poisoned Pipeline Execution
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1687
  attack_object_name: Exploitation for Defense Impairment
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1685.003
  attack_object_name: Modify or Spoof Tool UI
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1685.005
  attack_object_name: Clear Windows Event Logs
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1684.001
  attack_object_name: Impersonation
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1673
  attack_object_name: Virtual Machine Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1678
  attack_object_name: Delay Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1679
  attack_object_name: Selective Exclusion
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1027.011
  attack_object_name: Fileless Storage
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1680
  attack_object_name: Local Storage Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
# Capability with no ATT&CK counterpart in this file: mapping_type is
# non_mappable and both attack_object_* fields are null. Consumers must treat
# null as "no technique" and not look the id up.
# NOTE(review): ATT&CK-driven coverage reports built from this file will show
# nothing for the prompt-injection capability; track it separately.
- attack_object_id: null
  attack_object_name: null
  capability_description: Malicious actions taken against an LLM model
  capability_group: action.hacking
  capability_id: action.hacking.variety.Prompt injection
  mapping_type: non_mappable
  references: []
- attack_object_id: T1564.014
  attack_object_name: Extended Attributes
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1675
  attack_object_name: ESXi Administration Command
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1667
  attack_object_name: Email Bombing
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
# T1564.013 (Bind Mounts) is mapped twice in this run, once to 'Abuse of
# functionality' and once to 'Evade Defenses'. This is a deliberate
# one-technique-to-many-capabilities mapping, not a duplicate record.
# A loader that indexes by attack_object_id alone would keep only one of them.
- attack_object_id: T1564.013
  attack_object_name: Bind Mounts
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
# T1564.014 also has a second record earlier in the file, mapped to
# action.hacking.variety.Evade Defenses.
- attack_object_id: T1564.014
  attack_object_name: Extended Attributes
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
# Second T1564.013 record: same technique, different capability.
- attack_object_id: T1564.013
  attack_object_name: Bind Mounts
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1518.001
  attack_object_name: Security Software Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Physical access or connection (i.e., at keyboard or via
    cable)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Physical access
  mapping_type: related_to
  references: []
# T1219 (Remote Access Tools) is linked to two capabilities in different
# groups: a malware variety (Adminware) and a hacking vector (Desktop sharing
# software). Both records are needed, so de-duplicate on
# (attack_object_id, capability_id).
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  mapping_type: related_to
  references: []
# The description below is taxonomy guidance ("use in place of the other two")
# carried as data; it describes the capability, not the ATT&CK technique.
- attack_object_id: T1219
  attack_object_name: Remote Access Tools
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  mapping_type: related_to
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1204.004
  attack_object_name: Malicious Copy and Paste
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
# Maps Browser Extensions (T1176.001) to the malware vector 'Other'.
- attack_object_id: T1176.001
  attack_object_name: Browser Extensions
  capability_description: Other
  capability_group: action.malware
  # NOTE(review): the capability_id prefix is capitalised here
  # ('Action.Malware.Vector.'), while capability_group and the neighbouring
  # records use lowercase ('action.malware.'). A case-sensitive join between
  # capability_id and capability_group, or against a lowercase capability
  # list, would miss this record; confirm which casing consumers expect.
  capability_id: Action.Malware.Vector.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1127.001
  attack_object_name: MSBuild
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.012
  attack_object_name: Hypervisor CLI
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1684.002
  attack_object_name: Email Spoofing
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.002
  attack_object_name: Right-to-Left Override
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
# Second record for T1036.004; it is also mapped to
# action.hacking.variety.Evade Defenses earlier in the file.
# NOTE(review): the capability is described as "malware never stored to
# persistent storage", and the record does not explain how masquerading a task
# or service relates to that. With `references: []` there is no rationale to
# check; confirm the mapping is intended before counting it as coverage.
- attack_object_id: T1036.004
  attack_object_name: Masquerade Task or Service
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1027.018
  attack_object_name: Invisible Unicode
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1036.011
  attack_object_name: Overwrite Process Arguments
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.017
  attack_object_name: SVG Smuggling
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
# Start of a run whose capability_id values are written with a capitalised
# prefix ('Action.Hacking.Variety.') although capability_group stays lowercase
# ('action.hacking').
# NOTE(review): consumers that compare capability_id with capability_group, or
# with the lowercase ids used earlier in the file, need a case-insensitive
# comparison or a normalisation step; confirm which form is canonical.
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Soap array abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Soap array abuse
  mapping_type: related_to
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Soap array abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Soap array abuse
  mapping_type: related_to
  references: []
# NOTE(review): the capability is described as a child of 'Exploit vuln',
# whereas the technique name (Web Protocols) does not indicate exploitation.
# 'related_to' is a loose link, so confirm it before using this record to
# infer exploitation activity.
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Soap array abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Soap array abuse
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Reverse engineering. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Reverse engineering
  mapping_type: related_to
  references: []
# Three records outside the action.* groups (value_chain.development,
# attribute.integrity, attribute.availability).
# NOTE(review): in each one the capability_id starts with a capitalised prefix
# ('Value_chain.', 'Attribute.') while capability_group is all lowercase, so a
# case-sensitive prefix check of capability_id against capability_group fails.
- attack_object_id: T1683.001
  attack_object_name: Written Content
  capability_description: Develop an email such as for phishing.
  capability_group: value_chain.development
  capability_id: Value_chain.development.variety.Email
  mapping_type: related_to
  references: []
# T1200 (Hardware Additions) is also mapped elsewhere in the file, to
# action.hacking.vector.Physical access and to
# Value_chain.development.variety.Physical.
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Hardware tampering or physical alteration
  capability_group: attribute.integrity
  capability_id: Attribute.Integrity.Variety.Hardware tampering
  mapping_type: related_to
  references: []
# NOTE(review): the capability description is the single word 'Acceleration',
# so the record gives no basis for linking it to a denial-of-service
# technique; confirm against the capability's definition.
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Acceleration
  capability_group: attribute.availability
  capability_id: Attribute.Availability.Variety.Acceleration
  mapping_type: related_to
  references: []
# NOTE(review): the capability is described as a child of 'Exploit vuln'
# (mail command injection), while the ATT&CK object is a phishing
# sub-technique. The T1566.002 (Spearphishing Link) record further down uses
# the same capability. With `references: []` the rationale cannot be checked;
# confirm both before treating phishing detections as coverage for this
# capability, or the reverse.
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Mail command injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Mail command injection
  mapping_type: related_to
  references: []
- attack_object_id: T1036.011
  attack_object_name: Overwrite Process Arguments
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Cross-site request forgery. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.CSRF
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Mail command injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Mail command injection
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Path traversal. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Path traversal
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Reverse engineering. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Reverse engineering
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Remote file inclusion. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.RFI
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Special element injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.Special element injection
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: SSI injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.SSI injection
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: URL redirector abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.URL redirector abuse
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Elevation of privilege by another customer in shared environment.
    Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.User breakout
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML attribute blowup. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.XML attribute blowup
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML entity expansion. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.XML entity expansion
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: XQuery injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.XQuery injection
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cross-site scripting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: Action.Hacking.Variety.XSS
  mapping_type: related_to
  references: []
- attack_object_id: T1669
  attack_object_name: Wi-Fi Networks
  capability_description: Other
  capability_group: action.hacking
  capability_id: Action.Hacking.Vector.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Send spam
  capability_group: action.malware
  capability_id: Action.Malware.Variety.Spam
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Email via automatic execution. Child of 'Email'
  capability_group: action.malware
  capability_id: Action.Malware.Vector.Email autoexecute
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Email but sub-variety (attachment, autoexecute, link, etc)
    not known. Child of 'Email'
  capability_group: action.malware
  capability_id: Action.Malware.Vector.Email unknown
  mapping_type: non_mappable
  references: []
- attack_object_id: T1176.002
  attack_object_name: IDE Extensions
  capability_description: Other
  capability_group: action.malware
  capability_id: Action.Malware.Vector.Other
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.malware
  capability_id: Action.Malware.Vector.Unknown
  mapping_type: non_mappable
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: 'Prepare malicious content in a location where a victim
    is likely to interact with it. (e.g. SEO - vect: websites, left usbs- vect: removable
    media, etc)'
  capability_group: action.social
  capability_id: Action.Social.Variety.Baiting
  mapping_type: related_to
  references: []
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Bribery or solicitation
  capability_group: action.social
  capability_id: Action.Social.Variety.Bribery
  mapping_type: related_to
  references: []
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Elicitation (subtle extraction of info through conversation)
  capability_group: action.social
  capability_id: Action.Social.Variety.Elicitation
  mapping_type: related_to
  references: []
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Extortion or blackmail
  capability_group: action.social
  capability_id: Action.Social.Variety.Extortion
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.social
  capability_id: Action.Social.Variety.Other
  mapping_type: non_mappable
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Bombarding the user with MFA prompts to get them to accept
    the login request
  capability_group: action.social
  capability_id: Action.Social.Variety.Prompt Bombing
  mapping_type: related_to
  references: []
# T1566 (Phishing) is mapped to several social capabilities in this file
# (Propaganda here; Spam and SMS in other records).
# NOTE(review): 'related_to' is the only relationship recorded and
# `references` is empty, so the link between phishing and
# propaganda/disinformation is asserted without a rationale; confirm.
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Propaganda or disinformation
  capability_group: action.social
  capability_id: Action.Social.Variety.Propaganda
  mapping_type: related_to
  references: []
# NOTE(review): the technique name refers to exploitation, while the
# capability describes online scams and hoaxes; the record does not say how
# the two relate. Confirm before using it to size exploitation coverage.
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Online scam or hoax (e.g., scareware, 419 scam, auction
    fraud)
  capability_group: action.social
  capability_id: Action.Social.Variety.Scam
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Spam (unsolicited or undesired email and advertisements)
  capability_group: action.social
  capability_id: Action.Social.Variety.Spam
  mapping_type: related_to
  references: []
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Unknown
  capability_group: action.social
  capability_id: Action.Social.Variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Documents
  capability_group: action.social
  capability_id: Action.Social.Vector.Documents
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Instant messaging
  capability_group: action.social
  capability_id: Action.Social.Vector.IM
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: In-person
  capability_group: action.social
  capability_id: Action.Social.Vector.In-person
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.social
  capability_id: Action.Social.Vector.Other
  mapping_type: non_mappable
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: Phone
  capability_group: action.social
  capability_id: Action.Social.Vector.Phone
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: SMS or texting
  capability_group: action.social
  capability_id: Action.Social.Vector.SMS
  mapping_type: related_to
  references: []
# Maps Social Engineering (T1684) to the 'Virtual meeting' social vector.
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: Video call or virtual meeting
  capability_group: action.social
  # NOTE(review): this id uses a lowercase prefix ('action.social.vector.'),
  # while the other Action.Social.Vector.* records around it are capitalised.
  # The file mixes both casings; normalise case before grouping or joining on
  # capability_id.
  capability_id: action.social.vector.Virtual meeting
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Acceleration
  capability_group: attribute.availability
  capability_id: Attribute.Availability.Variety.Acceleration
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: attribute.availability
  capability_id: Attribute.Availability.Variety.Other
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: attribute.availability
  capability_id: Attribute.Availability.Variety.Unknown
  mapping_type: non_mappable
  references: []
- attack_object_id: T1657
  attack_object_name: Financial Theft
  capability_description: Initiate fraudulent transaction
  capability_group: attribute.integrity
  capability_id: Attribute.Integrity.Variety.Fraudulent transaction
  mapping_type: related_to
  references: []
- attack_object_id: T1195.003
  attack_object_name: Compromise Hardware Supply Chain
  capability_description: Hardware tampering or physical alteration
  capability_group: attribute.integrity
  capability_id: Attribute.Integrity.Variety.Hardware tampering
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: attribute.integrity
  capability_id: Attribute.Integrity.Variety.Other
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: No type of development was necessary
  capability_group: value_chain.development
  capability_id: Value_chain.development.variety.NA
  mapping_type: non_mappable
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Development of something physical such as a skimming device
  capability_group: value_chain.development
  capability_id: Value_chain.development.variety.Physical
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1684.002
  attack_object_name: Email Spoofing
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1674
  attack_object_name: Input Injection
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1001.001
  attack_object_name: Junk Data
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1001.003
  attack_object_name: Protocol or Service Impersonation
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1127.001
  attack_object_name: MSBuild
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1204.005
  attack_object_name: Malicious Library
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1671
  attack_object_name: Cloud Application Integration
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.013
  attack_object_name: Container CLI/API
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.010
  attack_object_name: AutoHotKey & AutoIT
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.011
  attack_object_name: Lua
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
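# capability_group is the leading two segments of capability_id. This entry
# maps to the hacking Backdoor variety, so it is grouped under action.hacking;
# the attribute.integrity mapping for T1098.007 is a separate entry in this file.
- attack_object_id: T1098.007
  attack_object_name: Additional Local or Domain Groups
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []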
- attack_object_id: T1027.016
  attack_object_name: Junk Code Insertion
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.001
  attack_object_name: Binary Padding
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.003
  attack_object_name: Steganography
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.004
  attack_object_name: Compile After Delivery
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.011
  attack_object_name: Fileless Storage
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
# NOTE(review): capability_group (action.malware) does not match the prefix of
# capability_id (action.hacking...). In the neighbouring entries the group is
# the first two segments of the id, so one of the two fields looks wrong here.
# Confirm which was intended; consumers that aggregate by group and by id will
# count this technique under different VERIS actions.
- attack_object_id: T1070.010
  attack_object_name: Relocate Malware
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1059.010
  attack_object_name: AutoHotKey & AutoIT
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1059.011
  attack_object_name: Lua
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1059.010
  attack_object_name: AutoHotKey & AutoIT
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1059.011
  attack_object_name: Lua
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1016.002
  attack_object_name: Wi-Fi Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1036.009
  attack_object_name: Break Process Trees
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1016.002
  attack_object_name: Wi-Fi Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1111
  attack_object_name: Multi-Factor Authentication Interception
  capability_description: Spyware, keylogger or form-grabber (capture user input or
    activity)
  capability_group: action.malware
  capability_id: action.malware.variety.Spyware/Keylogger
  mapping_type: related_to
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1098.007
  attack_object_name: Additional Local or Domain Groups
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053.003
  attack_object_name: Cron
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053.006
  attack_object_name: Systemd Timers
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1053.007
  attack_object_name: Container Orchestration Job
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.002
  attack_object_name: AppleScript
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1106
  attack_object_name: Native API
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1112
  attack_object_name: Modify Registry
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1127.003
  attack_object_name: JamPlus
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1129
  attack_object_name: Shared Modules
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137.001
  attack_object_name: Office Template Macros
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137.002
  attack_object_name: Office Test
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137.003
  attack_object_name: Outlook Forms
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137.004
  attack_object_name: Outlook Home Page
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1137.005
  attack_object_name: Outlook Rules
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1216
  attack_object_name: System Script Proxy Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1216.001
  attack_object_name: PubPrn
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1216.002
  attack_object_name: SyncAppvPublishingServer
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.001
  attack_object_name: Compiled HTML File
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.002
  attack_object_name: Control Panel
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.003
  attack_object_name: CMSTP
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.004
  attack_object_name: InstallUtil
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.005
  attack_object_name: Mshta
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.007
  attack_object_name: Msiexec
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.008
  attack_object_name: Odbcconf
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.009
  attack_object_name: Regsvcs/Regasm
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.010
  attack_object_name: Regsvr32
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1111
  attack_object_name: Multi-Factor Authentication Interception
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Brute force or password guessing attacks.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  mapping_type: related_to
  references: []
# NOTE(review): the three techniques below (file permission modification,
# stored data manipulation, DCOM remote services) are not password-guessing
# techniques by name, yet they are mapped to the Brute force variety with an
# empty references list. Verify these mappings against the upstream rationale
# before using them for detection-coverage or incident-classification reports.
- attack_object_id: T1222.002
  attack_object_name: Linux and Mac Permissions
  capability_description: Brute force or password guessing attacks.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  mapping_type: related_to
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Brute force or password guessing attacks.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  mapping_type: related_to
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Brute force or password guessing attacks.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Buffer overflow. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Buffer overflow
  mapping_type: related_to
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
# NOTE(review): by name, these two techniques concern configuration-data
# collection (SNMP MIB dump) and compromised infrastructure (DNS server) rather
# than modifying an action to avoid detection. The mapping carries no
# references; confirm the Evade Defenses relationship is intended.
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: DNS Server
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036.012
  attack_object_name: Browser Fingerprint
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1583.007
  attack_object_name: Serverless
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Stealth
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations (such as XSS when an XSS vuln
    exists). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations (such as XSS when an XSS vuln
    exists). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Format string attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Format string attack
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Fuzz testing. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Fuzz testing
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. hijacking a phone number to intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: HTTP request smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request smuggling
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP request smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request smuggling
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: HTTP request splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request splitting
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP request splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request splitting
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: HTTP response smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response smuggling
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP response smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response smuggling
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: HTTP response splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response splitting
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP response splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response splitting
  mapping_type: related_to
  references: []
# NOTE(review): the first sentence of this description ("iterating over sequential
# or obvious values") does not describe insecure deserialization, which is what the
# capability_id and the OWASP link name. It reads like text carried over from a
# different enumeration; confirm against the upstream schema before relying on it.
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization.
    Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Insecure deserialization
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Integer overflows. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Integer overflows
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: LDAP injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.LDAP injection
  mapping_type: related_to
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Null byte injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Null byte injection
  mapping_type: related_to
  references: []
# NOTE(review): Stored Data Manipulation is a data-integrity technique, while this
# capability is offline password/key cracking. Brute Force: Password Cracking
# (T1110.002) looks like the closer ATT&CK object; confirm the intended ID, since a
# wrong ID here skews any detection-coverage rollup built from this file.
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Offline password or key cracking (e.g., rainbow tables,
    Hashcat, JtR)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Offline cracking
  mapping_type: related_to
  references: []
- attack_object_id: T1690
  attack_object_name: Prevent Command History Logging
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1505.005
  attack_object_name: Terminal Services DLL
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1012
  attack_object_name: Query Registry
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1033
  attack_object_name: System Owner/User Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1057
  attack_object_name: Process Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1069
  attack_object_name: Permission Groups Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
# NOTE(review): T1136.003 is Create Account: Cloud Account (account creation), but
# every neighbouring 'Profile host' entry is a discovery technique. Account
# Discovery: Cloud Account (T1087.004) shares the same name and may be the intended
# object; confirm.
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
# NOTE(review): Symmetric Cryptography is an encrypted-channel (command and control)
# technique, whereas the other 'Profile host' entries are host discovery techniques.
# This pairing looks unintended; confirm the ID before using it for coverage
# analysis.
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1120
  attack_object_name: Peripheral Device Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1124
  attack_object_name: System Time Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1201
  attack_object_name: Password Policy Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1018
  attack_object_name: Remote System Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1049
  attack_object_name: System Network Connections Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Session fixation. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session fixation
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Session fixation. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session fixation
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: SQL injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.SQLi
  mapping_type: related_to
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
# NOTE(review): Dynamic API Resolution is an obfuscation technique and has no evident
# link to credential reuse. The same holds for several siblings in this group
# (T1029, T1547.004, T1598.003, T1560.001, T1583.004, T1011.001, T1601.002). Most of
# these IDs also recur under vector.Command shell and vector.Desktop sharing
# software, which suggests a systematic ID substitution rather than individual
# mapping decisions. TODO: confirm against the mapping's source of record.
- attack_object_id: T1027.007
  attack_object_name: Dynamic API Resolution
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1547.004
  attack_object_name: Winlogon Helper DLL
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1560.001
  attack_object_name: Archive via Utility
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: Server
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1011.001
  attack_object_name: Exfiltration Over Bluetooth
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1654
  attack_object_name: Log Enumeration
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
# NOTE(review): Silver Ticket is a Kerberos ticket-forging technique; its relation to
# XML external entity processing is not evident and references is empty. Confirm
# the intended ATT&CK object.
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: XML external entities. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML external entities
  mapping_type: related_to
  references: []
# NOTE(review): Application Window Discovery is a host discovery technique, while the
# capability is an injection class described as a child of 'Exploit vuln'. The
# pairing looks unintended; confirm the ID.
- attack_object_id: T1010
  attack_object_name: Application Window Discovery
  capability_description: XPath injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XPath injection
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: 3rd party online desktop sharing (LogMeIn, Go2Assist)
  capability_group: action.hacking
  capability_id: action.hacking.vector.3rd party desktop
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1547.004
  attack_object_name: Winlogon Helper DLL
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
# NOTE(review): Spearphishing Link (phishing for information) is a reconnaissance
# technique, not a remote-shell vector. Other entries in this group (e.g. T1552.008
# Chat Messages, T1584.005 Botnet, T1110 Brute Force) look similarly out of place.
# Confirm these IDs before treating the group as the ATT&CK footprint of
# 'Command shell'.
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: Server
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1505.005
  attack_object_name: Terminal Services DLL
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1546.013
  attack_object_name: PowerShell Profile
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: Botnet
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  mapping_type: related_to
  references: []
- attack_object_id: T1027.007
  attack_object_name: Dynamic API Resolution
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  mapping_type: related_to
  references: []
- attack_object_id: T1560.001
  attack_object_name: Archive via Utility
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
# VERIS hacking vector "Partner" (partner connection or credential; indicates
# a supply chain breach). All five entries are `related_to` with no references.
# T1195 and T1199 fit the description; the other three are flagged below.
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
# NOTE(review): T1499.003 is a sub-technique of T1499 (Endpoint Denial of
# Service). A DoS flood is not a partner-access vector - confirm or drop.
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
# NOTE(review): T1589.001 is reconnaissance (gathering victim credentials),
# not use of a partner's connection. Possibly matched on the word
# "credential" in the description - verify against the mapping rationale.
- attack_object_id: T1589.001
  attack_object_name: Credentials
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
# NOTE(review): same concern as T1499.003 above - a DoS sub-technique under
# a partner-access vector. Confirm or drop.
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1219.003
  attack_object_name: Remote Access Hardware
  capability_description: Physical access or connection (i.e., at keyboard or via
    cable)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Physical access
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: VPN
  capability_group: action.hacking
  capability_id: action.hacking.vector.VPN
  mapping_type: related_to
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Web application
  capability_group: action.hacking
  capability_id: action.hacking.vector.Web application
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  mapping_type: related_to
  references: []
# NOTE(review): Trusted Relationship (T1199) is an initial-access technique
# that abuses third-party access; the same file maps it to the "Partner"
# hacking vector. Its relation to the Adware malware variety is not evident
# and `references` is empty - confirm or drop.
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Adware
  capability_group: action.malware
  capability_id: action.malware.variety.Adware
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
# VERIS malware variety "Brute force". Only T1110 is a brute-force technique;
# the three entries after it are flagged because nothing in their names or in
# the empty `references` ties them to credential guessing.
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  mapping_type: related_to
  references: []
# NOTE(review): file-permission modification, not brute force - confirm.
- attack_object_id: T1222.002
  attack_object_name: Linux and Mac Permissions
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  mapping_type: related_to
  references: []
# NOTE(review): data-integrity manipulation, not brute force - confirm.
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  mapping_type: related_to
  references: []
# NOTE(review): DCOM is a remote-services (T1021) sub-technique, not brute
# force - confirm.
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  mapping_type: related_to
  references: []
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1584.007
  attack_object_name: Serverless
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1055.014
  attack_object_name: VDSO Hijacking
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
# NOTE(review): Disk Wipe is a destructive impact technique, yet it is mapped
# here to command-and-control. It reads as a better fit for
# action.malware.variety.Destroy data ("Destroy or corrupt stored data").
# Presumably a misassignment - verify before relying on it for coverage.
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1070.005
  attack_object_name: Network Share Connection Removal
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1216
  attack_object_name: System Script Proxy Execution
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1036.003
  attack_object_name: Rename Legitimate Utilities
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1546.014
  attack_object_name: Emond
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.007
  attack_object_name: Serverless
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
# NOTE(review): Data Destruction is mapped to C2 here, while the
# action.malware.variety.Destroy data entries later in this file do not list
# T1485. Presumably the two were swapped or mis-joined - verify; consumers
# coding destructive incidents from this file would miss the technique.
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1596.003
  attack_object_name: Digital Certificates
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1113
  attack_object_name: Screen Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1546.009
  attack_object_name: AppCert DLLs
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1123
  attack_object_name: Audio Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1125
  attack_object_name: Video Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1176
  attack_object_name: Software Extensions
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1010
  attack_object_name: Application Window Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1033
  attack_object_name: System Owner/User Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1039
  attack_object_name: Data from Network Shared Drive
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Client-side or browser attack (e.g., redirection, XSS, AitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  mapping_type: related_to
  references: []
# VERIS malware variety "Destroy data" (destroy or corrupt stored data).
# NOTE(review): none of the seven techniques listed here is a data-destruction
# technique by name (firmware, removable-media comms, phishing link, key-space
# reduction, obfuscation, compute hijacking, proxy execution), and all have
# empty `references`. T1485 Data Destruction and T1561 Disk Wipe appear in
# this file under action.malware.variety.C2 instead. Treat this group as
# unverified until each link is justified.
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1600.001
  attack_object_name: Reduce Key Space
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1006
  attack_object_name: Direct Volume Access
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1111
  attack_object_name: Multi-Factor Authentication Interception
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1059.011
  attack_object_name: Lua
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1505.004
  attack_object_name: IIS Components
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1074.001
  attack_object_name: Local Data Staging
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
# VERIS malware variety "Downloader" (pull updates or other malware).
# NOTE(review): T1105 Ingress Tool Transfer, the technique that describes
# bringing tools or payloads onto a host, is not in this group; earlier in this
# file it is mapped only to action.hacking.vector.Other network service.
# The four techniques below have empty `references` and their link to
# downloading is not evident from the names - confirm each.
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  mapping_type: related_to
  references: []
- attack_object_id: T1014
  attack_object_name: Rootkit
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
# NOTE(review): the capability description explicitly separates
# misconfiguration from "vuln or weakness", while T1068 covers exploiting a
# software vulnerability to escalate privileges. The mapping contradicts the
# description as written - confirm the intended capability.
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  mapping_type: related_to
  references: []
# NOTE(review): Kerberoasting is a credential-access technique (requesting
# and cracking service tickets), not data export. The same technique is also
# listed under "Capture stored data" in this file; with empty `references`
# neither link is justified here - confirm.
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1055.004
  attack_object_name: Asynchronous Procedure Call
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1552.006
  attack_object_name: Group Policy Preferences
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1213.005
  attack_object_name: Messaging Applications
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1074
  attack_object_name: Data Staged
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1218.013
  attack_object_name: Mavinject
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1574.014
  attack_object_name: AppDomainManager
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
# NOTE(review): the In-memory variety describes where the malware resides
# ("never stored to persistent storage"). Clipboard Data is a collection
# technique and says nothing about persistence on disk - the link is not
# evident and `references` is empty. Confirm or drop.
- attack_object_id: T1115
  attack_object_name: Clipboard Data
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1055
  attack_object_name: Process Injection
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1560.002
  attack_object_name: Archive via Library
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1585.001
  attack_object_name: Social Media Accounts
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1125
  attack_object_name: Video Capture
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1546.001
  attack_object_name: Change Default File Association
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Malware which compromises a legitimate file rather than
    creating new files
  capability_group: action.malware
  capability_id: action.malware.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Packet sniffer (capture data from network)
  capability_group: action.malware
  capability_id: action.malware.variety.Packet sniffer
  mapping_type: related_to
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1115
  attack_object_name: Clipboard Data
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.malware
  capability_id: action.malware.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1012
  attack_object_name: Query Registry
  capability_description: Enumerating the state of the current host
  capability_group: action.malware
  capability_id: action.malware.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1033
  attack_object_name: System Owner/User Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.malware
  capability_id: action.malware.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.malware
  capability_id: action.malware.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.malware
  capability_id: action.malware.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  mapping_type: related_to
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  mapping_type: related_to
  references: []
- attack_object_id: T1014
  attack_object_name: Rootkit
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1016
  attack_object_name: System Network Configuration Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1496.003
  attack_object_name: SMS Pumping
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1018
  attack_object_name: Remote System Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1049
  attack_object_name: System Network Connections Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Spyware, keylogger or form-grabber (capture user input or
    activity)
  capability_group: action.malware
  capability_id: action.malware.variety.Spyware/Keylogger
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  mapping_type: related_to
  references: []
- attack_object_id: T1140
  attack_object_name: Deobfuscate/Decode Files or Information
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Worm (propagate to other systems or devices)
  capability_group: action.malware
  capability_id: action.malware.variety.Worm
  mapping_type: related_to
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Worm (propagate to other systems or devices)
  capability_group: action.malware
  capability_id: action.malware.variety.Worm
  mapping_type: related_to
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Directly installed or inserted by threat agent (after system
    access)
  capability_group: action.malware
  capability_id: action.malware.vector.Direct install
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1546.013
  attack_object_name: PowerShell Profile
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  mapping_type: related_to
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.malware
  capability_id: action.malware.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.malware
  capability_id: action.malware.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Remotely injected by agent (i.e. via SQLi)
  capability_group: action.malware
  capability_id: action.malware.vector.Remote injection
  mapping_type: related_to
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Removable storage media or devices
  capability_group: action.malware
  capability_id: action.malware.vector.Removable media
  mapping_type: related_to
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Removable storage media or devices
  capability_group: action.malware
  capability_id: action.malware.vector.Removable media
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Included in automated software update
  capability_group: action.malware
  capability_id: action.malware.vector.Software update
  mapping_type: related_to
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Included in automated software update
  capability_group: action.malware
  capability_id: action.malware.vector.Software update
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Web application. Parent of 'Web application - download'
    and 'Web application - drive-by'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application
  mapping_type: related_to
  references: []
- attack_object_id: T1176
  attack_object_name: Software Extensions
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  mapping_type: related_to
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1686.001
  attack_object_name: Cloud Firewall
  capability_description: Forgery or counterfeiting (fake hardware, software, documents,
    etc)
  capability_group: action.social
  capability_id: action.social.variety.Forgery
  mapping_type: related_to
  references: []
- attack_object_id: T1686.001
  attack_object_name: Cloud Firewall
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.social
  capability_id: action.social.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.social
  capability_id: action.social.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Removable storage media
  capability_group: action.social
  capability_id: action.social.vector.Removable media
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Social media or networking
  capability_group: action.social
  capability_id: action.social.vector.Social media
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Social media or networking
  capability_group: action.social
  capability_id: action.social.vector.Social media
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Social media or networking
  capability_group: action.social
  capability_id: action.social.vector.Social media
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: Indicator Removal from Tools
  capability_description: Social media or networking
  capability_group: action.social
  capability_id: action.social.vector.Social media
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Software
  capability_group: action.social
  capability_id: action.social.vector.Software
  mapping_type: related_to
  references: []
- attack_object_id: T1589.001
  attack_object_name: Credentials
  capability_description: Software
  capability_group: action.social
  capability_id: action.social.vector.Software
  mapping_type: related_to
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Web application
  capability_group: action.social
  capability_id: action.social.vector.Web application
  mapping_type: related_to
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1003.008
  attack_object_name: /etc/passwd and /etc/shadow
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1011.001
  attack_object_name: Exfiltration Over Bluetooth
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1039
  attack_object_name: Data from Network Shared Drive
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1056.001
  attack_object_name: Keylogging
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1056.002
  attack_object_name: GUI Input Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1056.003
  attack_object_name: Web Portal Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1056.004
  attack_object_name: Credential API Hooking
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1113
  attack_object_name: Screen Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1115
  attack_object_name: Clipboard Data
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1123
  attack_object_name: Audio Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1125
  attack_object_name: Video Capture
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  mapping_type: related_to
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  mapping_type: related_to
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  mapping_type: related_to
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  mapping_type: related_to
  references: []
- attack_object_id: T1685.005
  attack_object_name: Clear Windows Event Logs
  capability_description: Log tampering or modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Log tampering
  comments: 'see T1685.005 Disable or Modify Tools: Clear Windows Event Logs'
  mapping_type: related_to
  references: []
- attack_object_id: T1685.006
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Log tampering or modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Log tampering
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1037.001
  attack_object_name: Logon Script (Windows)
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1037.002
  attack_object_name: Login Hook
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1037.003
  attack_object_name: Network Logon Script
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1037.004
  attack_object_name: RC Scripts
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1037.005
  attack_object_name: Startup Items
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1218.011
  attack_object_name: Rundll32
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1218.012
  attack_object_name: Verclsid
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
# NOTE(review): ATT&CK describes Rogue Domain Controller (DCShadow) as
# registering a rogue DC to manipulate Active Directory data, which is not an
# obvious fit for "Capture data from application or system process". The entry
# is `related_to` with an empty `references` list, so confirm the rationale
# before counting it as coverage for this VERIS variety.
- attack_object_id: T1207
  attack_object_name: Rogue Domain Controller
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1218.013
  attack_object_name: Mavinject
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Stealth
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
# NOTE(review): this entry places a software-exploitation technique in the
# action.social group; the entry directly before it already maps T1211 to
# action.malware.variety.Evade Defenses with the same description. No
# reference is recorded, so confirm the social-action mapping is intended
# before using it to classify incidents.
- attack_object_id: T1211
  attack_object_name: Exploitation for Stealth
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1218.014
  attack_object_name: MMC
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1218.015
  attack_object_name: Electron Applications
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1219.002
  attack_object_name: Remote Desktop Software
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1220
  attack_object_name: XSL Script Processing
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1213.006
  attack_object_name: Databases
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1213.005
  attack_object_name: Messaging Applications
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1480
  attack_object_name: Execution Guardrails
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1480
  attack_object_name: Execution Guardrails
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1480.001
  attack_object_name: Environmental Keying
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1480.001
  attack_object_name: Environmental Keying
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1480.002
  attack_object_name: Mutual Exclusion
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1688
  attack_object_name: Safe Mode Boot
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1496.002
  attack_object_name: Bandwidth Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1496.003
  attack_object_name: SMS Pumping
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
# NOTE(review): ATT&CK T1497 covers detecting and avoiding virtualization or
# analysis environments; it does not describe breaking out of a hypervisor or
# crossing tenant boundaries (ATT&CK tracks escapes under T1611, Escape to
# Host). Both entries below are `related_to` with no references, so treat them
# as a loose association: a sandbox-evasion detection should not be reported
# as coverage for hypervisor or inter-tenant attack vectors without review.
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Hypervisor break-out attack
  capability_group: action.hacking
  capability_id: action.hacking.vector.Hypervisor
  mapping_type: related_to
  references: []
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Penetration of another VM or web site on shared device or
    infrastructure
  capability_group: action.hacking
  capability_id: action.hacking.vector.Inter-tenant
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
# NOTE(review): the two entries below relate Endpoint Denial of Service to
# specific exploit varieties (SOAP array abuse, XML external entities). Only
# the parent technique T1499 carries these mappings in this part of the file,
# and neither has a reference. XXE in particular is also commonly a
# data-disclosure issue, so an incident coded with these VERIS varieties is
# not necessarily a denial of service; verify before pivoting from the VERIS
# variety to T1499.
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Soap array abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Soap array abuse
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML external entities. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML external entities
  mapping_type: related_to
  references: []
- attack_object_id: T1219.001
  attack_object_name: IDE Tunneling
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Client-side or browser attack (e.g., redirection, XSS, AitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  mapping_type: related_to
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1222.001
  attack_object_name: Windows Permissions
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1222.002
  attack_object_name: Linux and Mac Permissions
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1505.006
  attack_object_name: vSphere Installation Bundles
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: action.malware
  capability_id: action.malware.variety.Ransomware
  mapping_type: related_to
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Conversion or obscuration (ransomware)
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Obscuration
  mapping_type: related_to
  references: []
- attack_object_id: T1518
  attack_object_name: Software Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: action.malware
  capability_id: action.malware.variety.Ransomware
  mapping_type: related_to
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Conversion or obscuration (ransomware)
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Obscuration
  mapping_type: related_to
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  mapping_type: related_to
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Conversion or obscuration (ransomware)
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Obscuration
  mapping_type: related_to
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  mapping_type: related_to
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Conversion or obscuration (ransomware)
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Obscuration
  mapping_type: related_to
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  mapping_type: related_to
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1518.002
  attack_object_name: Backup Software Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Click fraud, whether or not cryptocurrency mining.  Also
    mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency
    mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Click fraud
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Click fraud or cryptocurrency mining. Parent of 'Click fraud'
    and 'Cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Click fraud and cryptocurrency mining
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Cryptocurrency mining, whether or not click fraud. Child
    of 'Click fraud and cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Cryptocurrency mining
  mapping_type: related_to
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Click fraud or cryptocurrency mining. Parent of 'Click fraud'
    and 'Cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Click fraud and cryptocurrency mining
  mapping_type: related_to
  references: []
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Cryptocurrency mining, whether or not click fraud. Child
    of 'Click fraud and cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Cryptocurrency mining
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1526
  attack_object_name: Cloud Service Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1529
  attack_object_name: System Shutdown/Reboot
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  mapping_type: related_to
  references: []
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1497.001
  attack_object_name: System Checks
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1497.002
  attack_object_name: User Activity Based Checks
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1497.003
  attack_object_name: Time Based Checks
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Session replay. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session replay
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1543.001
  attack_object_name: Launch Agent
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543.004
  attack_object_name: Launch Daemon
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Performance degradation
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Degradation
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: XML injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML injection
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Remote Access Trojan.  Parent of 'Backdoor' and 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.RAT
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1548.001
  attack_object_name: Setuid and Setgid
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1529
  attack_object_name: System Shutdown/Reboot
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Compromise of authenticity (e.g. masquerading as the legitimate
    owner of an account)
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Misrepresentation
  mapping_type: related_to
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Repurposed asset for unauthorized function
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Repurpose
  mapping_type: related_to
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  mapping_type: related_to
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1542.004
  attack_object_name: ROMMONkit
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1548.004
  attack_object_name: Elevated Execution with Prompt
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1548.004
  attack_object_name: Elevated Execution with Prompt
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1543.001
  attack_object_name: Launch Agent
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Remote Access Trojan.  Parent of 'Backdoor' and 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.RAT
  mapping_type: related_to
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1543.004
  attack_object_name: Launch Daemon
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Pass-the-hash
  capability_group: action.hacking
  capability_id: action.hacking.variety.Pass-the-hash
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
# NOTE(review): the capability description for 'Alter behavior' is about
# influencing *human* behavior, whereas Event Triggered Execution concerns
# code that runs when a system event fires. The same capability is attached
# to T1546.001 through T1546.015 below, which suggests the rows were matched
# on the capability name rather than its description. Confirm against the
# upstream mapping rationale (references is empty) and treat these rows as
# low confidence when deriving detection or control coverage.
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.001
  attack_object_name: Change Default File Association
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.002
  attack_object_name: Screensaver
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.003
  attack_object_name: Windows Management Instrumentation Event Subscription
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.004
  attack_object_name: Unix Shell Configuration Modification
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.005
  attack_object_name: Trap
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.006
  attack_object_name: LC_LOAD_DYLIB Addition
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.007
  attack_object_name: Netsh Helper DLL
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.009
  attack_object_name: AppCert DLLs
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.010
  attack_object_name: AppInit DLLs
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.011
  attack_object_name: Application Shimming
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.012
  attack_object_name: Image File Execution Options Injection
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.013
  attack_object_name: PowerShell Profile
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.014
  attack_object_name: Emond
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.015
  attack_object_name: Component Object Model Hijacking
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  mapping_type: related_to
  references: []
- attack_object_id: T1546.016
  attack_object_name: Installer Packages
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Session replay. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session replay
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.001
  attack_object_name: Registry Run Keys / Startup Folder
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.002
  attack_object_name: Authentication Package
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.003
  attack_object_name: Time Providers
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.004
  attack_object_name: Winlogon Helper DLL
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.005
  attack_object_name: Security Support Provider
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.007
  attack_object_name: Re-opened Applications
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.008
  attack_object_name: LSASS Driver
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.009
  attack_object_name: Shortcut Modification
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.010
  attack_object_name: Port Monitors
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.012
  attack_object_name: Print Processors
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1547.013
  attack_object_name: XDG Autostart Entries
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
# NOTE(review): every other T1547 entry above maps to
# attribute.integrity.variety.Modify configuration; Active Setup is the only
# one mapped to 'Modify privileges' instead, and it has no 'Modify
# configuration' row in this part of the file. Confirm whether that is
# deliberate or a row-level slip.
- attack_object_id: T1547.014
  attack_object_name: Active Setup
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
# NOTE(review): Sudo and Sudo Caching is a host-local privilege-elevation
# technique, but the capability here is 'Client-side attack', described as
# browser-oriented (redirection, XSS, AitB). The pairing looks mismatched and
# no reference is given; verify upstream before relying on this row, since it
# would credit browser-attack controls with covering sudo abuse.
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Client-side or browser attack (e.g., redirection, XSS, AitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Hacking action that creates a backdoor for use.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Hacking actions taken through a backdoor.  C2 is only used
    by malware.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Routing detour. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Routing detour
  mapping_type: related_to
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Pass-the-hash
  capability_group: action.malware
  capability_id: action.malware.variety.Pass-the-hash
  mapping_type: related_to
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1557.001
  attack_object_name: Name Resolution Poisoning and SMB Relay
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Cache poisoning. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Cache poisoning
  mapping_type: related_to
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Adversary-in-the-middle attack. Child of 'Exploit vuln'
  capability_group: action.hacking
  capability_id: action.hacking.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Pass-the-hash
  capability_group: action.malware
  capability_id: action.malware.variety.Pass-the-hash
  mapping_type: related_to
  references: []
# NOTE(review): 'Password dumper' is described as *extracting* credential
# hashes, while Pass the Hash is the later step of authenticating with a hash
# that has already been obtained. The two are related, but detections differ
# (credential-store access vs. anomalous authentication); confirm this row is
# meant as a loose association rather than an equivalence.
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.003
  attack_object_name: Shell History
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.003
  attack_object_name: Shell History
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.006
  attack_object_name: Group Policy Preferences
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.006
  attack_object_name: Group Policy Preferences
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
# NOTE(review): T1552.001 through T1552.006 and T1552.008 each have two rows
# in this part of the file (Password dumper and data_disclosure); Container
# API, like the parent T1552, has only the data_disclosure row. Confirm
# whether the missing 'Password dumper' row is an intentional exclusion or an
# omission, so per-technique coverage counts stay comparable.
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1553.001
  attack_object_name: Gatekeeper Bypass
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553.002
  attack_object_name: Code Signing
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553.003
  attack_object_name: SIP and Trust Provider Hijacking
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553.004
  attack_object_name: Install Root Certificate
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553.005
  attack_object_name: Mark-of-the-Web Bypass
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1553.006
  attack_object_name: Code Signing Policy Modification
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  mapping_type: related_to
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.001
  attack_object_name: Keychain
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.001
  attack_object_name: Keychain
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.002
  attack_object_name: Securityd Memory
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.002
  attack_object_name: Securityd Memory
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.002
  attack_object_name: Securityd Memory
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.004
  attack_object_name: Windows Credential Manager
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.004
  attack_object_name: Windows Credential Manager
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  mapping_type: related_to
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  mapping_type: related_to
  references: []
# NOTE(review): the next two rows give T1566.002 (Spearphishing Link) the same
# attribute.integrity pair (Modify configuration / Modify privileges) as the
# T1556.x authentication-process rows on either side of them, and no T1556.002
# row appears in this stretch. This may be a 1556/1566 ID transposition.
# Confirm against the source mapping before using these rows to derive
# integrity impact for phishing techniques.
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1559.001
  attack_object_name: Component Object Model
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.malware
  capability_id: action.malware.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1685.006
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1685
  attack_object_name: Disable or Modify Tools
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1685
  attack_object_name: Disable or Modify Tools
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.malware
  capability_id: action.malware.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.malware
  capability_id: action.malware.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1685.001
  attack_object_name: Disable or Modify Windows Event Log
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1690
  attack_object_name: Prevent Command History Logging
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1686.001
  attack_object_name: Cloud Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1685.002
  attack_object_name: Disable or Modify Cloud Log
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
# NOTE(review): capability_group (action.malware) does not match the namespace
# of capability_id (action.hacking.*). The neighbouring rows keep the group
# equal to the leading components of the id, so a consumer that filters or
# aggregates on capability_group would place this row under a different action
# than one that keys on capability_id. Confirm which field is intended and
# whether a separate action.malware.variety.Disable controls row is missing.
- attack_object_id: T1685.003
  attack_object_name: Modify or Spoof Tool UI
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1685.004
  attack_object_name: Disable or Modify Linux Audit System Log
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1560
  attack_object_name: Archive Collected Data
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1560.001
  attack_object_name: Archive via Utility
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1560.002
  attack_object_name: Archive via Library
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1560.003
  attack_object_name: Archive via Custom Method
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  mapping_type: related_to
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Destruction
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Destruction
  mapping_type: related_to
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Interruption
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Interruption
  mapping_type: related_to
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Loss
  capability_group: attribute.availability
  capability_id: attribute.availability.variety.Loss
  mapping_type: related_to
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1685.001
  attack_object_name: Disable or Modify Windows Event Log
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1690
  attack_object_name: Prevent Command History Logging
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564.001
  attack_object_name: Hidden Files and Directories
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1686
  attack_object_name: Disable or Modify System Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1685
  attack_object_name: Disable or Modify Tools
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564.001
  attack_object_name: Hidden Files and Directories
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1686.001
  attack_object_name: Cloud Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1685.002
  attack_object_name: Disable or Modify Cloud Log
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.003
  attack_object_name: Hidden Window
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1685.004
  attack_object_name: Disable or Modify Linux Audit System Log
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1564.003
  attack_object_name: Hidden Window
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1564.004
  attack_object_name: NTFS File Attributes
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1564.004
  attack_object_name: NTFS File Attributes
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1564.005
  attack_object_name: Hidden File System
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.005
  attack_object_name: Hidden File System
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.001
  attack_object_name: Hidden Files and Directories
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.001
  attack_object_name: Hidden Files and Directories
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.006
  attack_object_name: Run Virtual Instance
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.006
  attack_object_name: Run Virtual Instance
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.003
  attack_object_name: Hidden Window
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.003
  attack_object_name: Hidden Window
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: VBA Stomping
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1564.004
  attack_object_name: NTFS File Attributes
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.004
  attack_object_name: NTFS File Attributes
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: VBA Stomping
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.005
  attack_object_name: Hidden File System
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.005
  attack_object_name: Hidden File System
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.006
  attack_object_name: Run Virtual Instance
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.006
  attack_object_name: Run Virtual Instance
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: VBA Stomping
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: VBA Stomping
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: VBA Stomping
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1565.003
  attack_object_name: Runtime Data Manipulation
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Instant Messaging
  capability_group: action.malware
  capability_id: action.malware.vector.Instant messaging
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Email. Parent to 'Email attachment', 'Email autoexecute',
    'Email link', 'Email unknown'
  capability_group: action.malware
  capability_id: action.malware.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Web application
  capability_group: action.social
  capability_id: action.social.vector.Web application
  mapping_type: related_to
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  mapping_type: related_to
  references: []
- attack_object_id: T1566.004
  attack_object_name: Spearphishing Voice
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1567.001
  attack_object_name: Exfiltration to Code Repository
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1567.001
  attack_object_name: Exfiltration to Code Repository
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1567.003
  attack_object_name: Exfiltration to Text Storage Sites
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1567.003
  attack_object_name: Exfiltration to Text Storage Sites
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1568.001
  attack_object_name: Fast Flux DNS
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Downloaded and installed by local malware
  capability_group: action.malware
  capability_id: action.malware.vector.Download by malware
  mapping_type: related_to
  references: []
- attack_object_id: T1568.003
  attack_object_name: DNS Calculation
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1568.001
  attack_object_name: Fast Flux DNS
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1568.001
  attack_object_name: Fast Flux DNS
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1569.003
  attack_object_name: Systemctl
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1569.001
  attack_object_name: Launchctl
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1568.003
  attack_object_name: DNS Calculation
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1568.003
  attack_object_name: DNS Calculation
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Directly installed or inserted by threat agent (after system
    access)
  capability_group: action.malware
  capability_id: action.malware.vector.Direct install
  mapping_type: related_to
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Network service that is not remote access or a web application.
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other network service
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. hijacking a phone number to intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
# NOTE(review): this row pairs Hijack Execution Flow with the VERIS variety
# 'XML injection'. The link is not evident from the two names, and
# `references` is empty, so the rationale cannot be traced from this file.
# Confirm against the mapping source before relying on it for incident coding
# or detection-coverage reporting.
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: XML injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML injection
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. hijacking a phone number to intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1574.004
  attack_object_name: Dylib Hijacking
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1574.004
  attack_object_name: Dylib Hijacking
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. hijacking a phone number to intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1574.004
  attack_object_name: Dylib Hijacking
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1574.005
  attack_object_name: Executable Installer File Permissions Weakness
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1574.005
  attack_object_name: Executable Installer File Permissions Weakness
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. hijacking a phone number to intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1574.005
  attack_object_name: Executable Installer File Permissions Weakness
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1574.010
  attack_object_name: Services File Permissions Weakness
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1574.011
  attack_object_name: Services Registry Permissions Weakness
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  mapping_type: related_to
  references: []
- attack_object_id: T1668
  attack_object_name: Exclusive Control
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
# NOTE(review): the VERIS vector here is described as a hypervisor break-out,
# while the technique name refers to modifying cloud compute infrastructure.
# These look like different activities (guest escape vs. changes to cloud
# resources); `references` is empty, so verify the pairing before treating
# T1578 telemetry as evidence of a hypervisor-vector incident.
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Hypervisor break-out attack
  capability_group: action.hacking
  capability_id: action.hacking.vector.Hypervisor
  mapping_type: related_to
  references: []
- attack_object_id: T1574.012
  attack_object_name: COR_PROFILER
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Penetration of another VM or web site on shared device or
    infrastructure
  capability_group: action.hacking
  capability_id: action.hacking.vector.Inter-tenant
  mapping_type: related_to
  references: []
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1578.004
  attack_object_name: Revert Cloud Instance
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1580
  attack_object_name: Cloud Infrastructure Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1583
  attack_object_name: Acquire Infrastructure
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583
  attack_object_name: Acquire Infrastructure
  capability_description: Web via user-executed or downloaded content. Child of 'Web
    application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - download
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: Domains
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: Domains
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: Domains
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: DNS Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: DNS Server
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: DNS Server
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
# NOTE(review): 'Forced browsing' is described as a child of 'Exploit vuln',
# i.e. an action against a target, whereas this technique sits under Acquire
# Infrastructure (T1583). The same pairing appears for T1583.004 and T1583.006
# in this file. `references` is empty; confirm the intended relationship
# before using these rows to translate between the two taxonomies.
- attack_object_id: T1583.003
  attack_object_name: Virtual Private Server
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  mapping_type: related_to
  references: []
- attack_object_id: T1583.003
  attack_object_name: Virtual Private Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: Server
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: Botnet
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: Web Services
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: Web Services
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: Web Services
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: Web Services
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: Web Services
  capability_description: Development of any full website controlled by the attacker
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Website
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: Web via user-executed or downloaded content. Child of 'Web
    application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - download
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: Domains
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: Domains
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: DNS Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: DNS Server
  capability_description: Malware creates a remote control capability, but it's unclear
    if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor or C2
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: DNS Server
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
- attack_object_id: T1584.003
  attack_object_name: Virtual Private Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584.004
  attack_object_name: Server
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: Botnet
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: Botnet
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1584.006
  attack_object_name: Web Services
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1585
  attack_object_name: Establish Accounts
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1585
  attack_object_name: Establish Accounts
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  mapping_type: related_to
  references: []
- attack_object_id: T1585.001
  attack_object_name: Social Media Accounts
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1585.001
  attack_object_name: Social Media Accounts
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  mapping_type: related_to
  references: []
- attack_object_id: T1585.002
  attack_object_name: Email Accounts
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1585.002
  attack_object_name: Email Accounts
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  mapping_type: related_to
  references: []
- attack_object_id: T1586
  attack_object_name: Compromise Accounts
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: Social Media Accounts
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: Social Media Accounts
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: Social Media Accounts
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
# NOTE(review): T1586.001 (Social Media Accounts) above also carries Phishing
# and Pretexting mappings, while T1586.002 (Email Accounts) has only this
# 'Use of stolen creds' entry. Confirm whether the omission is deliberate;
# otherwise VERIS social-action records will not pivot to this technique.
- attack_object_id: T1586.002
  attack_object_name: Email Accounts
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Nothing is known about the need for or type of development
    investment other than it was present.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: The portion of a program that causes a negative effect.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Payload
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Ransomware
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: Malware
  capability_description: A program which masquerades as another program to get a
    target to execute malicious content
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Trojan
  mapping_type: related_to
  references: []
- attack_object_id: T1587.002
  attack_object_name: Code Signing Certificates
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.002
  attack_object_name: Code Signing Certificates
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1587.003
  attack_object_name: Digital Certificates
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.003
  attack_object_name: Digital Certificates
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: Exploits
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: Exploits
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: Exploits
  capability_description: Code to exploit a vulnerability, including web injects.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: Exploits
  capability_description: Code sets capable of selecting and trying multiple exploits
    against a target.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit Kits
  mapping_type: related_to
  references: []
- attack_object_id: T1588
  attack_object_name: Obtain Capabilities
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588
  attack_object_name: Obtain Capabilities
  capability_description: Nothing is known about the need for or type of development
    investment other than it was present.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: The portion of a program that causes a negative effect.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Payload
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Ransomware
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: A program which masquerades as another program to get a
    target to execute malicious content
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Trojan
  mapping_type: related_to
  references: []
- attack_object_id: T1588.003
  attack_object_name: Code Signing Certificates
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.003
  attack_object_name: Code Signing Certificates
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1588.004
  attack_object_name: Digital Certificates
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.004
  attack_object_name: Digital Certificates
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: Exploits
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: Exploits
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: Exploits
  capability_description: Code to exploit a vulnerability, including web injects.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: Exploits
  capability_description: Code sets capable of selecting and trying multiple exploits
    against a target.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit Kits
  mapping_type: related_to
  references: []
- attack_object_id: T1588.006
  attack_object_name: Vulnerabilities
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.006
  attack_object_name: Vulnerabilities
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.007
  attack_object_name: Artificial Intelligence
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.007
  attack_object_name: Artificial Intelligence
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
# NOTE(review): T1589 and its sub-techniques below (Credentials, Email
# Addresses, Employee Names) are all mapped to 'Scan network', described as
# "Enumerating the state of the network". Identity information is about
# people and accounts rather than network state, so this reads as a loose
# related_to link. Confirm the intended VERIS value before using these
# entries to derive detection coverage from incident data.
- attack_object_id: T1589
  attack_object_name: Gather Victim Identity Information
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1589.001
  attack_object_name: Credentials
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1589.002
  attack_object_name: Email Addresses
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1589.003
  attack_object_name: Employee Names
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590
  attack_object_name: Gather Victim Network Information
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.001
  attack_object_name: Domain Properties
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.002
  attack_object_name: DNS
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.003
  attack_object_name: Network Trust Dependencies
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.004
  attack_object_name: Network Topology
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.005
  attack_object_name: IP Addresses
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1590.006
  attack_object_name: Network Security Appliances
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1592
  attack_object_name: Gather Victim Host Information
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1592.001
  attack_object_name: Hardware
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1592.002
  attack_object_name: Software
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1592.003
  attack_object_name: Firmware
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1592.004
  attack_object_name: Client Configurations
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1595
  attack_object_name: Active Scanning
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1595.001
  attack_object_name: Scanning IP Blocks
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
# NOTE(review): this pairs a scanning technique with 'Exploit vuln'. Scanning
# identifies candidate weaknesses; it does not by itself show that one was
# exploited. Consumers pivoting between VERIS records and ATT&CK coverage
# should not read a VERIS 'Exploit vuln' record as evidence of scanning, nor
# scanning telemetry as evidence of exploitation. The 'Scan network' mapping
# for the same technique is the entry that follows.
- attack_object_id: T1595.002
  attack_object_name: Vulnerability Scanning
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  mapping_type: related_to
  references: []
- attack_object_id: T1595.002
  attack_object_name: Vulnerability Scanning
  capability_description: Enumerating the state of the network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1598.001
  attack_object_name: Spearphishing Service
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1598.001
  attack_object_name: Spearphishing Service
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Pretexting (dialogue leveraging invented scenario).  Unlike
    'Phishing', does not transfer data. (A fraudulent transfer or changing a bank
    account on a business account is not really disclosing data.
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  mapping_type: related_to
  references: []
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: "Any type of *ishing.  Phishing always involves getting\
    \ data from the victim. Phishing usually has some element of pretexting, but often\
    \ it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google\
    \ login page isn\u2019t really pretexting."
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  mapping_type: related_to
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1600
  attack_object_name: Weaken Encryption
  capability_description: Cryptanalysis. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Cryptanalysis
  mapping_type: related_to
  references: []
- attack_object_id: T1600
  attack_object_name: Weaken Encryption
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1600.001
  attack_object_name: Reduce Key Space
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1600.002
  attack_object_name: Disable Crypto Hardware
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  mapping_type: related_to
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  mapping_type: related_to
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Confirmed or potential data disclosure
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  mapping_type: related_to
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Credential or session prediction. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session prediction
  mapping_type: related_to
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Credential or session prediction. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session prediction
  mapping_type: related_to
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608
  attack_object_name: Stage Capabilities
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608.002
  attack_object_name: Upload Tool
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608.003
  attack_object_name: Install Digital Certificate
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608.004
  attack_object_name: Drive-by Target
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1608.005
  attack_object_name: Link Target
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  mapping_type: related_to
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Virtual machine escape. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Virtual machine escape
  mapping_type: related_to
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Enumerating the state of the network
  capability_group: action.hacking
  capability_id: action.hacking.variety.Scan network
  mapping_type: related_to
  references: []
- attack_object_id: T1614
  attack_object_name: System Location Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1614.001
  attack_object_name: System Language Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.social
  capability_id: action.social.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Malware creates a backdoor capability for hacking. Child
    of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  mapping_type: related_to
  references: []
# NOTE(review): by name, "Account Access Removal" does not describe brute
# forcing, while the next entry pairs T1110.003 Password Spraying with the C2
# variety. This may be a misaligned pair of rows; confirm both against the
# mapping source before relying on them for detection-coverage analysis.
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  mapping_type: related_to
  references: []
# NOTE(review): Password Spraying is paired with the C2 variety here; by name
# it would fit the Brute force variety of the previous entry. Confirm.
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Malware creates Command and Control capability for malware.
    Child of 'Backdoor or C2'.
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  mapping_type: related_to
  references: []
# NOTE(review): the relation between "Tool" and 'Export data' is not evident
# from the names in this entry and `references` is empty; confirm.
- attack_object_id: T1588.002
  attack_object_name: Tool
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  mapping_type: related_to
  references: []
- attack_object_id: T1557.001
  attack_object_name: Name Resolution Poisoning and SMB Relay
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.malware
  capability_id: action.malware.variety.AiTM
  mapping_type: related_to
  references: []
- attack_object_id: T1685
  attack_object_name: Disable or Modify Tools
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.malware
  capability_id: action.malware.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1685
  attack_object_name: Disable or Modify Tools
  capability_description: Malware which compromises a legitimate file rather than
    creating new files
  capability_group: action.malware
  capability_id: action.malware.variety.Modify data
  mapping_type: related_to
  references: []
- attack_object_id: T1685.003
  attack_object_name: Modify or Spoof Tool UI
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1584.008
  attack_object_name: Network Devices
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.malware
  capability_id: action.malware.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Remotely injected by agent (i.e. via SQLi)
  capability_group: action.malware
  capability_id: action.malware.vector.remote injection
  mapping_type: related_to
  references: []
- attack_object_id: T1556.008
  attack_object_name: Network Provider DLL
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556.008
  attack_object_name: Network Provider DLL
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  mapping_type: related_to
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  mapping_type: related_to
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1558.005
  attack_object_name: Ccache Files
  capability_description: Use of stolen or default authentication credentials (including
    credential stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  mapping_type: related_to
  references: []
- attack_object_id: T1564.011
  attack_object_name: Ignore Process Interrupts
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1574.014
  attack_object_name: AppDomainManager
  capability_description: To assume control over and steal functionality for an illicit
    purpose (e.g. Hijacking phone number intercept SMS verification codes)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Hijack
  mapping_type: related_to
  references: []
- attack_object_id: T1584.008
  attack_object_name: Network Devices
  capability_description: Partner connection or credential. (Indicates supply chain
    breach.)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  mapping_type: related_to
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1652
  attack_object_name: Device Driver Discovery
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1653
  attack_object_name: Power Settings
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1654
  attack_object_name: Log Enumeration
  capability_description: Enumerating the state of the current host
  capability_group: action.hacking
  capability_id: action.hacking.variety.Profile host
  mapping_type: related_to
  references: []
- attack_object_id: T1665
  attack_object_name: Hide Infrastructure
  capability_description: Abuse of functionality.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  mapping_type: related_to
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Modification of the action (rather than the system, as in
    'Disable controls') to avoid detection.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Evade Defenses
  mapping_type: related_to
  references: []
- attack_object_id: T1686.002
  attack_object_name: Network Device Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1686
  attack_object_name: Disable or Modify System Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
# NOTE(review): "Account Access Removal" is paired with the Brute force variety
# and `references` is empty, so the rationale is not recorded here. Confirm the
# technique ID/name against the mapping source before using this entry to
# translate incident data into technique coverage.
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Brute force or password guessing attacks.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  mapping_type: related_to
  references: []
- attack_object_id: T1686.003
  attack_object_name: Windows Host Firewall
  capability_description: Disable or interfere with security controls
  capability_group: action.hacking
  capability_id: action.hacking.variety.Disable controls
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: Botnet
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: Botnet
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1588.002
  attack_object_name: Tool
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  mapping_type: related_to
  references: []
- attack_object_id: T1689
  attack_object_name: Downgrade Attack
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  mapping_type: related_to
  references: []
# The entries below differ from the rest of the list in two ways:
#  * most use mapping_type `non_mappable` with null attack_object_id and
#    attack_object_name, so consumers must tolerate nulls in those fields;
#  * capability_id is written with capitalised segments ("Action.Hacking...")
#    while capability_group stays lowercase ("action.hacking").
# NOTE(review): a case-sensitive join or prefix match on capability_id would
# miss these rows; normalise case on read or confirm the intended spelling.
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: Action.Hacking.Vector.Unknown
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.malware
  capability_id: Action.Malware.Variety.Other
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Email sub-variety known, but not one of those listed (attachment,
    link, autoexecute, etc). Child of 'Email'
  capability_group: action.malware
  capability_id: Action.Malware.Vector.Email other
  mapping_type: non_mappable
  references: []
# This entry is a regular `related_to` mapping, but its capability_id uses the
# same capitalised form as the non_mappable rows around it.
- attack_object_id: T1684
  attack_object_name: Social Engineering
  capability_description: 'Prepare malicious content in a location where a victim
    is likely to interact with it. (e.g. SEO - vect: websites, left usbs- vect: removable
    media, etc)'
  capability_group: action.social
  capability_id: Action.Social.Variety.Baiting
  mapping_type: related_to
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Influence tactics (Leveraging authority or obligation, framing,
    etc)
  capability_group: action.social
  capability_id: Action.Social.Variety.Influence
  mapping_type: non_mappable
  references: []
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.social
  capability_id: Action.Social.Vector.Unknown
  mapping_type: non_mappable
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Registers an attacker controlled MFA device to an account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Register MFA device
  mapping_type: related_to
  references: []
# File-level metadata for the mapping set listed under `mapping_objects`.
metadata:
  # Quoted so the version stays a string rather than being read as a float.
  attack_version: '19.1'
  author: null
  # Each capability group key maps to an identical value in this file.
  capability_groups:
    action.hacking: action.hacking
    action.malware: action.malware
    action.social: action.social
    attribute.availability: attribute.availability
    attribute.confidentiality: attribute.confidentiality
    attribute.integrity: attribute.integrity
    value_chain.development: value_chain.development
  contact: null
  # 01/23/2025 can only be read as MM/DD/YYYY; last_update presumably uses the
  # same order (TODO confirm). Both are plain strings, not YAML timestamps.
  creation_date: 01/23/2025
  last_update: 06/05/2026
  mapping_framework: veris
  mapping_framework_version: 1.4.1
  # NOTE(review): only `related_to` is declared here, yet entries in
  # `mapping_objects` also use `mapping_type: non_mappable`. A consumer that
  # validates mapping_type against this table would reject or drop those rows;
  # confirm whether `non_mappable` should be declared as well.
  mapping_types:
    related_to:
      description: ''
      name: related-to
  mapping_version: ''
  organization: null
  technology_domain: enterprise
