# Technique-to-capability mapping list.
# Each entry pairs one ATT&CK technique (attack_object_id / attack_object_name)
# with one capability (capability_id, plus its capability_group and
# capability_description).
# A technique ID is repeated once per capability it maps to (T1047 has three
# entries below), so consumers must group by attack_object_id rather than
# treat it as a unique key.
# capability_id values contain spaces (e.g. 'Abuse of functionality'); compare
# them as whole strings, never by splitting on whitespace.
# NOTE(review): capability_id paths (action.hacking.variety.*,
# action.malware.vector.*, attribute.integrity.variety.*) look like VERIS
# enumerations; confirm against the project's schema.
# NOTE(review): in the entries visible here mapping_type is always related_to
# and comments/references are empty, so no per-mapping rationale is recorded.
mapping_objects:
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Directly installed or inserted by threat agent (after system
    access)
  capability_group: action.malware
  capability_id: action.malware.vector.Direct install
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.001
  attack_object_name: 'Scheduled Task/Job: At (Linux)'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.002
  attack_object_name: 'Scheduled Task/Job: At (Windows)'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.003
  attack_object_name: 'Scheduled Task/Job: Cron'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.004
  attack_object_name: 'Scheduled Task/Job: Launchd'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.005
  attack_object_name: 'Scheduled Task/Job: Scheduled Task'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.006
  attack_object_name: 'Scheduled Task/Job: Systemd Timers'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1053.007
  attack_object_name: 'Scheduled Task/Job: Container Orchestration Job'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.001
  attack_object_name: 'Command and Scripting Interpreter: PowerShell'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.001
  attack_object_name: 'Command and Scripting Interpreter: PowerShell'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.002
  attack_object_name: 'Command and Scripting Interpreter: AppleScript'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.002
  attack_object_name: 'Command and Scripting Interpreter: AppleScript'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.003
  attack_object_name: 'Command and Scripting Interpreter: Windows Command Shell'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.003
  attack_object_name: 'Command and Scripting Interpreter: Windows Command Shell'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.004
  attack_object_name: 'Command and Scripting Interpreter: Unix Shell'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.004
  attack_object_name: 'Command and Scripting Interpreter: Unix Shell'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.005
  attack_object_name: 'Command and Scripting Interpreter: Visual Basic'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.005
  attack_object_name: 'Command and Scripting Interpreter: Visual Basic'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.005
  attack_object_name: 'Command and Scripting Interpreter: Visual Basic'
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.006
  attack_object_name: 'Command and Scripting Interpreter: Python'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.006
  attack_object_name: 'Command and Scripting Interpreter: Python'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.007
  attack_object_name: 'Command and Scripting Interpreter: JavaScript'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.007
  attack_object_name: 'Command and Scripting Interpreter: JavaScript'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.007
  attack_object_name: 'Command and Scripting Interpreter: JavaScript'
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.008
  attack_object_name: 'Command and Scripting Interpreter: Network Device CLI'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1059.008
  attack_object_name: 'Command and Scripting Interpreter: Network Device CLI'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Included in automated software update
  capability_group: action.malware
  capability_id: action.malware.vector.Software update
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1106
  attack_object_name: Native API
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1112
  attack_object_name: Modify Registry
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1127.001
  attack_object_name: 'Trusted Developer Utilities Proxy Execution: MSBuild'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1127.001
  attack_object_name: 'Trusted Developer Utilities Proxy Execution: MSBuild'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1129
  attack_object_name: Shared Modules
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137.001
  attack_object_name: 'Office Application Startup: Office Template Macros'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137.002
  attack_object_name: 'Office Application Startup: Office Test'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137.003
  attack_object_name: 'Office Application Startup: Outlook Forms'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137.004
  attack_object_name: 'Office Application Startup: Outlook Home Page'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1137.005
  attack_object_name: 'Office Application Startup: Outlook Rules'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1216
  attack_object_name: Signed Script Proxy Execution
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1216.001
  attack_object_name: 'Signed Script Proxy Execution: PubPrn'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218
  attack_object_name: Signed Binary Proxy Execution
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.001
  attack_object_name: 'Signed Binary Proxy Execution: Compiled HTML File'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.002
  attack_object_name: 'Signed Binary Proxy Execution: Control Panel'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.003
  attack_object_name: 'Signed Binary Proxy Execution: CMSTP'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.004
  attack_object_name: 'Signed Binary Proxy Execution: InstallUtil'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.005
  attack_object_name: 'Signed Binary Proxy Execution: Mshta'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.007
  attack_object_name: 'Signed Binary Proxy Execution: Msiexec'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.008
  attack_object_name: 'Signed Binary Proxy Execution: Odbcconf'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.009
  attack_object_name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.010
  attack_object_name: 'Signed Binary Proxy Execution: Regsvr32'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.011
  attack_object_name: 'Signed Binary Proxy Execution: Rundll32'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1218.012
  attack_object_name: 'Signed Binary Proxy Execution: Verclsid'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1220
  attack_object_name: XSL Script Processing
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: 'Server Software Component: SQL Stored Procedures'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: 'Server Software Component: SQL Stored Procedures'
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: 'Server Software Component: SQL Stored Procedures'
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.001
  attack_object_name: 'Server Software Component: SQL Stored Procedures'
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: 'Server Software Component: Transport Agent'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: 'Server Software Component: Transport Agent'
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: 'Server Software Component: Transport Agent'
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.002
  attack_object_name: 'Server Software Component: Transport Agent'
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1529
  attack_object_name: System Shutdown/Reboot
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543.001
  attack_object_name: 'Create or Modify System Process: Launch Agent'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543.002
  attack_object_name: 'Create or Modify System Process: Systemd Service'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543.003
  attack_object_name: 'Create or Modify System Process: Windows Service'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543.003
  attack_object_name: 'Create or Modify System Process: Windows Service'
  capability_description: Remote Access Trojan.  Parent of 'Backdoor' and 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.RAT
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1543.004
  attack_object_name: 'Create or Modify System Process: Launch Daemon'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.001
  attack_object_name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.002
  attack_object_name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.003
  attack_object_name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.003
  attack_object_name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): this entry pairs Sudo and Sudo Caching with the client-side /
# browser attack capability (redirection, XSS, MitB). The link is not explained
# (comments and references are empty); confirm the mapping is intended before
# relying on it for detection or reporting coverage.
- attack_object_id: T1548.003
  attack_object_name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
  capability_description: Client-side or browser attack (e.g., redirection, XSS, MitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.004
  attack_object_name: 'Abuse Elevation Control Mechanism: Elevated Execution with
    Prompt'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1548.004
  attack_object_name: 'Abuse Elevation Control Mechanism: Elevated Execution with
    Prompt'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1559.001
  attack_object_name: 'Inter-Process Communication: Component Object Model'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1559.002
  attack_object_name: 'Inter-Process Communication: Dynamic Data Exchange'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563.001
  attack_object_name: 'Remote Service Session Hijacking: SSH Hijacking'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563.001
  attack_object_name: 'Remote Service Session Hijacking: SSH Hijacking'
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: 'Remote Service Session Hijacking: RDP Hijacking'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1563.002
  attack_object_name: 'Remote Service Session Hijacking: RDP Hijacking'
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.001
  attack_object_name: 'Hide Artifacts: Hidden Files and Directories'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.002
  attack_object_name: 'Hide Artifacts: Hidden Users'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.003
  attack_object_name: 'Hide Artifacts: Hidden Window'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.004
  attack_object_name: 'Hide Artifacts: NTFS File Attributes'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.005
  attack_object_name: 'Hide Artifacts: Hidden File System'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.006
  attack_object_name: 'Hide Artifacts: Run Virtual Instance'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: 'Hide Artifacts: VBA Stomping'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1564.007
  attack_object_name: 'Hide Artifacts: VBA Stomping'
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1569.001
  attack_object_name: 'System Services: Launchctl'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1569.002
  attack_object_name: 'System Services: Service Execution'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1569.002
  attack_object_name: 'System Services: Service Execution'
  capability_description: Directly installed or inserted by threat agent (after system
    access)
  capability_group: action.malware
  capability_id: action.malware.vector.Direct install
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Computer Infrastructure
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Computer Infrastructure
  capability_description: Hypervisor break-out attack
  capability_group: action.hacking
  capability_id: action.hacking.vector.Hypervisor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Computer Infrastructure
  capability_description: Penetration of another VM or web site on shared device or
    infrastructure
  capability_group: action.hacking
  capability_id: action.hacking.vector.Inter-tenant
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578.001
  attack_object_name: 'Modify Cloud Computer Infrastructure: Create Snapshot'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578.002
  attack_object_name: 'Modify Cloud Computer Infrastructure: Create Cloud Instance'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578.003
  attack_object_name: 'Modify Cloud Computer Infrastructure: Delete Cloud Instance'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1578.004
  attack_object_name: 'Modify Cloud Computer Infrastructure: Revert Cloud Instance'
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Abuse of functionality
  capability_group: action.hacking
  capability_id: action.hacking.variety.Abuse of functionality
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Brute force or password guessing attacks
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.001
  attack_object_name: 'Brute Force: Password Guessing'
  capability_description: Brute force or password guessing attacks
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.001
  attack_object_name: 'Brute Force: Password Guessing'
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.002
  attack_object_name: 'Brute Force: Password Cracking'
  capability_description: Brute force or password guessing attacks
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.002
  attack_object_name: 'Brute Force: Password Cracking'
  capability_description: Offline password or key cracking (e.g., rainbow tables,
    Hashcat, JtR)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Offline cracking
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.002
  attack_object_name: 'Brute Force: Password Cracking'
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.003
  attack_object_name: 'Brute Force: Password Spraying'
  capability_description: Brute force or password guessing attacks
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.003
  attack_object_name: 'Brute Force: Password Spraying'
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.004
  attack_object_name: 'Brute Force: Credential Stuffing'
  capability_description: Brute force or password guessing attacks
  capability_group: action.hacking
  capability_id: action.hacking.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1110.004
  attack_object_name: 'Brute Force: Credential Stuffing'
  capability_description: Brute force attack
  capability_group: action.malware
  capability_id: action.malware.variety.Brute force
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Buffer overflow. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Buffer overflow
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP Response Splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP Response Splitting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP request smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request smuggling
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP request splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request splitting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: HTTP response smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response smuggling
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Client-side or browser attack (e.g., redirection, XSS, MitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1600
  attack_object_name: Weaken Encryption
  capability_description: Cryptanalysis. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Cryptanalysis
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1600
  attack_object_name: Weaken Encryption
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: 'Network Denial of Service: Direct Network Flood'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498.001
  attack_object_name: 'Network Denial of Service: Direct Network Flood'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: 'Network Denial of Service: Reflection Amplification'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1498.002
  attack_object_name: 'Network Denial of Service: Reflection Amplification'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Soap array abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Soap array abuse
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML attribute blowup. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML attribute blowup
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML entity expansion. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML entity expansion
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: XML external entities. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML external entities
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: 'Endpoint Denial of Service: OS Exhaustion Flood'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.001
  attack_object_name: 'Endpoint Denial of Service: OS Exhaustion Flood'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: 'Endpoint Denial of Service: Service Exhaustion Flood'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.002
  attack_object_name: 'Endpoint Denial of Service: Service Exhaustion Flood'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: 'Endpoint Denial of Service: Application Exhaustion Flood'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.003
  attack_object_name: 'Endpoint Denial of Service: Application Exhaustion Flood'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: 'Endpoint Denial of Service: Application or System Exploitation'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1499.004
  attack_object_name: 'Endpoint Denial of Service: Application or System Exploitation'
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: 'Acquire Infrastructure: Botnet'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: 'Acquire Infrastructure: Botnet'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: 'Acquire Infrastructure: Botnet'
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.005
  attack_object_name: 'Acquire Infrastructure: Botnet'
  capability_description: For content distributed from a collection of bots.
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Botnet
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: 'Compromise Infrastructure: Botnet'
  capability_description: Denial of service
  capability_group: action.hacking
  capability_id: action.hacking.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: 'Compromise Infrastructure: Botnet'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: 'Compromise Infrastructure: Botnet'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.005
  attack_object_name: 'Compromise Infrastructure: Botnet'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Format string attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Format string attack
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Fuzz testing. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Fuzz testing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Insecure deserialization. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization.
    Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Insecure deserialization
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Integer overflows. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Integer overflows
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: LDAP injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.LDAP injection
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Session fixation. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session fixation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.004
  attack_object_name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: 'Hijack Execution Flow: DLL Search Order Hijacking'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: 'Hijack Execution Flow: DLL Search Order Hijacking'
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.001
  attack_object_name: 'Hijack Execution Flow: DLL Search Order Hijacking'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.002
  attack_object_name: 'Hijack Execution Flow: DLL Side-Loading'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.002
  attack_object_name: 'Hijack Execution Flow: DLL Side-Loading'
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.002
  attack_object_name: 'Hijack Execution Flow: DLL Side-Loading'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.005
  attack_object_name: 'Hijack Execution Flow: Executable Installer File Permissions
    Weakness'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.005
  attack_object_name: 'Hijack Execution Flow: Executable Installer File Permissions
    Weakness'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.010
  attack_object_name: 'Hijack Execution Flow: Services File Permissions Weakness'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.011
  attack_object_name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
  capability_description: Exploit a misconfiguration (vs vuln or weakness)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit misconfig
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.004
  attack_object_name: 'Hijack Execution Flow: Dylib Hijacking'
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.004
  attack_object_name: 'Hijack Execution Flow: Dylib Hijacking'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.002
  attack_object_name: 'Active Scanning: Vulnerability Scanning'
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other hacking enumerations, (such as XSS when an XSS vuln
    exists.). Parent of many hacking varieties.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.002
  attack_object_name: 'Active Scanning: Vulnerability Scanning'
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.002
  attack_object_name: 'Active Scanning: Vulnerability Scanning'
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.002
  attack_object_name: 'Active Scanning: Vulnerability Scanning'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1012
  attack_object_name: Query Registry
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1057
  attack_object_name: Process Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1069
  attack_object_name: Permission Groups Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1069.001
  attack_object_name: 'Permission Groups Discovery: Local Groups'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1069.002
  attack_object_name: 'Permission Groups Discovery: Domain Groups'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1069.003
  attack_object_name: 'Permission Groups Discovery: Cloud Groups'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1087.001
  attack_object_name: 'Account Discovery: Local Account'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1087.002
  attack_object_name: 'Account Discovery: Domain Account'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1087.003
  attack_object_name: 'Account Discovery: Email Account'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1087.004
  attack_object_name: 'Account Discovery: Cloud Account'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1120
  attack_object_name: Peripheral Device Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1124
  attack_object_name: System Time Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1201
  attack_object_name: Password Policy Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1480
  attack_object_name: Execution Guardrails
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1480.001
  attack_object_name: 'Execution Guardrails: Environmental Keying'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1518
  attack_object_name: Software Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1518.001
  attack_object_name: 'Software Discovery: Security Software Discovery'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1526
  attack_object_name: Cloud Service Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1580
  attack_object_name: Cloud Infrastructure Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589
  attack_object_name: Gather Victim Identity Information
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589
  attack_object_name: Gather Victim Identity Information
  capability_description: Information on individuals such as title, interests, physical
    location, etc, used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Personal Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.001
  attack_object_name: 'Gather Victim Identity Information: Credentials'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.001
  attack_object_name: 'Gather Victim Identity Information: Credentials'
  capability_description: lost or stolen credentials, including credential stuffing,
    used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Lost or stolen credentials
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.001
  attack_object_name: 'Gather Victim Identity Information: Credentials'
  capability_description: Information on individuals such as title, interests, physical
    location, etc, used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Personal Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.002
  attack_object_name: 'Gather Victim Identity Information: Email Addresses'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.002
  attack_object_name: 'Gather Victim Identity Information: Email Addresses'
  capability_description: Email addresses
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Email addresses
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.002
  attack_object_name: 'Gather Victim Identity Information: Email Addresses'
  capability_description: Information on individuals such as title, interests, physical
    location, etc, used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Personal Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.003
  attack_object_name: 'Gather Victim Identity Information: Employee Names'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1589.003
  attack_object_name: 'Gather Victim Identity Information: Employee Names'
  capability_description: Information on individuals such as title, interests, physical
    location, etc, used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Personal Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590
  attack_object_name: Gather Victim Network Information
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590
  attack_object_name: Gather Victim Network Information
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.001
  attack_object_name: 'Gather Victim Network Information: Domain Properties'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.001
  attack_object_name: 'Gather Victim Network Information: Domain Properties'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.002
  attack_object_name: 'Gather Victim Network Information: DNS'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.002
  attack_object_name: 'Gather Victim Network Information: DNS'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.003
  attack_object_name: 'Gather Victim Network Information: Network Trust Dependencies'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.003
  attack_object_name: 'Gather Victim Network Information: Network Trust Dependencies'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.004
  attack_object_name: 'Gather Victim Network Information: Network Topology'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.004
  attack_object_name: 'Gather Victim Network Information: Network Topology'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.005
  attack_object_name: 'Gather Victim Network Information: IP Addresses'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.005
  attack_object_name: 'Gather Victim Network Information: IP Addresses'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.006
  attack_object_name: 'Gather Victim Network Information: Network Security Appliances'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1590.006
  attack_object_name: 'Gather Victim Network Information: Network Security Appliances'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591
  attack_object_name: Gather Victim Org Information
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591
  attack_object_name: Gather Victim Org Information
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.001
  attack_object_name: 'Gather Victim Org Information: Determine Physical Locations'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.001
  attack_object_name: 'Gather Victim Org Information: Determine Physical Locations'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.002
  attack_object_name: 'Gather Victim Org Information: Business Relationships'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.002
  attack_object_name: 'Gather Victim Org Information: Business Relationships'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.003
  attack_object_name: 'Gather Victim Org Information: Identify Business Tempo'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.003
  attack_object_name: 'Gather Victim Org Information: Identify Business Tempo'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.004
  attack_object_name: 'Gather Victim Org Information: Identify Roles'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1591.004
  attack_object_name: 'Gather Victim Org Information: Identify Roles'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592
  attack_object_name: Gather Victim Host Information
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592
  attack_object_name: Gather Victim Host Information
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.001
  attack_object_name: 'Gather Victim Host Information: Hardware'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.001
  attack_object_name: 'Gather Victim Host Information: Hardware'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.002
  attack_object_name: 'Gather Victim Host Information: Software'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.002
  attack_object_name: 'Gather Victim Host Information: Software'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.003
  attack_object_name: 'Gather Victim Host Information: Firmware'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.003
  attack_object_name: 'Gather Victim Host Information: Firmware'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.004
  attack_object_name: 'Gather Victim Host Information: Client Configurations'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1592.004
  attack_object_name: 'Gather Victim Host Information: Client Configurations'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593
  attack_object_name: Search Open Websites/Domains
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593
  attack_object_name: Search Open Websites/Domains
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593.001
  attack_object_name: 'Search Open Websites/Domains: Social Media'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593.001
  attack_object_name: 'Search Open Websites/Domains: Social Media'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593.002
  attack_object_name: 'Search Open Websites/Domains: Search Engines'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1593.002
  attack_object_name: 'Search Open Websites/Domains: Search Engines'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1594
  attack_object_name: Search Victim-Owned Websites
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1594
  attack_object_name: Search Victim-Owned Websites
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596
  attack_object_name: Search Open Technical Databases
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596
  attack_object_name: Search Open Technical Databases
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.001
  attack_object_name: 'Search Open Technical Databases: DNS/Passive DNS'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.001
  attack_object_name: 'Search Open Technical Databases: DNS/Passive DNS'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.002
  attack_object_name: 'Search Open Technical Databases: WHOIS'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.002
  attack_object_name: 'Search Open Technical Databases: WHOIS'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.003
  attack_object_name: 'Search Open Technical Databases: Digital Certificates'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.003
  attack_object_name: 'Search Open Technical Databases: Digital Certificates'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.004
  attack_object_name: 'Search Open Technical Databases: CDNs'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.004
  attack_object_name: 'Search Open Technical Databases: CDNs'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.005
  attack_object_name: 'Search Open Technical Databases: Scan Databases'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1596.005
  attack_object_name: 'Search Open Technical Databases: Scan Databases'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597
  attack_object_name: Search Closed Sources
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597
  attack_object_name: Search Closed Sources
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597.001
  attack_object_name: 'Search Closed Sources: Threat Intel Vendors'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597.001
  attack_object_name: 'Search Closed Sources: Threat Intel Vendors'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597.002
  attack_object_name: 'Search Closed Sources: Purchase Technical Data'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1597.002
  attack_object_name: 'Search Closed Sources: Purchase Technical Data'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1602.001
  attack_object_name: 'Data from Configuration Repository: SNMP (MIB Dump)'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1602.002
  attack_object_name: 'Data from Configuration Repository: Network Device Configuration
    Dump'
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1614
  attack_object_name: System Location Discovery
  capability_description: Footprinting and fingerprinting
  capability_group: action.hacking
  capability_id: action.hacking.variety.Footprinting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.003
  attack_object_name: 'Acquire Infrastructure: Virtual Private Server'
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.003
  attack_object_name: 'Acquire Infrastructure: Virtual Private Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.003
  attack_object_name: 'Acquire Infrastructure: Virtual Private Server'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.003
  attack_object_name: 'Acquire Infrastructure: Virtual Private Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  # NOTE(review): capability_group spells the category "non-distribution_services"
  # (underscore) while capability_id spells it "non-distribution services" (space).
  # A consumer that derives the group from the id prefix, or joins the two fields,
  # will not match unless it normalises one form; confirm which is intended. The
  # same pair appears in the T1583.004 and T1583.006 entries.
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: 'Acquire Infrastructure: Server'
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: 'Acquire Infrastructure: Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: 'Acquire Infrastructure: Server'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.004
  attack_object_name: 'Acquire Infrastructure: Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: Forced browsing or predictable resource location. Child
    of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Forced browsing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: Development of any full website controlled by the attacker
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Website
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.006
  attack_object_name: 'Acquire Infrastructure: Web Services'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: HTTP Response Splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP Response Splitting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: HTTP request smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request smuggling
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: HTTP request splitting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP request splitting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: HTTP response smuggling. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.HTTP response smuggling
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: Session fixation. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session fixation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1185
  attack_object_name: Man in the Browser
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Man-in-the-Middle
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1557
  attack_object_name: Man-in-the-Middle
  capability_description: Routing detour. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Routing detour
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1557.001
  attack_object_name: 'Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay'
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1557.002
  attack_object_name: 'Man-in-the-Middle: ARP Cache Poisoning'
  capability_description: Man-in-the-middle attack. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.MitM
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: 'Use Alternate Authentication Material: Pass the Hash'
  capability_description: Pass-the-hash
  capability_group: action.hacking
  capability_id: action.hacking.variety.Pass-the-hash
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: 'Use Alternate Authentication Material: Pass the Hash'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.002
  attack_object_name: 'Use Alternate Authentication Material: Pass the Hash'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: 3rd party online desktop sharing (LogMeIn, Go2Assist)
  capability_group: action.hacking
  capability_id: action.hacking.vector.3rd party desktop
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Remotely injected by agent (i.e. via SQLi)
  capability_group: action.malware
  capability_id: action.malware.vector.Remote injection
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Web application. Parent of 'Web application - download'
    and 'Web application - drive-by'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.003
  attack_object_name: 'Server Software Component: Web Shell'
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.003
  attack_object_name: 'Server Software Component: Web Shell'
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1505.003
  attack_object_name: 'Server Software Component: Web Shell'
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Container Image
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Container Image
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Container Image
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Container Image
  capability_description: Remote Access Trojan.  Parent of 'Backdoor' and 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.RAT
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Container Image
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Downloaded and installed by local malware
  capability_group: action.malware
  capability_id: action.malware.vector.Download by malware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channels
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channels
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channels
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573.001
  attack_object_name: 'Encrypted Channels: Symmetric Cryptography'
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573.001
  attack_object_name: 'Encrypted Channels: Symmetric Cryptography'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573.002
  attack_object_name: 'Encrypted Channels: Asymmetric Cryptography'
  capability_description: Use of Backdoor or C2 channel
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1573.002
  attack_object_name: 'Encrypted Channels: Asymmetric Cryptography'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.001
  attack_object_name: 'Remote Services: Remote Desktop Protocol'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.001
  attack_object_name: 'Remote Services: Remote Desktop Protocol'
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.002
  attack_object_name: 'Remote Services: SMB/Windows Admin Shares'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.002
  attack_object_name: 'Remote Services: SMB/Windows Admin Shares'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.003
  attack_object_name: 'Remote Services: Distributed Component Object Model'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.003
  attack_object_name: 'Remote Services: Distributed Component Object Model'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.004
  attack_object_name: 'Remote Services: SSH'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.004
  attack_object_name: 'Remote Services: SSH'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.005
  attack_object_name: 'Remote Services: VNC'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.005
  attack_object_name: 'Remote Services: VNC'
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.006
  attack_object_name: 'Remote Services: Windows Remote Management'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1021.006
  attack_object_name: 'Remote Services: Windows Remote Management'
  capability_description: Remote shell
  capability_group: action.hacking
  capability_id: action.hacking.vector.Command shell
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078.001
  attack_object_name: 'Valid Accounts: Default Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078.002
  attack_object_name: 'Valid Accounts: Domain Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078.003
  attack_object_name: 'Valid Accounts: Local Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1078.004
  attack_object_name: 'Valid Accounts: Cloud Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134.001
  attack_object_name: 'Access Token Manipulation: Token Impersonation/Theft'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134.002
  attack_object_name: 'Access Token Manipulation: Create Process with Token'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134.003
  attack_object_name: 'Access Token Manipulation: Make and Impersonate Token'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134.004
  attack_object_name: 'Access Token Manipulation: Parent PID Spoofing'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1134.005
  attack_object_name: 'Access Token Manipulation: SID-History Injection'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.001
  attack_object_name: 'Use Alternate Authentication Material: Application Access Token'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.003
  attack_object_name: 'Use Alternate Authentication Material: Pass the Ticket'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1550.004
  attack_object_name: 'Use Alternate Authentication Material: Web Session Cookies'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.001
  attack_object_name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.002
  attack_object_name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1558.003
  attack_object_name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1586
  attack_object_name: Compromise Account
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: 'Compromise Account: Social Media Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: 'Compromise Account: Social Media Accounts'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1586.001
  attack_object_name: 'Compromise Account: Social Media Accounts'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1586.002
  attack_object_name: 'Compromise Account: Email Accounts'
  capability_description: Use of stolen authentication credentials (including credential
    stuffing)
  capability_group: action.hacking
  capability_id: action.hacking.variety.Use of stolen creds
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Virtual machine escape. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Virtual machine escape
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repository
  capability_description: XML external entities. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML external entities
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repository
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: XML injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML injection
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: XML injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XML injection
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1010
  attack_object_name: Application Window Discovery
  capability_description: XPath injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XPath injection
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1010
  attack_object_name: Application Window Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1111
  attack_object_name: Two-Factor Authentication Interception
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583
  attack_object_name: Acquire Infrastructure
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583
  attack_object_name: Acquire Infrastructure
  capability_description: Web via user-executed or downloaded content. Child of 'Web
    application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - download
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: 'Acquire Infrastructure: Domains'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: 'Acquire Infrastructure: Domains'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: 'Acquire Infrastructure: Domains'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.001
  attack_object_name: 'Acquire Infrastructure: Domains'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: 'Acquire Infrastructure: DNS Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: 'Acquire Infrastructure: DNS Server'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: 'Acquire Infrastructure: DNS Server'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1583.002
  attack_object_name: 'Acquire Infrastructure: DNS Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: Web via user-executed or downloaded content. Child of 'Web
    application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - download
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584
  attack_object_name: Compromise Infrastructure
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: 'Compromise Infrastructure: Domains'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: 'Compromise Infrastructure: Domains'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: 'Compromise Infrastructure: Domains'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.001
  attack_object_name: 'Compromise Infrastructure: Domains'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: 'Compromise Infrastructure: DNS Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: 'Compromise Infrastructure: DNS Server'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: 'Compromise Infrastructure: DNS Server'
  capability_description: "Malicious content added to a benign server, such as a webserver,\
    \ by the actor, without the permission or necessarily the knowledge of the server\u2019\
    s owner"
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Compromised server
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.002
  attack_object_name: 'Compromise Infrastructure: DNS Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.003
  attack_object_name: 'Compromise Infrastructure: Virtual Private Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.003
  attack_object_name: 'Compromise Infrastructure: Virtual Private Server'
  capability_description: "Malicious content added to a benign server, such as a webserver,\
    \ by the actor, without the permission or necessarily the knowledge of the server\u2019\
    s owner"
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Compromised server
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.003
  attack_object_name: 'Compromise Infrastructure: Virtual Private Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.004
  attack_object_name: 'Compromise Infrastructure: Server'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.004
  attack_object_name: 'Compromise Infrastructure: Server'
  capability_description: "Malicious content added to a benign server, such as a webserver,\
    \ by the actor, without the permission or necessarily the knowledge of the server\u2019\
    s owner"
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Compromised server
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.004
  attack_object_name: 'Compromise Infrastructure: Server'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.006
  attack_object_name: 'Compromise Infrastructure: Web Services'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.006
  attack_object_name: 'Compromise Infrastructure: Web Services'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1584.006
  attack_object_name: 'Compromise Infrastructure: Web Services'
  capability_description: The variety of non-distribution service required is known,
    but is not listed
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587
  attack_object_name: Develop Capabilities
  capability_description: Nothing is known about the need for or type of development
    investment other than it was present.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: The portion of a program that causes a negative effect.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Payload
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Ransomware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.001
  attack_object_name: 'Develop Capabilities: Malware'
  capability_description: A program which masquerades as another program to get a
    target to execute malicious content
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Trojan
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.002
  attack_object_name: 'Develop Capabilities: Code Signing Certificates'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.002
  attack_object_name: 'Develop Capabilities: Code Signing Certificates'
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.003
  attack_object_name: 'Develop Capabilities: Digital Certificates'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.003
  attack_object_name: 'Develop Capabilities: Digital Certificates'
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: 'Develop Capabilities: Exploits'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: 'Develop Capabilities: Exploits'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: 'Develop Capabilities: Exploits'
  capability_description: Code to exploit a vulnerability, including web injects.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1587.004
  attack_object_name: 'Develop Capabilities: Exploits'
  capability_description: Code sets capable of selecting and trying multiple exploits
    against a target.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit Kits
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588
  attack_object_name: Obtain Capabilities
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588
  attack_object_name: Obtain Capabilities
  capability_description: Nothing is known about the need for or type of development
    investment other than it was present.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: A small program that can be distributed, installed, and
    controlled en masse.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Bot
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: The portion of a program that causes a negative effect.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Payload
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Ransomware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.001
  attack_object_name: 'Obtain Capabilities: Malware'
  capability_description: A program which masquerades as another program to get a
    target to execute malicious content
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Trojan
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.002
  attack_object_name: 'Obtain Capabilities: Tool'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.003
  attack_object_name: 'Obtain Capabilities: Code Signing Certificates'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.003
  attack_object_name: 'Obtain Capabilities: Code Signing Certificates'
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.004
  attack_object_name: 'Obtain Capabilities: Digital Certificates'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.004
  attack_object_name: 'Obtain Capabilities: Digital Certificates'
  capability_description: The variety of development required is known, but is not
    listed.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: 'Obtain Capabilities: Exploits'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: 'Obtain Capabilities: Exploits'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: 'Obtain Capabilities: Exploits'
  capability_description: Code to exploit a vulnerability, including web injects.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.005
  attack_object_name: 'Obtain Capabilities: Exploits'
  capability_description: Code sets capable of selecting and trying multiple exploits
    against a target.
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Exploit Kits
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.006
  attack_object_name: 'Obtain Capabilities: Vulnerabilities'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1588.006
  attack_object_name: 'Obtain Capabilities: Vulnerabilities'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1599.001
  attack_object_name: 'Network Boundary Bridging: Network Address Translation Traversal'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1606.001
  attack_object_name: 'Forge Web Credentials: Web Cookies'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1606.002
  attack_object_name: 'Forge Web Credentials: SAML Tokens'
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Unknown
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Script
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Script
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Script
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Malware which compromises a legitimate file rather than
    creating new files
  capability_group: action.malware
  capability_id: action.malware.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Client Software Binary
  capability_description: Backdoor or command and control channel
  capability_group: action.hacking
  capability_id: action.hacking.vector.Backdoor or C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Client Software Binary
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Client Software Binary
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Client Software Binary
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Superset of 'Desktop sharing' and '3rd party desktop'.  Please
    use in place of the other two
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing software
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: System or network utilities (e.g., PsTools, Netcat)
  capability_group: action.malware
  capability_id: action.malware.variety.Adminware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Hypervisor break-out attack
  capability_group: action.hacking
  capability_id: action.hacking.vector.Hypervisor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Penetration of another VM or web site on shared device or
    infrastructure
  capability_group: action.hacking
  capability_id: action.hacking.vector.Inter-tenant
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Partner connection or credential
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Adware
  capability_group: action.malware
  capability_id: action.malware.variety.Adware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Partner connection or credential
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Included in automated software update
  capability_group: action.malware
  capability_id: action.malware.vector.Software update
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1195.001
  attack_object_name: 'Supply Chain Compromise: Compromise Software Dependencies and
    Development Tools'
  capability_description: Partner connection or credential
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1195.002
  attack_object_name: 'Supply Chain Compromise: Compromise Software Supply Chain'
  capability_description: Partner connection or credential
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1195.003
  attack_object_name: 'Supply Chain Compromise: Compromise Hardware Supply Chain'
  capability_description: Partner connection or credential
  capability_group: action.hacking
  capability_id: action.hacking.vector.Partner
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Physical access or connection (i.e., at keyboard or via
    cable)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Physical access
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1205.001
  attack_object_name: 'Traffic Signaling: Port Knocking'
  capability_description: Backdoor (enable remote access). Child of 'RAT' when combined
    with 'Trojan'
  capability_group: action.malware
  capability_id: action.malware.variety.Backdoor
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1205.001
  attack_object_name: 'Traffic Signaling: Port Knocking'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001.001
  attack_object_name: 'Data Obfuscation: Junk Data'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001.001
  attack_object_name: 'Data Obfuscation: Junk Data'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.001
  attack_object_name: 'Application Layer Protocol: Web Protocols'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.001
  attack_object_name: 'Application Layer Protocol: Web Protocols'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.002
  attack_object_name: 'Application Layer Protocol: File Transfer Protocol'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.002
  attack_object_name: 'Application Layer Protocol: File Transfer Protocol'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.003
  attack_object_name: 'Application Layer Protocol: Mail Protocols'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.003
  attack_object_name: 'Application Layer Protocol: Mail Protocols'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.004
  attack_object_name: 'Application Layer Protocol: DNS'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1071.004
  attack_object_name: 'Application Layer Protocol: DNS'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090.001
  attack_object_name: 'Proxy: Internal Proxy'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090.002
  attack_object_name: 'Proxy: External Proxy'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090.003
  attack_object_name: 'Proxy: Multi-hop Proxy'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1090.004
  attack_object_name: 'Proxy: Domain Fronting'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102.001
  attack_object_name: 'Web Service: Dead Drop Resolver'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102.002
  attack_object_name: 'Web Service: Bidirectional Communication'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1102.003
  attack_object_name: 'Web Service: One-Way Communication'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1132.001
  attack_object_name: 'Data Encoding: Standard Encoding'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1132.002
  attack_object_name: 'Data Encoding: Non-Standard Encoding'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568.001
  attack_object_name: 'Dynamic Resolution: Fast Flux DNS'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568.002
  attack_object_name: 'Dynamic Resolution: Domain Generation Algorithms'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1568.003
  attack_object_name: 'Dynamic Resolution: DNS Calculation'
  capability_description: Command and control (C2)
  capability_group: action.malware
  capability_id: action.malware.variety.C2
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.001
  attack_object_name: 'Input Capture: Keylogging'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.002
  attack_object_name: 'Input Capture: GUI Input Capture'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.003
  attack_object_name: 'Input Capture: Web Portal Capture'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.004
  attack_object_name: 'Input Capture: Credential API Hooking'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.004
  attack_object_name: 'Input Capture: Credential API Hooking'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1056.004
  attack_object_name: 'Input Capture: Credential API Hooking'
  capability_description: Spyware, keylogger or form-grabber (capture user input or
    activity)
  capability_group: action.malware
  capability_id: action.malware.variety.Spyware/Keylogger
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1113
  attack_object_name: Screen Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1114.001
  attack_object_name: 'Email Collection: Local Email Collection'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1114.002
  attack_object_name: 'Email Collection: Remote Email Collection'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1114.003
  attack_object_name: 'Email Collection: Email Forwarding Rule'
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1114.003
  attack_object_name: 'Email Collection: Email Forwarding Rule'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1123
  attack_object_name: Audio Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1125
  attack_object_name: Video Capture
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1176
  attack_object_name: Browser Extensions
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1176
  attack_object_name: Browser Extensions
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1207
  attack_object_name: Rogue Domain Controller
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1217
  attack_object_name: Browser Bookmark Discovery
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Capture data from application or system process
  capability_group: action.malware
  capability_id: action.malware.variety.Capture app data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.002
  attack_object_name: 'OS Credential Dumping: Security Account Manager'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.002
  attack_object_name: 'OS Credential Dumping: Security Account Manager'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.002
  attack_object_name: 'OS Credential Dumping: Security Account Manager'
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.003
  attack_object_name: 'OS Credential Dumping: NTDS'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.003
  attack_object_name: 'OS Credential Dumping: NTDS'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.006
  attack_object_name: 'OS Credential Dumping: DCSync'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.006
  attack_object_name: 'OS Credential Dumping: DCSync'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.006
  attack_object_name: 'OS Credential Dumping: DCSync'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.008
  attack_object_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.008
  attack_object_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1033
  attack_object_name: System Owner/User Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1039
  attack_object_name: Data from Network Shared Drive
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1213.001
  attack_object_name: 'Data from Information Repositories: Confluence'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1213.002
  attack_object_name: 'Data from Information Repositories: Sharepoint'
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage Object
  capability_description: Capture data stored on system disk
  capability_group: action.malware
  capability_id: action.malware.variety.Capture stored data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Click fraud, whether or not cryptocurrency mining.  Also
    mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency
    mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Click fraud
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Click fraud or cryptocurrency mining. Parent of 'Click fraud'
    and 'Cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Click fraud and cryptocurrency mining
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Cryptocurrency mining, whether or not click fraud. Child
    of 'Click fraud and cryptocurrency mining'.
  capability_group: action.malware
  capability_id: action.malware.variety.Cryptocurrency mining
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Client-side or browser attack (e.g., redirection, XSS, MitB)
  capability_group: action.malware
  capability_id: action.malware.variety.Client-side attack
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal on Host
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.001
  attack_object_name: 'Indicator Removal on Host: Clear Windows Event Logs'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.001
  attack_object_name: 'Indicator Removal on Host: Clear Windows Event Logs'
  capability_description: Log tampering or modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Log tampering
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.002
  attack_object_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.002
  attack_object_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
  capability_description: Log tampering or modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Log tampering
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.003
  attack_object_name: 'Indicator Removal on Host: Clear Command History'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.004
  attack_object_name: 'Indicator Removal on Host: File Deletion'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.005
  attack_object_name: 'Indicator Removal on Host: Network Share Connection Removal'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1070.006
  attack_object_name: 'Indicator Removal on Host: Timestomp'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1561.001
  attack_object_name: 'Disk Wipe: Disk Content Wipe'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1561.002
  attack_object_name: 'Disk Wipe: Disk Structure Wipe'
  capability_description: Destroy or corrupt stored data
  capability_group: action.malware
  capability_id: action.malware.variety.Destroy data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1006
  attack_object_name: Direct Volume Access
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027.001
  attack_object_name: 'Obfuscated Files or Information: Binary Padding'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027.002
  attack_object_name: 'Obfuscated Files or Information: Software Packaging'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027.003
  attack_object_name: 'Obfuscated Files or Information: Steganography'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027.004
  attack_object_name: 'Obfuscated Files or Information: Compile After Delivery'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1027.005
  attack_object_name: 'Obfuscated Files or Information: Indicator Removal from Tools'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.001
  attack_object_name: 'Masquerading: Invalid Code Signature'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.002
  attack_object_name: 'Masquerading: Right-to-Left Override'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.002
  attack_object_name: 'Masquerading: Right-to-Left Override'
  capability_description: Forgery or counterfeiting (fake hardware, software, documents,
    etc)
  capability_group: action.social
  capability_id: action.social.variety.Forgery
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.002
  attack_object_name: 'Masquerading: Right-to-Left Override'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.003
  attack_object_name: 'Masquerading: Rename System Utilities'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.003
  attack_object_name: 'Masquerading: Rename System Utilities'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.004
  attack_object_name: 'Masquerading: Masquerade Task or Service'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.005
  attack_object_name: 'Masquerading: Match Legitimate Name or Location'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1036.006
  attack_object_name: 'Masquerading: Space after Filename'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1222.001
  attack_object_name: 'File and Directory Permissions Modification: Windows File and
    Directory Permissions Modification'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1222.002
  attack_object_name: 'File and Directory Permissions Modification: Linux and Mac
    File and Directory Permissions Modification'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: action.malware
  capability_id: action.malware.variety.Ransomware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497.001
  attack_object_name: 'Virtualization/Sandbox Evasion: System Checks'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497.002
  attack_object_name: 'Virtualization/Sandbox Evasion: User Activity Based Checks'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1497.003
  attack_object_name: 'Virtualization/Sandbox Evasion: Time Based Evasion'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.001
  attack_object_name: 'Subvert Trust Controls: Gatekeeper Bypass'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.002
  attack_object_name: 'Subvert Trust Controls: Code Signing'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.003
  attack_object_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.004
  attack_object_name: 'Subvert Trust Controls: Install Root Certificate'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.005
  attack_object_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1553.006
  attack_object_name: 'Subvert Trust Controls: Code Signing Policy Modification'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Malware which compromises a legitimate file rather than
    creating new files
  capability_group: action.malware
  capability_id: action.malware.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.001
  attack_object_name: 'Impair Defenses: Disable or Modify Tools'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.002
  attack_object_name: 'Impair Defenses: Disable Windows Event Logging'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.003
  attack_object_name: 'Impair Defenses: Impair Command History Logging'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.004
  attack_object_name: 'Impair Defenses: Disable or Modify System Firewall'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.006
  attack_object_name: 'Impair Defenses: Indicator Blocking'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.007
  attack_object_name: 'Impair Defenses: Disable or Modify Cloud Firewall'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1562.008
  attack_object_name: 'Impair Defenses: Disable Cloud Logs'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1574.012
  attack_object_name: 'Hijack Execution Flow: COR_PROFILER'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1600.001
  attack_object_name: 'Weaken Encryption: Reduce Key Space'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1600.002
  attack_object_name: 'Weaken Encryption: Disable Crypto Hardware'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1601.001
  attack_object_name: 'Modify System Image: Patch System Image'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1601.002
  attack_object_name: 'Modify System Image: Downgrade System Image'
  capability_description: Disable or interfere with security controls
  capability_group: action.malware
  capability_id: action.malware.variety.Disable controls
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: DoS attack
  capability_group: action.malware
  capability_id: action.malware.variety.DoS
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Exploit vulnerability in code (vs misconfig or weakness).
    This can be used with other malware enumerations, (such as Remote injection when
    a Remote injection vuln exists.)
  capability_group: action.malware
  capability_id: action.malware.variety.Exploit vuln
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1011.001
  attack_object_name: 'Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1020.001
  attack_object_name: 'Automated Exfiltration: Traffic Duplication'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channels
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1048.001
  attack_object_name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric
    Encrypted Non-C2 Protocol'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1048.002
  attack_object_name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric
    Encrypted Non-C2 Protocol'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1048.003
  attack_object_name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
    Non-C2 Protocol'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1052.001
  attack_object_name: 'Exfiltration Over Physical Medium: Exfiltration over USB'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1074
  attack_object_name: Data Staged
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1074.001
  attack_object_name: 'Data Staged: Local Data Staging'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1074.002
  attack_object_name: 'Data Staged: Remote Data Staging'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1560
  attack_object_name: Archive Collected Data
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1560.001
  attack_object_name: 'Archive Collected Data: Archive via Utility'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1560.002
  attack_object_name: 'Archive Collected Data: Archive via Library'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1560.003
  attack_object_name: 'Archive Collected Data: Archive via Custom Method'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1567.001
  attack_object_name: 'Exfiltration Over Web Service: Exfiltration to Code Repository'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1567.002
  attack_object_name: 'Exfiltration Over Web Service: Exfiltration to Cloud Storage'
  capability_description: Export data to another site or system
  capability_group: action.malware
  capability_id: action.malware.variety.Export data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.007
  attack_object_name: 'OS Credential Dumping: Proc Filesystem'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.007
  attack_object_name: 'OS Credential Dumping: Proc Filesystem'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055
  attack_object_name: Process Injection
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.001
  attack_object_name: 'Process Injection: Dynamic-link Library Injection'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.002
  attack_object_name: 'Process Injection: Portable Executable Injection'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.003
  attack_object_name: 'Process Injection: Thread Execution Hijacking'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.004
  attack_object_name: 'Process Injection: Asynchronous Procedure Call'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.005
  attack_object_name: 'Process Injection: Thread Local Storage'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.008
  attack_object_name: 'Process Injection: Ptrace System Calls'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.009
  attack_object_name: 'Process Injection: Proc Memory'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.011
  attack_object_name: 'Process Injection: Extra Window Memory Injection'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.012
  attack_object_name: 'Process Injection: Process Hollowing'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.013
  attack_object_name: 'Process Injection: Process Doppelganging'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1055.014
  attack_object_name: 'Process Injection: VDSO Hijacking'
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1115
  attack_object_name: Clipboard Data
  capability_description: (malware never stored to persistent storage)
  capability_group: action.malware
  capability_id: action.malware.variety.In-memory
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Packet sniffer (capture data from network)
  capability_group: action.malware
  capability_id: action.malware.variety.Packet sniffer
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.001
  attack_object_name: 'OS Credential Dumping: LSASS Memory'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.001
  attack_object_name: 'OS Credential Dumping: LSASS Memory'
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.004
  attack_object_name: 'OS Credential Dumping: LSA Secrets'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.004
  attack_object_name: 'OS Credential Dumping: LSA Secrets'
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.005
  attack_object_name: 'OS Credential Dumping: Cached Domain Credentials'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1003.005
  attack_object_name: 'OS Credential Dumping: Cached Domain Credentials'
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): this row maps a credential-dumping sub-technique to an email
# delivery vector ('Email link'). The other T1003.005 rows nearby map it to
# 'Password dumper' and 'RAM scraper', which match the technique name; this
# one looks like a stray or mis-keyed row. Confirm against the upstream
# mapping before using it for detection-coverage or incident-tagging reports.
- attack_object_id: T1003.005
  attack_object_name: 'OS Credential Dumping: Cached Domain Credentials'
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.001
  attack_object_name: 'Unsecured Credentials: Credentials in Files'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.002
  attack_object_name: 'Unsecured Credentials: Credentials in Registry'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.003
  attack_object_name: 'Unsecured Credentials: Bash History'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.004
  attack_object_name: 'Unsecured Credentials: Private Keys'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.005
  attack_object_name: 'Unsecured Credentials: Cloud Instance Metadata API'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1552.006
  attack_object_name: 'Unsecured Credentials: Group Policy Preferences'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.001
  attack_object_name: 'Credentials from Password Stores: Keychain'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.002
  attack_object_name: 'Credentials from Password Stores: Securityd Memory'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.002
  attack_object_name: 'Credentials from Password Stores: Securityd Memory'
  capability_description: RAM scraper or memory parser (capture data from volatile
    memory)
  capability_group: action.malware
  capability_id: action.malware.variety.RAM scraper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.003
  attack_object_name: 'Credentials from Password Stores: Credentials from Web Browser'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.004
  attack_object_name: 'Credentials from Password Stores: Windows Credential Manager'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1555.005
  attack_object_name: 'Credentials from Password Stores: Password Managers'
  capability_description: Password dumper (extract credential hashes)
  capability_group: action.malware
  capability_id: action.malware.variety.Password dumper
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Ransomware (encrypt or seize stored data)
  capability_group: action.malware
  capability_id: action.malware.variety.Ransomware
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1014
  attack_object_name: Rootkit
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542.001
  attack_object_name: 'Pre-OS Boot: System Firmware'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542.002
  attack_object_name: 'Pre-OS Boot: Component Firmware'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542.003
  attack_object_name: 'Pre-OS Boot: Bootkit'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542.004
  attack_object_name: 'Pre-OS Boot: ROMMONkit'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1542.005
  attack_object_name: 'Pre-OS Boot: TFTP Boot'
  capability_description: Rootkit (maintain local privileges and stealth)
  capability_group: action.malware
  capability_id: action.malware.variety.Rootkit
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1016
  attack_object_name: System Network Configuration Discovery
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1016.001
  attack_object_name: 'System Network Configuration Discovery: Internet Connection
    Discovery'
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1018
  attack_object_name: Remote System Discovery
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Scanning
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1049
  attack_object_name: System Network Connections Discovery
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595
  attack_object_name: Active Scanning
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595
  attack_object_name: Active Scanning
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.001
  attack_object_name: 'Active Scanning: Scanning IP Blocks'
  capability_description: Scan or footprint network
  capability_group: action.malware
  capability_id: action.malware.variety.Scan network
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1595.001
  attack_object_name: 'Active Scanning: Scanning IP Blocks'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.003
  attack_object_name: 'User Execution: Malicious Image'
  capability_description: An application which appears legitimate but hides malicious
    functionality. Child of 'RAT' when combined with 'Backdoor'
  capability_group: action.malware
  capability_id: action.malware.variety.Trojan
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.003
  attack_object_name: 'User Execution: Malicious Image'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.003
  attack_object_name: 'User Execution: Malicious Image'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.003
  attack_object_name: 'User Execution: Malicious Image'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Worm (propagate to other systems or devices)
  capability_group: action.malware
  capability_id: action.malware.variety.Worm
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Worm (propagate to other systems or devices)
  capability_group: action.malware
  capability_id: action.malware.variety.Worm
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Removable storage media or devices
  capability_group: action.malware
  capability_id: action.malware.vector.Removable media
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001.002
  attack_object_name: 'Data Obfuscation: Steganography'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1001.003
  attack_object_name: 'Data Obfuscation: Protocol Impersonation'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1140
  attack_object_name: Deobfuscate/Decode Files or Information
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.001
  attack_object_name: 'User Execution: Malicious Link'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.001
  attack_object_name: 'User Execution: Malicious Link'
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.001
  attack_object_name: 'User Execution: Malicious Link'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.002
  attack_object_name: 'User Execution: Malicious File'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.002
  attack_object_name: 'User Execution: Malicious File'
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1204.002
  attack_object_name: 'User Execution: Malicious File'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608
  attack_object_name: Stage Capabilities
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608
  attack_object_name: Stage Capabilities
  capability_description: Nothing is known about the need for or type of distribution
    investment other than it was present.
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.001
  attack_object_name: 'Stage Capabilities: Upload Malware'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.001
  attack_object_name: 'Stage Capabilities: Upload Malware'
  capability_description: Malicious content shared intentionally, including bullet-proof
    hosting
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Website
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.002
  attack_object_name: 'Stage Capabilities: Upload Tools'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.002
  attack_object_name: 'Stage Capabilities: Upload Tools'
  capability_description: Malicious content shared intentionally, including bullet-proof
    hosting
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Website
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.003
  attack_object_name: 'Stage Capabilities: Install Digital Certificate'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.003
  attack_object_name: 'Stage Capabilities: Install Digital Certificate'
  capability_description: The variety of distribution was known, but is not listed
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Other
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.004
  attack_object_name: 'Stage Capabilities: Drive-by Target'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.004
  attack_object_name: 'Stage Capabilities: Drive-by Target'
  capability_description: Malicious content shared intentionally, including bullet-proof
    hosting
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Website
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1608.005
  attack_object_name: 'Stage Capabilities: Link Target'
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.variety.Unknown
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: 'Phishing: Spearphishing Attachment'
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: 'Phishing: Spearphishing Attachment'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.001
  attack_object_name: 'Phishing: Spearphishing Attachment'
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: 'Phishing for Information: Spearphishing Attachment'
  capability_description: Email via user-executed attachment. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email attachment
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: 'Phishing for Information: Spearphishing Attachment'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: 'Phishing for Information: Spearphishing Attachment'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.002
  attack_object_name: 'Phishing for Information: Spearphishing Attachment'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): attack_object_id and attack_object_name disagree in the three
# T1556.002 rows below. The other 'Phishing' rows in this part of the file use
# the T1566 family (T1566, T1566.001), so the name 'Phishing: Spearphishing
# Link' presumably belongs to T1566.002 rather than T1556.002 -- verify
# against ATT&CK before relying on these rows.
# The 'Email link' capability fits the phishing name; the two
# attribute.integrity capabilities do not obviously fit phishing, so for those
# rows the ID may be right and the name wrong. Consumers that join on
# attack_object_id would otherwise credit phishing coverage to the wrong
# technique, or miss it for the right one.
- attack_object_id: T1556.002
  attack_object_name: 'Phishing: Spearphishing Link'
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.002
  attack_object_name: 'Phishing: Spearphishing Link'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.002
  attack_object_name: 'Phishing: Spearphishing Link'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: 'Phishing for Information: Spearphishing Link'
  capability_description: Email via embedded link. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email link
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: 'Phishing for Information: Spearphishing Link'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: 'Phishing for Information: Spearphishing Link'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.003
  attack_object_name: 'Phishing for Information: Spearphishing Link'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Instant Messaging
  capability_group: action.malware
  capability_id: action.malware.vector.Instant messaging
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Network propagation
  capability_group: action.malware
  capability_id: action.malware.vector.Network propagation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Removable storage media or devices
  capability_group: action.malware
  capability_id: action.malware.vector.Removable media
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Web via auto-executed or "drive-by" infection. Child of
    'Web application'.
  capability_group: action.malware
  capability_id: action.malware.vector.Web application - drive-by
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: 'Phishing: Spearphishing Link'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.002
  attack_object_name: 'Phishing: Spearphishing Link'
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1566.003
  attack_object_name: 'Phishing: Spearphishing via Service'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): ATT&CK scopes 'Spearphishing via Service' to third-party
# services (social media, personal webmail and similar) rather than the
# organisation's own mail channel, so the Email vector may over-match here.
# Verify the intended scope before using this pair to drive email-gateway
# detections or coverage reporting.
- attack_object_id: T1566.003
  attack_object_name: 'Phishing: Spearphishing via Service'
  capability_description: Email
  capability_group: action.social
  capability_id: action.social.vector.Email
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.001
  attack_object_name: 'Phishing for Information: Spearphishing Service'
  capability_description: Phishing (or any type of *ishing)
  capability_group: action.social
  capability_id: action.social.variety.Phishing
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.001
  attack_object_name: 'Phishing for Information: Spearphishing Service'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1598.001
  attack_object_name: 'Phishing for Information: Spearphishing Service'
  capability_description: Information on an organization such as org chart, technologies
    in use, financial assets, etc, used to pick them as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Organizational Information
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: compromise of authenticity (e.g. masquerading as the legitimate
    owner of an account)
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Misrepresentation
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585
  attack_object_name: Establish Accounts
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585
  attack_object_name: Establish Accounts
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585.001
  attack_object_name: 'Establish Accounts: Social Media Accounts'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585.001
  attack_object_name: 'Establish Accounts: Social Media Accounts'
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585.002
  attack_object_name: 'Establish Accounts: Email Account'
  capability_description: Pretexting (dialogue leveraging invented scenario)
  capability_group: action.social
  capability_id: action.social.variety.Pretexting
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1585.002
  attack_object_name: 'Establish Accounts: Email Account'
  capability_description: A fake representation of a person, such as fake social media
    profiles
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.Persona
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): this entry and the T1546.002-T1546.015 entries that follow all
# map to 'Alter behavior', whose capability_description reads 'Influence or
# alter human behavior'. The T1546 sub-techniques are host-side event-triggered
# execution, so the pairing may rest on reading 'behavior' as system behavior;
# confirm with the mapping authors. Until then treat these pairs as
# low-confidence when pivoting from VERIS incident records to ATT&CK coverage.
- attack_object_id: T1546.001
  attack_object_name: 'Event Triggered Execution: Change Default File Association'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): attack_object_name lacks the ': ' separator that the sibling
# T1546.x entries use ('Event Triggered Execution: Screensaver' would match
# them). Any consumer that derives parent/sub-technique from the name, or
# joins on the name, will not line this entry up with the rest of the family;
# join on attack_object_id instead.
- attack_object_id: T1546.002
  attack_object_name: Event Triggered Execution Screensaver
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.003
  attack_object_name: 'Event Triggered Execution: Windows Management Instrumentation
    Event Subscription'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.004
  attack_object_name: 'Event Triggered Execution: Unix Shell Configuration Modification'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.005
  attack_object_name: 'Event Triggered Execution: Trap'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.006
  attack_object_name: 'Event Triggered Execution: LC_LOAD_DYLIB Addition'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.007
  attack_object_name: 'Event Triggered Execution: Netsh Helper DLL'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.008
  attack_object_name: 'Event Triggered Execution: Accessibility Features'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.009
  attack_object_name: 'Event Triggered Execution: AppCert DLLs'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.010
  attack_object_name: 'Event Triggered Execution: AppInit DLLs'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.011
  attack_object_name: 'Event Triggered Execution: Application Shimming'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.012
  attack_object_name: 'Event Triggered Execution: Image File Execution Options Injection'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.013
  attack_object_name: 'Event Triggered Execution: PowerShell Profile'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.014
  attack_object_name: 'Event Triggered Execution: Emond'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1546.015
  attack_object_name: 'Event Triggered Execution: Component Object Model Hijacking'
  capability_description: Influence or alter human behavior
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Alter behavior
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136.001
  attack_object_name: 'Create Account: Local Account'
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136.002
  attack_object_name: 'Create Account: Domain Account'
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1136.003
  attack_object_name: 'Create Account: Cloud Account'
  capability_description: Created new user account
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Created account
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1491.001
  attack_object_name: 'Defacement: Internal Defacement'
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1491.002
  attack_object_name: 'Defacement: External Defacement'
  capability_description: Deface content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Defacement
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037.001
  attack_object_name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037.002
  attack_object_name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037.003
  attack_object_name: 'Boot or Logon Initialization Scripts: Network Logon Script'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037.004
  attack_object_name: 'Boot or Logon Initialization Scripts: RC Scripts'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1037.005
  attack_object_name: 'Boot or Logon Initialization Scripts: Startup Items'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1484
  attack_object_name: Domain Policy Modification
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1484.001
  attack_object_name: 'Domain Policy Modification: Group Policy Modification'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1484.002
  attack_object_name: 'Domain Policy Modification: Domain Trust Modification'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.001
  attack_object_name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup
    Folder'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.002
  attack_object_name: 'Boot or Logon Autostart Execution: Authentication Package'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.003
  attack_object_name: 'Boot or Logon Autostart Execution: Time Providers'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.004
  attack_object_name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.005
  attack_object_name: 'Boot or Logon Autostart Execution: Security Support Provider'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.006
  attack_object_name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.007
  attack_object_name: 'Boot or Logon Autostart Execution: Re-opened Applications'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.008
  attack_object_name: 'Boot or Logon Autostart Execution: LSASS Driver'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.009
  attack_object_name: 'Boot or Logon Autostart Execution: Shortcut Modification'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.010
  attack_object_name: 'Boot or Logon Autostart Execution: Port Monitors'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.011
  attack_object_name: 'Boot or Logon Autostart Execution: Plist Modification'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.012
  attack_object_name: 'Boot or Logon Autostart Execution: Print Processors'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1547.013
  attack_object_name: 'Boot or Logon Autostart Execution: XDG Autostart Entries'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.001
  attack_object_name: 'Modify Authentication Process: Domain Controller Authentication'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.001
  attack_object_name: 'Modify Authentication Process: Domain Controller Authentication'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.003
  attack_object_name: 'Modify Authentication Process: Pluggable Authentication Modules'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.003
  attack_object_name: 'Modify Authentication Process: Pluggable Authentication Modules'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.004
  attack_object_name: 'Modify Authentication Process: Network Device Authentication'
  capability_description: Modified configuration or services
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify configuration
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1556.004
  attack_object_name: 'Modify Authentication Process: Network Device Authentication'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1565.001
  attack_object_name: 'Data Manipulation: Stored Data Manipulation'
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1565.002
  attack_object_name: 'Data Manipulation: Transmitted Data Manipulation'
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1565.003
  attack_object_name: 'Data Manipulation: Runtime Data Manipulation'
  capability_description: Modified stored data or content
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify data
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098.001
  attack_object_name: 'Account Manipulation: Additional Cloud Credentials'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098.002
  attack_object_name: 'Account Manipulation: Exchange Email Delegate Permissions'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098.003
  attack_object_name: 'Account Manipulation: Add Office 365 Global Administrator Role'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1098.004
  attack_object_name: 'Account Manipulation: SSH Authorized Keys'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
# NOTE(review): T1547.001-T1547.013 in this file map to 'Modify configuration';
# this sub-technique alone maps to 'Modify privileges' and has no
# 'Modify configuration' entry. That looks like a misfiled row rather than a
# deliberate distinction; confirm before relying on it for privilege-change
# reporting.
- attack_object_id: T1547.014
  attack_object_name: 'Boot or Logon Autostart Execution: Active Setup'
  capability_description: Modified privileges or permissions
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Modify privileges
  comments: ''
  mapping_type: related_to
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Repurposed asset for unauthorized function
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Repurpose
  comments: ''
  mapping_type: related_to
  references: []
# This entry and the non_mappable entries after it record VERIS capabilities
# with no linked ATT&CK technique: attack_object_id and attack_object_name are
# null, and references is null rather than the empty list [] used by
# related_to entries. Consumers that iterate references or key on
# attack_object_id must handle null. A VERIS record carrying one of these
# varieties yields no technique from this file; that is a gap in the mapping,
# not evidence that no technique applies.
- attack_object_id: null
  attack_object_name: null
  capability_description: Cache poisoning. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Cache poisoning
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Cross-site request forgery. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.CSRF
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Mail command injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Mail command injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Null byte injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Null byte injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: OS commanding. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.OS commanding
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Path traversal. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Path traversal
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Reverse engineering. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Reverse engineering
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Remote file inclusion. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.RFI
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Credential or session prediction. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session prediction
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Session replay. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Session replay
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Special element injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.Special element injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: SQL injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.SQLi
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: SSI injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.SSI injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: URL redirector abuse. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.URL redirector abuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Elevation of privilege by another customer in shared environment.
    Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.User breakout
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: XQuery injection. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XQuery injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Cross-site scripting. Child of 'Exploit vuln'.
  capability_group: action.hacking
  capability_id: action.hacking.variety.XSS
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Graphical desktop sharing (RDP, VNC, PCAnywhere, Citrix)
  capability_group: action.hacking
  capability_id: action.hacking.vector.Desktop sharing
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.hacking
  capability_id: action.hacking.vector.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: VPN
  capability_group: action.hacking
  capability_id: action.hacking.vector.VPN
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Web application
  capability_group: action.hacking
  capability_id: action.hacking.vector.Web application
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.hacking
  capability_id: action.hacking.vector.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The hacking action resulted in additional security access
  capability_group: action.hacking
  capability_id: action.hacking.result.Infiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The hacking action exfiltrated data from the victim
  capability_group: action.hacking
  capability_id: action.hacking.result.Exfiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The hacking action resulted in additional security permissions
  capability_group: action.hacking
  capability_id: action.hacking.result.Elevate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The hacking action used security access or permissions already
    acquired
  capability_group: action.hacking
  capability_id: action.hacking.result.Lateral movement
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: e.g. cryptomining, ransomware, etc
  capability_group: action.hacking
  capability_id: action.hacking.result.Deploy payload
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the hacking action is not listed
  capability_group: action.hacking
  capability_id: action.hacking.result.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the hacking action is unknown
  capability_group: action.hacking
  capability_id: action.hacking.result.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The hacking action did not have a result
  capability_group: action.hacking
  capability_id: action.hacking.result.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Downloader (pull updates or other malware)
  capability_group: action.malware
  capability_id: action.malware.variety.Downloader
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Send spam
  capability_group: action.malware
  capability_id: action.malware.variety.Spam
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: SQL injection attack
  capability_group: action.malware
  capability_id: action.malware.variety.SQL injection
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Email. Parent to 'Email attachment', 'Email autoexecute',
    'Email link', 'Email unknown'
  capability_group: action.malware
  capability_id: action.malware.vector.Email
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Email via automatic execution. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email autoexecute
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Email but sub-variety (attachment, autoexecute, link, etc)
    not known. Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Email sub-variety known, but not one of those listed (attachment,
    link, autoexecute, etc). Child of 'Email'
  capability_group: action.malware
  capability_id: action.malware.vector.Email other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.malware
  capability_id: action.malware.vector.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.malware
  capability_id: action.malware.vector.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The malware action resulted in additional security access
  capability_group: action.malware
  capability_id: action.malware.result.Infiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The malware action exfiltrated data from the victim
  capability_group: action.malware
  capability_id: action.malware.result.Exfiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The malware action resulted in additional security permissions
  capability_group: action.malware
  capability_id: action.malware.result.Elevate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The malware action used security access or permissions already
    acquired
  capability_group: action.malware
  capability_id: action.malware.result.Lateral movement
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: e.g. cryptomining, ransomware, etc
  capability_group: action.malware
  capability_id: action.malware.result.Deploy payload
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the malware action is not listed
  capability_group: action.malware
  capability_id: action.malware.result.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the malware action is unknown
  capability_group: action.malware
  capability_id: action.malware.result.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The malware action did not have a result
  capability_group: action.malware
  capability_id: action.malware.result.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Handling of data in an unapproved manner
  capability_group: action.misuse
  capability_id: action.misuse.variety.Data mishandling
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Inappropriate use of email or IM
  capability_group: action.misuse
  capability_id: action.misuse.variety.Email misuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Storage or distribution of illicit content
  capability_group: action.misuse
  capability_id: action.misuse.variety.Illicit content
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Abuse of private or entrusted knowledge
  capability_group: action.misuse
  capability_id: action.misuse.variety.Knowledge abuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Inappropriate use of network or Web access including cloud
    services
  capability_group: action.misuse
  capability_id: action.misuse.variety.Net misuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Abuse of physical access to asset
  capability_group: action.misuse
  capability_id: action.misuse.variety.Possession abuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Abuse of system access privileges
  capability_group: action.misuse
  capability_id: action.misuse.variety.Privilege abuse
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Actor photographs the confidentiality data variety.
  capability_group: action.misuse
  capability_id: action.misuse.variety.Snap picture
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Use of unapproved hardware or devices
  capability_group: action.misuse
  capability_id: action.misuse.variety.Unapproved hardware
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Use of unapproved software or services
  capability_group: action.misuse
  capability_id: action.misuse.variety.Unapproved software
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unapproved workaround or shortcut
  capability_group: action.misuse
  capability_id: action.misuse.variety.Unapproved workaround
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.misuse
  capability_id: action.misuse.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.misuse
  capability_id: action.misuse.variety.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Local network access within corporate facility
  capability_group: action.misuse
  capability_id: action.misuse.vector.LAN access
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Non-corporate facilities or networks
  capability_group: action.misuse
  capability_id: action.misuse.vector.Non-corporate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Physical access within corporate facility
  capability_group: action.misuse
  capability_id: action.misuse.vector.Physical access
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Remote access connection to corporate network (i.e. VPN)
  capability_group: action.misuse
  capability_id: action.misuse.vector.Remote access
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Web application
  capability_group: action.misuse
  capability_id: action.misuse.vector.Web application
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.misuse
  capability_id: action.misuse.vector.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.misuse
  capability_id: action.misuse.vector.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Do not use. Misuse inherently implies having permission
    so none can be gained.
  capability_group: action.misuse
  capability_id: action.misuse.result.Infiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The misuse action exfiltrated data from the victim
  capability_group: action.misuse
  capability_id: action.misuse.result.Exfiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Do not use. Misuse inherently implies having permission
    so none can be elevated.
  capability_group: action.misuse
  capability_id: action.misuse.result.Elevate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The misuse action used security access or permissions already
    acquired
  capability_group: action.misuse
  capability_id: action.misuse.result.Lateral movement
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: e.g. cryptomining, ransomware, etc
  capability_group: action.misuse
  capability_id: action.misuse.result.Deploy payload
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the misuse action is not listed
  capability_group: action.misuse
  capability_id: action.misuse.result.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the misuse action is unknown
  capability_group: action.misuse
  capability_id: action.misuse.result.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The misuse action did not have a result
  capability_group: action.misuse
  capability_id: action.misuse.result.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Baiting (planting infected media)
  capability_group: action.social
  capability_id: action.social.variety.Baiting
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Bribery or solicitation
  capability_group: action.social
  capability_id: action.social.variety.Bribery
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Elicitation (subtle extraction of info through conversation)
  capability_group: action.social
  capability_id: action.social.variety.Elicitation
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Extortion or blackmail
  capability_group: action.social
  capability_id: action.social.variety.Extortion
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Influence tactics (Leveraging authority or obligation, framing,
    etc)
  capability_group: action.social
  capability_id: action.social.variety.Influence
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Propaganda or disinformation
  capability_group: action.social
  capability_id: action.social.variety.Propaganda
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Online scam or hoax (e.g., scareware, 419 scam, auction
    fraud)
  capability_group: action.social
  capability_id: action.social.variety.Scam
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Spam (unsolicited or undesired email and advertisements)
  capability_group: action.social
  capability_id: action.social.variety.Spam
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.social
  capability_id: action.social.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.social
  capability_id: action.social.variety.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Documents
  capability_group: action.social
  capability_id: action.social.vector.Documents
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Instant messaging
  capability_group: action.social
  capability_id: action.social.vector.IM
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: In-person
  capability_group: action.social
  capability_id: action.social.vector.In-person
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Phone
  capability_group: action.social
  capability_id: action.social.vector.Phone
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Removable storage media
  capability_group: action.social
  capability_id: action.social.vector.Removable media
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: SMS or texting
  capability_group: action.social
  capability_id: action.social.vector.SMS
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Social media or networking
  capability_group: action.social
  capability_id: action.social.vector.Social media
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Software
  capability_group: action.social
  capability_id: action.social.vector.Software
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Website
  capability_group: action.social
  capability_id: action.social.vector.Website
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.social
  capability_id: action.social.vector.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.social
  capability_id: action.social.vector.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Auditor
  capability_group: action.social
  capability_id: action.social.target.Auditor
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Call center staff
  capability_group: action.social
  capability_id: action.social.target.Call center
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Cashier, teller or waiter
  capability_group: action.social
  capability_id: action.social.target.Cashier
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Customer (B2C)
  capability_group: action.social
  capability_id: action.social.target.Customer
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Software developer
  capability_group: action.social
  capability_id: action.social.target.Developer
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: End-user of the victim's products and/or services. Child
    of 'End-user or employee'
  capability_group: action.social
  capability_id: action.social.target.End-user
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: End-user or regular employee not otherwise listed. Parent
    of 'End-user' or 'Other employee'
  capability_group: action.social
  capability_id: action.social.target.End-user or employee
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Senior staff with legal responsibility such as board members
    and corporate officers
  capability_group: action.social
  capability_id: action.social.target.Executive
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Finance or accounting staff
  capability_group: action.social
  capability_id: action.social.target.Finance
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Former employee
  capability_group: action.social
  capability_id: action.social.target.Former employee
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Security guard
  capability_group: action.social
  capability_id: action.social.target.Guard
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Helpdesk staff
  capability_group: action.social
  capability_id: action.social.target.Helpdesk
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Human resources staff
  capability_group: action.social
  capability_id: action.social.target.Human resources
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Maintenance or janitorial staff
  capability_group: action.social
  capability_id: action.social.target.Maintenance
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Manager or supervisor
  capability_group: action.social
  capability_id: action.social.target.Manager
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Regular employee not otherwise listed. Child of 'End-user
    or employee'
  capability_group: action.social
  capability_id: action.social.target.Other employee
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Partner (B2B)
  capability_group: action.social
  capability_id: action.social.target.Partner
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: System or network administrator
  capability_group: action.social
  capability_id: action.social.target.System admin
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: action.social
  capability_id: action.social.target.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Unknown
  capability_group: action.social
  capability_id: action.social.target.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The social action resulted in additional security access
  capability_group: action.social
  capability_id: action.social.result.Infiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The social action exfiltrated data from the victim
  capability_group: action.social
  capability_id: action.social.result.Exfiltrate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The social action resulted in additional security permissions
  capability_group: action.social
  capability_id: action.social.result.Elevate
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The social action used security access or permissions already
    acquired
  capability_group: action.social
  capability_id: action.social.result.Lateral movement
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: e.g. cryptomining, ransomware, etc
  capability_group: action.social
  capability_id: action.social.result.Deploy payload
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the social action is not listed
  capability_group: action.social
  capability_id: action.social.result.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The result of the social action is unknown
  capability_group: action.social
  capability_id: action.social.result.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The social action did not have a result
  capability_group: action.social
  capability_id: action.social.result.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Initiate fraudulent transaction
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Fraudulent transaction
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Hardware tampering or physical alteration
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Hardware tampering
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Software installation or code modification
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Software installation
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Other
  capability_group: attribute.integrity
  capability_id: attribute.integrity.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: No type of development was necessary
  capability_group: value_chain.development
  capability_id: value_chain.development.variety.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Command and control. Separate from distribution of malware
    or bots, this is how they are maintained
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.C2
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Services for testing if malware is detected by anti-virus
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Counter AV
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: DNS services including fast flux
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.DNS
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Something kept in the custody of a third party until a condition
    has been fulfilled.
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Escrow
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: i.e. converting hashes into the text that produce them
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Hashcracking
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Use of a marketplace was required as part of this incident.
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Marketplace
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: A proxy service (either formally or informally hosted) is
    used by the actor to obscure their source
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Proxy
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: A VPN service (either formally or informally hosted) is
    used by the actor to obscure their source
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.VPN
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: No type of non-distribution service was necessary
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Nothing is known about the need for or type of non-distribution
    service investment other than it was present.
  capability_group: value_chain.non-distribution_services
  capability_id: value_chain.non-distribution services.variety.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Credentials the system came with
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Default credentials
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Knowledge of system misconfigurations used to pick an organization
    as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Misconfigurations
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The actor used access to a partner to target the victim.
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Partner
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Knowledge of software vulnerabilities, both at an organization
    or associated with a specific vendor's product, used to pick them as a target.
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Vulnerabilities
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Knowledge of weaknesses other than vulnerability and misconfigurations
    used to pick an organization as a target
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Weaknesses
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: No type of targeting was necessary. (This includes targeted.Targeted
    since the victim was chosen without targeting.)
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The variety of targeting was known, but is not listed
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Other
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Nothing is known about the need for or type of targeting
    investment other than it was present.
  capability_group: value_chain.targeting
  capability_id: value_chain.targeting.variety.Unknown
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Distributed directly from the actor's computer
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Direct
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Distribution by email including anonymous/one time and spam
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Email
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: malware that loads other malware
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Loader
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: The actor distributed the attack to the victim through a
    partner, (i.e. supply chain attack).
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Partner
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: Distribution over the Plain Old Telephone System (POTS).
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.Phone
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: No type of distribution was necessary
  capability_group: value_chain.distribution
  capability_id: value_chain.distribution.variety.NA
  comments: ''
  mapping_type: non_mappable
  references: null
- attack_object_id: null
  attack_object_name: null
  capability_description: ''
  capability_group: attribute.confidentiality
  capability_id: attribute.confidentiality.data_disclosure
  comments: ''
  mapping_type: non_mappable
  references: null
# File-level metadata for this mapping set: VERIS capabilities (framework
# version 1.3.5) mapped to ATT&CK enterprise techniques (ATT&CK version 9.0).
metadata:
  # Quoted so the version loads as a string rather than a float.
  attack_version: '9.0'
  # author, contact and organization are empty, so the file itself records no
  # provenance for these mappings.
  author: ''
  # Capability group id -> display name; every display name here simply
  # repeats its id.
  capability_groups:
    action.hacking: action.hacking
    action.malware: action.malware
    action.misuse: action.misuse
    action.social: action.social
    attribute.confidentiality: attribute.confidentiality
    attribute.integrity: attribute.integrity
    value_chain.development: value_chain.development
    value_chain.distribution: value_chain.distribution
    # NOTE(review): this key uses an underscore, while the capability_id values
    # of the entries in this group spell the same segment with a space
    # ("value_chain.non-distribution services.variety.C2"). A consumer that
    # derives the group from the capability_id prefix will not match this key
    # unless it normalises the separator.
    value_chain.non-distribution_services: value_chain.non-distribution_services
    value_chain.targeting: value_chain.targeting
  contact: ''
  # Both dates are unquoted MM/DD/YYYY values. They are not in ISO form, so
  # they load as plain strings and consumers have to parse them explicitly.
  creation_date: 08/26/2021
  last_update: 08/26/2021
  mapping_framework: veris
  # Unquoted, unlike attack_version and mapping_version. The three-part value
  # loads as a string, but a two-part version would be read as a float.
  mapping_framework_version: 1.3.5
  # NOTE(review): only related_to is declared here, yet entries in
  # mapping_objects also carry mapping_type: non_mappable (with null
  # attack_object_id and attack_object_name). Confirm that the consumer treats
  # non_mappable as a built-in status rather than validating mapping_type
  # against this table.
  mapping_types:
    related_to:
      description: ''
      name: related-to
  mapping_version: '1.9'
  organization: ''
  technology_domain: enterprise
