| AC-10 |
Concurrent Session Control |
Protects |
T1137 |
Office Application Startup |
| AC-10 |
Concurrent Session Control |
Protects |
T1137.002 |
Office Test |
| AC-10 |
Concurrent Session Control |
Protects |
T1528 |
Steal Application Access Token |
| AC-11 |
Device Lock |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-11 |
Device Lock |
Protects |
T1563.002 |
RDP Hijacking |
| AC-12 |
Session Termination |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-12 |
Session Termination |
Protects |
T1072 |
Software Deployment Tools |
| AC-12 |
Session Termination |
Protects |
T1563.002 |
RDP Hijacking |
| AC-14 |
Permitted Actions Without Identification or Authentication |
Protects |
T1137.002 |
Office Test |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1003 |
OS Credential Dumping |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1003.003 |
NTDS |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1020.001 |
Traffic Duplication |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1040 |
Network Sniffing |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1070 |
Indicator Removal on Host |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1114 |
Email Collection |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1114.001 |
Local Email Collection |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1114.002 |
Remote Email Collection |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1114.003 |
Email Forwarding Rule |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1119 |
Automated Collection |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1213 |
Data from Information Repositories |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1213.001 |
Confluence |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1213.002 |
Sharepoint |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1222 |
File and Directory Permissions Modification |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1547.007 |
Re-opened Applications |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1547.011 |
Plist Modification |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1550.001 |
Application Access Token |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1552 |
Unsecured Credentials |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1552.004 |
Private Keys |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1557 |
Man-in-the-Middle |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1558.002 |
Silver Ticket |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1558.003 |
Kerberoasting |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1564.004 |
NTFS File Attributes |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1565 |
Data Manipulation |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1602 |
Data from Configuration Repository |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-16 |
Security and Privacy Attributes |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-17 |
Remote Access |
Protects |
T1020.001 |
Traffic Duplication |
| AC-17 |
Remote Access |
Protects |
T1021 |
Remote Services |
| AC-17 |
Remote Access |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-17 |
Remote Access |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-17 |
Remote Access |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-17 |
Remote Access |
Protects |
T1021.004 |
SSH |
| AC-17 |
Remote Access |
Protects |
T1021.005 |
VNC |
| AC-17 |
Remote Access |
Protects |
T1021.006 |
Windows Remote Management |
| AC-17 |
Remote Access |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| AC-17 |
Remote Access |
Protects |
T1037.001 |
Logon Script (Windows) |
| AC-17 |
Remote Access |
Protects |
T1040 |
Network Sniffing |
| AC-17 |
Remote Access |
Protects |
T1047 |
Windows Management Instrumentation |
| AC-17 |
Remote Access |
Protects |
T1070 |
Indicator Removal on Host |
| AC-17 |
Remote Access |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-17 |
Remote Access |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-17 |
Remote Access |
Protects |
T1114 |
Email Collection |
| AC-17 |
Remote Access |
Protects |
T1114.001 |
Local Email Collection |
| AC-17 |
Remote Access |
Protects |
T1114.002 |
Remote Email Collection |
| AC-17 |
Remote Access |
Protects |
T1114.003 |
Email Forwarding Rule |
| AC-17 |
Remote Access |
Protects |
T1119 |
Automated Collection |
| AC-17 |
Remote Access |
Protects |
T1133 |
External Remote Services |
| AC-17 |
Remote Access |
Protects |
T1137 |
Office Application Startup |
| AC-17 |
Remote Access |
Protects |
T1137.002 |
Office Test |
| AC-17 |
Remote Access |
Protects |
T1213 |
Data from Information Repositories |
| AC-17 |
Remote Access |
Protects |
T1213.001 |
Confluence |
| AC-17 |
Remote Access |
Protects |
T1213.002 |
Sharepoint |
| AC-17 |
Remote Access |
Protects |
T1219 |
Remote Access Software |
| AC-17 |
Remote Access |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-17 |
Remote Access |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-17 |
Remote Access |
Protects |
T1543 |
Create or Modify System Process |
| AC-17 |
Remote Access |
Protects |
T1543.003 |
Windows Service |
| AC-17 |
Remote Access |
Protects |
T1547.003 |
Time Providers |
| AC-17 |
Remote Access |
Protects |
T1547.004 |
Winlogon Helper DLL |
| AC-17 |
Remote Access |
Protects |
T1547.009 |
Shortcut Modification |
| AC-17 |
Remote Access |
Protects |
T1547.011 |
Plist Modification |
| AC-17 |
Remote Access |
Protects |
T1547.012 |
Print Processors |
| AC-17 |
Remote Access |
Protects |
T1547.013 |
XDG Autostart Entries |
| AC-17 |
Remote Access |
Protects |
T1550.001 |
Application Access Token |
| AC-17 |
Remote Access |
Protects |
T1552 |
Unsecured Credentials |
| AC-17 |
Remote Access |
Protects |
T1552.002 |
Credentials in Registry |
| AC-17 |
Remote Access |
Protects |
T1552.004 |
Private Keys |
| AC-17 |
Remote Access |
Protects |
T1552.007 |
Container API |
| AC-17 |
Remote Access |
Protects |
T1557 |
Man-in-the-Middle |
| AC-17 |
Remote Access |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-17 |
Remote Access |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-17 |
Remote Access |
Protects |
T1558.002 |
Silver Ticket |
| AC-17 |
Remote Access |
Protects |
T1558.003 |
Kerberoasting |
| AC-17 |
Remote Access |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-17 |
Remote Access |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-17 |
Remote Access |
Protects |
T1563.001 |
SSH Hijacking |
| AC-17 |
Remote Access |
Protects |
T1563.002 |
RDP Hijacking |
| AC-17 |
Remote Access |
Protects |
T1565 |
Data Manipulation |
| AC-17 |
Remote Access |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-17 |
Remote Access |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| AC-17 |
Remote Access |
Protects |
T1602 |
Data from Configuration Repository |
| AC-17 |
Remote Access |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-17 |
Remote Access |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-17 |
Remote Access |
Protects |
T1609 |
Container Administration Command |
| AC-17 |
Remote Access |
Protects |
T1610 |
Deploy Container |
| AC-17 |
Remote Access |
Protects |
T1612 |
Build Image on Host |
| AC-17 |
Remote Access |
Protects |
T1613 |
Container and Resource Discovery |
| AC-18 |
Wireless Access |
Protects |
T1011 |
Exfiltration Over Other Network Medium |
| AC-18 |
Wireless Access |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| AC-18 |
Wireless Access |
Protects |
T1020.001 |
Traffic Duplication |
| AC-18 |
Wireless Access |
Protects |
T1040 |
Network Sniffing |
| AC-18 |
Wireless Access |
Protects |
T1070 |
Indicator Removal on Host |
| AC-18 |
Wireless Access |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-18 |
Wireless Access |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-18 |
Wireless Access |
Protects |
T1119 |
Automated Collection |
| AC-18 |
Wireless Access |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-18 |
Wireless Access |
Protects |
T1552 |
Unsecured Credentials |
| AC-18 |
Wireless Access |
Protects |
T1552.004 |
Private Keys |
| AC-18 |
Wireless Access |
Protects |
T1557 |
Man-in-the-Middle |
| AC-18 |
Wireless Access |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-18 |
Wireless Access |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-18 |
Wireless Access |
Protects |
T1558.002 |
Silver Ticket |
| AC-18 |
Wireless Access |
Protects |
T1558.003 |
Kerberoasting |
| AC-18 |
Wireless Access |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-18 |
Wireless Access |
Protects |
T1565 |
Data Manipulation |
| AC-18 |
Wireless Access |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-18 |
Wireless Access |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| AC-18 |
Wireless Access |
Protects |
T1602 |
Data from Configuration Repository |
| AC-18 |
Wireless Access |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-18 |
Wireless Access |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1020.001 |
Traffic Duplication |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1040 |
Network Sniffing |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1070 |
Indicator Removal on Host |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1114 |
Email Collection |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1114.001 |
Local Email Collection |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1114.002 |
Remote Email Collection |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1114.003 |
Email Forwarding Rule |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1119 |
Automated Collection |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1550.001 |
Application Access Token |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1552 |
Unsecured Credentials |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1552.004 |
Private Keys |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1557 |
Man-in-the-Middle |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1558.002 |
Silver Ticket |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1558.003 |
Kerberoasting |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1565 |
Data Manipulation |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1602 |
Data from Configuration Repository |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-19 |
Access Control for Mobile Devices |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-2 |
Account Management |
Protects |
T1003 |
OS Credential Dumping |
| AC-2 |
Account Management |
Protects |
T1003.001 |
LSASS Memory |
| AC-2 |
Account Management |
Protects |
T1003.002 |
Security Account Manager |
| AC-2 |
Account Management |
Protects |
T1003.003 |
NTDS |
| AC-2 |
Account Management |
Protects |
T1003.004 |
LSA Secrets |
| AC-2 |
Account Management |
Protects |
T1003.005 |
Cached Domain Credentials |
| AC-2 |
Account Management |
Protects |
T1003.006 |
DCSync |
| AC-2 |
Account Management |
Protects |
T1003.007 |
Proc Filesystem |
| AC-2 |
Account Management |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| AC-2 |
Account Management |
Protects |
T1021 |
Remote Services |
| AC-2 |
Account Management |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-2 |
Account Management |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-2 |
Account Management |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-2 |
Account Management |
Protects |
T1021.004 |
SSH |
| AC-2 |
Account Management |
Protects |
T1021.005 |
VNC |
| AC-2 |
Account Management |
Protects |
T1021.006 |
Windows Remote Management |
| AC-2 |
Account Management |
Protects |
T1036 |
Masquerading |
| AC-2 |
Account Management |
Protects |
T1036.003 |
Rename System Utilities |
| AC-2 |
Account Management |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| AC-2 |
Account Management |
Protects |
T1047 |
Windows Management Instrumentation |
| AC-2 |
Account Management |
Protects |
T1053 |
Scheduled Task/Job |
| AC-2 |
Account Management |
Protects |
T1053.001 |
At (Linux) |
| AC-2 |
Account Management |
Protects |
T1053.002 |
At (Windows) |
| AC-2 |
Account Management |
Protects |
T1053.003 |
Cron |
| AC-2 |
Account Management |
Protects |
T1053.004 |
Launchd |
| AC-2 |
Account Management |
Protects |
T1053.005 |
Scheduled Task |
| AC-2 |
Account Management |
Protects |
T1053.006 |
Systemd Timers |
| AC-2 |
Account Management |
Protects |
T1053.007 |
Container Orchestration Job |
| AC-2 |
Account Management |
Protects |
T1055 |
Process Injection |
| AC-2 |
Account Management |
Protects |
T1055.008 |
Ptrace System Calls |
| AC-2 |
Account Management |
Protects |
T1056.003 |
Web Portal Capture |
| AC-2 |
Account Management |
Protects |
T1059 |
Command and Scripting Interpreter |
| AC-2 |
Account Management |
Protects |
T1059.001 |
PowerShell |
| AC-2 |
Account Management |
Protects |
T1059.008 |
Network Device CLI |
| AC-2 |
Account Management |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| AC-2 |
Account Management |
Protects |
T1070 |
Indicator Removal on Host |
| AC-2 |
Account Management |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-2 |
Account Management |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-2 |
Account Management |
Protects |
T1070.003 |
Clear Command History |
| AC-2 |
Account Management |
Protects |
T1072 |
Software Deployment Tools |
| AC-2 |
Account Management |
Protects |
T1078 |
Valid Accounts |
| AC-2 |
Account Management |
Protects |
T1078.001 |
Default Accounts |
| AC-2 |
Account Management |
Protects |
T1078.002 |
Domain Accounts |
| AC-2 |
Account Management |
Protects |
T1078.003 |
Local Accounts |
| AC-2 |
Account Management |
Protects |
T1078.004 |
Cloud Accounts |
| AC-2 |
Account Management |
Protects |
T1087.004 |
Cloud Account |
| AC-2 |
Account Management |
Protects |
T1098 |
Account Manipulation |
| AC-2 |
Account Management |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-2 |
Account Management |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| AC-2 |
Account Management |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| AC-2 |
Account Management |
Protects |
T1110 |
Brute Force |
| AC-2 |
Account Management |
Protects |
T1110.001 |
Password Guessing |
| AC-2 |
Account Management |
Protects |
T1110.002 |
Password Cracking |
| AC-2 |
Account Management |
Protects |
T1110.003 |
Password Spraying |
| AC-2 |
Account Management |
Protects |
T1110.004 |
Credential Stuffing |
| AC-2 |
Account Management |
Protects |
T1134 |
Access Token Manipulation |
| AC-2 |
Account Management |
Protects |
T1134.001 |
Token Impersonation/Theft |
| AC-2 |
Account Management |
Protects |
T1134.002 |
Create Process with Token |
| AC-2 |
Account Management |
Protects |
T1134.003 |
Make and Impersonate Token |
| AC-2 |
Account Management |
Protects |
T1136 |
Create Account |
| AC-2 |
Account Management |
Protects |
T1136.001 |
Local Account |
| AC-2 |
Account Management |
Protects |
T1136.002 |
Domain Account |
| AC-2 |
Account Management |
Protects |
T1136.003 |
Cloud Account |
| AC-2 |
Account Management |
Protects |
T1185 |
Man in the Browser |
| AC-2 |
Account Management |
Protects |
T1190 |
Exploit Public-Facing Application |
| AC-2 |
Account Management |
Protects |
T1197 |
BITS Jobs |
| AC-2 |
Account Management |
Protects |
T1210 |
Exploitation of Remote Services |
| AC-2 |
Account Management |
Protects |
T1212 |
Exploitation for Credential Access |
| AC-2 |
Account Management |
Protects |
T1213 |
Data from Information Repositories |
| AC-2 |
Account Management |
Protects |
T1213.001 |
Confluence |
| AC-2 |
Account Management |
Protects |
T1213.002 |
Sharepoint |
| AC-2 |
Account Management |
Protects |
T1218 |
Signed Binary Proxy Execution |
| AC-2 |
Account Management |
Protects |
T1218.007 |
Msiexec |
| AC-2 |
Account Management |
Protects |
T1222 |
File and Directory Permissions Modification |
| AC-2 |
Account Management |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| AC-2 |
Account Management |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| AC-2 |
Account Management |
Protects |
T1484 |
Domain Policy Modification |
| AC-2 |
Account Management |
Protects |
T1489 |
Service Stop |
| AC-2 |
Account Management |
Protects |
T1495 |
Firmware Corruption |
| AC-2 |
Account Management |
Protects |
T1505 |
Server Software Component |
| AC-2 |
Account Management |
Protects |
T1505.001 |
SQL Stored Procedures |
| AC-2 |
Account Management |
Protects |
T1505.002 |
Transport Agent |
| AC-2 |
Account Management |
Protects |
T1525 |
Implant Internal Image |
| AC-2 |
Account Management |
Protects |
T1528 |
Steal Application Access Token |
| AC-2 |
Account Management |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-2 |
Account Management |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-2 |
Account Management |
Protects |
T1538 |
Cloud Service Dashboard |
| AC-2 |
Account Management |
Protects |
T1542 |
Pre-OS Boot |
| AC-2 |
Account Management |
Protects |
T1542.001 |
System Firmware |
| AC-2 |
Account Management |
Protects |
T1542.003 |
Bootkit |
| AC-2 |
Account Management |
Protects |
T1542.005 |
TFTP Boot |
| AC-2 |
Account Management |
Protects |
T1543 |
Create or Modify System Process |
| AC-2 |
Account Management |
Protects |
T1543.001 |
Launch Agent |
| AC-2 |
Account Management |
Protects |
T1543.002 |
Systemd Service |
| AC-2 |
Account Management |
Protects |
T1543.003 |
Windows Service |
| AC-2 |
Account Management |
Protects |
T1543.004 |
Launch Daemon |
| AC-2 |
Account Management |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| AC-2 |
Account Management |
Protects |
T1547.004 |
Winlogon Helper DLL |
| AC-2 |
Account Management |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| AC-2 |
Account Management |
Protects |
T1547.009 |
Shortcut Modification |
| AC-2 |
Account Management |
Protects |
T1547.012 |
Print Processors |
| AC-2 |
Account Management |
Protects |
T1547.013 |
XDG Autostart Entries |
| AC-2 |
Account Management |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| AC-2 |
Account Management |
Protects |
T1548.002 |
Bypass User Account Control |
| AC-2 |
Account Management |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| AC-2 |
Account Management |
Protects |
T1550 |
Use Alternate Authentication Material |
| AC-2 |
Account Management |
Protects |
T1550.002 |
Pass the Hash |
| AC-2 |
Account Management |
Protects |
T1550.003 |
Pass the Ticket |
| AC-2 |
Account Management |
Protects |
T1552 |
Unsecured Credentials |
| AC-2 |
Account Management |
Protects |
T1552.001 |
Credentials In Files |
| AC-2 |
Account Management |
Protects |
T1552.002 |
Credentials in Registry |
| AC-2 |
Account Management |
Protects |
T1552.004 |
Private Keys |
| AC-2 |
Account Management |
Protects |
T1552.006 |
Group Policy Preferences |
| AC-2 |
Account Management |
Protects |
T1552.007 |
Container API |
| AC-2 |
Account Management |
Protects |
T1556 |
Modify Authentication Process |
| AC-2 |
Account Management |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-2 |
Account Management |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-2 |
Account Management |
Protects |
T1556.004 |
Network Device Authentication |
| AC-2 |
Account Management |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-2 |
Account Management |
Protects |
T1558.001 |
Golden Ticket |
| AC-2 |
Account Management |
Protects |
T1558.002 |
Silver Ticket |
| AC-2 |
Account Management |
Protects |
T1558.003 |
Kerberoasting |
| AC-2 |
Account Management |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-2 |
Account Management |
Protects |
T1559 |
Inter-Process Communication |
| AC-2 |
Account Management |
Protects |
T1559.001 |
Component Object Model |
| AC-2 |
Account Management |
Protects |
T1562 |
Impair Defenses |
| AC-2 |
Account Management |
Protects |
T1562.001 |
Disable or Modify Tools |
| AC-2 |
Account Management |
Protects |
T1562.002 |
Disable Windows Event Logging |
| AC-2 |
Account Management |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| AC-2 |
Account Management |
Protects |
T1562.006 |
Indicator Blocking |
| AC-2 |
Account Management |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| AC-2 |
Account Management |
Protects |
T1562.008 |
Disable Cloud Logs |
| AC-2 |
Account Management |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-2 |
Account Management |
Protects |
T1563.001 |
SSH Hijacking |
| AC-2 |
Account Management |
Protects |
T1563.002 |
RDP Hijacking |
| AC-2 |
Account Management |
Protects |
T1569 |
System Services |
| AC-2 |
Account Management |
Protects |
T1569.001 |
Launchctl |
| AC-2 |
Account Management |
Protects |
T1569.002 |
Service Execution |
| AC-2 |
Account Management |
Protects |
T1574 |
Hijack Execution Flow |
| AC-2 |
Account Management |
Protects |
T1574.004 |
Dylib Hijacking |
| AC-2 |
Account Management |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| AC-2 |
Account Management |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| AC-2 |
Account Management |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| AC-2 |
Account Management |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| AC-2 |
Account Management |
Protects |
T1574.010 |
Services File Permissions Weakness |
| AC-2 |
Account Management |
Protects |
T1574.012 |
COR_PROFILER |
| AC-2 |
Account Management |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| AC-2 |
Account Management |
Protects |
T1578.001 |
Create Snapshot |
| AC-2 |
Account Management |
Protects |
T1578.002 |
Create Cloud Instance |
| AC-2 |
Account Management |
Protects |
T1578.003 |
Delete Cloud Instance |
| AC-2 |
Account Management |
Protects |
T1580 |
Cloud Infrastructure Discovery |
| AC-2 |
Account Management |
Protects |
T1599 |
Network Boundary Bridging |
| AC-2 |
Account Management |
Protects |
T1599.001 |
Network Address Translation Traversal |
| AC-2 |
Account Management |
Protects |
T1601 |
Modify System Image |
| AC-2 |
Account Management |
Protects |
T1601.001 |
Patch System Image |
| AC-2 |
Account Management |
Protects |
T1601.002 |
Downgrade System Image |
| AC-2 |
Account Management |
Protects |
T1609 |
Container Administration Command |
| AC-2 |
Account Management |
Protects |
T1610 |
Deploy Container |
| AC-2 |
Account Management |
Protects |
T1611 |
Escape to Host |
| AC-2 |
Account Management |
Protects |
T1612 |
Build Image on Host |
| AC-2 |
Account Management |
Protects |
T1613 |
Container and Resource Discovery |
| AC-20 |
Use of External Systems |
Protects |
T1020.001 |
Traffic Duplication |
| AC-20 |
Use of External Systems |
Protects |
T1021 |
Remote Services |
| AC-20 |
Use of External Systems |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-20 |
Use of External Systems |
Protects |
T1021.004 |
SSH |
| AC-20 |
Use of External Systems |
Protects |
T1072 |
Software Deployment Tools |
| AC-20 |
Use of External Systems |
Protects |
T1078.002 |
Domain Accounts |
| AC-20 |
Use of External Systems |
Protects |
T1078.004 |
Cloud Accounts |
| AC-20 |
Use of External Systems |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-20 |
Use of External Systems |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| AC-20 |
Use of External Systems |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| AC-20 |
Use of External Systems |
Protects |
T1110 |
Brute Force |
| AC-20 |
Use of External Systems |
Protects |
T1110.001 |
Password Guessing |
| AC-20 |
Use of External Systems |
Protects |
T1110.002 |
Password Cracking |
| AC-20 |
Use of External Systems |
Protects |
T1110.003 |
Password Spraying |
| AC-20 |
Use of External Systems |
Protects |
T1110.004 |
Credential Stuffing |
| AC-20 |
Use of External Systems |
Protects |
T1114 |
Email Collection |
| AC-20 |
Use of External Systems |
Protects |
T1114.001 |
Local Email Collection |
| AC-20 |
Use of External Systems |
Protects |
T1114.002 |
Remote Email Collection |
| AC-20 |
Use of External Systems |
Protects |
T1114.003 |
Email Forwarding Rule |
| AC-20 |
Use of External Systems |
Protects |
T1119 |
Automated Collection |
| AC-20 |
Use of External Systems |
Protects |
T1133 |
External Remote Services |
| AC-20 |
Use of External Systems |
Protects |
T1134.005 |
SID-History Injection |
| AC-20 |
Use of External Systems |
Protects |
T1136 |
Create Account |
| AC-20 |
Use of External Systems |
Protects |
T1136.001 |
Local Account |
| AC-20 |
Use of External Systems |
Protects |
T1136.002 |
Domain Account |
| AC-20 |
Use of External Systems |
Protects |
T1136.003 |
Cloud Account |
| AC-20 |
Use of External Systems |
Protects |
T1200 |
Hardware Additions |
| AC-20 |
Use of External Systems |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-20 |
Use of External Systems |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-20 |
Use of External Systems |
Protects |
T1539 |
Steal Web Session Cookie |
| AC-20 |
Use of External Systems |
Protects |
T1550.001 |
Application Access Token |
| AC-20 |
Use of External Systems |
Protects |
T1552 |
Unsecured Credentials |
| AC-20 |
Use of External Systems |
Protects |
T1552.004 |
Private Keys |
| AC-20 |
Use of External Systems |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| AC-20 |
Use of External Systems |
Protects |
T1556 |
Modify Authentication Process |
| AC-20 |
Use of External Systems |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-20 |
Use of External Systems |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-20 |
Use of External Systems |
Protects |
T1556.004 |
Network Device Authentication |
| AC-20 |
Use of External Systems |
Protects |
T1557 |
Man-in-the-Middle |
| AC-20 |
Use of External Systems |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-20 |
Use of External Systems |
Protects |
T1565 |
Data Manipulation |
| AC-20 |
Use of External Systems |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-20 |
Use of External Systems |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| AC-20 |
Use of External Systems |
Protects |
T1567 |
Exfiltration Over Web Service |
| AC-20 |
Use of External Systems |
Protects |
T1567.001 |
Exfiltration to Code Repository |
| AC-20 |
Use of External Systems |
Protects |
T1567.002 |
Exfiltration to Cloud Storage |
| AC-20 |
Use of External Systems |
Protects |
T1602 |
Data from Configuration Repository |
| AC-20 |
Use of External Systems |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-20 |
Use of External Systems |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-21 |
Information Sharing |
Protects |
T1213 |
Data from Information Repositories |
| AC-21 |
Information Sharing |
Protects |
T1213.001 |
Confluence |
| AC-21 |
Information Sharing |
Protects |
T1213.002 |
Sharepoint |
| AC-23 |
Data Mining Protection |
Protects |
T1133 |
External Remote Services |
| AC-23 |
Data Mining Protection |
Protects |
T1213 |
Data from Information Repositories |
| AC-23 |
Data Mining Protection |
Protects |
T1213.001 |
Confluence |
| AC-23 |
Data Mining Protection |
Protects |
T1213.002 |
Sharepoint |
| AC-23 |
Data Mining Protection |
Protects |
T1552.007 |
Container API |
| AC-3 |
Access Enforcement |
Protects |
T1003 |
OS Credential Dumping |
| AC-3 |
Access Enforcement |
Protects |
T1003.001 |
LSASS Memory |
| AC-3 |
Access Enforcement |
Protects |
T1003.002 |
Security Account Manager |
| AC-3 |
Access Enforcement |
Protects |
T1003.003 |
NTDS |
| AC-3 |
Access Enforcement |
Protects |
T1003.004 |
LSA Secrets |
| AC-3 |
Access Enforcement |
Protects |
T1003.005 |
Cached Domain Credentials |
| AC-3 |
Access Enforcement |
Protects |
T1003.006 |
DCSync |
| AC-3 |
Access Enforcement |
Protects |
T1003.007 |
Proc Filesystem |
| AC-3 |
Access Enforcement |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| AC-3 |
Access Enforcement |
Protects |
T1021 |
Remote Services |
| AC-3 |
Access Enforcement |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-3 |
Access Enforcement |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-3 |
Access Enforcement |
Protects |
T1021.004 |
SSH |
| AC-3 |
Access Enforcement |
Protects |
T1021.005 |
VNC |
| AC-3 |
Access Enforcement |
Protects |
T1021.006 |
Windows Remote Management |
| AC-3 |
Access Enforcement |
Protects |
T1036 |
Masquerading |
| AC-3 |
Access Enforcement |
Protects |
T1036.003 |
Rename System Utilities |
| AC-3 |
Access Enforcement |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| AC-3 |
Access Enforcement |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| AC-3 |
Access Enforcement |
Protects |
T1037.002 |
Logon Script (Mac) |
| AC-3 |
Access Enforcement |
Protects |
T1037.003 |
Network Logon Script |
| AC-3 |
Access Enforcement |
Protects |
T1037.004 |
RC Scripts |
| AC-3 |
Access Enforcement |
Protects |
T1037.005 |
Startup Items |
| AC-3 |
Access Enforcement |
Protects |
T1047 |
Windows Management Instrumentation |
| AC-3 |
Access Enforcement |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| AC-3 |
Access Enforcement |
Protects |
T1052.001 |
Exfiltration over USB |
| AC-3 |
Access Enforcement |
Protects |
T1053 |
Scheduled Task/Job |
| AC-3 |
Access Enforcement |
Protects |
T1053.001 |
At (Linux) |
| AC-3 |
Access Enforcement |
Protects |
T1053.002 |
At (Windows) |
| AC-3 |
Access Enforcement |
Protects |
T1053.003 |
Cron |
| AC-3 |
Access Enforcement |
Protects |
T1053.004 |
Launchd |
| AC-3 |
Access Enforcement |
Protects |
T1053.005 |
Scheduled Task |
| AC-3 |
Access Enforcement |
Protects |
T1053.006 |
Systemd Timers |
| AC-3 |
Access Enforcement |
Protects |
T1053.007 |
Container Orchestration Job |
| AC-3 |
Access Enforcement |
Protects |
T1055 |
Process Injection |
| AC-3 |
Access Enforcement |
Protects |
T1055.008 |
Ptrace System Calls |
| AC-3 |
Access Enforcement |
Protects |
T1055.009 |
Proc Memory |
| AC-3 |
Access Enforcement |
Protects |
T1056.003 |
Web Portal Capture |
| AC-3 |
Access Enforcement |
Protects |
T1059 |
Command and Scripting Interpreter |
| AC-3 |
Access Enforcement |
Protects |
T1059.001 |
PowerShell |
| AC-3 |
Access Enforcement |
Protects |
T1059.008 |
Network Device CLI |
| AC-3 |
Access Enforcement |
Protects |
T1070 |
Indicator Removal on Host |
| AC-3 |
Access Enforcement |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-3 |
Access Enforcement |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-3 |
Access Enforcement |
Protects |
T1070.003 |
Clear Command History |
| AC-3 |
Access Enforcement |
Protects |
T1071.004 |
DNS |
| AC-3 |
Access Enforcement |
Protects |
T1072 |
Software Deployment Tools |
| AC-3 |
Access Enforcement |
Protects |
T1078 |
Valid Accounts |
| AC-3 |
Access Enforcement |
Protects |
T1078.002 |
Domain Accounts |
| AC-3 |
Access Enforcement |
Protects |
T1078.003 |
Local Accounts |
| AC-3 |
Access Enforcement |
Protects |
T1078.004 |
Cloud Accounts |
| AC-3 |
Access Enforcement |
Protects |
T1080 |
Taint Shared Content |
| AC-3 |
Access Enforcement |
Protects |
T1087.004 |
Cloud Account |
| AC-3 |
Access Enforcement |
Protects |
T1090 |
Proxy |
| AC-3 |
Access Enforcement |
Protects |
T1090.003 |
Multi-hop Proxy |
| AC-3 |
Access Enforcement |
Protects |
T1091 |
Replication Through Removable Media |
| AC-3 |
Access Enforcement |
Protects |
T1095 |
Non-Application Layer Protocol |
| AC-3 |
Access Enforcement |
Protects |
T1098 |
Account Manipulation |
| AC-3 |
Access Enforcement |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-3 |
Access Enforcement |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| AC-3 |
Access Enforcement |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| AC-3 |
Access Enforcement |
Protects |
T1098.004 |
SSH Authorized Keys |
| AC-3 |
Access Enforcement |
Protects |
T1110 |
Brute Force |
| AC-3 |
Access Enforcement |
Protects |
T1110.001 |
Password Guessing |
| AC-3 |
Access Enforcement |
Protects |
T1110.002 |
Password Cracking |
| AC-3 |
Access Enforcement |
Protects |
T1110.003 |
Password Spraying |
| AC-3 |
Access Enforcement |
Protects |
T1110.004 |
Credential Stuffing |
| AC-3 |
Access Enforcement |
Protects |
T1114 |
Email Collection |
| AC-3 |
Access Enforcement |
Protects |
T1114.002 |
Remote Email Collection |
| AC-3 |
Access Enforcement |
Protects |
T1133 |
External Remote Services |
| AC-3 |
Access Enforcement |
Protects |
T1134 |
Access Token Manipulation |
| AC-3 |
Access Enforcement |
Protects |
T1134.001 |
Token Impersonation/Theft |
| AC-3 |
Access Enforcement |
Protects |
T1134.002 |
Create Process with Token |
| AC-3 |
Access Enforcement |
Protects |
T1134.003 |
Make and Impersonate Token |
| AC-3 |
Access Enforcement |
Protects |
T1134.005 |
SID-History Injection |
| AC-3 |
Access Enforcement |
Protects |
T1136 |
Create Account |
| AC-3 |
Access Enforcement |
Protects |
T1136.001 |
Local Account |
| AC-3 |
Access Enforcement |
Protects |
T1136.002 |
Domain Account |
| AC-3 |
Access Enforcement |
Protects |
T1136.003 |
Cloud Account |
| AC-3 |
Access Enforcement |
Protects |
T1185 |
Man in the Browser |
| AC-3 |
Access Enforcement |
Protects |
T1187 |
Forced Authentication |
| AC-3 |
Access Enforcement |
Protects |
T1190 |
Exploit Public-Facing Application |
| AC-3 |
Access Enforcement |
Protects |
T1197 |
BITS Jobs |
| AC-3 |
Access Enforcement |
Protects |
T1199 |
Trusted Relationship |
| AC-3 |
Access Enforcement |
Protects |
T1200 |
Hardware Additions |
| AC-3 |
Access Enforcement |
Protects |
T1205 |
Traffic Signaling |
| AC-3 |
Access Enforcement |
Protects |
T1205.001 |
Port Knocking |
| AC-3 |
Access Enforcement |
Protects |
T1210 |
Exploitation of Remote Services |
| AC-3 |
Access Enforcement |
Protects |
T1213 |
Data from Information Repositories |
| AC-3 |
Access Enforcement |
Protects |
T1213.001 |
Confluence |
| AC-3 |
Access Enforcement |
Protects |
T1213.002 |
Sharepoint |
| AC-3 |
Access Enforcement |
Protects |
T1218 |
Signed Binary Proxy Execution |
| AC-3 |
Access Enforcement |
Protects |
T1218.002 |
Control Panel |
| AC-3 |
Access Enforcement |
Protects |
T1218.007 |
Msiexec |
| AC-3 |
Access Enforcement |
Protects |
T1218.012 |
Verclsid |
| AC-3 |
Access Enforcement |
Protects |
T1219 |
Remote Access Software |
| AC-3 |
Access Enforcement |
Protects |
T1222 |
File and Directory Permissions Modification |
| AC-3 |
Access Enforcement |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| AC-3 |
Access Enforcement |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| AC-3 |
Access Enforcement |
Protects |
T1484 |
Domain Policy Modification |
| AC-3 |
Access Enforcement |
Protects |
T1485 |
Data Destruction |
| AC-3 |
Access Enforcement |
Protects |
T1486 |
Data Encrypted for Impact |
| AC-3 |
Access Enforcement |
Protects |
T1489 |
Service Stop |
| AC-3 |
Access Enforcement |
Protects |
T1490 |
Inhibit System Recovery |
| AC-3 |
Access Enforcement |
Protects |
T1491 |
Defacement |
| AC-3 |
Access Enforcement |
Protects |
T1491.001 |
Internal Defacement |
| AC-3 |
Access Enforcement |
Protects |
T1491.002 |
External Defacement |
| AC-3 |
Access Enforcement |
Protects |
T1495 |
Firmware Corruption |
| AC-3 |
Access Enforcement |
Protects |
T1498 |
Network Denial of Service |
| AC-3 |
Access Enforcement |
Protects |
T1498.001 |
Direct Network Flood |
| AC-3 |
Access Enforcement |
Protects |
T1498.002 |
Reflection Amplification |
| AC-3 |
Access Enforcement |
Protects |
T1499 |
Endpoint Denial of Service |
| AC-3 |
Access Enforcement |
Protects |
T1499.001 |
OS Exhaustion Flood |
| AC-3 |
Access Enforcement |
Protects |
T1499.002 |
Service Exhaustion Flood |
| AC-3 |
Access Enforcement |
Protects |
T1499.003 |
Application Exhaustion Flood |
| AC-3 |
Access Enforcement |
Protects |
T1499.004 |
Application or System Exploitation |
| AC-3 |
Access Enforcement |
Protects |
T1505 |
Server Software Component |
| AC-3 |
Access Enforcement |
Protects |
T1505.001 |
SQL Stored Procedures |
| AC-3 |
Access Enforcement |
Protects |
T1505.002 |
Transport Agent |
| AC-3 |
Access Enforcement |
Protects |
T1525 |
Implant Internal Image |
| AC-3 |
Access Enforcement |
Protects |
T1528 |
Steal Application Access Token |
| AC-3 |
Access Enforcement |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-3 |
Access Enforcement |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-3 |
Access Enforcement |
Protects |
T1538 |
Cloud Service Dashboard |
| AC-3 |
Access Enforcement |
Protects |
T1539 |
Steal Web Session Cookie |
| AC-3 |
Access Enforcement |
Protects |
T1542 |
Pre-OS Boot |
| AC-3 |
Access Enforcement |
Protects |
T1542.001 |
System Firmware |
| AC-3 |
Access Enforcement |
Protects |
T1542.003 |
Bootkit |
| AC-3 |
Access Enforcement |
Protects |
T1542.004 |
ROMMONkit |
| AC-3 |
Access Enforcement |
Protects |
T1542.005 |
TFTP Boot |
| AC-3 |
Access Enforcement |
Protects |
T1543 |
Create or Modify System Process |
| AC-3 |
Access Enforcement |
Protects |
T1543.001 |
Launch Agent |
| AC-3 |
Access Enforcement |
Protects |
T1543.002 |
Systemd Service |
| AC-3 |
Access Enforcement |
Protects |
T1543.003 |
Windows Service |
| AC-3 |
Access Enforcement |
Protects |
T1543.004 |
Launch Daemon |
| AC-3 |
Access Enforcement |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| AC-3 |
Access Enforcement |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| AC-3 |
Access Enforcement |
Protects |
T1546.013 |
PowerShell Profile |
| AC-3 |
Access Enforcement |
Protects |
T1547.003 |
Time Providers |
| AC-3 |
Access Enforcement |
Protects |
T1547.004 |
Winlogon Helper DLL |
| AC-3 |
Access Enforcement |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| AC-3 |
Access Enforcement |
Protects |
T1547.007 |
Re-opened Applications |
| AC-3 |
Access Enforcement |
Protects |
T1547.009 |
Shortcut Modification |
| AC-3 |
Access Enforcement |
Protects |
T1547.011 |
Plist Modification |
| AC-3 |
Access Enforcement |
Protects |
T1547.012 |
Print Processors |
| AC-3 |
Access Enforcement |
Protects |
T1547.013 |
XDG Autostart Entries |
| AC-3 |
Access Enforcement |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| AC-3 |
Access Enforcement |
Protects |
T1548.002 |
Bypass User Account Control |
| AC-3 |
Access Enforcement |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| AC-3 |
Access Enforcement |
Protects |
T1550 |
Use Alternate Authentication Material |
| AC-3 |
Access Enforcement |
Protects |
T1550.002 |
Pass the Hash |
| AC-3 |
Access Enforcement |
Protects |
T1550.003 |
Pass the Ticket |
| AC-3 |
Access Enforcement |
Protects |
T1552 |
Unsecured Credentials |
| AC-3 |
Access Enforcement |
Protects |
T1552.002 |
Credentials in Registry |
| AC-3 |
Access Enforcement |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| AC-3 |
Access Enforcement |
Protects |
T1552.007 |
Container API |
| AC-3 |
Access Enforcement |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1556 |
Modify Authentication Process |
| AC-3 |
Access Enforcement |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-3 |
Access Enforcement |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-3 |
Access Enforcement |
Protects |
T1556.004 |
Network Device Authentication |
| AC-3 |
Access Enforcement |
Protects |
T1557 |
Man-in-the-Middle |
| AC-3 |
Access Enforcement |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| AC-3 |
Access Enforcement |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-3 |
Access Enforcement |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-3 |
Access Enforcement |
Protects |
T1558.001 |
Golden Ticket |
| AC-3 |
Access Enforcement |
Protects |
T1558.002 |
Silver Ticket |
| AC-3 |
Access Enforcement |
Protects |
T1558.003 |
Kerberoasting |
| AC-3 |
Access Enforcement |
Protects |
T1558.004 |
AS-REP Roasting |
| AC-3 |
Access Enforcement |
Protects |
T1559 |
Inter-Process Communication |
| AC-3 |
Access Enforcement |
Protects |
T1559.001 |
Component Object Model |
| AC-3 |
Access Enforcement |
Protects |
T1561 |
Disk Wipe |
| AC-3 |
Access Enforcement |
Protects |
T1561.001 |
Disk Content Wipe |
| AC-3 |
Access Enforcement |
Protects |
T1561.002 |
Disk Structure Wipe |
| AC-3 |
Access Enforcement |
Protects |
T1562 |
Impair Defenses |
| AC-3 |
Access Enforcement |
Protects |
T1562.001 |
Disable or Modify Tools |
| AC-3 |
Access Enforcement |
Protects |
T1562.002 |
Disable Windows Event Logging |
| AC-3 |
Access Enforcement |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| AC-3 |
Access Enforcement |
Protects |
T1562.006 |
Indicator Blocking |
| AC-3 |
Access Enforcement |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| AC-3 |
Access Enforcement |
Protects |
T1562.008 |
Disable Cloud Logs |
| AC-3 |
Access Enforcement |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1563.001 |
SSH Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1563.002 |
RDP Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1564.004 |
NTFS File Attributes |
| AC-3 |
Access Enforcement |
Protects |
T1565 |
Data Manipulation |
| AC-3 |
Access Enforcement |
Protects |
T1565.001 |
Stored Data Manipulation |
| AC-3 |
Access Enforcement |
Protects |
T1565.003 |
Runtime Data Manipulation |
| AC-3 |
Access Enforcement |
Protects |
T1569 |
System Services |
| AC-3 |
Access Enforcement |
Protects |
T1569.001 |
Launchctl |
| AC-3 |
Access Enforcement |
Protects |
T1569.002 |
Service Execution |
| AC-3 |
Access Enforcement |
Protects |
T1570 |
Lateral Tool Transfer |
| AC-3 |
Access Enforcement |
Protects |
T1572 |
Protocol Tunneling |
| AC-3 |
Access Enforcement |
Protects |
T1574 |
Hijack Execution Flow |
| AC-3 |
Access Enforcement |
Protects |
T1574.004 |
Dylib Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| AC-3 |
Access Enforcement |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| AC-3 |
Access Enforcement |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| AC-3 |
Access Enforcement |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| AC-3 |
Access Enforcement |
Protects |
T1574.010 |
Services File Permissions Weakness |
| AC-3 |
Access Enforcement |
Protects |
T1574.012 |
COR_PROFILER |
| AC-3 |
Access Enforcement |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| AC-3 |
Access Enforcement |
Protects |
T1578.001 |
Create Snapshot |
| AC-3 |
Access Enforcement |
Protects |
T1578.002 |
Create Cloud Instance |
| AC-3 |
Access Enforcement |
Protects |
T1578.003 |
Delete Cloud Instance |
| AC-3 |
Access Enforcement |
Protects |
T1580 |
Cloud Infrastructure Discovery |
| AC-3 |
Access Enforcement |
Protects |
T1599 |
Network Boundary Bridging |
| AC-3 |
Access Enforcement |
Protects |
T1599.001 |
Network Address Translation Traversal |
| AC-3 |
Access Enforcement |
Protects |
T1601 |
Modify System Image |
| AC-3 |
Access Enforcement |
Protects |
T1601.001 |
Patch System Image |
| AC-3 |
Access Enforcement |
Protects |
T1601.002 |
Downgrade System Image |
| AC-3 |
Access Enforcement |
Protects |
T1602 |
Data from Configuration Repository |
| AC-3 |
Access Enforcement |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-3 |
Access Enforcement |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-3 |
Access Enforcement |
Protects |
T1609 |
Container Administration Command |
| AC-3 |
Access Enforcement |
Protects |
T1610 |
Deploy Container |
| AC-3 |
Access Enforcement |
Protects |
T1611 |
Escape to Host |
| AC-3 |
Access Enforcement |
Protects |
T1612 |
Build Image on Host |
| AC-3 |
Access Enforcement |
Protects |
T1613 |
Container and Resource Discovery |
| AC-4 |
Information Flow Enforcement |
Protects |
T1001 |
Data Obfuscation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1001.001 |
Junk Data |
| AC-4 |
Information Flow Enforcement |
Protects |
T1001.002 |
Steganography |
| AC-4 |
Information Flow Enforcement |
Protects |
T1001.003 |
Protocol Impersonation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1003 |
OS Credential Dumping |
| AC-4 |
Information Flow Enforcement |
Protects |
T1003.001 |
LSASS Memory |
| AC-4 |
Information Flow Enforcement |
Protects |
T1003.005 |
Cached Domain Credentials |
| AC-4 |
Information Flow Enforcement |
Protects |
T1003.006 |
DCSync |
| AC-4 |
Information Flow Enforcement |
Protects |
T1008 |
Fallback Channels |
| AC-4 |
Information Flow Enforcement |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-4 |
Information Flow Enforcement |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-4 |
Information Flow Enforcement |
Protects |
T1021.005 |
VNC |
| AC-4 |
Information Flow Enforcement |
Protects |
T1021.006 |
Windows Remote Management |
| AC-4 |
Information Flow Enforcement |
Protects |
T1029 |
Scheduled Transfer |
| AC-4 |
Information Flow Enforcement |
Protects |
T1030 |
Data Transfer Size Limits |
| AC-4 |
Information Flow Enforcement |
Protects |
T1041 |
Exfiltration Over C2 Channel |
| AC-4 |
Information Flow Enforcement |
Protects |
T1046 |
Network Service Scanning |
| AC-4 |
Information Flow Enforcement |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1071 |
Application Layer Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1071.001 |
Web Protocols |
| AC-4 |
Information Flow Enforcement |
Protects |
T1071.002 |
File Transfer Protocols |
| AC-4 |
Information Flow Enforcement |
Protects |
T1071.003 |
Mail Protocols |
| AC-4 |
Information Flow Enforcement |
Protects |
T1071.004 |
DNS |
| AC-4 |
Information Flow Enforcement |
Protects |
T1072 |
Software Deployment Tools |
| AC-4 |
Information Flow Enforcement |
Protects |
T1090 |
Proxy |
| AC-4 |
Information Flow Enforcement |
Protects |
T1090.001 |
Internal Proxy |
| AC-4 |
Information Flow Enforcement |
Protects |
T1090.002 |
External Proxy |
| AC-4 |
Information Flow Enforcement |
Protects |
T1090.003 |
Multi-hop Proxy |
| AC-4 |
Information Flow Enforcement |
Protects |
T1095 |
Non-Application Layer Protocol |
| AC-4 |
Information Flow Enforcement |
Protects |
T1098 |
Account Manipulation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-4 |
Information Flow Enforcement |
Protects |
T1102 |
Web Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1102.001 |
Dead Drop Resolver |
| AC-4 |
Information Flow Enforcement |
Protects |
T1102.002 |
Bidirectional Communication |
| AC-4 |
Information Flow Enforcement |
Protects |
T1102.003 |
One-Way Communication |
| AC-4 |
Information Flow Enforcement |
Protects |
T1104 |
Multi-Stage Channels |
| AC-4 |
Information Flow Enforcement |
Protects |
T1105 |
Ingress Tool Transfer |
| AC-4 |
Information Flow Enforcement |
Protects |
T1114 |
Email Collection |
| AC-4 |
Information Flow Enforcement |
Protects |
T1114.001 |
Local Email Collection |
| AC-4 |
Information Flow Enforcement |
Protects |
T1114.002 |
Remote Email Collection |
| AC-4 |
Information Flow Enforcement |
Protects |
T1114.003 |
Email Forwarding Rule |
| AC-4 |
Information Flow Enforcement |
Protects |
T1132 |
Data Encoding |
| AC-4 |
Information Flow Enforcement |
Protects |
T1132.001 |
Standard Encoding |
| AC-4 |
Information Flow Enforcement |
Protects |
T1132.002 |
Non-Standard Encoding |
| AC-4 |
Information Flow Enforcement |
Protects |
T1133 |
External Remote Services |
| AC-4 |
Information Flow Enforcement |
Protects |
T1134.005 |
SID-History Injection |
| AC-4 |
Information Flow Enforcement |
Protects |
T1136 |
Create Account |
| AC-4 |
Information Flow Enforcement |
Protects |
T1136.002 |
Domain Account |
| AC-4 |
Information Flow Enforcement |
Protects |
T1136.003 |
Cloud Account |
| AC-4 |
Information Flow Enforcement |
Protects |
T1187 |
Forced Authentication |
| AC-4 |
Information Flow Enforcement |
Protects |
T1189 |
Drive-by Compromise |
| AC-4 |
Information Flow Enforcement |
Protects |
T1190 |
Exploit Public-Facing Application |
| AC-4 |
Information Flow Enforcement |
Protects |
T1197 |
BITS Jobs |
| AC-4 |
Information Flow Enforcement |
Protects |
T1199 |
Trusted Relationship |
| AC-4 |
Information Flow Enforcement |
Protects |
T1203 |
Exploitation for Client Execution |
| AC-4 |
Information Flow Enforcement |
Protects |
T1204 |
User Execution |
| AC-4 |
Information Flow Enforcement |
Protects |
T1204.001 |
Malicious Link |
| AC-4 |
Information Flow Enforcement |
Protects |
T1204.002 |
Malicious File |
| AC-4 |
Information Flow Enforcement |
Protects |
T1204.003 |
Malicious Image |
| AC-4 |
Information Flow Enforcement |
Protects |
T1205 |
Traffic Signaling |
| AC-4 |
Information Flow Enforcement |
Protects |
T1205.001 |
Port Knocking |
| AC-4 |
Information Flow Enforcement |
Protects |
T1210 |
Exploitation of Remote Services |
| AC-4 |
Information Flow Enforcement |
Protects |
T1211 |
Exploitation for Defense Evasion |
| AC-4 |
Information Flow Enforcement |
Protects |
T1212 |
Exploitation for Credential Access |
| AC-4 |
Information Flow Enforcement |
Protects |
T1213 |
Data from Information Repositories |
| AC-4 |
Information Flow Enforcement |
Protects |
T1213.001 |
Confluence |
| AC-4 |
Information Flow Enforcement |
Protects |
T1213.002 |
Sharepoint |
| AC-4 |
Information Flow Enforcement |
Protects |
T1218.012 |
Verclsid |
| AC-4 |
Information Flow Enforcement |
Protects |
T1219 |
Remote Access Software |
| AC-4 |
Information Flow Enforcement |
Protects |
T1482 |
Domain Trust Discovery |
| AC-4 |
Information Flow Enforcement |
Protects |
T1484 |
Domain Policy Modification |
| AC-4 |
Information Flow Enforcement |
Protects |
T1489 |
Service Stop |
| AC-4 |
Information Flow Enforcement |
Protects |
T1498 |
Network Denial of Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1498.001 |
Direct Network Flood |
| AC-4 |
Information Flow Enforcement |
Protects |
T1498.002 |
Reflection Amplification |
| AC-4 |
Information Flow Enforcement |
Protects |
T1499 |
Endpoint Denial of Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1499.001 |
OS Exhaustion Flood |
| AC-4 |
Information Flow Enforcement |
Protects |
T1499.002 |
Service Exhaustion Flood |
| AC-4 |
Information Flow Enforcement |
Protects |
T1499.003 |
Application Exhaustion Flood |
| AC-4 |
Information Flow Enforcement |
Protects |
T1499.004 |
Application or System Exploitation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1528 |
Steal Application Access Token |
| AC-4 |
Information Flow Enforcement |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-4 |
Information Flow Enforcement |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-4 |
Information Flow Enforcement |
Protects |
T1547.003 |
Time Providers |
| AC-4 |
Information Flow Enforcement |
Protects |
T1552 |
Unsecured Credentials |
| AC-4 |
Information Flow Enforcement |
Protects |
T1552.001 |
Credentials In Files |
| AC-4 |
Information Flow Enforcement |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| AC-4 |
Information Flow Enforcement |
Protects |
T1552.007 |
Container API |
| AC-4 |
Information Flow Enforcement |
Protects |
T1557 |
Man-in-the-Middle |
| AC-4 |
Information Flow Enforcement |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| AC-4 |
Information Flow Enforcement |
Protects |
T1557.002 |
ARP Cache Poisoning |
| AC-4 |
Information Flow Enforcement |
Protects |
T1559 |
Inter-Process Communication |
| AC-4 |
Information Flow Enforcement |
Protects |
T1559.001 |
Component Object Model |
| AC-4 |
Information Flow Enforcement |
Protects |
T1559.002 |
Dynamic Data Exchange |
| AC-4 |
Information Flow Enforcement |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-4 |
Information Flow Enforcement |
Protects |
T1563.002 |
RDP Hijacking |
| AC-4 |
Information Flow Enforcement |
Protects |
T1565 |
Data Manipulation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1565.003 |
Runtime Data Manipulation |
| AC-4 |
Information Flow Enforcement |
Protects |
T1566 |
Phishing |
| AC-4 |
Information Flow Enforcement |
Protects |
T1566.001 |
Spearphishing Attachment |
| AC-4 |
Information Flow Enforcement |
Protects |
T1566.002 |
Spearphishing Link |
| AC-4 |
Information Flow Enforcement |
Protects |
T1566.003 |
Spearphishing via Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1567 |
Exfiltration Over Web Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1567.001 |
Exfiltration to Code Repository |
| AC-4 |
Information Flow Enforcement |
Protects |
T1567.002 |
Exfiltration to Cloud Storage |
| AC-4 |
Information Flow Enforcement |
Protects |
T1568 |
Dynamic Resolution |
| AC-4 |
Information Flow Enforcement |
Protects |
T1568.002 |
Domain Generation Algorithms |
| AC-4 |
Information Flow Enforcement |
Protects |
T1570 |
Lateral Tool Transfer |
| AC-4 |
Information Flow Enforcement |
Protects |
T1571 |
Non-Standard Port |
| AC-4 |
Information Flow Enforcement |
Protects |
T1572 |
Protocol Tunneling |
| AC-4 |
Information Flow Enforcement |
Protects |
T1573 |
Encrypted Channel |
| AC-4 |
Information Flow Enforcement |
Protects |
T1573.001 |
Symmetric Cryptography |
| AC-4 |
Information Flow Enforcement |
Protects |
T1573.002 |
Asymmetric Cryptography |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574 |
Hijack Execution Flow |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.004 |
Dylib Hijacking |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| AC-4 |
Information Flow Enforcement |
Protects |
T1574.010 |
Services File Permissions Weakness |
| AC-4 |
Information Flow Enforcement |
Protects |
T1598 |
Phishing for Information |
| AC-4 |
Information Flow Enforcement |
Protects |
T1598.001 |
Spearphishing Service |
| AC-4 |
Information Flow Enforcement |
Protects |
T1598.002 |
Spearphishing Attachment |
| AC-4 |
Information Flow Enforcement |
Protects |
T1598.003 |
Spearphishing Link |
| AC-4 |
Information Flow Enforcement |
Protects |
T1599 |
Network Boundary Bridging |
| AC-4 |
Information Flow Enforcement |
Protects |
T1599.001 |
Network Address Translation Traversal |
| AC-4 |
Information Flow Enforcement |
Protects |
T1601 |
Modify System Image |
| AC-4 |
Information Flow Enforcement |
Protects |
T1601.001 |
Patch System Image |
| AC-4 |
Information Flow Enforcement |
Protects |
T1601.002 |
Downgrade System Image |
| AC-4 |
Information Flow Enforcement |
Protects |
T1602 |
Data from Configuration Repository |
| AC-4 |
Information Flow Enforcement |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| AC-4 |
Information Flow Enforcement |
Protects |
T1602.002 |
Network Device Configuration Dump |
| AC-4 |
Information Flow Enforcement |
Protects |
T1611 |
Escape to Host |
| AC-5 |
Separation of Duties |
Protects |
T1003 |
OS Credential Dumping |
| AC-5 |
Separation of Duties |
Protects |
T1003.001 |
LSASS Memory |
| AC-5 |
Separation of Duties |
Protects |
T1003.002 |
Security Account Manager |
| AC-5 |
Separation of Duties |
Protects |
T1003.003 |
NTDS |
| AC-5 |
Separation of Duties |
Protects |
T1003.004 |
LSA Secrets |
| AC-5 |
Separation of Duties |
Protects |
T1003.005 |
Cached Domain Credentials |
| AC-5 |
Separation of Duties |
Protects |
T1003.006 |
DCSync |
| AC-5 |
Separation of Duties |
Protects |
T1003.007 |
Proc Filesystem |
| AC-5 |
Separation of Duties |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| AC-5 |
Separation of Duties |
Protects |
T1021 |
Remote Services |
| AC-5 |
Separation of Duties |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-5 |
Separation of Duties |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-5 |
Separation of Duties |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-5 |
Separation of Duties |
Protects |
T1021.004 |
SSH |
| AC-5 |
Separation of Duties |
Protects |
T1021.006 |
Windows Remote Management |
| AC-5 |
Separation of Duties |
Protects |
T1047 |
Windows Management Instrumentation |
| AC-5 |
Separation of Duties |
Protects |
T1053 |
Scheduled Task/Job |
| AC-5 |
Separation of Duties |
Protects |
T1053.001 |
At (Linux) |
| AC-5 |
Separation of Duties |
Protects |
T1053.002 |
At (Windows) |
| AC-5 |
Separation of Duties |
Protects |
T1053.003 |
Cron |
| AC-5 |
Separation of Duties |
Protects |
T1053.004 |
Launchd |
| AC-5 |
Separation of Duties |
Protects |
T1053.005 |
Scheduled Task |
| AC-5 |
Separation of Duties |
Protects |
T1053.006 |
Systemd Timers |
| AC-5 |
Separation of Duties |
Protects |
T1053.007 |
Container Orchestration Job |
| AC-5 |
Separation of Duties |
Protects |
T1055 |
Process Injection |
| AC-5 |
Separation of Duties |
Protects |
T1055.008 |
Ptrace System Calls |
| AC-5 |
Separation of Duties |
Protects |
T1056.003 |
Web Portal Capture |
| AC-5 |
Separation of Duties |
Protects |
T1059 |
Command and Scripting Interpreter |
| AC-5 |
Separation of Duties |
Protects |
T1059.001 |
PowerShell |
| AC-5 |
Separation of Duties |
Protects |
T1059.008 |
Network Device CLI |
| AC-5 |
Separation of Duties |
Protects |
T1070 |
Indicator Removal on Host |
| AC-5 |
Separation of Duties |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-5 |
Separation of Duties |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-5 |
Separation of Duties |
Protects |
T1070.003 |
Clear Command History |
| AC-5 |
Separation of Duties |
Protects |
T1072 |
Software Deployment Tools |
| AC-5 |
Separation of Duties |
Protects |
T1078 |
Valid Accounts |
| AC-5 |
Separation of Duties |
Protects |
T1078.001 |
Default Accounts |
| AC-5 |
Separation of Duties |
Protects |
T1078.002 |
Domain Accounts |
| AC-5 |
Separation of Duties |
Protects |
T1078.003 |
Local Accounts |
| AC-5 |
Separation of Duties |
Protects |
T1078.004 |
Cloud Accounts |
| AC-5 |
Separation of Duties |
Protects |
T1087.004 |
Cloud Account |
| AC-5 |
Separation of Duties |
Protects |
T1098 |
Account Manipulation |
| AC-5 |
Separation of Duties |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-5 |
Separation of Duties |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| AC-5 |
Separation of Duties |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| AC-5 |
Separation of Duties |
Protects |
T1110 |
Brute Force |
| AC-5 |
Separation of Duties |
Protects |
T1110.001 |
Password Guessing |
| AC-5 |
Separation of Duties |
Protects |
T1110.002 |
Password Cracking |
| AC-5 |
Separation of Duties |
Protects |
T1110.003 |
Password Spraying |
| AC-5 |
Separation of Duties |
Protects |
T1110.004 |
Credential Stuffing |
| AC-5 |
Separation of Duties |
Protects |
T1134 |
Access Token Manipulation |
| AC-5 |
Separation of Duties |
Protects |
T1134.001 |
Token Impersonation/Theft |
| AC-5 |
Separation of Duties |
Protects |
T1134.002 |
Create Process with Token |
| AC-5 |
Separation of Duties |
Protects |
T1134.003 |
Make and Impersonate Token |
| AC-5 |
Separation of Duties |
Protects |
T1134.005 |
SID-History Injection |
| AC-5 |
Separation of Duties |
Protects |
T1136 |
Create Account |
| AC-5 |
Separation of Duties |
Protects |
T1136.001 |
Local Account |
| AC-5 |
Separation of Duties |
Protects |
T1136.002 |
Domain Account |
| AC-5 |
Separation of Duties |
Protects |
T1136.003 |
Cloud Account |
| AC-5 |
Separation of Duties |
Protects |
T1185 |
Man in the Browser |
| AC-5 |
Separation of Duties |
Protects |
T1190 |
Exploit Public-Facing Application |
| AC-5 |
Separation of Duties |
Protects |
T1197 |
BITS Jobs |
| AC-5 |
Separation of Duties |
Protects |
T1210 |
Exploitation of Remote Services |
| AC-5 |
Separation of Duties |
Protects |
T1213 |
Data from Information Repositories |
| AC-5 |
Separation of Duties |
Protects |
T1213.001 |
Confluence |
| AC-5 |
Separation of Duties |
Protects |
T1213.002 |
Sharepoint |
| AC-5 |
Separation of Duties |
Protects |
T1218 |
Signed Binary Proxy Execution |
| AC-5 |
Separation of Duties |
Protects |
T1218.007 |
Msiexec |
| AC-5 |
Separation of Duties |
Protects |
T1222 |
File and Directory Permissions Modification |
| AC-5 |
Separation of Duties |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| AC-5 |
Separation of Duties |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| AC-5 |
Separation of Duties |
Protects |
T1484 |
Domain Policy Modification |
| AC-5 |
Separation of Duties |
Protects |
T1489 |
Service Stop |
| AC-5 |
Separation of Duties |
Protects |
T1495 |
Firmware Corruption |
| AC-5 |
Separation of Duties |
Protects |
T1505 |
Server Software Component |
| AC-5 |
Separation of Duties |
Protects |
T1505.001 |
SQL Stored Procedures |
| AC-5 |
Separation of Duties |
Protects |
T1505.002 |
Transport Agent |
| AC-5 |
Separation of Duties |
Protects |
T1525 |
Implant Internal Image |
| AC-5 |
Separation of Duties |
Protects |
T1528 |
Steal Application Access Token |
| AC-5 |
Separation of Duties |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-5 |
Separation of Duties |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-5 |
Separation of Duties |
Protects |
T1538 |
Cloud Service Dashboard |
| AC-5 |
Separation of Duties |
Protects |
T1542 |
Pre-OS Boot |
| AC-5 |
Separation of Duties |
Protects |
T1542.001 |
System Firmware |
| AC-5 |
Separation of Duties |
Protects |
T1542.003 |
Bootkit |
| AC-5 |
Separation of Duties |
Protects |
T1542.005 |
TFTP Boot |
| AC-5 |
Separation of Duties |
Protects |
T1543 |
Create or Modify System Process |
| AC-5 |
Separation of Duties |
Protects |
T1543.001 |
Launch Agent |
| AC-5 |
Separation of Duties |
Protects |
T1543.002 |
Systemd Service |
| AC-5 |
Separation of Duties |
Protects |
T1543.003 |
Windows Service |
| AC-5 |
Separation of Duties |
Protects |
T1543.004 |
Launch Daemon |
| AC-5 |
Separation of Duties |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| AC-5 |
Separation of Duties |
Protects |
T1547.004 |
Winlogon Helper DLL |
| AC-5 |
Separation of Duties |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| AC-5 |
Separation of Duties |
Protects |
T1547.009 |
Shortcut Modification |
| AC-5 |
Separation of Duties |
Protects |
T1547.012 |
Print Processors |
| AC-5 |
Separation of Duties |
Protects |
T1547.013 |
XDG Autostart Entries |
| AC-5 |
Separation of Duties |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| AC-5 |
Separation of Duties |
Protects |
T1548.002 |
Bypass User Account Control |
| AC-5 |
Separation of Duties |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| AC-5 |
Separation of Duties |
Protects |
T1550 |
Use Alternate Authentication Material |
| AC-5 |
Separation of Duties |
Protects |
T1550.002 |
Pass the Hash |
| AC-5 |
Separation of Duties |
Protects |
T1550.003 |
Pass the Ticket |
| AC-5 |
Separation of Duties |
Protects |
T1552 |
Unsecured Credentials |
| AC-5 |
Separation of Duties |
Protects |
T1552.001 |
Credentials In Files |
| AC-5 |
Separation of Duties |
Protects |
T1552.002 |
Credentials in Registry |
| AC-5 |
Separation of Duties |
Protects |
T1552.006 |
Group Policy Preferences |
| AC-5 |
Separation of Duties |
Protects |
T1552.007 |
Container API |
| AC-5 |
Separation of Duties |
Protects |
T1556 |
Modify Authentication Process |
| AC-5 |
Separation of Duties |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-5 |
Separation of Duties |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-5 |
Separation of Duties |
Protects |
T1556.004 |
Network Device Authentication |
| AC-5 |
Separation of Duties |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-5 |
Separation of Duties |
Protects |
T1558.001 |
Golden Ticket |
| AC-5 |
Separation of Duties |
Protects |
T1558.002 |
Silver Ticket |
| AC-5 |
Separation of Duties |
Protects |
T1558.003 |
Kerberoasting |
| AC-5 |
Separation of Duties |
Protects |
T1559 |
Inter-Process Communication |
| AC-5 |
Separation of Duties |
Protects |
T1559.001 |
Component Object Model |
| AC-5 |
Separation of Duties |
Protects |
T1562 |
Impair Defenses |
| AC-5 |
Separation of Duties |
Protects |
T1562.001 |
Disable or Modify Tools |
| AC-5 |
Separation of Duties |
Protects |
T1562.002 |
Disable Windows Event Logging |
| AC-5 |
Separation of Duties |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| AC-5 |
Separation of Duties |
Protects |
T1562.006 |
Indicator Blocking |
| AC-5 |
Separation of Duties |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| AC-5 |
Separation of Duties |
Protects |
T1562.008 |
Disable Cloud Logs |
| AC-5 |
Separation of Duties |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-5 |
Separation of Duties |
Protects |
T1563.001 |
SSH Hijacking |
| AC-5 |
Separation of Duties |
Protects |
T1563.002 |
RDP Hijacking |
| AC-5 |
Separation of Duties |
Protects |
T1569 |
System Services |
| AC-5 |
Separation of Duties |
Protects |
T1569.001 |
Launchctl |
| AC-5 |
Separation of Duties |
Protects |
T1569.002 |
Service Execution |
| AC-5 |
Separation of Duties |
Protects |
T1574 |
Hijack Execution Flow |
| AC-5 |
Separation of Duties |
Protects |
T1574.004 |
Dylib Hijacking |
| AC-5 |
Separation of Duties |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| AC-5 |
Separation of Duties |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| AC-5 |
Separation of Duties |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| AC-5 |
Separation of Duties |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| AC-5 |
Separation of Duties |
Protects |
T1574.010 |
Services File Permissions Weakness |
| AC-5 |
Separation of Duties |
Protects |
T1574.012 |
COR_PROFILER |
| AC-5 |
Separation of Duties |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| AC-5 |
Separation of Duties |
Protects |
T1578.001 |
Create Snapshot |
| AC-5 |
Separation of Duties |
Protects |
T1578.002 |
Create Cloud Instance |
| AC-5 |
Separation of Duties |
Protects |
T1578.003 |
Delete Cloud Instance |
| AC-5 |
Separation of Duties |
Protects |
T1580 |
Cloud Infrastructure Discovery |
| AC-5 |
Separation of Duties |
Protects |
T1599 |
Network Boundary Bridging |
| AC-5 |
Separation of Duties |
Protects |
T1599.001 |
Network Address Translation Traversal |
| AC-5 |
Separation of Duties |
Protects |
T1601 |
Modify System Image |
| AC-5 |
Separation of Duties |
Protects |
T1601.001 |
Patch System Image |
| AC-5 |
Separation of Duties |
Protects |
T1601.002 |
Downgrade System Image |
| AC-5 |
Separation of Duties |
Protects |
T1611 |
Escape to Host |
| AC-6 |
Least Privilege |
Protects |
T1003 |
OS Credential Dumping |
| AC-6 |
Least Privilege |
Protects |
T1003.001 |
LSASS Memory |
| AC-6 |
Least Privilege |
Protects |
T1003.002 |
Security Account Manager |
| AC-6 |
Least Privilege |
Protects |
T1003.003 |
NTDS |
| AC-6 |
Least Privilege |
Protects |
T1003.004 |
LSA Secrets |
| AC-6 |
Least Privilege |
Protects |
T1003.005 |
Cached Domain Credentials |
| AC-6 |
Least Privilege |
Protects |
T1003.006 |
DCSync |
| AC-6 |
Least Privilege |
Protects |
T1003.007 |
Proc Filesystem |
| AC-6 |
Least Privilege |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| AC-6 |
Least Privilege |
Protects |
T1021 |
Remote Services |
| AC-6 |
Least Privilege |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-6 |
Least Privilege |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| AC-6 |
Least Privilege |
Protects |
T1021.003 |
Distributed Component Object Model |
| AC-6 |
Least Privilege |
Protects |
T1021.004 |
SSH |
| AC-6 |
Least Privilege |
Protects |
T1021.005 |
VNC |
| AC-6 |
Least Privilege |
Protects |
T1021.006 |
Windows Remote Management |
| AC-6 |
Least Privilege |
Protects |
T1036 |
Masquerading |
| AC-6 |
Least Privilege |
Protects |
T1036.003 |
Rename System Utilities |
| AC-6 |
Least Privilege |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| AC-6 |
Least Privilege |
Protects |
T1047 |
Windows Management Instrumentation |
| AC-6 |
Least Privilege |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| AC-6 |
Least Privilege |
Protects |
T1052.001 |
Exfiltration over USB |
| AC-6 |
Least Privilege |
Protects |
T1053 |
Scheduled Task/Job |
| AC-6 |
Least Privilege |
Protects |
T1053.001 |
At (Linux) |
| AC-6 |
Least Privilege |
Protects |
T1053.002 |
At (Windows) |
| AC-6 |
Least Privilege |
Protects |
T1053.003 |
Cron |
| AC-6 |
Least Privilege |
Protects |
T1053.004 |
Launchd |
| AC-6 |
Least Privilege |
Protects |
T1053.005 |
Scheduled Task |
| AC-6 |
Least Privilege |
Protects |
T1053.006 |
Systemd Timers |
| AC-6 |
Least Privilege |
Protects |
T1053.007 |
Container Orchestration Job |
| AC-6 |
Least Privilege |
Protects |
T1055 |
Process Injection |
| AC-6 |
Least Privilege |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| AC-6 |
Least Privilege |
Protects |
T1055.002 |
Portable Executable Injection |
| AC-6 |
Least Privilege |
Protects |
T1055.003 |
Thread Execution Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| AC-6 |
Least Privilege |
Protects |
T1055.005 |
Thread Local Storage |
| AC-6 |
Least Privilege |
Protects |
T1055.008 |
Ptrace System Calls |
| AC-6 |
Least Privilege |
Protects |
T1055.009 |
Proc Memory |
| AC-6 |
Least Privilege |
Protects |
T1055.011 |
Extra Window Memory Injection |
| AC-6 |
Least Privilege |
Protects |
T1055.012 |
Process Hollowing |
| AC-6 |
Least Privilege |
Protects |
T1055.013 |
Process Doppelgänging |
| AC-6 |
Least Privilege |
Protects |
T1055.014 |
VDSO Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1056.003 |
Web Portal Capture |
| AC-6 |
Least Privilege |
Protects |
T1059 |
Command and Scripting Interpreter |
| AC-6 |
Least Privilege |
Protects |
T1059.001 |
PowerShell |
| AC-6 |
Least Privilege |
Protects |
T1059.006 |
Python |
| AC-6 |
Least Privilege |
Protects |
T1059.008 |
Network Device CLI |
| AC-6 |
Least Privilege |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| AC-6 |
Least Privilege |
Protects |
T1070 |
Indicator Removal on Host |
| AC-6 |
Least Privilege |
Protects |
T1070.001 |
Clear Windows Event Logs |
| AC-6 |
Least Privilege |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| AC-6 |
Least Privilege |
Protects |
T1070.003 |
Clear Command History |
| AC-6 |
Least Privilege |
Protects |
T1072 |
Software Deployment Tools |
| AC-6 |
Least Privilege |
Protects |
T1078 |
Valid Accounts |
| AC-6 |
Least Privilege |
Protects |
T1078.001 |
Default Accounts |
| AC-6 |
Least Privilege |
Protects |
T1078.002 |
Domain Accounts |
| AC-6 |
Least Privilege |
Protects |
T1078.003 |
Local Accounts |
| AC-6 |
Least Privilege |
Protects |
T1078.004 |
Cloud Accounts |
| AC-6 |
Least Privilege |
Protects |
T1087.004 |
Cloud Account |
| AC-6 |
Least Privilege |
Protects |
T1091 |
Replication Through Removable Media |
| AC-6 |
Least Privilege |
Protects |
T1098 |
Account Manipulation |
| AC-6 |
Least Privilege |
Protects |
T1098.001 |
Additional Cloud Credentials |
| AC-6 |
Least Privilege |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| AC-6 |
Least Privilege |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| AC-6 |
Least Privilege |
Protects |
T1110 |
Brute Force |
| AC-6 |
Least Privilege |
Protects |
T1110.001 |
Password Guessing |
| AC-6 |
Least Privilege |
Protects |
T1110.002 |
Password Cracking |
| AC-6 |
Least Privilege |
Protects |
T1110.003 |
Password Spraying |
| AC-6 |
Least Privilege |
Protects |
T1110.004 |
Credential Stuffing |
| AC-6 |
Least Privilege |
Protects |
T1112 |
Modify Registry |
| AC-6 |
Least Privilege |
Protects |
T1133 |
External Remote Services |
| AC-6 |
Least Privilege |
Protects |
T1134 |
Access Token Manipulation |
| AC-6 |
Least Privilege |
Protects |
T1134.001 |
Token Impersonation/Theft |
| AC-6 |
Least Privilege |
Protects |
T1134.002 |
Create Process with Token |
| AC-6 |
Least Privilege |
Protects |
T1134.003 |
Make and Impersonate Token |
| AC-6 |
Least Privilege |
Protects |
T1134.005 |
SID-History Injection |
| AC-6 |
Least Privilege |
Protects |
T1136 |
Create Account |
| AC-6 |
Least Privilege |
Protects |
T1136.001 |
Local Account |
| AC-6 |
Least Privilege |
Protects |
T1136.002 |
Domain Account |
| AC-6 |
Least Privilege |
Protects |
T1136.003 |
Cloud Account |
| AC-6 |
Least Privilege |
Protects |
T1137.002 |
Office Test |
| AC-6 |
Least Privilege |
Protects |
T1176 |
Browser Extensions |
| AC-6 |
Least Privilege |
Protects |
T1185 |
Man in the Browser |
| AC-6 |
Least Privilege |
Protects |
T1189 |
Drive-by Compromise |
| AC-6 |
Least Privilege |
Protects |
T1190 |
Exploit Public-Facing Application |
| AC-6 |
Least Privilege |
Protects |
T1197 |
BITS Jobs |
| AC-6 |
Least Privilege |
Protects |
T1199 |
Trusted Relationship |
| AC-6 |
Least Privilege |
Protects |
T1200 |
Hardware Additions |
| AC-6 |
Least Privilege |
Protects |
T1203 |
Exploitation for Client Execution |
| AC-6 |
Least Privilege |
Protects |
T1210 |
Exploitation of Remote Services |
| AC-6 |
Least Privilege |
Protects |
T1211 |
Exploitation for Defense Evasion |
| AC-6 |
Least Privilege |
Protects |
T1212 |
Exploitation for Credential Access |
| AC-6 |
Least Privilege |
Protects |
T1213 |
Data from Information Repositories |
| AC-6 |
Least Privilege |
Protects |
T1213.001 |
Confluence |
| AC-6 |
Least Privilege |
Protects |
T1213.002 |
Sharepoint |
| AC-6 |
Least Privilege |
Protects |
T1218 |
Signed Binary Proxy Execution |
| AC-6 |
Least Privilege |
Protects |
T1218.007 |
Msiexec |
| AC-6 |
Least Privilege |
Protects |
T1222 |
File and Directory Permissions Modification |
| AC-6 |
Least Privilege |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| AC-6 |
Least Privilege |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| AC-6 |
Least Privilege |
Protects |
T1484 |
Domain Policy Modification |
| AC-6 |
Least Privilege |
Protects |
T1485 |
Data Destruction |
| AC-6 |
Least Privilege |
Protects |
T1486 |
Data Encrypted for Impact |
| AC-6 |
Least Privilege |
Protects |
T1489 |
Service Stop |
| AC-6 |
Least Privilege |
Protects |
T1490 |
Inhibit System Recovery |
| AC-6 |
Least Privilege |
Protects |
T1491 |
Defacement |
| AC-6 |
Least Privilege |
Protects |
T1491.001 |
Internal Defacement |
| AC-6 |
Least Privilege |
Protects |
T1491.002 |
External Defacement |
| AC-6 |
Least Privilege |
Protects |
T1495 |
Firmware Corruption |
| AC-6 |
Least Privilege |
Protects |
T1505 |
Server Software Component |
| AC-6 |
Least Privilege |
Protects |
T1505.001 |
SQL Stored Procedures |
| AC-6 |
Least Privilege |
Protects |
T1505.002 |
Transport Agent |
| AC-6 |
Least Privilege |
Protects |
T1525 |
Implant Internal Image |
| AC-6 |
Least Privilege |
Protects |
T1528 |
Steal Application Access Token |
| AC-6 |
Least Privilege |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-6 |
Least Privilege |
Protects |
T1537 |
Transfer Data to Cloud Account |
| AC-6 |
Least Privilege |
Protects |
T1538 |
Cloud Service Dashboard |
| AC-6 |
Least Privilege |
Protects |
T1539 |
Steal Web Session Cookie |
| AC-6 |
Least Privilege |
Protects |
T1542 |
Pre-OS Boot |
| AC-6 |
Least Privilege |
Protects |
T1542.001 |
System Firmware |
| AC-6 |
Least Privilege |
Protects |
T1542.003 |
Bootkit |
| AC-6 |
Least Privilege |
Protects |
T1542.004 |
ROMMONkit |
| AC-6 |
Least Privilege |
Protects |
T1542.005 |
TFTP Boot |
| AC-6 |
Least Privilege |
Protects |
T1543 |
Create or Modify System Process |
| AC-6 |
Least Privilege |
Protects |
T1543.001 |
Launch Agent |
| AC-6 |
Least Privilege |
Protects |
T1543.002 |
Systemd Service |
| AC-6 |
Least Privilege |
Protects |
T1543.003 |
Windows Service |
| AC-6 |
Least Privilege |
Protects |
T1543.004 |
Launch Daemon |
| AC-6 |
Least Privilege |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| AC-6 |
Least Privilege |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| AC-6 |
Least Privilege |
Protects |
T1546.011 |
Application Shimming |
| AC-6 |
Least Privilege |
Protects |
T1546.013 |
PowerShell Profile |
| AC-6 |
Least Privilege |
Protects |
T1547.003 |
Time Providers |
| AC-6 |
Least Privilege |
Protects |
T1547.004 |
Winlogon Helper DLL |
| AC-6 |
Least Privilege |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| AC-6 |
Least Privilege |
Protects |
T1547.009 |
Shortcut Modification |
| AC-6 |
Least Privilege |
Protects |
T1547.011 |
Plist Modification |
| AC-6 |
Least Privilege |
Protects |
T1547.012 |
Print Processors |
| AC-6 |
Least Privilege |
Protects |
T1547.013 |
XDG Autostart Entries |
| AC-6 |
Least Privilege |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| AC-6 |
Least Privilege |
Protects |
T1548.002 |
Bypass User Account Control |
| AC-6 |
Least Privilege |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| AC-6 |
Least Privilege |
Protects |
T1550 |
Use Alternate Authentication Material |
| AC-6 |
Least Privilege |
Protects |
T1550.002 |
Pass the Hash |
| AC-6 |
Least Privilege |
Protects |
T1550.003 |
Pass the Ticket |
| AC-6 |
Least Privilege |
Protects |
T1552 |
Unsecured Credentials |
| AC-6 |
Least Privilege |
Protects |
T1552.001 |
Credentials In Files |
| AC-6 |
Least Privilege |
Protects |
T1552.002 |
Credentials in Registry |
| AC-6 |
Least Privilege |
Protects |
T1552.006 |
Group Policy Preferences |
| AC-6 |
Least Privilege |
Protects |
T1552.007 |
Container API |
| AC-6 |
Least Privilege |
Protects |
T1553 |
Subvert Trust Controls |
| AC-6 |
Least Privilege |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1553.006 |
Code Signing Policy Modification |
| AC-6 |
Least Privilege |
Protects |
T1556 |
Modify Authentication Process |
| AC-6 |
Least Privilege |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-6 |
Least Privilege |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-6 |
Least Privilege |
Protects |
T1556.004 |
Network Device Authentication |
| AC-6 |
Least Privilege |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| AC-6 |
Least Privilege |
Protects |
T1558.001 |
Golden Ticket |
| AC-6 |
Least Privilege |
Protects |
T1558.002 |
Silver Ticket |
| AC-6 |
Least Privilege |
Protects |
T1558.003 |
Kerberoasting |
| AC-6 |
Least Privilege |
Protects |
T1559 |
Inter-Process Communication |
| AC-6 |
Least Privilege |
Protects |
T1559.001 |
Component Object Model |
| AC-6 |
Least Privilege |
Protects |
T1559.002 |
Dynamic Data Exchange |
| AC-6 |
Least Privilege |
Protects |
T1561 |
Disk Wipe |
| AC-6 |
Least Privilege |
Protects |
T1561.001 |
Disk Content Wipe |
| AC-6 |
Least Privilege |
Protects |
T1561.002 |
Disk Structure Wipe |
| AC-6 |
Least Privilege |
Protects |
T1562 |
Impair Defenses |
| AC-6 |
Least Privilege |
Protects |
T1562.001 |
Disable or Modify Tools |
| AC-6 |
Least Privilege |
Protects |
T1562.002 |
Disable Windows Event Logging |
| AC-6 |
Least Privilege |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| AC-6 |
Least Privilege |
Protects |
T1562.006 |
Indicator Blocking |
| AC-6 |
Least Privilege |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| AC-6 |
Least Privilege |
Protects |
T1562.008 |
Disable Cloud Logs |
| AC-6 |
Least Privilege |
Protects |
T1563 |
Remote Service Session Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1563.001 |
SSH Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1563.002 |
RDP Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1569 |
System Services |
| AC-6 |
Least Privilege |
Protects |
T1569.001 |
Launchctl |
| AC-6 |
Least Privilege |
Protects |
T1569.002 |
Service Execution |
| AC-6 |
Least Privilege |
Protects |
T1574 |
Hijack Execution Flow |
| AC-6 |
Least Privilege |
Protects |
T1574.004 |
Dylib Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| AC-6 |
Least Privilege |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| AC-6 |
Least Privilege |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| AC-6 |
Least Privilege |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| AC-6 |
Least Privilege |
Protects |
T1574.010 |
Services File Permissions Weakness |
| AC-6 |
Least Privilege |
Protects |
T1574.011 |
Services Registry Permissions Weakness |
| AC-6 |
Least Privilege |
Protects |
T1574.012 |
COR_PROFILER |
| AC-6 |
Least Privilege |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| AC-6 |
Least Privilege |
Protects |
T1578.001 |
Create Snapshot |
| AC-6 |
Least Privilege |
Protects |
T1578.002 |
Create Cloud Instance |
| AC-6 |
Least Privilege |
Protects |
T1578.003 |
Delete Cloud Instance |
| AC-6 |
Least Privilege |
Protects |
T1580 |
Cloud Infrastructure Discovery |
| AC-6 |
Least Privilege |
Protects |
T1599 |
Network Boundary Bridging |
| AC-6 |
Least Privilege |
Protects |
T1599.001 |
Network Address Translation Traversal |
| AC-6 |
Least Privilege |
Protects |
T1601 |
Modify System Image |
| AC-6 |
Least Privilege |
Protects |
T1601.001 |
Patch System Image |
| AC-6 |
Least Privilege |
Protects |
T1601.002 |
Downgrade System Image |
| AC-6 |
Least Privilege |
Protects |
T1609 |
Container Administration Command |
| AC-6 |
Least Privilege |
Protects |
T1610 |
Deploy Container |
| AC-6 |
Least Privilege |
Protects |
T1611 |
Escape to Host |
| AC-6 |
Least Privilege |
Protects |
T1612 |
Build Image on Host |
| AC-6 |
Least Privilege |
Protects |
T1613 |
Container and Resource Discovery |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1021 |
Remote Services |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1021.001 |
Remote Desktop Protocol |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1021.004 |
SSH |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1078.002 |
Domain Accounts |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1078.004 |
Cloud Accounts |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1110 |
Brute Force |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1110.001 |
Password Guessing |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1110.002 |
Password Cracking |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1110.003 |
Password Spraying |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1110.004 |
Credential Stuffing |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1133 |
External Remote Services |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1530 |
Data from Cloud Storage Object |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1556 |
Modify Authentication Process |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1556.001 |
Domain Controller Authentication |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| AC-7 |
Unsuccessful Logon Attempts |
Protects |
T1556.004 |
Network Device Authentication |
| AC-8 |
System Use Notification |
Protects |
T1199 |
Trusted Relationship |
| CA-2 |
Control Assessments |
Protects |
T1190 |
Exploit Public-Facing Application |
| CA-2 |
Control Assessments |
Protects |
T1195 |
Supply Chain Compromise |
| CA-2 |
Control Assessments |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| CA-2 |
Control Assessments |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| CA-2 |
Control Assessments |
Protects |
T1210 |
Exploitation of Remote Services |
| CA-7 |
Continuous Monitoring |
Protects |
T1001 |
Data Obfuscation |
| CA-7 |
Continuous Monitoring |
Protects |
T1001.001 |
Junk Data |
| CA-7 |
Continuous Monitoring |
Protects |
T1001.002 |
Steganography |
| CA-7 |
Continuous Monitoring |
Protects |
T1001.003 |
Protocol Impersonation |
| CA-7 |
Continuous Monitoring |
Protects |
T1003 |
OS Credential Dumping |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.001 |
LSASS Memory |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.002 |
Security Account Manager |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.003 |
NTDS |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.004 |
LSA Secrets |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.005 |
Cached Domain Credentials |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.006 |
DCSync |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.007 |
Proc Filesystem |
| CA-7 |
Continuous Monitoring |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| CA-7 |
Continuous Monitoring |
Protects |
T1008 |
Fallback Channels |
| CA-7 |
Continuous Monitoring |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| CA-7 |
Continuous Monitoring |
Protects |
T1021.005 |
VNC |
| CA-7 |
Continuous Monitoring |
Protects |
T1029 |
Scheduled Transfer |
| CA-7 |
Continuous Monitoring |
Protects |
T1030 |
Data Transfer Size Limits |
| CA-7 |
Continuous Monitoring |
Protects |
T1036 |
Masquerading |
| CA-7 |
Continuous Monitoring |
Protects |
T1036.003 |
Rename System Utilities |
| CA-7 |
Continuous Monitoring |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| CA-7 |
Continuous Monitoring |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| CA-7 |
Continuous Monitoring |
Protects |
T1037.002 |
Logon Script (Mac) |
| CA-7 |
Continuous Monitoring |
Protects |
T1037.003 |
Network Logon Script |
| CA-7 |
Continuous Monitoring |
Protects |
T1037.004 |
RC Scripts |
| CA-7 |
Continuous Monitoring |
Protects |
T1037.005 |
Startup Items |
| CA-7 |
Continuous Monitoring |
Protects |
T1041 |
Exfiltration Over C2 Channel |
| CA-7 |
Continuous Monitoring |
Protects |
T1046 |
Network Service Scanning |
| CA-7 |
Continuous Monitoring |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1053.006 |
Systemd Timers |
| CA-7 |
Continuous Monitoring |
Protects |
T1055.009 |
Proc Memory |
| CA-7 |
Continuous Monitoring |
Protects |
T1056.002 |
GUI Input Capture |
| CA-7 |
Continuous Monitoring |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CA-7 |
Continuous Monitoring |
Protects |
T1070 |
Indicator Removal on Host |
| CA-7 |
Continuous Monitoring |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CA-7 |
Continuous Monitoring |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CA-7 |
Continuous Monitoring |
Protects |
T1070.003 |
Clear Command History |
| CA-7 |
Continuous Monitoring |
Protects |
T1071 |
Application Layer Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1071.001 |
Web Protocols |
| CA-7 |
Continuous Monitoring |
Protects |
T1071.002 |
File Transfer Protocols |
| CA-7 |
Continuous Monitoring |
Protects |
T1071.003 |
Mail Protocols |
| CA-7 |
Continuous Monitoring |
Protects |
T1071.004 |
DNS |
| CA-7 |
Continuous Monitoring |
Protects |
T1072 |
Software Deployment Tools |
| CA-7 |
Continuous Monitoring |
Protects |
T1078 |
Valid Accounts |
| CA-7 |
Continuous Monitoring |
Protects |
T1078.001 |
Default Accounts |
| CA-7 |
Continuous Monitoring |
Protects |
T1078.003 |
Local Accounts |
| CA-7 |
Continuous Monitoring |
Protects |
T1078.004 |
Cloud Accounts |
| CA-7 |
Continuous Monitoring |
Protects |
T1080 |
Taint Shared Content |
| CA-7 |
Continuous Monitoring |
Protects |
T1090 |
Proxy |
| CA-7 |
Continuous Monitoring |
Protects |
T1090.001 |
Internal Proxy |
| CA-7 |
Continuous Monitoring |
Protects |
T1090.002 |
External Proxy |
| CA-7 |
Continuous Monitoring |
Protects |
T1090.003 |
Multi-hop Proxy |
| CA-7 |
Continuous Monitoring |
Protects |
T1095 |
Non-Application Layer Protocol |
| CA-7 |
Continuous Monitoring |
Protects |
T1102 |
Web Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1102.001 |
Dead Drop Resolver |
| CA-7 |
Continuous Monitoring |
Protects |
T1102.002 |
Bidirectional Communication |
| CA-7 |
Continuous Monitoring |
Protects |
T1102.003 |
One-Way Communication |
| CA-7 |
Continuous Monitoring |
Protects |
T1104 |
Multi-Stage Channels |
| CA-7 |
Continuous Monitoring |
Protects |
T1105 |
Ingress Tool Transfer |
| CA-7 |
Continuous Monitoring |
Protects |
T1110 |
Brute Force |
| CA-7 |
Continuous Monitoring |
Protects |
T1110.001 |
Password Guessing |
| CA-7 |
Continuous Monitoring |
Protects |
T1110.002 |
Password Cracking |
| CA-7 |
Continuous Monitoring |
Protects |
T1110.003 |
Password Spraying |
| CA-7 |
Continuous Monitoring |
Protects |
T1110.004 |
Credential Stuffing |
| CA-7 |
Continuous Monitoring |
Protects |
T1111 |
Two-Factor Authentication Interception |
| CA-7 |
Continuous Monitoring |
Protects |
T1132 |
Data Encoding |
| CA-7 |
Continuous Monitoring |
Protects |
T1132.001 |
Standard Encoding |
| CA-7 |
Continuous Monitoring |
Protects |
T1132.002 |
Non-Standard Encoding |
| CA-7 |
Continuous Monitoring |
Protects |
T1176 |
Browser Extensions |
| CA-7 |
Continuous Monitoring |
Protects |
T1185 |
Man in the Browser |
| CA-7 |
Continuous Monitoring |
Protects |
T1187 |
Forced Authentication |
| CA-7 |
Continuous Monitoring |
Protects |
T1189 |
Drive-by Compromise |
| CA-7 |
Continuous Monitoring |
Protects |
T1190 |
Exploit Public-Facing Application |
| CA-7 |
Continuous Monitoring |
Protects |
T1195 |
Supply Chain Compromise |
| CA-7 |
Continuous Monitoring |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| CA-7 |
Continuous Monitoring |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| CA-7 |
Continuous Monitoring |
Protects |
T1197 |
BITS Jobs |
| CA-7 |
Continuous Monitoring |
Protects |
T1201 |
Password Policy Discovery |
| CA-7 |
Continuous Monitoring |
Protects |
T1203 |
Exploitation for Client Execution |
| CA-7 |
Continuous Monitoring |
Protects |
T1204 |
User Execution |
| CA-7 |
Continuous Monitoring |
Protects |
T1204.001 |
Malicious Link |
| CA-7 |
Continuous Monitoring |
Protects |
T1204.002 |
Malicious File |
| CA-7 |
Continuous Monitoring |
Protects |
T1204.003 |
Malicious Image |
| CA-7 |
Continuous Monitoring |
Protects |
T1205 |
Traffic Signaling |
| CA-7 |
Continuous Monitoring |
Protects |
T1205.001 |
Port Knocking |
| CA-7 |
Continuous Monitoring |
Protects |
T1210 |
Exploitation of Remote Services |
| CA-7 |
Continuous Monitoring |
Protects |
T1211 |
Exploitation for Defense Evasion |
| CA-7 |
Continuous Monitoring |
Protects |
T1212 |
Exploitation for Credential Access |
| CA-7 |
Continuous Monitoring |
Protects |
T1213 |
Data from Information Repositories |
| CA-7 |
Continuous Monitoring |
Protects |
T1213.001 |
Confluence |
| CA-7 |
Continuous Monitoring |
Protects |
T1213.002 |
Sharepoint |
| CA-7 |
Continuous Monitoring |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CA-7 |
Continuous Monitoring |
Protects |
T1218.002 |
Control Panel |
| CA-7 |
Continuous Monitoring |
Protects |
T1218.010 |
Regsvr32 |
| CA-7 |
Continuous Monitoring |
Protects |
T1218.011 |
Rundll32 |
| CA-7 |
Continuous Monitoring |
Protects |
T1218.012 |
Verclsid |
| CA-7 |
Continuous Monitoring |
Protects |
T1219 |
Remote Access Software |
| CA-7 |
Continuous Monitoring |
Protects |
T1221 |
Template Injection |
| CA-7 |
Continuous Monitoring |
Protects |
T1222 |
File and Directory Permissions Modification |
| CA-7 |
Continuous Monitoring |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| CA-7 |
Continuous Monitoring |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| CA-7 |
Continuous Monitoring |
Protects |
T1489 |
Service Stop |
| CA-7 |
Continuous Monitoring |
Protects |
T1498 |
Network Denial of Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1498.001 |
Direct Network Flood |
| CA-7 |
Continuous Monitoring |
Protects |
T1498.002 |
Reflection Amplification |
| CA-7 |
Continuous Monitoring |
Protects |
T1499 |
Endpoint Denial of Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1499.001 |
OS Exhaustion Flood |
| CA-7 |
Continuous Monitoring |
Protects |
T1499.002 |
Service Exhaustion Flood |
| CA-7 |
Continuous Monitoring |
Protects |
T1499.003 |
Application Exhaustion Flood |
| CA-7 |
Continuous Monitoring |
Protects |
T1499.004 |
Application or System Exploitation |
| CA-7 |
Continuous Monitoring |
Protects |
T1528 |
Steal Application Access Token |
| CA-7 |
Continuous Monitoring |
Protects |
T1530 |
Data from Cloud Storage Object |
| CA-7 |
Continuous Monitoring |
Protects |
T1537 |
Transfer Data to Cloud Account |
| CA-7 |
Continuous Monitoring |
Protects |
T1539 |
Steal Web Session Cookie |
| CA-7 |
Continuous Monitoring |
Protects |
T1542.004 |
ROMMONkit |
| CA-7 |
Continuous Monitoring |
Protects |
T1542.005 |
TFTP Boot |
| CA-7 |
Continuous Monitoring |
Protects |
T1543 |
Create or Modify System Process |
| CA-7 |
Continuous Monitoring |
Protects |
T1543.002 |
Systemd Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| CA-7 |
Continuous Monitoring |
Protects |
T1546.013 |
PowerShell Profile |
| CA-7 |
Continuous Monitoring |
Protects |
T1547.003 |
Time Providers |
| CA-7 |
Continuous Monitoring |
Protects |
T1547.011 |
Plist Modification |
| CA-7 |
Continuous Monitoring |
Protects |
T1547.013 |
XDG Autostart Entries |
| CA-7 |
Continuous Monitoring |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CA-7 |
Continuous Monitoring |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| CA-7 |
Continuous Monitoring |
Protects |
T1550.003 |
Pass the Ticket |
| CA-7 |
Continuous Monitoring |
Protects |
T1552 |
Unsecured Credentials |
| CA-7 |
Continuous Monitoring |
Protects |
T1552.001 |
Credentials In Files |
| CA-7 |
Continuous Monitoring |
Protects |
T1552.002 |
Credentials in Registry |
| CA-7 |
Continuous Monitoring |
Protects |
T1552.004 |
Private Keys |
| CA-7 |
Continuous Monitoring |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| CA-7 |
Continuous Monitoring |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| CA-7 |
Continuous Monitoring |
Protects |
T1555 |
Credentials from Password Stores |
| CA-7 |
Continuous Monitoring |
Protects |
T1555.001 |
Keychain |
| CA-7 |
Continuous Monitoring |
Protects |
T1555.002 |
Securityd Memory |
| CA-7 |
Continuous Monitoring |
Protects |
T1556 |
Modify Authentication Process |
| CA-7 |
Continuous Monitoring |
Protects |
T1556.001 |
Domain Controller Authentication |
| CA-7 |
Continuous Monitoring |
Protects |
T1557 |
Man-in-the-Middle |
| CA-7 |
Continuous Monitoring |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| CA-7 |
Continuous Monitoring |
Protects |
T1557.002 |
ARP Cache Poisoning |
| CA-7 |
Continuous Monitoring |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| CA-7 |
Continuous Monitoring |
Protects |
T1558.002 |
Silver Ticket |
| CA-7 |
Continuous Monitoring |
Protects |
T1558.003 |
Kerberoasting |
| CA-7 |
Continuous Monitoring |
Protects |
T1558.004 |
AS-REP Roasting |
| CA-7 |
Continuous Monitoring |
Protects |
T1562 |
Impair Defenses |
| CA-7 |
Continuous Monitoring |
Protects |
T1562.001 |
Disable or Modify Tools |
| CA-7 |
Continuous Monitoring |
Protects |
T1562.002 |
Disable Windows Event Logging |
| CA-7 |
Continuous Monitoring |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| CA-7 |
Continuous Monitoring |
Protects |
T1562.006 |
Indicator Blocking |
| CA-7 |
Continuous Monitoring |
Protects |
T1563.001 |
SSH Hijacking |
| CA-7 |
Continuous Monitoring |
Protects |
T1564.004 |
NTFS File Attributes |
| CA-7 |
Continuous Monitoring |
Protects |
T1565 |
Data Manipulation |
| CA-7 |
Continuous Monitoring |
Protects |
T1565.001 |
Stored Data Manipulation |
| CA-7 |
Continuous Monitoring |
Protects |
T1565.003 |
Runtime Data Manipulation |
| CA-7 |
Continuous Monitoring |
Protects |
T1566 |
Phishing |
| CA-7 |
Continuous Monitoring |
Protects |
T1566.001 |
Spearphishing Attachment |
| CA-7 |
Continuous Monitoring |
Protects |
T1566.002 |
Spearphishing Link |
| CA-7 |
Continuous Monitoring |
Protects |
T1566.003 |
Spearphishing via Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1568 |
Dynamic Resolution |
| CA-7 |
Continuous Monitoring |
Protects |
T1568.002 |
Domain Generation Algorithms |
| CA-7 |
Continuous Monitoring |
Protects |
T1569 |
System Services |
| CA-7 |
Continuous Monitoring |
Protects |
T1569.002 |
Service Execution |
| CA-7 |
Continuous Monitoring |
Protects |
T1570 |
Lateral Tool Transfer |
| CA-7 |
Continuous Monitoring |
Protects |
T1571 |
Non-Standard Port |
| CA-7 |
Continuous Monitoring |
Protects |
T1572 |
Protocol Tunneling |
| CA-7 |
Continuous Monitoring |
Protects |
T1573 |
Encrypted Channel |
| CA-7 |
Continuous Monitoring |
Protects |
T1573.001 |
Symmetric Cryptography |
| CA-7 |
Continuous Monitoring |
Protects |
T1573.002 |
Asymmetric Cryptography |
| CA-7 |
Continuous Monitoring |
Protects |
T1574 |
Hijack Execution Flow |
| CA-7 |
Continuous Monitoring |
Protects |
T1574.004 |
Dylib Hijacking |
| CA-7 |
Continuous Monitoring |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CA-7 |
Continuous Monitoring |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CA-7 |
Continuous Monitoring |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CA-7 |
Continuous Monitoring |
Protects |
T1598 |
Phishing for Information |
| CA-7 |
Continuous Monitoring |
Protects |
T1598.001 |
Spearphishing Service |
| CA-7 |
Continuous Monitoring |
Protects |
T1598.002 |
Spearphishing Attachment |
| CA-7 |
Continuous Monitoring |
Protects |
T1598.003 |
Spearphishing Link |
| CA-7 |
Continuous Monitoring |
Protects |
T1599 |
Network Boundary Bridging |
| CA-7 |
Continuous Monitoring |
Protects |
T1599.001 |
Network Address Translation Traversal |
| CA-7 |
Continuous Monitoring |
Protects |
T1602 |
Data from Configuration Repository |
| CA-7 |
Continuous Monitoring |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| CA-7 |
Continuous Monitoring |
Protects |
T1602.002 |
Network Device Configuration Dump |
| CA-8 |
Penetration Testing |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CA-8 |
Penetration Testing |
Protects |
T1021.005 |
VNC |
| CA-8 |
Penetration Testing |
Protects |
T1053 |
Scheduled Task/Job |
| CA-8 |
Penetration Testing |
Protects |
T1053.001 |
At (Linux) |
| CA-8 |
Penetration Testing |
Protects |
T1053.002 |
At (Windows) |
| CA-8 |
Penetration Testing |
Protects |
T1053.003 |
Cron |
| CA-8 |
Penetration Testing |
Protects |
T1053.004 |
Launchd |
| CA-8 |
Penetration Testing |
Protects |
T1053.005 |
Scheduled Task |
| CA-8 |
Penetration Testing |
Protects |
T1059 |
Command and Scripting Interpreter |
| CA-8 |
Penetration Testing |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CA-8 |
Penetration Testing |
Protects |
T1078 |
Valid Accounts |
| CA-8 |
Penetration Testing |
Protects |
T1176 |
Browser Extensions |
| CA-8 |
Penetration Testing |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| CA-8 |
Penetration Testing |
Protects |
T1204.003 |
Malicious Image |
| CA-8 |
Penetration Testing |
Protects |
T1210 |
Exploitation of Remote Services |
| CA-8 |
Penetration Testing |
Protects |
T1211 |
Exploitation for Defense Evasion |
| CA-8 |
Penetration Testing |
Protects |
T1212 |
Exploitation for Credential Access |
| CA-8 |
Penetration Testing |
Protects |
T1213 |
Data from Information Repositories |
| CA-8 |
Penetration Testing |
Protects |
T1213.001 |
Confluence |
| CA-8 |
Penetration Testing |
Protects |
T1213.002 |
Sharepoint |
| CA-8 |
Penetration Testing |
Protects |
T1482 |
Domain Trust Discovery |
| CA-8 |
Penetration Testing |
Protects |
T1484 |
Domain Policy Modification |
| CA-8 |
Penetration Testing |
Protects |
T1495 |
Firmware Corruption |
| CA-8 |
Penetration Testing |
Protects |
T1505 |
Server Software Component |
| CA-8 |
Penetration Testing |
Protects |
T1505.001 |
SQL Stored Procedures |
| CA-8 |
Penetration Testing |
Protects |
T1505.002 |
Transport Agent |
| CA-8 |
Penetration Testing |
Protects |
T1525 |
Implant Internal Image |
| CA-8 |
Penetration Testing |
Protects |
T1528 |
Steal Application Access Token |
| CA-8 |
Penetration Testing |
Protects |
T1530 |
Data from Cloud Storage Object |
| CA-8 |
Penetration Testing |
Protects |
T1542 |
Pre-OS Boot |
| CA-8 |
Penetration Testing |
Protects |
T1542.001 |
System Firmware |
| CA-8 |
Penetration Testing |
Protects |
T1542.003 |
Bootkit |
| CA-8 |
Penetration Testing |
Protects |
T1542.004 |
ROMMONkit |
| CA-8 |
Penetration Testing |
Protects |
T1542.005 |
TFTP Boot |
| CA-8 |
Penetration Testing |
Protects |
T1543 |
Create or Modify System Process |
| CA-8 |
Penetration Testing |
Protects |
T1543.003 |
Windows Service |
| CA-8 |
Penetration Testing |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CA-8 |
Penetration Testing |
Protects |
T1548.002 |
Bypass User Account Control |
| CA-8 |
Penetration Testing |
Protects |
T1550.001 |
Application Access Token |
| CA-8 |
Penetration Testing |
Protects |
T1552 |
Unsecured Credentials |
| CA-8 |
Penetration Testing |
Protects |
T1552.001 |
Credentials In Files |
| CA-8 |
Penetration Testing |
Protects |
T1552.002 |
Credentials in Registry |
| CA-8 |
Penetration Testing |
Protects |
T1552.004 |
Private Keys |
| CA-8 |
Penetration Testing |
Protects |
T1552.006 |
Group Policy Preferences |
| CA-8 |
Penetration Testing |
Protects |
T1553 |
Subvert Trust Controls |
| CA-8 |
Penetration Testing |
Protects |
T1553.006 |
Code Signing Policy Modification |
| CA-8 |
Penetration Testing |
Protects |
T1554 |
Compromise Client Software Binary |
| CA-8 |
Penetration Testing |
Protects |
T1558.004 |
AS-REP Roasting |
| CA-8 |
Penetration Testing |
Protects |
T1560 |
Archive Collected Data |
| CA-8 |
Penetration Testing |
Protects |
T1560.001 |
Archive via Utility |
| CA-8 |
Penetration Testing |
Protects |
T1562 |
Impair Defenses |
| CA-8 |
Penetration Testing |
Protects |
T1563 |
Remote Service Session Hijacking |
| CA-8 |
Penetration Testing |
Protects |
T1574 |
Hijack Execution Flow |
| CA-8 |
Penetration Testing |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| CA-8 |
Penetration Testing |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| CA-8 |
Penetration Testing |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CA-8 |
Penetration Testing |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CA-8 |
Penetration Testing |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CA-8 |
Penetration Testing |
Protects |
T1574.010 |
Services File Permissions Weakness |
| CA-8 |
Penetration Testing |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| CA-8 |
Penetration Testing |
Protects |
T1578.001 |
Create Snapshot |
| CA-8 |
Penetration Testing |
Protects |
T1578.002 |
Create Cloud Instance |
| CA-8 |
Penetration Testing |
Protects |
T1578.003 |
Delete Cloud Instance |
| CA-8 |
Penetration Testing |
Protects |
T1601 |
Modify System Image |
| CA-8 |
Penetration Testing |
Protects |
T1601.001 |
Patch System Image |
| CA-8 |
Penetration Testing |
Protects |
T1601.002 |
Downgrade System Image |
| CA-8 |
Penetration Testing |
Protects |
T1612 |
Build Image on Host |
| CM-10 |
Software Usage Restrictions |
Protects |
T1546.008 |
Accessibility Features |
| CM-10 |
Software Usage Restrictions |
Protects |
T1546.013 |
PowerShell Profile |
| CM-10 |
Software Usage Restrictions |
Protects |
T1550.001 |
Application Access Token |
| CM-10 |
Software Usage Restrictions |
Protects |
T1553 |
Subvert Trust Controls |
| CM-10 |
Software Usage Restrictions |
Protects |
T1553.004 |
Install Root Certificate |
| CM-10 |
Software Usage Restrictions |
Protects |
T1559 |
Inter-Process Communication |
| CM-10 |
Software Usage Restrictions |
Protects |
T1559.002 |
Dynamic Data Exchange |
| CM-11 |
User-installed Software |
Protects |
T1021.005 |
VNC |
| CM-11 |
User-installed Software |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-11 |
User-installed Software |
Protects |
T1059.006 |
Python |
| CM-11 |
User-installed Software |
Protects |
T1176 |
Browser Extensions |
| CM-11 |
User-installed Software |
Protects |
T1195 |
Supply Chain Compromise |
| CM-11 |
User-installed Software |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| CM-11 |
User-installed Software |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| CM-11 |
User-installed Software |
Protects |
T1505 |
Server Software Component |
| CM-11 |
User-installed Software |
Protects |
T1505.001 |
SQL Stored Procedures |
| CM-11 |
User-installed Software |
Protects |
T1505.002 |
Transport Agent |
| CM-11 |
User-installed Software |
Protects |
T1543 |
Create or Modify System Process |
| CM-11 |
User-installed Software |
Protects |
T1543.001 |
Launch Agent |
| CM-11 |
User-installed Software |
Protects |
T1543.002 |
Systemd Service |
| CM-11 |
User-installed Software |
Protects |
T1543.003 |
Windows Service |
| CM-11 |
User-installed Software |
Protects |
T1543.004 |
Launch Daemon |
| CM-11 |
User-installed Software |
Protects |
T1547.013 |
XDG Autostart Entries |
| CM-11 |
User-installed Software |
Protects |
T1550.001 |
Application Access Token |
| CM-11 |
User-installed Software |
Protects |
T1569 |
System Services |
| CM-11 |
User-installed Software |
Protects |
T1569.001 |
Launchctl |
| CM-2 |
Baseline Configuration |
Protects |
T1001 |
Data Obfuscation |
| CM-2 |
Baseline Configuration |
Protects |
T1001.001 |
Junk Data |
| CM-2 |
Baseline Configuration |
Protects |
T1001.002 |
Steganography |
| CM-2 |
Baseline Configuration |
Protects |
T1001.003 |
Protocol Impersonation |
| CM-2 |
Baseline Configuration |
Protects |
T1003 |
OS Credential Dumping |
| CM-2 |
Baseline Configuration |
Protects |
T1003.001 |
LSASS Memory |
| CM-2 |
Baseline Configuration |
Protects |
T1003.002 |
Security Account Manager |
| CM-2 |
Baseline Configuration |
Protects |
T1003.003 |
NTDS |
| CM-2 |
Baseline Configuration |
Protects |
T1003.004 |
LSA Secrets |
| CM-2 |
Baseline Configuration |
Protects |
T1003.005 |
Cached Domain Credentials |
| CM-2 |
Baseline Configuration |
Protects |
T1003.006 |
DCSync |
| CM-2 |
Baseline Configuration |
Protects |
T1003.007 |
Proc Filesystem |
| CM-2 |
Baseline Configuration |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| CM-2 |
Baseline Configuration |
Protects |
T1008 |
Fallback Channels |
| CM-2 |
Baseline Configuration |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| CM-2 |
Baseline Configuration |
Protects |
T1020.001 |
Traffic Duplication |
| CM-2 |
Baseline Configuration |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| CM-2 |
Baseline Configuration |
Protects |
T1021.003 |
Distributed Component Object Model |
| CM-2 |
Baseline Configuration |
Protects |
T1021.004 |
SSH |
| CM-2 |
Baseline Configuration |
Protects |
T1021.005 |
VNC |
| CM-2 |
Baseline Configuration |
Protects |
T1021.006 |
Windows Remote Management |
| CM-2 |
Baseline Configuration |
Protects |
T1029 |
Scheduled Transfer |
| CM-2 |
Baseline Configuration |
Protects |
T1030 |
Data Transfer Size Limits |
| CM-2 |
Baseline Configuration |
Protects |
T1036 |
Masquerading |
| CM-2 |
Baseline Configuration |
Protects |
T1036.001 |
Invalid Code Signature |
| CM-2 |
Baseline Configuration |
Protects |
T1036.003 |
Rename System Utilities |
| CM-2 |
Baseline Configuration |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| CM-2 |
Baseline Configuration |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| CM-2 |
Baseline Configuration |
Protects |
T1037.002 |
Logon Script (Mac) |
| CM-2 |
Baseline Configuration |
Protects |
T1037.003 |
Network Logon Script |
| CM-2 |
Baseline Configuration |
Protects |
T1037.004 |
RC Scripts |
| CM-2 |
Baseline Configuration |
Protects |
T1037.005 |
Startup Items |
| CM-2 |
Baseline Configuration |
Protects |
T1046 |
Network Service Scanning |
| CM-2 |
Baseline Configuration |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| CM-2 |
Baseline Configuration |
Protects |
T1052.001 |
Exfiltration over USB |
| CM-2 |
Baseline Configuration |
Protects |
T1053 |
Scheduled Task/Job |
| CM-2 |
Baseline Configuration |
Protects |
T1053.002 |
At (Windows) |
| CM-2 |
Baseline Configuration |
Protects |
T1053.005 |
Scheduled Task |
| CM-2 |
Baseline Configuration |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-2 |
Baseline Configuration |
Protects |
T1059.001 |
PowerShell |
| CM-2 |
Baseline Configuration |
Protects |
T1059.002 |
AppleScript |
| CM-2 |
Baseline Configuration |
Protects |
T1059.005 |
Visual Basic |
| CM-2 |
Baseline Configuration |
Protects |
T1059.007 |
JavaScript |
| CM-2 |
Baseline Configuration |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CM-2 |
Baseline Configuration |
Protects |
T1070 |
Indicator Removal on Host |
| CM-2 |
Baseline Configuration |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CM-2 |
Baseline Configuration |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CM-2 |
Baseline Configuration |
Protects |
T1070.003 |
Clear Command History |
| CM-2 |
Baseline Configuration |
Protects |
T1071 |
Application Layer Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1071.001 |
Web Protocols |
| CM-2 |
Baseline Configuration |
Protects |
T1071.002 |
File Transfer Protocols |
| CM-2 |
Baseline Configuration |
Protects |
T1071.003 |
Mail Protocols |
| CM-2 |
Baseline Configuration |
Protects |
T1071.004 |
DNS |
| CM-2 |
Baseline Configuration |
Protects |
T1072 |
Software Deployment Tools |
| CM-2 |
Baseline Configuration |
Protects |
T1080 |
Taint Shared Content |
| CM-2 |
Baseline Configuration |
Protects |
T1090 |
Proxy |
| CM-2 |
Baseline Configuration |
Protects |
T1090.001 |
Internal Proxy |
| CM-2 |
Baseline Configuration |
Protects |
T1090.002 |
External Proxy |
| CM-2 |
Baseline Configuration |
Protects |
T1091 |
Replication Through Removable Media |
| CM-2 |
Baseline Configuration |
Protects |
T1092 |
Communication Through Removable Media |
| CM-2 |
Baseline Configuration |
Protects |
T1095 |
Non-Application Layer Protocol |
| CM-2 |
Baseline Configuration |
Protects |
T1098.004 |
SSH Authorized Keys |
| CM-2 |
Baseline Configuration |
Protects |
T1102 |
Web Service |
| CM-2 |
Baseline Configuration |
Protects |
T1102.001 |
Dead Drop Resolver |
| CM-2 |
Baseline Configuration |
Protects |
T1102.002 |
Bidirectional Communication |
| CM-2 |
Baseline Configuration |
Protects |
T1102.003 |
One-Way Communication |
| CM-2 |
Baseline Configuration |
Protects |
T1104 |
Multi-Stage Channels |
| CM-2 |
Baseline Configuration |
Protects |
T1105 |
Ingress Tool Transfer |
| CM-2 |
Baseline Configuration |
Protects |
T1110 |
Brute Force |
| CM-2 |
Baseline Configuration |
Protects |
T1110.001 |
Password Guessing |
| CM-2 |
Baseline Configuration |
Protects |
T1110.002 |
Password Cracking |
| CM-2 |
Baseline Configuration |
Protects |
T1110.003 |
Password Spraying |
| CM-2 |
Baseline Configuration |
Protects |
T1110.004 |
Credential Stuffing |
| CM-2 |
Baseline Configuration |
Protects |
T1111 |
Two-Factor Authentication Interception |
| CM-2 |
Baseline Configuration |
Protects |
T1114 |
Email Collection |
| CM-2 |
Baseline Configuration |
Protects |
T1114.002 |
Remote Email Collection |
| CM-2 |
Baseline Configuration |
Protects |
T1119 |
Automated Collection |
| CM-2 |
Baseline Configuration |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1127.001 |
MSBuild |
| CM-2 |
Baseline Configuration |
Protects |
T1129 |
Shared Modules |
| CM-2 |
Baseline Configuration |
Protects |
T1132 |
Data Encoding |
| CM-2 |
Baseline Configuration |
Protects |
T1132.001 |
Standard Encoding |
| CM-2 |
Baseline Configuration |
Protects |
T1132.002 |
Non-Standard Encoding |
| CM-2 |
Baseline Configuration |
Protects |
T1133 |
External Remote Services |
| CM-2 |
Baseline Configuration |
Protects |
T1134.005 |
SID-History Injection |
| CM-2 |
Baseline Configuration |
Protects |
T1137 |
Office Application Startup |
| CM-2 |
Baseline Configuration |
Protects |
T1137.001 |
Office Template Macros |
| CM-2 |
Baseline Configuration |
Protects |
T1137.002 |
Office Test |
| CM-2 |
Baseline Configuration |
Protects |
T1137.003 |
Outlook Forms |
| CM-2 |
Baseline Configuration |
Protects |
T1137.004 |
Outlook Home Page |
| CM-2 |
Baseline Configuration |
Protects |
T1137.005 |
Outlook Rules |
| CM-2 |
Baseline Configuration |
Protects |
T1176 |
Browser Extensions |
| CM-2 |
Baseline Configuration |
Protects |
T1185 |
Man in the Browser |
| CM-2 |
Baseline Configuration |
Protects |
T1187 |
Forced Authentication |
| CM-2 |
Baseline Configuration |
Protects |
T1189 |
Drive-by Compromise |
| CM-2 |
Baseline Configuration |
Protects |
T1201 |
Password Policy Discovery |
| CM-2 |
Baseline Configuration |
Protects |
T1204 |
User Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1204.001 |
Malicious Link |
| CM-2 |
Baseline Configuration |
Protects |
T1204.002 |
Malicious File |
| CM-2 |
Baseline Configuration |
Protects |
T1204.003 |
Malicious Image |
| CM-2 |
Baseline Configuration |
Protects |
T1205 |
Traffic Signaling |
| CM-2 |
Baseline Configuration |
Protects |
T1210 |
Exploitation of Remote Services |
| CM-2 |
Baseline Configuration |
Protects |
T1211 |
Exploitation for Defense Evasion |
| CM-2 |
Baseline Configuration |
Protects |
T1212 |
Exploitation for Credential Access |
| CM-2 |
Baseline Configuration |
Protects |
T1213 |
Data from Information Repositories |
| CM-2 |
Baseline Configuration |
Protects |
T1213.001 |
Confluence |
| CM-2 |
Baseline Configuration |
Protects |
T1213.002 |
Sharepoint |
| CM-2 |
Baseline Configuration |
Protects |
T1216 |
Signed Script Proxy Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1216.001 |
PubPrn |
| CM-2 |
Baseline Configuration |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1218.001 |
Compiled HTML File |
| CM-2 |
Baseline Configuration |
Protects |
T1218.002 |
Control Panel |
| CM-2 |
Baseline Configuration |
Protects |
T1218.003 |
CMSTP |
| CM-2 |
Baseline Configuration |
Protects |
T1218.004 |
InstallUtil |
| CM-2 |
Baseline Configuration |
Protects |
T1218.005 |
Mshta |
| CM-2 |
Baseline Configuration |
Protects |
T1218.007 |
Msiexec |
| CM-2 |
Baseline Configuration |
Protects |
T1218.008 |
Odbcconf |
| CM-2 |
Baseline Configuration |
Protects |
T1218.009 |
Regsvcs/Regasm |
| CM-2 |
Baseline Configuration |
Protects |
T1218.012 |
Verclsid |
| CM-2 |
Baseline Configuration |
Protects |
T1219 |
Remote Access Software |
| CM-2 |
Baseline Configuration |
Protects |
T1220 |
XSL Script Processing |
| CM-2 |
Baseline Configuration |
Protects |
T1221 |
Template Injection |
| CM-2 |
Baseline Configuration |
Protects |
T1484 |
Domain Policy Modification |
| CM-2 |
Baseline Configuration |
Protects |
T1485 |
Data Destruction |
| CM-2 |
Baseline Configuration |
Protects |
T1486 |
Data Encrypted for Impact |
| CM-2 |
Baseline Configuration |
Protects |
T1490 |
Inhibit System Recovery |
| CM-2 |
Baseline Configuration |
Protects |
T1491 |
Defacement |
| CM-2 |
Baseline Configuration |
Protects |
T1491.001 |
Internal Defacement |
| CM-2 |
Baseline Configuration |
Protects |
T1491.002 |
External Defacement |
| CM-2 |
Baseline Configuration |
Protects |
T1505 |
Server Software Component |
| CM-2 |
Baseline Configuration |
Protects |
T1505.001 |
SQL Stored Procedures |
| CM-2 |
Baseline Configuration |
Protects |
T1505.002 |
Transport Agent |
| CM-2 |
Baseline Configuration |
Protects |
T1525 |
Implant Internal Image |
| CM-2 |
Baseline Configuration |
Protects |
T1528 |
Steal Application Access Token |
| CM-2 |
Baseline Configuration |
Protects |
T1530 |
Data from Cloud Storage Object |
| CM-2 |
Baseline Configuration |
Protects |
T1539 |
Steal Web Session Cookie |
| CM-2 |
Baseline Configuration |
Protects |
T1542.004 |
ROMMONkit |
| CM-2 |
Baseline Configuration |
Protects |
T1542.005 |
TFTP Boot |
| CM-2 |
Baseline Configuration |
Protects |
T1543 |
Create or Modify System Process |
| CM-2 |
Baseline Configuration |
Protects |
T1543.002 |
Systemd Service |
| CM-2 |
Baseline Configuration |
Protects |
T1543.003 |
Windows Service |
| CM-2 |
Baseline Configuration |
Protects |
T1546 |
Event Triggered Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1546.002 |
Screensaver |
| CM-2 |
Baseline Configuration |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| CM-2 |
Baseline Configuration |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| CM-2 |
Baseline Configuration |
Protects |
T1546.010 |
AppInit DLLs |
| CM-2 |
Baseline Configuration |
Protects |
T1546.013 |
PowerShell Profile |
| CM-2 |
Baseline Configuration |
Protects |
T1546.014 |
Emond |
| CM-2 |
Baseline Configuration |
Protects |
T1547.003 |
Time Providers |
| CM-2 |
Baseline Configuration |
Protects |
T1547.007 |
Re-opened Applications |
| CM-2 |
Baseline Configuration |
Protects |
T1547.008 |
LSASS Driver |
| CM-2 |
Baseline Configuration |
Protects |
T1547.011 |
Plist Modification |
| CM-2 |
Baseline Configuration |
Protects |
T1547.013 |
XDG Autostart Entries |
| CM-2 |
Baseline Configuration |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CM-2 |
Baseline Configuration |
Protects |
T1548.002 |
Bypass User Account Control |
| CM-2 |
Baseline Configuration |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| CM-2 |
Baseline Configuration |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| CM-2 |
Baseline Configuration |
Protects |
T1550.001 |
Application Access Token |
| CM-2 |
Baseline Configuration |
Protects |
T1550.003 |
Pass the Ticket |
| CM-2 |
Baseline Configuration |
Protects |
T1552 |
Unsecured Credentials |
| CM-2 |
Baseline Configuration |
Protects |
T1552.001 |
Credentials In Files |
| CM-2 |
Baseline Configuration |
Protects |
T1552.004 |
Private Keys |
| CM-2 |
Baseline Configuration |
Protects |
T1552.006 |
Group Policy Preferences |
| CM-2 |
Baseline Configuration |
Protects |
T1553 |
Subvert Trust Controls |
| CM-2 |
Baseline Configuration |
Protects |
T1553.001 |
Gatekeeper Bypass |
| CM-2 |
Baseline Configuration |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| CM-2 |
Baseline Configuration |
Protects |
T1554 |
Compromise Client Software Binary |
| CM-2 |
Baseline Configuration |
Protects |
T1555.004 |
Windows Credential Manager |
| CM-2 |
Baseline Configuration |
Protects |
T1555.005 |
Password Managers |
| CM-2 |
Baseline Configuration |
Protects |
T1556 |
Modify Authentication Process |
| CM-2 |
Baseline Configuration |
Protects |
T1556.004 |
Network Device Authentication |
| CM-2 |
Baseline Configuration |
Protects |
T1557 |
Man-in-the-Middle |
| CM-2 |
Baseline Configuration |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| CM-2 |
Baseline Configuration |
Protects |
T1557.002 |
ARP Cache Poisoning |
| CM-2 |
Baseline Configuration |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| CM-2 |
Baseline Configuration |
Protects |
T1558.001 |
Golden Ticket |
| CM-2 |
Baseline Configuration |
Protects |
T1558.002 |
Silver Ticket |
| CM-2 |
Baseline Configuration |
Protects |
T1558.003 |
Kerberoasting |
| CM-2 |
Baseline Configuration |
Protects |
T1558.004 |
AS-REP Roasting |
| CM-2 |
Baseline Configuration |
Protects |
T1559 |
Inter-Process Communication |
| CM-2 |
Baseline Configuration |
Protects |
T1559.001 |
Component Object Model |
| CM-2 |
Baseline Configuration |
Protects |
T1559.002 |
Dynamic Data Exchange |
| CM-2 |
Baseline Configuration |
Protects |
T1561 |
Disk Wipe |
| CM-2 |
Baseline Configuration |
Protects |
T1561.001 |
Disk Content Wipe |
| CM-2 |
Baseline Configuration |
Protects |
T1561.002 |
Disk Structure Wipe |
| CM-2 |
Baseline Configuration |
Protects |
T1562 |
Impair Defenses |
| CM-2 |
Baseline Configuration |
Protects |
T1562.001 |
Disable or Modify Tools |
| CM-2 |
Baseline Configuration |
Protects |
T1562.002 |
Disable Windows Event Logging |
| CM-2 |
Baseline Configuration |
Protects |
T1562.003 |
Impair Command History Logging |
| CM-2 |
Baseline Configuration |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| CM-2 |
Baseline Configuration |
Protects |
T1562.006 |
Indicator Blocking |
| CM-2 |
Baseline Configuration |
Protects |
T1563 |
Remote Service Session Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1563.001 |
SSH Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1563.002 |
RDP Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1564.006 |
Run Virtual Instance |
| CM-2 |
Baseline Configuration |
Protects |
T1564.007 |
VBA Stomping |
| CM-2 |
Baseline Configuration |
Protects |
T1565 |
Data Manipulation |
| CM-2 |
Baseline Configuration |
Protects |
T1565.001 |
Stored Data Manipulation |
| CM-2 |
Baseline Configuration |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| CM-2 |
Baseline Configuration |
Protects |
T1566 |
Phishing |
| CM-2 |
Baseline Configuration |
Protects |
T1566.001 |
Spearphishing Attachment |
| CM-2 |
Baseline Configuration |
Protects |
T1566.002 |
Spearphishing Link |
| CM-2 |
Baseline Configuration |
Protects |
T1569 |
System Services |
| CM-2 |
Baseline Configuration |
Protects |
T1569.002 |
Service Execution |
| CM-2 |
Baseline Configuration |
Protects |
T1570 |
Lateral Tool Transfer |
| CM-2 |
Baseline Configuration |
Protects |
T1571 |
Non-Standard Port |
| CM-2 |
Baseline Configuration |
Protects |
T1572 |
Protocol Tunneling |
| CM-2 |
Baseline Configuration |
Protects |
T1573 |
Encrypted Channel |
| CM-2 |
Baseline Configuration |
Protects |
T1573.001 |
Symmetric Cryptography |
| CM-2 |
Baseline Configuration |
Protects |
T1573.002 |
Asymmetric Cryptography |
| CM-2 |
Baseline Configuration |
Protects |
T1574 |
Hijack Execution Flow |
| CM-2 |
Baseline Configuration |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1574.004 |
Dylib Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| CM-2 |
Baseline Configuration |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CM-2 |
Baseline Configuration |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CM-2 |
Baseline Configuration |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CM-2 |
Baseline Configuration |
Protects |
T1574.010 |
Services File Permissions Weakness |
| CM-2 |
Baseline Configuration |
Protects |
T1598 |
Phishing for Information |
| CM-2 |
Baseline Configuration |
Protects |
T1598.002 |
Spearphishing Attachment |
| CM-2 |
Baseline Configuration |
Protects |
T1598.003 |
Spearphishing Link |
| CM-2 |
Baseline Configuration |
Protects |
T1599 |
Network Boundary Bridging |
| CM-2 |
Baseline Configuration |
Protects |
T1599.001 |
Network Address Translation Traversal |
| CM-2 |
Baseline Configuration |
Protects |
T1601 |
Modify System Image |
| CM-2 |
Baseline Configuration |
Protects |
T1601.001 |
Patch System Image |
| CM-2 |
Baseline Configuration |
Protects |
T1601.002 |
Downgrade System Image |
| CM-2 |
Baseline Configuration |
Protects |
T1602 |
Data from Configuration Repository |
| CM-2 |
Baseline Configuration |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| CM-2 |
Baseline Configuration |
Protects |
T1602.002 |
Network Device Configuration Dump |
| CM-3 |
Configuration Change Control |
Protects |
T1021.005 |
VNC |
| CM-3 |
Configuration Change Control |
Protects |
T1059.006 |
Python |
| CM-3 |
Configuration Change Control |
Protects |
T1176 |
Browser Extensions |
| CM-3 |
Configuration Change Control |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| CM-3 |
Configuration Change Control |
Protects |
T1213 |
Data from Information Repositories |
| CM-3 |
Configuration Change Control |
Protects |
T1213.001 |
Confluence |
| CM-3 |
Configuration Change Control |
Protects |
T1213.002 |
Sharepoint |
| CM-3 |
Configuration Change Control |
Protects |
T1495 |
Firmware Corruption |
| CM-3 |
Configuration Change Control |
Protects |
T1542 |
Pre-OS Boot |
| CM-3 |
Configuration Change Control |
Protects |
T1542.001 |
System Firmware |
| CM-3 |
Configuration Change Control |
Protects |
T1542.003 |
Bootkit |
| CM-3 |
Configuration Change Control |
Protects |
T1542.004 |
ROMMONkit |
| CM-3 |
Configuration Change Control |
Protects |
T1542.005 |
TFTP Boot |
| CM-3 |
Configuration Change Control |
Protects |
T1543 |
Create or Modify System Process |
| CM-3 |
Configuration Change Control |
Protects |
T1543.002 |
Systemd Service |
| CM-3 |
Configuration Change Control |
Protects |
T1547.007 |
Re-opened Applications |
| CM-3 |
Configuration Change Control |
Protects |
T1547.011 |
Plist Modification |
| CM-3 |
Configuration Change Control |
Protects |
T1547.013 |
XDG Autostart Entries |
| CM-3 |
Configuration Change Control |
Protects |
T1553 |
Subvert Trust Controls |
| CM-3 |
Configuration Change Control |
Protects |
T1553.006 |
Code Signing Policy Modification |
| CM-3 |
Configuration Change Control |
Protects |
T1601 |
Modify System Image |
| CM-3 |
Configuration Change Control |
Protects |
T1601.001 |
Patch System Image |
| CM-3 |
Configuration Change Control |
Protects |
T1601.002 |
Downgrade System Image |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003 |
OS Credential Dumping |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.001 |
LSASS Memory |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.002 |
Security Account Manager |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.003 |
NTDS |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.004 |
LSA Secrets |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.005 |
Cached Domain Credentials |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.006 |
DCSync |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.007 |
Proc Filesystem |
| CM-5 |
Access Restrictions for Change |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021 |
Remote Services |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.003 |
Distributed Component Object Model |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.004 |
SSH |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.005 |
VNC |
| CM-5 |
Access Restrictions for Change |
Protects |
T1021.006 |
Windows Remote Management |
| CM-5 |
Access Restrictions for Change |
Protects |
T1047 |
Windows Management Instrumentation |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053 |
Scheduled Task/Job |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.001 |
At (Linux) |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.002 |
At (Windows) |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.003 |
Cron |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.004 |
Launchd |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.005 |
Scheduled Task |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.006 |
Systemd Timers |
| CM-5 |
Access Restrictions for Change |
Protects |
T1053.007 |
Container Orchestration Job |
| CM-5 |
Access Restrictions for Change |
Protects |
T1055 |
Process Injection |
| CM-5 |
Access Restrictions for Change |
Protects |
T1055.008 |
Ptrace System Calls |
| CM-5 |
Access Restrictions for Change |
Protects |
T1056.003 |
Web Portal Capture |
| CM-5 |
Access Restrictions for Change |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-5 |
Access Restrictions for Change |
Protects |
T1059.001 |
PowerShell |
| CM-5 |
Access Restrictions for Change |
Protects |
T1059.006 |
Python |
| CM-5 |
Access Restrictions for Change |
Protects |
T1059.008 |
Network Device CLI |
| CM-5 |
Access Restrictions for Change |
Protects |
T1072 |
Software Deployment Tools |
| CM-5 |
Access Restrictions for Change |
Protects |
T1078 |
Valid Accounts |
| CM-5 |
Access Restrictions for Change |
Protects |
T1078.002 |
Domain Accounts |
| CM-5 |
Access Restrictions for Change |
Protects |
T1078.003 |
Local Accounts |
| CM-5 |
Access Restrictions for Change |
Protects |
T1078.004 |
Cloud Accounts |
| CM-5 |
Access Restrictions for Change |
Protects |
T1098 |
Account Manipulation |
| CM-5 |
Access Restrictions for Change |
Protects |
T1098.001 |
Additional Cloud Credentials |
| CM-5 |
Access Restrictions for Change |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| CM-5 |
Access Restrictions for Change |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| CM-5 |
Access Restrictions for Change |
Protects |
T1134 |
Access Token Manipulation |
| CM-5 |
Access Restrictions for Change |
Protects |
T1134.001 |
Token Impersonation/Theft |
| CM-5 |
Access Restrictions for Change |
Protects |
T1134.002 |
Create Process with Token |
| CM-5 |
Access Restrictions for Change |
Protects |
T1134.003 |
Make and Impersonate Token |
| CM-5 |
Access Restrictions for Change |
Protects |
T1136 |
Create Account |
| CM-5 |
Access Restrictions for Change |
Protects |
T1136.001 |
Local Account |
| CM-5 |
Access Restrictions for Change |
Protects |
T1136.002 |
Domain Account |
| CM-5 |
Access Restrictions for Change |
Protects |
T1136.003 |
Cloud Account |
| CM-5 |
Access Restrictions for Change |
Protects |
T1137.002 |
Office Test |
| CM-5 |
Access Restrictions for Change |
Protects |
T1176 |
Browser Extensions |
| CM-5 |
Access Restrictions for Change |
Protects |
T1185 |
Man in the Browser |
| CM-5 |
Access Restrictions for Change |
Protects |
T1190 |
Exploit Public-Facing Application |
| CM-5 |
Access Restrictions for Change |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| CM-5 |
Access Restrictions for Change |
Protects |
T1197 |
BITS Jobs |
| CM-5 |
Access Restrictions for Change |
Protects |
T1210 |
Exploitation of Remote Services |
| CM-5 |
Access Restrictions for Change |
Protects |
T1213 |
Data from Information Repositories |
| CM-5 |
Access Restrictions for Change |
Protects |
T1213.001 |
Confluence |
| CM-5 |
Access Restrictions for Change |
Protects |
T1213.002 |
Sharepoint |
| CM-5 |
Access Restrictions for Change |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CM-5 |
Access Restrictions for Change |
Protects |
T1218.007 |
Msiexec |
| CM-5 |
Access Restrictions for Change |
Protects |
T1222 |
File and Directory Permissions Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1484 |
Domain Policy Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1489 |
Service Stop |
| CM-5 |
Access Restrictions for Change |
Protects |
T1495 |
Firmware Corruption |
| CM-5 |
Access Restrictions for Change |
Protects |
T1505 |
Server Software Component |
| CM-5 |
Access Restrictions for Change |
Protects |
T1505.001 |
SQL Stored Procedures |
| CM-5 |
Access Restrictions for Change |
Protects |
T1505.002 |
Transport Agent |
| CM-5 |
Access Restrictions for Change |
Protects |
T1525 |
Implant Internal Image |
| CM-5 |
Access Restrictions for Change |
Protects |
T1528 |
Steal Application Access Token |
| CM-5 |
Access Restrictions for Change |
Protects |
T1530 |
Data from Cloud Storage Object |
| CM-5 |
Access Restrictions for Change |
Protects |
T1537 |
Transfer Data to Cloud Account |
| CM-5 |
Access Restrictions for Change |
Protects |
T1542 |
Pre-OS Boot |
| CM-5 |
Access Restrictions for Change |
Protects |
T1542.001 |
System Firmware |
| CM-5 |
Access Restrictions for Change |
Protects |
T1542.003 |
Bootkit |
| CM-5 |
Access Restrictions for Change |
Protects |
T1542.004 |
ROMMONkit |
| CM-5 |
Access Restrictions for Change |
Protects |
T1542.005 |
TFTP Boot |
| CM-5 |
Access Restrictions for Change |
Protects |
T1543 |
Create or Modify System Process |
| CM-5 |
Access Restrictions for Change |
Protects |
T1543.001 |
Launch Agent |
| CM-5 |
Access Restrictions for Change |
Protects |
T1543.002 |
Systemd Service |
| CM-5 |
Access Restrictions for Change |
Protects |
T1543.003 |
Windows Service |
| CM-5 |
Access Restrictions for Change |
Protects |
T1543.004 |
Launch Daemon |
| CM-5 |
Access Restrictions for Change |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.003 |
Time Providers |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.004 |
Winlogon Helper DLL |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.007 |
Re-opened Applications |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.009 |
Shortcut Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.011 |
Plist Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.012 |
Print Processors |
| CM-5 |
Access Restrictions for Change |
Protects |
T1547.013 |
XDG Autostart Entries |
| CM-5 |
Access Restrictions for Change |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CM-5 |
Access Restrictions for Change |
Protects |
T1548.002 |
Bypass User Account Control |
| CM-5 |
Access Restrictions for Change |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| CM-5 |
Access Restrictions for Change |
Protects |
T1550 |
Use Alternate Authentication Material |
| CM-5 |
Access Restrictions for Change |
Protects |
T1550.002 |
Pass the Hash |
| CM-5 |
Access Restrictions for Change |
Protects |
T1550.003 |
Pass the Ticket |
| CM-5 |
Access Restrictions for Change |
Protects |
T1552 |
Unsecured Credentials |
| CM-5 |
Access Restrictions for Change |
Protects |
T1552.002 |
Credentials in Registry |
| CM-5 |
Access Restrictions for Change |
Protects |
T1552.007 |
Container API |
| CM-5 |
Access Restrictions for Change |
Protects |
T1553 |
Subvert Trust Controls |
| CM-5 |
Access Restrictions for Change |
Protects |
T1553.006 |
Code Signing Policy Modification |
| CM-5 |
Access Restrictions for Change |
Protects |
T1556 |
Modify Authentication Process |
| CM-5 |
Access Restrictions for Change |
Protects |
T1556.001 |
Domain Controller Authentication |
| CM-5 |
Access Restrictions for Change |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| CM-5 |
Access Restrictions for Change |
Protects |
T1556.004 |
Network Device Authentication |
| CM-5 |
Access Restrictions for Change |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| CM-5 |
Access Restrictions for Change |
Protects |
T1558.001 |
Golden Ticket |
| CM-5 |
Access Restrictions for Change |
Protects |
T1558.002 |
Silver Ticket |
| CM-5 |
Access Restrictions for Change |
Protects |
T1558.003 |
Kerberoasting |
| CM-5 |
Access Restrictions for Change |
Protects |
T1559 |
Inter-Process Communication |
| CM-5 |
Access Restrictions for Change |
Protects |
T1559.001 |
Component Object Model |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562 |
Impair Defenses |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.001 |
Disable or Modify Tools |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.002 |
Disable Windows Event Logging |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.006 |
Indicator Blocking |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| CM-5 |
Access Restrictions for Change |
Protects |
T1562.008 |
Disable Cloud Logs |
| CM-5 |
Access Restrictions for Change |
Protects |
T1563 |
Remote Service Session Hijacking |
| CM-5 |
Access Restrictions for Change |
Protects |
T1563.001 |
SSH Hijacking |
| CM-5 |
Access Restrictions for Change |
Protects |
T1563.002 |
RDP Hijacking |
| CM-5 |
Access Restrictions for Change |
Protects |
T1569 |
System Services |
| CM-5 |
Access Restrictions for Change |
Protects |
T1569.001 |
Launchctl |
| CM-5 |
Access Restrictions for Change |
Protects |
T1569.002 |
Service Execution |
| CM-5 |
Access Restrictions for Change |
Protects |
T1574 |
Hijack Execution Flow |
| CM-5 |
Access Restrictions for Change |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| CM-5 |
Access Restrictions for Change |
Protects |
T1574.010 |
Services File Permissions Weakness |
| CM-5 |
Access Restrictions for Change |
Protects |
T1574.011 |
Services Registry Permissions Weakness |
| CM-5 |
Access Restrictions for Change |
Protects |
T1574.012 |
COR_PROFILER |
| CM-5 |
Access Restrictions for Change |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| CM-5 |
Access Restrictions for Change |
Protects |
T1578.001 |
Create Snapshot |
| CM-5 |
Access Restrictions for Change |
Protects |
T1578.002 |
Create Cloud Instance |
| CM-5 |
Access Restrictions for Change |
Protects |
T1578.003 |
Delete Cloud Instance |
| CM-5 |
Access Restrictions for Change |
Protects |
T1599 |
Network Boundary Bridging |
| CM-5 |
Access Restrictions for Change |
Protects |
T1599.001 |
Network Address Translation Traversal |
| CM-5 |
Access Restrictions for Change |
Protects |
T1601 |
Modify System Image |
| CM-5 |
Access Restrictions for Change |
Protects |
T1601.001 |
Patch System Image |
| CM-5 |
Access Restrictions for Change |
Protects |
T1601.002 |
Downgrade System Image |
| CM-5 |
Access Restrictions for Change |
Protects |
T1611 |
Escape to Host |
| CM-6 |
Configuration Settings |
Protects |
T1001 |
Data Obfuscation |
| CM-6 |
Configuration Settings |
Protects |
T1001.001 |
Junk Data |
| CM-6 |
Configuration Settings |
Protects |
T1001.002 |
Steganography |
| CM-6 |
Configuration Settings |
Protects |
T1001.003 |
Protocol Impersonation |
| CM-6 |
Configuration Settings |
Protects |
T1003 |
OS Credential Dumping |
| CM-6 |
Configuration Settings |
Protects |
T1003.001 |
LSASS Memory |
| CM-6 |
Configuration Settings |
Protects |
T1003.002 |
Security Account Manager |
| CM-6 |
Configuration Settings |
Protects |
T1003.003 |
NTDS |
| CM-6 |
Configuration Settings |
Protects |
T1003.004 |
LSA Secrets |
| CM-6 |
Configuration Settings |
Protects |
T1003.005 |
Cached Domain Credentials |
| CM-6 |
Configuration Settings |
Protects |
T1003.006 |
DCSync |
| CM-6 |
Configuration Settings |
Protects |
T1003.007 |
Proc Filesystem |
| CM-6 |
Configuration Settings |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| CM-6 |
Configuration Settings |
Protects |
T1008 |
Fallback Channels |
| CM-6 |
Configuration Settings |
Protects |
T1011 |
Exfiltration Over Other Network Medium |
| CM-6 |
Configuration Settings |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| CM-6 |
Configuration Settings |
Protects |
T1020.001 |
Traffic Duplication |
| CM-6 |
Configuration Settings |
Protects |
T1021 |
Remote Services |
| CM-6 |
Configuration Settings |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| CM-6 |
Configuration Settings |
Protects |
T1021.003 |
Distributed Component Object Model |
| CM-6 |
Configuration Settings |
Protects |
T1021.004 |
SSH |
| CM-6 |
Configuration Settings |
Protects |
T1021.005 |
VNC |
| CM-6 |
Configuration Settings |
Protects |
T1021.006 |
Windows Remote Management |
| CM-6 |
Configuration Settings |
Protects |
T1029 |
Scheduled Transfer |
| CM-6 |
Configuration Settings |
Protects |
T1030 |
Data Transfer Size Limits |
| CM-6 |
Configuration Settings |
Protects |
T1036 |
Masquerading |
| CM-6 |
Configuration Settings |
Protects |
T1036.001 |
Invalid Code Signature |
| CM-6 |
Configuration Settings |
Protects |
T1036.003 |
Rename System Utilities |
| CM-6 |
Configuration Settings |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| CM-6 |
Configuration Settings |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| CM-6 |
Configuration Settings |
Protects |
T1037.002 |
Logon Script (Mac) |
| CM-6 |
Configuration Settings |
Protects |
T1037.003 |
Network Logon Script |
| CM-6 |
Configuration Settings |
Protects |
T1037.004 |
RC Scripts |
| CM-6 |
Configuration Settings |
Protects |
T1037.005 |
Startup Items |
| CM-6 |
Configuration Settings |
Protects |
T1046 |
Network Service Scanning |
| CM-6 |
Configuration Settings |
Protects |
T1047 |
Windows Management Instrumentation |
| CM-6 |
Configuration Settings |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| CM-6 |
Configuration Settings |
Protects |
T1052.001 |
Exfiltration over USB |
| CM-6 |
Configuration Settings |
Protects |
T1053 |
Scheduled Task/Job |
| CM-6 |
Configuration Settings |
Protects |
T1053.002 |
At (Windows) |
| CM-6 |
Configuration Settings |
Protects |
T1053.005 |
Scheduled Task |
| CM-6 |
Configuration Settings |
Protects |
T1055 |
Process Injection |
| CM-6 |
Configuration Settings |
Protects |
T1055.008 |
Ptrace System Calls |
| CM-6 |
Configuration Settings |
Protects |
T1056.003 |
Web Portal Capture |
| CM-6 |
Configuration Settings |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-6 |
Configuration Settings |
Protects |
T1059.001 |
PowerShell |
| CM-6 |
Configuration Settings |
Protects |
T1059.002 |
AppleScript |
| CM-6 |
Configuration Settings |
Protects |
T1059.005 |
Visual Basic |
| CM-6 |
Configuration Settings |
Protects |
T1059.007 |
JavaScript |
| CM-6 |
Configuration Settings |
Protects |
T1059.008 |
Network Device CLI |
| CM-6 |
Configuration Settings |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CM-6 |
Configuration Settings |
Protects |
T1070 |
Indicator Removal on Host |
| CM-6 |
Configuration Settings |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CM-6 |
Configuration Settings |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CM-6 |
Configuration Settings |
Protects |
T1070.003 |
Clear Command History |
| CM-6 |
Configuration Settings |
Protects |
T1071 |
Application Layer Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1071.001 |
Web Protocols |
| CM-6 |
Configuration Settings |
Protects |
T1071.002 |
File Transfer Protocols |
| CM-6 |
Configuration Settings |
Protects |
T1071.003 |
Mail Protocols |
| CM-6 |
Configuration Settings |
Protects |
T1071.004 |
DNS |
| CM-6 |
Configuration Settings |
Protects |
T1072 |
Software Deployment Tools |
| CM-6 |
Configuration Settings |
Protects |
T1078 |
Valid Accounts |
| CM-6 |
Configuration Settings |
Protects |
T1078.002 |
Domain Accounts |
| CM-6 |
Configuration Settings |
Protects |
T1078.003 |
Local Accounts |
| CM-6 |
Configuration Settings |
Protects |
T1078.004 |
Cloud Accounts |
| CM-6 |
Configuration Settings |
Protects |
T1087 |
Account Discovery |
| CM-6 |
Configuration Settings |
Protects |
T1087.001 |
Local Account |
| CM-6 |
Configuration Settings |
Protects |
T1087.002 |
Domain Account |
| CM-6 |
Configuration Settings |
Protects |
T1090 |
Proxy |
| CM-6 |
Configuration Settings |
Protects |
T1090.001 |
Internal Proxy |
| CM-6 |
Configuration Settings |
Protects |
T1090.002 |
External Proxy |
| CM-6 |
Configuration Settings |
Protects |
T1090.003 |
Multi-hop Proxy |
| CM-6 |
Configuration Settings |
Protects |
T1091 |
Replication Through Removable Media |
| CM-6 |
Configuration Settings |
Protects |
T1092 |
Communication Through Removable Media |
| CM-6 |
Configuration Settings |
Protects |
T1095 |
Non-Application Layer Protocol |
| CM-6 |
Configuration Settings |
Protects |
T1098 |
Account Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1098.001 |
Additional Cloud Credentials |
| CM-6 |
Configuration Settings |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| CM-6 |
Configuration Settings |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| CM-6 |
Configuration Settings |
Protects |
T1098.004 |
SSH Authorized Keys |
| CM-6 |
Configuration Settings |
Protects |
T1102 |
Web Service |
| CM-6 |
Configuration Settings |
Protects |
T1102.001 |
Dead Drop Resolver |
| CM-6 |
Configuration Settings |
Protects |
T1102.002 |
Bidirectional Communication |
| CM-6 |
Configuration Settings |
Protects |
T1102.003 |
One-Way Communication |
| CM-6 |
Configuration Settings |
Protects |
T1104 |
Multi-Stage Channels |
| CM-6 |
Configuration Settings |
Protects |
T1105 |
Ingress Tool Transfer |
| CM-6 |
Configuration Settings |
Protects |
T1110 |
Brute Force |
| CM-6 |
Configuration Settings |
Protects |
T1110.001 |
Password Guessing |
| CM-6 |
Configuration Settings |
Protects |
T1110.002 |
Password Cracking |
| CM-6 |
Configuration Settings |
Protects |
T1110.003 |
Password Spraying |
| CM-6 |
Configuration Settings |
Protects |
T1110.004 |
Credential Stuffing |
| CM-6 |
Configuration Settings |
Protects |
T1111 |
Two-Factor Authentication Interception |
| CM-6 |
Configuration Settings |
Protects |
T1114 |
Email Collection |
| CM-6 |
Configuration Settings |
Protects |
T1114.002 |
Remote Email Collection |
| CM-6 |
Configuration Settings |
Protects |
T1119 |
Automated Collection |
| CM-6 |
Configuration Settings |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| CM-6 |
Configuration Settings |
Protects |
T1127.001 |
MSBuild |
| CM-6 |
Configuration Settings |
Protects |
T1132 |
Data Encoding |
| CM-6 |
Configuration Settings |
Protects |
T1132.001 |
Standard Encoding |
| CM-6 |
Configuration Settings |
Protects |
T1132.002 |
Non-Standard Encoding |
| CM-6 |
Configuration Settings |
Protects |
T1133 |
External Remote Services |
| CM-6 |
Configuration Settings |
Protects |
T1134 |
Access Token Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1134.001 |
Token Impersonation/Theft |
| CM-6 |
Configuration Settings |
Protects |
T1134.002 |
Create Process with Token |
| CM-6 |
Configuration Settings |
Protects |
T1134.003 |
Make and Impersonate Token |
| CM-6 |
Configuration Settings |
Protects |
T1134.005 |
SID-History Injection |
| CM-6 |
Configuration Settings |
Protects |
T1135 |
Network Share Discovery |
| CM-6 |
Configuration Settings |
Protects |
T1136 |
Create Account |
| CM-6 |
Configuration Settings |
Protects |
T1136.001 |
Local Account |
| CM-6 |
Configuration Settings |
Protects |
T1136.002 |
Domain Account |
| CM-6 |
Configuration Settings |
Protects |
T1136.003 |
Cloud Account |
| CM-6 |
Configuration Settings |
Protects |
T1137 |
Office Application Startup |
| CM-6 |
Configuration Settings |
Protects |
T1137.001 |
Office Template Macros |
| CM-6 |
Configuration Settings |
Protects |
T1176 |
Browser Extensions |
| CM-6 |
Configuration Settings |
Protects |
T1187 |
Forced Authentication |
| CM-6 |
Configuration Settings |
Protects |
T1189 |
Drive-by Compromise |
| CM-6 |
Configuration Settings |
Protects |
T1190 |
Exploit Public-Facing Application |
| CM-6 |
Configuration Settings |
Protects |
T1197 |
BITS Jobs |
| CM-6 |
Configuration Settings |
Protects |
T1199 |
Trusted Relationship |
| CM-6 |
Configuration Settings |
Protects |
T1201 |
Password Policy Discovery |
| CM-6 |
Configuration Settings |
Protects |
T1204 |
User Execution |
| CM-6 |
Configuration Settings |
Protects |
T1204.001 |
Malicious Link |
| CM-6 |
Configuration Settings |
Protects |
T1204.002 |
Malicious File |
| CM-6 |
Configuration Settings |
Protects |
T1204.003 |
Malicious Image |
| CM-6 |
Configuration Settings |
Protects |
T1205 |
Traffic Signaling |
| CM-6 |
Configuration Settings |
Protects |
T1205.001 |
Port Knocking |
| CM-6 |
Configuration Settings |
Protects |
T1210 |
Exploitation of Remote Services |
| CM-6 |
Configuration Settings |
Protects |
T1211 |
Exploitation for Defense Evasion |
| CM-6 |
Configuration Settings |
Protects |
T1212 |
Exploitation for Credential Access |
| CM-6 |
Configuration Settings |
Protects |
T1213 |
Data from Information Repositories |
| CM-6 |
Configuration Settings |
Protects |
T1213.001 |
Confluence |
| CM-6 |
Configuration Settings |
Protects |
T1213.002 |
Sharepoint |
| CM-6 |
Configuration Settings |
Protects |
T1216 |
Signed Script Proxy Execution |
| CM-6 |
Configuration Settings |
Protects |
T1216.001 |
PubPrn |
| CM-6 |
Configuration Settings |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CM-6 |
Configuration Settings |
Protects |
T1218.001 |
Compiled HTML File |
| CM-6 |
Configuration Settings |
Protects |
T1218.002 |
Control Panel |
| CM-6 |
Configuration Settings |
Protects |
T1218.003 |
CMSTP |
| CM-6 |
Configuration Settings |
Protects |
T1218.004 |
InstallUtil |
| CM-6 |
Configuration Settings |
Protects |
T1218.005 |
Mshta |
| CM-6 |
Configuration Settings |
Protects |
T1218.007 |
Msiexec |
| CM-6 |
Configuration Settings |
Protects |
T1218.008 |
Odbcconf |
| CM-6 |
Configuration Settings |
Protects |
T1218.009 |
Regsvcs/Regasm |
| CM-6 |
Configuration Settings |
Protects |
T1218.012 |
Verclsid |
| CM-6 |
Configuration Settings |
Protects |
T1219 |
Remote Access Software |
| CM-6 |
Configuration Settings |
Protects |
T1220 |
XSL Script Processing |
| CM-6 |
Configuration Settings |
Protects |
T1221 |
Template Injection |
| CM-6 |
Configuration Settings |
Protects |
T1222 |
File and Directory Permissions Modification |
| CM-6 |
Configuration Settings |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| CM-6 |
Configuration Settings |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| CM-6 |
Configuration Settings |
Protects |
T1482 |
Domain Trust Discovery |
| CM-6 |
Configuration Settings |
Protects |
T1484 |
Domain Policy Modification |
| CM-6 |
Configuration Settings |
Protects |
T1489 |
Service Stop |
| CM-6 |
Configuration Settings |
Protects |
T1490 |
Inhibit System Recovery |
| CM-6 |
Configuration Settings |
Protects |
T1495 |
Firmware Corruption |
| CM-6 |
Configuration Settings |
Protects |
T1498 |
Network Denial of Service |
| CM-6 |
Configuration Settings |
Protects |
T1498.001 |
Direct Network Flood |
| CM-6 |
Configuration Settings |
Protects |
T1498.002 |
Reflection Amplification |
| CM-6 |
Configuration Settings |
Protects |
T1499 |
Endpoint Denial of Service |
| CM-6 |
Configuration Settings |
Protects |
T1499.001 |
OS Exhaustion Flood |
| CM-6 |
Configuration Settings |
Protects |
T1499.002 |
Service Exhaustion Flood |
| CM-6 |
Configuration Settings |
Protects |
T1499.003 |
Application Exhaustion Flood |
| CM-6 |
Configuration Settings |
Protects |
T1499.004 |
Application or System Exploitation |
| CM-6 |
Configuration Settings |
Protects |
T1505 |
Server Software Component |
| CM-6 |
Configuration Settings |
Protects |
T1505.001 |
SQL Stored Procedures |
| CM-6 |
Configuration Settings |
Protects |
T1505.002 |
Transport Agent |
| CM-6 |
Configuration Settings |
Protects |
T1525 |
Implant Internal Image |
| CM-6 |
Configuration Settings |
Protects |
T1528 |
Steal Application Access Token |
| CM-6 |
Configuration Settings |
Protects |
T1530 |
Data from Cloud Storage Object |
| CM-6 |
Configuration Settings |
Protects |
T1537 |
Transfer Data to Cloud Account |
| CM-6 |
Configuration Settings |
Protects |
T1539 |
Steal Web Session Cookie |
| CM-6 |
Configuration Settings |
Protects |
T1542 |
Pre-OS Boot |
| CM-6 |
Configuration Settings |
Protects |
T1542.001 |
System Firmware |
| CM-6 |
Configuration Settings |
Protects |
T1542.003 |
Bootkit |
| CM-6 |
Configuration Settings |
Protects |
T1542.004 |
ROMMONkit |
| CM-6 |
Configuration Settings |
Protects |
T1542.005 |
TFTP Boot |
| CM-6 |
Configuration Settings |
Protects |
T1543 |
Create or Modify System Process |
| CM-6 |
Configuration Settings |
Protects |
T1543.002 |
Systemd Service |
| CM-6 |
Configuration Settings |
Protects |
T1543.003 |
Windows Service |
| CM-6 |
Configuration Settings |
Protects |
T1546 |
Event Triggered Execution |
| CM-6 |
Configuration Settings |
Protects |
T1546.002 |
Screensaver |
| CM-6 |
Configuration Settings |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| CM-6 |
Configuration Settings |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| CM-6 |
Configuration Settings |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| CM-6 |
Configuration Settings |
Protects |
T1546.008 |
Accessibility Features |
| CM-6 |
Configuration Settings |
Protects |
T1546.013 |
PowerShell Profile |
| CM-6 |
Configuration Settings |
Protects |
T1546.014 |
Emond |
| CM-6 |
Configuration Settings |
Protects |
T1547.002 |
Authentication Package |
| CM-6 |
Configuration Settings |
Protects |
T1547.003 |
Time Providers |
| CM-6 |
Configuration Settings |
Protects |
T1547.005 |
Security Support Provider |
| CM-6 |
Configuration Settings |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| CM-6 |
Configuration Settings |
Protects |
T1547.007 |
Re-opened Applications |
| CM-6 |
Configuration Settings |
Protects |
T1547.008 |
LSASS Driver |
| CM-6 |
Configuration Settings |
Protects |
T1547.011 |
Plist Modification |
| CM-6 |
Configuration Settings |
Protects |
T1547.013 |
XDG Autostart Entries |
| CM-6 |
Configuration Settings |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CM-6 |
Configuration Settings |
Protects |
T1548.001 |
Setuid and Setgid |
| CM-6 |
Configuration Settings |
Protects |
T1548.002 |
Bypass User Account Control |
| CM-6 |
Configuration Settings |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| CM-6 |
Configuration Settings |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| CM-6 |
Configuration Settings |
Protects |
T1550 |
Use Alternate Authentication Material |
| CM-6 |
Configuration Settings |
Protects |
T1550.001 |
Application Access Token |
| CM-6 |
Configuration Settings |
Protects |
T1550.002 |
Pass the Hash |
| CM-6 |
Configuration Settings |
Protects |
T1550.003 |
Pass the Ticket |
| CM-6 |
Configuration Settings |
Protects |
T1552 |
Unsecured Credentials |
| CM-6 |
Configuration Settings |
Protects |
T1552.001 |
Credentials In Files |
| CM-6 |
Configuration Settings |
Protects |
T1552.002 |
Credentials in Registry |
| CM-6 |
Configuration Settings |
Protects |
T1552.003 |
Bash History |
| CM-6 |
Configuration Settings |
Protects |
T1552.004 |
Private Keys |
| CM-6 |
Configuration Settings |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| CM-6 |
Configuration Settings |
Protects |
T1552.006 |
Group Policy Preferences |
| CM-6 |
Configuration Settings |
Protects |
T1552.007 |
Container API |
| CM-6 |
Configuration Settings |
Protects |
T1553 |
Subvert Trust Controls |
| CM-6 |
Configuration Settings |
Protects |
T1553.001 |
Gatekeeper Bypass |
| CM-6 |
Configuration Settings |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1553.004 |
Install Root Certificate |
| CM-6 |
Configuration Settings |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| CM-6 |
Configuration Settings |
Protects |
T1554 |
Compromise Client Software Binary |
| CM-6 |
Configuration Settings |
Protects |
T1555.004 |
Windows Credential Manager |
| CM-6 |
Configuration Settings |
Protects |
T1555.005 |
Password Managers |
| CM-6 |
Configuration Settings |
Protects |
T1556 |
Modify Authentication Process |
| CM-6 |
Configuration Settings |
Protects |
T1556.001 |
Domain Controller Authentication |
| CM-6 |
Configuration Settings |
Protects |
T1556.002 |
Password Filter DLL |
| CM-6 |
Configuration Settings |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| CM-6 |
Configuration Settings |
Protects |
T1556.004 |
Network Device Authentication |
| CM-6 |
Configuration Settings |
Protects |
T1557 |
Man-in-the-Middle |
| CM-6 |
Configuration Settings |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| CM-6 |
Configuration Settings |
Protects |
T1557.002 |
ARP Cache Poisoning |
| CM-6 |
Configuration Settings |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| CM-6 |
Configuration Settings |
Protects |
T1558.001 |
Golden Ticket |
| CM-6 |
Configuration Settings |
Protects |
T1558.002 |
Silver Ticket |
| CM-6 |
Configuration Settings |
Protects |
T1558.003 |
Kerberoasting |
| CM-6 |
Configuration Settings |
Protects |
T1558.004 |
AS-REP Roasting |
| CM-6 |
Configuration Settings |
Protects |
T1559 |
Inter-Process Communication |
| CM-6 |
Configuration Settings |
Protects |
T1559.001 |
Component Object Model |
| CM-6 |
Configuration Settings |
Protects |
T1559.002 |
Dynamic Data Exchange |
| CM-6 |
Configuration Settings |
Protects |
T1562 |
Impair Defenses |
| CM-6 |
Configuration Settings |
Protects |
T1562.001 |
Disable or Modify Tools |
| CM-6 |
Configuration Settings |
Protects |
T1562.002 |
Disable Windows Event Logging |
| CM-6 |
Configuration Settings |
Protects |
T1562.003 |
Impair Command History Logging |
| CM-6 |
Configuration Settings |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| CM-6 |
Configuration Settings |
Protects |
T1562.006 |
Indicator Blocking |
| CM-6 |
Configuration Settings |
Protects |
T1563 |
Remote Service Session Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1563.001 |
SSH Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1563.002 |
RDP Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1564.002 |
Hidden Users |
| CM-6 |
Configuration Settings |
Protects |
T1564.006 |
Run Virtual Instance |
| CM-6 |
Configuration Settings |
Protects |
T1564.007 |
VBA Stomping |
| CM-6 |
Configuration Settings |
Protects |
T1565 |
Data Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1565.001 |
Stored Data Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1565.003 |
Runtime Data Manipulation |
| CM-6 |
Configuration Settings |
Protects |
T1566 |
Phishing |
| CM-6 |
Configuration Settings |
Protects |
T1566.001 |
Spearphishing Attachment |
| CM-6 |
Configuration Settings |
Protects |
T1566.002 |
Spearphishing Link |
| CM-6 |
Configuration Settings |
Protects |
T1569 |
System Services |
| CM-6 |
Configuration Settings |
Protects |
T1569.002 |
Service Execution |
| CM-6 |
Configuration Settings |
Protects |
T1570 |
Lateral Tool Transfer |
| CM-6 |
Configuration Settings |
Protects |
T1571 |
Non-Standard Port |
| CM-6 |
Configuration Settings |
Protects |
T1572 |
Protocol Tunneling |
| CM-6 |
Configuration Settings |
Protects |
T1573 |
Encrypted Channel |
| CM-6 |
Configuration Settings |
Protects |
T1573.001 |
Symmetric Cryptography |
| CM-6 |
Configuration Settings |
Protects |
T1573.002 |
Asymmetric Cryptography |
| CM-6 |
Configuration Settings |
Protects |
T1574 |
Hijack Execution Flow |
| CM-6 |
Configuration Settings |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1574.004 |
Dylib Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| CM-6 |
Configuration Settings |
Protects |
T1574.006 |
Dynamic Linker Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CM-6 |
Configuration Settings |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CM-6 |
Configuration Settings |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CM-6 |
Configuration Settings |
Protects |
T1574.010 |
Services File Permissions Weakness |
| CM-6 |
Configuration Settings |
Protects |
T1598 |
Phishing for Information |
| CM-6 |
Configuration Settings |
Protects |
T1598.002 |
Spearphishing Attachment |
| CM-6 |
Configuration Settings |
Protects |
T1598.003 |
Spearphishing Link |
| CM-6 |
Configuration Settings |
Protects |
T1599 |
Network Boundary Bridging |
| CM-6 |
Configuration Settings |
Protects |
T1599.001 |
Network Address Translation Traversal |
| CM-6 |
Configuration Settings |
Protects |
T1601 |
Modify System Image |
| CM-6 |
Configuration Settings |
Protects |
T1601.001 |
Patch System Image |
| CM-6 |
Configuration Settings |
Protects |
T1601.002 |
Downgrade System Image |
| CM-6 |
Configuration Settings |
Protects |
T1602 |
Data from Configuration Repository |
| CM-6 |
Configuration Settings |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| CM-6 |
Configuration Settings |
Protects |
T1602.002 |
Network Device Configuration Dump |
| CM-6 |
Configuration Settings |
Protects |
T1609 |
Container Administration Command |
| CM-6 |
Configuration Settings |
Protects |
T1610 |
Deploy Container |
| CM-6 |
Configuration Settings |
Protects |
T1611 |
Escape to Host |
| CM-6 |
Configuration Settings |
Protects |
T1612 |
Build Image on Host |
| CM-6 |
Configuration Settings |
Protects |
T1613 |
Container and Resource Discovery |
| CM-7 |
Least Functionality |
Protects |
T1003 |
OS Credential Dumping |
| CM-7 |
Least Functionality |
Protects |
T1003.001 |
LSASS Memory |
| CM-7 |
Least Functionality |
Protects |
T1003.002 |
Security Account Manager |
| CM-7 |
Least Functionality |
Protects |
T1003.005 |
Cached Domain Credentials |
| CM-7 |
Least Functionality |
Protects |
T1008 |
Fallback Channels |
| CM-7 |
Least Functionality |
Protects |
T1011 |
Exfiltration Over Other Network Medium |
| CM-7 |
Least Functionality |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| CM-7 |
Least Functionality |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CM-7 |
Least Functionality |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| CM-7 |
Least Functionality |
Protects |
T1021.003 |
Distributed Component Object Model |
| CM-7 |
Least Functionality |
Protects |
T1021.005 |
VNC |
| CM-7 |
Least Functionality |
Protects |
T1021.006 |
Windows Remote Management |
| CM-7 |
Least Functionality |
Protects |
T1036 |
Masquerading |
| CM-7 |
Least Functionality |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| CM-7 |
Least Functionality |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| CM-7 |
Least Functionality |
Protects |
T1037.001 |
Logon Script (Windows) |
| CM-7 |
Least Functionality |
Protects |
T1046 |
Network Service Scanning |
| CM-7 |
Least Functionality |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| CM-7 |
Least Functionality |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| CM-7 |
Least Functionality |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| CM-7 |
Least Functionality |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| CM-7 |
Least Functionality |
Protects |
T1053 |
Scheduled Task/Job |
| CM-7 |
Least Functionality |
Protects |
T1053.002 |
At (Windows) |
| CM-7 |
Least Functionality |
Protects |
T1053.005 |
Scheduled Task |
| CM-7 |
Least Functionality |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-7 |
Least Functionality |
Protects |
T1059.002 |
AppleScript |
| CM-7 |
Least Functionality |
Protects |
T1059.003 |
Windows Command Shell |
| CM-7 |
Least Functionality |
Protects |
T1059.004 |
Unix Shell |
| CM-7 |
Least Functionality |
Protects |
T1059.005 |
Visual Basic |
| CM-7 |
Least Functionality |
Protects |
T1059.006 |
Python |
| CM-7 |
Least Functionality |
Protects |
T1059.007 |
JavaScript |
| CM-7 |
Least Functionality |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CM-7 |
Least Functionality |
Protects |
T1071 |
Application Layer Protocol |
| CM-7 |
Least Functionality |
Protects |
T1071.001 |
Web Protocols |
| CM-7 |
Least Functionality |
Protects |
T1071.002 |
File Transfer Protocols |
| CM-7 |
Least Functionality |
Protects |
T1071.003 |
Mail Protocols |
| CM-7 |
Least Functionality |
Protects |
T1071.004 |
DNS |
| CM-7 |
Least Functionality |
Protects |
T1072 |
Software Deployment Tools |
| CM-7 |
Least Functionality |
Protects |
T1080 |
Taint Shared Content |
| CM-7 |
Least Functionality |
Protects |
T1087 |
Account Discovery |
| CM-7 |
Least Functionality |
Protects |
T1087.001 |
Local Account |
| CM-7 |
Least Functionality |
Protects |
T1087.002 |
Domain Account |
| CM-7 |
Least Functionality |
Protects |
T1090 |
Proxy |
| CM-7 |
Least Functionality |
Protects |
T1090.001 |
Internal Proxy |
| CM-7 |
Least Functionality |
Protects |
T1090.002 |
External Proxy |
| CM-7 |
Least Functionality |
Protects |
T1090.003 |
Multi-hop Proxy |
| CM-7 |
Least Functionality |
Protects |
T1092 |
Communication Through Removable Media |
| CM-7 |
Least Functionality |
Protects |
T1095 |
Non-Application Layer Protocol |
| CM-7 |
Least Functionality |
Protects |
T1098 |
Account Manipulation |
| CM-7 |
Least Functionality |
Protects |
T1098.001 |
Additional Cloud Credentials |
| CM-7 |
Least Functionality |
Protects |
T1098.004 |
SSH Authorized Keys |
| CM-7 |
Least Functionality |
Protects |
T1102 |
Web Service |
| CM-7 |
Least Functionality |
Protects |
T1102.001 |
Dead Drop Resolver |
| CM-7 |
Least Functionality |
Protects |
T1102.002 |
Bidirectional Communication |
| CM-7 |
Least Functionality |
Protects |
T1102.003 |
One-Way Communication |
| CM-7 |
Least Functionality |
Protects |
T1104 |
Multi-Stage Channels |
| CM-7 |
Least Functionality |
Protects |
T1105 |
Ingress Tool Transfer |
| CM-7 |
Least Functionality |
Protects |
T1106 |
Native API |
| CM-7 |
Least Functionality |
Protects |
T1112 |
Modify Registry |
| CM-7 |
Least Functionality |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| CM-7 |
Least Functionality |
Protects |
T1129 |
Shared Modules |
| CM-7 |
Least Functionality |
Protects |
T1133 |
External Remote Services |
| CM-7 |
Least Functionality |
Protects |
T1135 |
Network Share Discovery |
| CM-7 |
Least Functionality |
Protects |
T1136 |
Create Account |
| CM-7 |
Least Functionality |
Protects |
T1136.002 |
Domain Account |
| CM-7 |
Least Functionality |
Protects |
T1136.003 |
Cloud Account |
| CM-7 |
Least Functionality |
Protects |
T1176 |
Browser Extensions |
| CM-7 |
Least Functionality |
Protects |
T1187 |
Forced Authentication |
| CM-7 |
Least Functionality |
Protects |
T1190 |
Exploit Public-Facing Application |
| CM-7 |
Least Functionality |
Protects |
T1195 |
Supply Chain Compromise |
| CM-7 |
Least Functionality |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| CM-7 |
Least Functionality |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| CM-7 |
Least Functionality |
Protects |
T1197 |
BITS Jobs |
| CM-7 |
Least Functionality |
Protects |
T1199 |
Trusted Relationship |
| CM-7 |
Least Functionality |
Protects |
T1204 |
User Execution |
| CM-7 |
Least Functionality |
Protects |
T1204.001 |
Malicious Link |
| CM-7 |
Least Functionality |
Protects |
T1204.002 |
Malicious File |
| CM-7 |
Least Functionality |
Protects |
T1204.003 |
Malicious Image |
| CM-7 |
Least Functionality |
Protects |
T1205 |
Traffic Signaling |
| CM-7 |
Least Functionality |
Protects |
T1205.001 |
Port Knocking |
| CM-7 |
Least Functionality |
Protects |
T1210 |
Exploitation of Remote Services |
| CM-7 |
Least Functionality |
Protects |
T1213 |
Data from Information Repositories |
| CM-7 |
Least Functionality |
Protects |
T1213.001 |
Confluence |
| CM-7 |
Least Functionality |
Protects |
T1213.002 |
Sharepoint |
| CM-7 |
Least Functionality |
Protects |
T1216 |
Signed Script Proxy Execution |
| CM-7 |
Least Functionality |
Protects |
T1216.001 |
PubPrn |
| CM-7 |
Least Functionality |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CM-7 |
Least Functionality |
Protects |
T1218.001 |
Compiled HTML File |
| CM-7 |
Least Functionality |
Protects |
T1218.002 |
Control Panel |
| CM-7 |
Least Functionality |
Protects |
T1218.003 |
CMSTP |
| CM-7 |
Least Functionality |
Protects |
T1218.004 |
InstallUtil |
| CM-7 |
Least Functionality |
Protects |
T1218.005 |
Mshta |
| CM-7 |
Least Functionality |
Protects |
T1218.007 |
Msiexec |
| CM-7 |
Least Functionality |
Protects |
T1218.008 |
Odbcconf |
| CM-7 |
Least Functionality |
Protects |
T1218.009 |
Regsvcs/Regasm |
| CM-7 |
Least Functionality |
Protects |
T1218.012 |
Verclsid |
| CM-7 |
Least Functionality |
Protects |
T1219 |
Remote Access Software |
| CM-7 |
Least Functionality |
Protects |
T1220 |
XSL Script Processing |
| CM-7 |
Least Functionality |
Protects |
T1221 |
Template Injection |
| CM-7 |
Least Functionality |
Protects |
T1482 |
Domain Trust Discovery |
| CM-7 |
Least Functionality |
Protects |
T1484 |
Domain Policy Modification |
| CM-7 |
Least Functionality |
Protects |
T1489 |
Service Stop |
| CM-7 |
Least Functionality |
Protects |
T1490 |
Inhibit System Recovery |
| CM-7 |
Least Functionality |
Protects |
T1498 |
Network Denial of Service |
| CM-7 |
Least Functionality |
Protects |
T1498.001 |
Direct Network Flood |
| CM-7 |
Least Functionality |
Protects |
T1498.002 |
Reflection Amplification |
| CM-7 |
Least Functionality |
Protects |
T1499 |
Endpoint Denial of Service |
| CM-7 |
Least Functionality |
Protects |
T1499.001 |
OS Exhaustion Flood |
| CM-7 |
Least Functionality |
Protects |
T1499.002 |
Service Exhaustion Flood |
| CM-7 |
Least Functionality |
Protects |
T1499.003 |
Application Exhaustion Flood |
| CM-7 |
Least Functionality |
Protects |
T1499.004 |
Application or System Exploitation |
| CM-7 |
Least Functionality |
Protects |
T1525 |
Implant Internal Image |
| CM-7 |
Least Functionality |
Protects |
T1530 |
Data from Cloud Storage Object |
| CM-7 |
Least Functionality |
Protects |
T1537 |
Transfer Data to Cloud Account |
| CM-7 |
Least Functionality |
Protects |
T1542.004 |
ROMMONkit |
| CM-7 |
Least Functionality |
Protects |
T1542.005 |
TFTP Boot |
| CM-7 |
Least Functionality |
Protects |
T1543 |
Create or Modify System Process |
| CM-7 |
Least Functionality |
Protects |
T1543.003 |
Windows Service |
| CM-7 |
Least Functionality |
Protects |
T1546.002 |
Screensaver |
| CM-7 |
Least Functionality |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| CM-7 |
Least Functionality |
Protects |
T1546.008 |
Accessibility Features |
| CM-7 |
Least Functionality |
Protects |
T1546.009 |
AppCert DLLs |
| CM-7 |
Least Functionality |
Protects |
T1546.010 |
AppInit DLLs |
| CM-7 |
Least Functionality |
Protects |
T1547.004 |
Winlogon Helper DLL |
| CM-7 |
Least Functionality |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| CM-7 |
Least Functionality |
Protects |
T1547.007 |
Re-opened Applications |
| CM-7 |
Least Functionality |
Protects |
T1547.011 |
Plist Modification |
| CM-7 |
Least Functionality |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CM-7 |
Least Functionality |
Protects |
T1548.001 |
Setuid and Setgid |
| CM-7 |
Least Functionality |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| CM-7 |
Least Functionality |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| CM-7 |
Least Functionality |
Protects |
T1552 |
Unsecured Credentials |
| CM-7 |
Least Functionality |
Protects |
T1552.003 |
Bash History |
| CM-7 |
Least Functionality |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| CM-7 |
Least Functionality |
Protects |
T1552.007 |
Container API |
| CM-7 |
Least Functionality |
Protects |
T1553 |
Subvert Trust Controls |
| CM-7 |
Least Functionality |
Protects |
T1553.001 |
Gatekeeper Bypass |
| CM-7 |
Least Functionality |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1553.004 |
Install Root Certificate |
| CM-7 |
Least Functionality |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| CM-7 |
Least Functionality |
Protects |
T1553.006 |
Code Signing Policy Modification |
| CM-7 |
Least Functionality |
Protects |
T1555.004 |
Windows Credential Manager |
| CM-7 |
Least Functionality |
Protects |
T1556 |
Modify Authentication Process |
| CM-7 |
Least Functionality |
Protects |
T1556.002 |
Password Filter DLL |
| CM-7 |
Least Functionality |
Protects |
T1557 |
Man-in-the-Middle |
| CM-7 |
Least Functionality |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| CM-7 |
Least Functionality |
Protects |
T1557.002 |
ARP Cache Poisoning |
| CM-7 |
Least Functionality |
Protects |
T1559 |
Inter-Process Communication |
| CM-7 |
Least Functionality |
Protects |
T1559.002 |
Dynamic Data Exchange |
| CM-7 |
Least Functionality |
Protects |
T1562 |
Impair Defenses |
| CM-7 |
Least Functionality |
Protects |
T1562.001 |
Disable or Modify Tools |
| CM-7 |
Least Functionality |
Protects |
T1562.002 |
Disable Windows Event Logging |
| CM-7 |
Least Functionality |
Protects |
T1562.003 |
Impair Command History Logging |
| CM-7 |
Least Functionality |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| CM-7 |
Least Functionality |
Protects |
T1563 |
Remote Service Session Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1563.001 |
SSH Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1563.002 |
RDP Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1564.002 |
Hidden Users |
| CM-7 |
Least Functionality |
Protects |
T1564.003 |
Hidden Window |
| CM-7 |
Least Functionality |
Protects |
T1564.006 |
Run Virtual Instance |
| CM-7 |
Least Functionality |
Protects |
T1565 |
Data Manipulation |
| CM-7 |
Least Functionality |
Protects |
T1565.003 |
Runtime Data Manipulation |
| CM-7 |
Least Functionality |
Protects |
T1569 |
System Services |
| CM-7 |
Least Functionality |
Protects |
T1569.002 |
Service Execution |
| CM-7 |
Least Functionality |
Protects |
T1570 |
Lateral Tool Transfer |
| CM-7 |
Least Functionality |
Protects |
T1571 |
Non-Standard Port |
| CM-7 |
Least Functionality |
Protects |
T1572 |
Protocol Tunneling |
| CM-7 |
Least Functionality |
Protects |
T1573 |
Encrypted Channel |
| CM-7 |
Least Functionality |
Protects |
T1573.001 |
Symmetric Cryptography |
| CM-7 |
Least Functionality |
Protects |
T1573.002 |
Asymmetric Cryptography |
| CM-7 |
Least Functionality |
Protects |
T1574 |
Hijack Execution Flow |
| CM-7 |
Least Functionality |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1574.006 |
Dynamic Linker Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CM-7 |
Least Functionality |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CM-7 |
Least Functionality |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CM-7 |
Least Functionality |
Protects |
T1574.012 |
COR_PROFILER |
| CM-7 |
Least Functionality |
Protects |
T1599 |
Network Boundary Bridging |
| CM-7 |
Least Functionality |
Protects |
T1599.001 |
Network Address Translation Traversal |
| CM-7 |
Least Functionality |
Protects |
T1601 |
Modify System Image |
| CM-7 |
Least Functionality |
Protects |
T1601.001 |
Patch System Image |
| CM-7 |
Least Functionality |
Protects |
T1601.002 |
Downgrade System Image |
| CM-7 |
Least Functionality |
Protects |
T1602 |
Data from Configuration Repository |
| CM-7 |
Least Functionality |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| CM-7 |
Least Functionality |
Protects |
T1602.002 |
Network Device Configuration Dump |
| CM-7 |
Least Functionality |
Protects |
T1609 |
Container Administration Command |
| CM-7 |
Least Functionality |
Protects |
T1610 |
Deploy Container |
| CM-7 |
Least Functionality |
Protects |
T1611 |
Escape to Host |
| CM-7 |
Least Functionality |
Protects |
T1612 |
Build Image on Host |
| CM-7 |
Least Functionality |
Protects |
T1613 |
Container and Resource Discovery |
| CM-8 |
System Component Inventory |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| CM-8 |
System Component Inventory |
Protects |
T1020.001 |
Traffic Duplication |
| CM-8 |
System Component Inventory |
Protects |
T1021.001 |
Remote Desktop Protocol |
| CM-8 |
System Component Inventory |
Protects |
T1021.003 |
Distributed Component Object Model |
| CM-8 |
System Component Inventory |
Protects |
T1021.004 |
SSH |
| CM-8 |
System Component Inventory |
Protects |
T1021.005 |
VNC |
| CM-8 |
System Component Inventory |
Protects |
T1021.006 |
Windows Remote Management |
| CM-8 |
System Component Inventory |
Protects |
T1046 |
Network Service Scanning |
| CM-8 |
System Component Inventory |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| CM-8 |
System Component Inventory |
Protects |
T1052.001 |
Exfiltration over USB |
| CM-8 |
System Component Inventory |
Protects |
T1053 |
Scheduled Task/Job |
| CM-8 |
System Component Inventory |
Protects |
T1053.002 |
At (Windows) |
| CM-8 |
System Component Inventory |
Protects |
T1053.005 |
Scheduled Task |
| CM-8 |
System Component Inventory |
Protects |
T1059 |
Command and Scripting Interpreter |
| CM-8 |
System Component Inventory |
Protects |
T1059.001 |
PowerShell |
| CM-8 |
System Component Inventory |
Protects |
T1059.005 |
Visual Basic |
| CM-8 |
System Component Inventory |
Protects |
T1059.007 |
JavaScript |
| CM-8 |
System Component Inventory |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| CM-8 |
System Component Inventory |
Protects |
T1072 |
Software Deployment Tools |
| CM-8 |
System Component Inventory |
Protects |
T1091 |
Replication Through Removable Media |
| CM-8 |
System Component Inventory |
Protects |
T1092 |
Communication Through Removable Media |
| CM-8 |
System Component Inventory |
Protects |
T1098.004 |
SSH Authorized Keys |
| CM-8 |
System Component Inventory |
Protects |
T1119 |
Automated Collection |
| CM-8 |
System Component Inventory |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| CM-8 |
System Component Inventory |
Protects |
T1127.001 |
MSBuild |
| CM-8 |
System Component Inventory |
Protects |
T1133 |
External Remote Services |
| CM-8 |
System Component Inventory |
Protects |
T1137 |
Office Application Startup |
| CM-8 |
System Component Inventory |
Protects |
T1137.001 |
Office Template Macros |
| CM-8 |
System Component Inventory |
Protects |
T1189 |
Drive-by Compromise |
| CM-8 |
System Component Inventory |
Protects |
T1190 |
Exploit Public-Facing Application |
| CM-8 |
System Component Inventory |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| CM-8 |
System Component Inventory |
Protects |
T1203 |
Exploitation for Client Execution |
| CM-8 |
System Component Inventory |
Protects |
T1210 |
Exploitation of Remote Services |
| CM-8 |
System Component Inventory |
Protects |
T1211 |
Exploitation for Defense Evasion |
| CM-8 |
System Component Inventory |
Protects |
T1212 |
Exploitation for Credential Access |
| CM-8 |
System Component Inventory |
Protects |
T1213 |
Data from Information Repositories |
| CM-8 |
System Component Inventory |
Protects |
T1213.001 |
Confluence |
| CM-8 |
System Component Inventory |
Protects |
T1213.002 |
Sharepoint |
| CM-8 |
System Component Inventory |
Protects |
T1218 |
Signed Binary Proxy Execution |
| CM-8 |
System Component Inventory |
Protects |
T1218.003 |
CMSTP |
| CM-8 |
System Component Inventory |
Protects |
T1218.004 |
InstallUtil |
| CM-8 |
System Component Inventory |
Protects |
T1218.005 |
Mshta |
| CM-8 |
System Component Inventory |
Protects |
T1218.008 |
Odbcconf |
| CM-8 |
System Component Inventory |
Protects |
T1218.009 |
Regsvcs/Regasm |
| CM-8 |
System Component Inventory |
Protects |
T1218.012 |
Verclsid |
| CM-8 |
System Component Inventory |
Protects |
T1221 |
Template Injection |
| CM-8 |
System Component Inventory |
Protects |
T1495 |
Firmware Corruption |
| CM-8 |
System Component Inventory |
Protects |
T1505 |
Server Software Component |
| CM-8 |
System Component Inventory |
Protects |
T1505.001 |
SQL Stored Procedures |
| CM-8 |
System Component Inventory |
Protects |
T1505.002 |
Transport Agent |
| CM-8 |
System Component Inventory |
Protects |
T1530 |
Data from Cloud Storage Object |
| CM-8 |
System Component Inventory |
Protects |
T1542 |
Pre-OS Boot |
| CM-8 |
System Component Inventory |
Protects |
T1542.001 |
System Firmware |
| CM-8 |
System Component Inventory |
Protects |
T1542.003 |
Bootkit |
| CM-8 |
System Component Inventory |
Protects |
T1542.004 |
ROMMONkit |
| CM-8 |
System Component Inventory |
Protects |
T1542.005 |
TFTP Boot |
| CM-8 |
System Component Inventory |
Protects |
T1546.002 |
Screensaver |
| CM-8 |
System Component Inventory |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| CM-8 |
System Component Inventory |
Protects |
T1546.014 |
Emond |
| CM-8 |
System Component Inventory |
Protects |
T1547.007 |
Re-opened Applications |
| CM-8 |
System Component Inventory |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| CM-8 |
System Component Inventory |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| CM-8 |
System Component Inventory |
Protects |
T1553 |
Subvert Trust Controls |
| CM-8 |
System Component Inventory |
Protects |
T1553.006 |
Code Signing Policy Modification |
| CM-8 |
System Component Inventory |
Protects |
T1557 |
Man-in-the-Middle |
| CM-8 |
System Component Inventory |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| CM-8 |
System Component Inventory |
Protects |
T1557.002 |
ARP Cache Poisoning |
| CM-8 |
System Component Inventory |
Protects |
T1559 |
Inter-Process Communication |
| CM-8 |
System Component Inventory |
Protects |
T1559.002 |
Dynamic Data Exchange |
| CM-8 |
System Component Inventory |
Protects |
T1563 |
Remote Service Session Hijacking |
| CM-8 |
System Component Inventory |
Protects |
T1563.001 |
SSH Hijacking |
| CM-8 |
System Component Inventory |
Protects |
T1563.002 |
RDP Hijacking |
| CM-8 |
System Component Inventory |
Protects |
T1564.006 |
Run Virtual Instance |
| CM-8 |
System Component Inventory |
Protects |
T1564.007 |
VBA Stomping |
| CM-8 |
System Component Inventory |
Protects |
T1565 |
Data Manipulation |
| CM-8 |
System Component Inventory |
Protects |
T1565.001 |
Stored Data Manipulation |
| CM-8 |
System Component Inventory |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| CM-8 |
System Component Inventory |
Protects |
T1574 |
Hijack Execution Flow |
| CM-8 |
System Component Inventory |
Protects |
T1574.004 |
Dylib Hijacking |
| CM-8 |
System Component Inventory |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| CM-8 |
System Component Inventory |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| CM-8 |
System Component Inventory |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| CM-8 |
System Component Inventory |
Protects |
T1601 |
Modify System Image |
| CM-8 |
System Component Inventory |
Protects |
T1601.001 |
Patch System Image |
| CM-8 |
System Component Inventory |
Protects |
T1601.002 |
Downgrade System Image |
| CM-8 |
System Component Inventory |
Protects |
T1602 |
Data from Configuration Repository |
| CM-8 |
System Component Inventory |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| CM-8 |
System Component Inventory |
Protects |
T1602.002 |
Network Device Configuration Dump |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1485 |
Data Destruction |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1486 |
Data Encrypted for Impact |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1490 |
Inhibit System Recovery |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1491 |
Defacement |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1491.001 |
Internal Defacement |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1491.002 |
External Defacement |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1561 |
Disk Wipe |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1561.001 |
Disk Content Wipe |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1561.002 |
Disk Structure Wipe |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1565 |
Data Manipulation |
| CP-10 |
System Recovery and Reconstitution |
Protects |
T1565.001 |
Stored Data Manipulation |
| CP-2 |
Contingency Plan |
Protects |
T1485 |
Data Destruction |
| CP-2 |
Contingency Plan |
Protects |
T1486 |
Data Encrypted for Impact |
| CP-2 |
Contingency Plan |
Protects |
T1490 |
Inhibit System Recovery |
| CP-2 |
Contingency Plan |
Protects |
T1491 |
Defacement |
| CP-2 |
Contingency Plan |
Protects |
T1491.001 |
Internal Defacement |
| CP-2 |
Contingency Plan |
Protects |
T1491.002 |
External Defacement |
| CP-2 |
Contingency Plan |
Protects |
T1561 |
Disk Wipe |
| CP-2 |
Contingency Plan |
Protects |
T1561.001 |
Disk Content Wipe |
| CP-2 |
Contingency Plan |
Protects |
T1561.002 |
Disk Structure Wipe |
| CP-6 |
Alternate Storage Site |
Protects |
T1070 |
Indicator Removal on Host |
| CP-6 |
Alternate Storage Site |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CP-6 |
Alternate Storage Site |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CP-6 |
Alternate Storage Site |
Protects |
T1119 |
Automated Collection |
| CP-6 |
Alternate Storage Site |
Protects |
T1486 |
Data Encrypted for Impact |
| CP-6 |
Alternate Storage Site |
Protects |
T1565 |
Data Manipulation |
| CP-6 |
Alternate Storage Site |
Protects |
T1565.001 |
Stored Data Manipulation |
| CP-7 |
Alternate Processing Site |
Protects |
T1070 |
Indicator Removal on Host |
| CP-7 |
Alternate Processing Site |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CP-7 |
Alternate Processing Site |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CP-7 |
Alternate Processing Site |
Protects |
T1119 |
Automated Collection |
| CP-7 |
Alternate Processing Site |
Protects |
T1485 |
Data Destruction |
| CP-7 |
Alternate Processing Site |
Protects |
T1486 |
Data Encrypted for Impact |
| CP-7 |
Alternate Processing Site |
Protects |
T1490 |
Inhibit System Recovery |
| CP-7 |
Alternate Processing Site |
Protects |
T1491 |
Defacement |
| CP-7 |
Alternate Processing Site |
Protects |
T1491.001 |
Internal Defacement |
| CP-7 |
Alternate Processing Site |
Protects |
T1491.002 |
External Defacement |
| CP-7 |
Alternate Processing Site |
Protects |
T1561 |
Disk Wipe |
| CP-7 |
Alternate Processing Site |
Protects |
T1561.001 |
Disk Content Wipe |
| CP-7 |
Alternate Processing Site |
Protects |
T1561.002 |
Disk Structure Wipe |
| CP-7 |
Alternate Processing Site |
Protects |
T1565 |
Data Manipulation |
| CP-7 |
Alternate Processing Site |
Protects |
T1565.001 |
Stored Data Manipulation |
| CP-9 |
System Backup |
Protects |
T1003 |
OS Credential Dumping |
| CP-9 |
System Backup |
Protects |
T1003.003 |
NTDS |
| CP-9 |
System Backup |
Protects |
T1070 |
Indicator Removal on Host |
| CP-9 |
System Backup |
Protects |
T1070.001 |
Clear Windows Event Logs |
| CP-9 |
System Backup |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| CP-9 |
System Backup |
Protects |
T1119 |
Automated Collection |
| CP-9 |
System Backup |
Protects |
T1485 |
Data Destruction |
| CP-9 |
System Backup |
Protects |
T1486 |
Data Encrypted for Impact |
| CP-9 |
System Backup |
Protects |
T1490 |
Inhibit System Recovery |
| CP-9 |
System Backup |
Protects |
T1491 |
Defacement |
| CP-9 |
System Backup |
Protects |
T1491.001 |
Internal Defacement |
| CP-9 |
System Backup |
Protects |
T1491.002 |
External Defacement |
| CP-9 |
System Backup |
Protects |
T1561 |
Disk Wipe |
| CP-9 |
System Backup |
Protects |
T1561.001 |
Disk Content Wipe |
| CP-9 |
System Backup |
Protects |
T1561.002 |
Disk Structure Wipe |
| CP-9 |
System Backup |
Protects |
T1565 |
Data Manipulation |
| CP-9 |
System Backup |
Protects |
T1565.001 |
Stored Data Manipulation |
| CP-9 |
System Backup |
Protects |
T1565.003 |
Runtime Data Manipulation |
| IA-11 |
Re-authentication |
Protects |
T1110 |
Brute Force |
| IA-11 |
Re-authentication |
Protects |
T1110.001 |
Password Guessing |
| IA-11 |
Re-authentication |
Protects |
T1110.002 |
Password Cracking |
| IA-11 |
Re-authentication |
Protects |
T1110.003 |
Password Spraying |
| IA-11 |
Re-authentication |
Protects |
T1110.004 |
Credential Stuffing |
| IA-12 |
Identity Proofing |
Protects |
T1078 |
Valid Accounts |
| IA-12 |
Identity Proofing |
Protects |
T1078.002 |
Domain Accounts |
| IA-12 |
Identity Proofing |
Protects |
T1078.003 |
Local Accounts |
| IA-12 |
Identity Proofing |
Protects |
T1078.004 |
Cloud Accounts |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003 |
OS Credential Dumping |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.001 |
LSASS Memory |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.002 |
Security Account Manager |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.003 |
NTDS |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.004 |
LSA Secrets |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.005 |
Cached Domain Credentials |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.006 |
DCSync |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.007 |
Proc Filesystem |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021 |
Remote Services |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.001 |
Remote Desktop Protocol |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.003 |
Distributed Component Object Model |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.004 |
SSH |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.005 |
VNC |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1021.006 |
Windows Remote Management |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1040 |
Network Sniffing |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1047 |
Windows Management Instrumentation |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053 |
Scheduled Task/Job |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.001 |
At (Linux) |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.002 |
At (Windows) |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.003 |
Cron |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.004 |
Launchd |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.005 |
Scheduled Task |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.006 |
Systemd Timers |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1053.007 |
Container Orchestration Job |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1055 |
Process Injection |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1055.008 |
Ptrace System Calls |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1056.003 |
Web Portal Capture |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1059 |
Command and Scripting Interpreter |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1059.001 |
PowerShell |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1059.008 |
Network Device CLI |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1072 |
Software Deployment Tools |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1078 |
Valid Accounts |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1078.002 |
Domain Accounts |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1078.003 |
Local Accounts |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1078.004 |
Cloud Accounts |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1087.004 |
Cloud Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1098 |
Account Manipulation |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1098.001 |
Additional Cloud Credentials |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1110 |
Brute Force |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1110.001 |
Password Guessing |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1110.002 |
Password Cracking |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1110.003 |
Password Spraying |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1110.004 |
Credential Stuffing |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1111 |
Two-Factor Authentication Interception |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1114 |
Email Collection |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1114.002 |
Remote Email Collection |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1133 |
External Remote Services |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1134 |
Access Token Manipulation |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1134.001 |
Token Impersonation/Theft |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1134.002 |
Create Process with Token |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1134.003 |
Make and Impersonate Token |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1136 |
Create Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1136.001 |
Local Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1136.002 |
Domain Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1136.003 |
Cloud Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1185 |
Man in the Browser |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1190 |
Exploit Public-Facing Application |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1197 |
BITS Jobs |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1210 |
Exploitation of Remote Services |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1213 |
Data from Information Repositories |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1213.001 |
Confluence |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1213.002 |
Sharepoint |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1218 |
Signed Binary Proxy Execution |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1218.007 |
Msiexec |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1222 |
File and Directory Permissions Modification |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1484 |
Domain Policy Modification |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1489 |
Service Stop |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1495 |
Firmware Corruption |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1505 |
Server Software Component |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1505.001 |
SQL Stored Procedures |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1505.002 |
Transport Agent |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1525 |
Implant Internal Image |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1528 |
Steal Application Access Token |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1537 |
Transfer Data to Cloud Account |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1538 |
Cloud Service Dashboard |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1539 |
Steal Web Session Cookie |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1542 |
Pre-OS Boot |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1542.001 |
System Firmware |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1542.003 |
Bootkit |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1542.005 |
TFTP Boot |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1543 |
Create or Modify System Process |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1543.001 |
Launch Agent |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1543.002 |
Systemd Service |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1543.003 |
Windows Service |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1543.004 |
Launch Daemon |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1546.003 |
Windows Management Instrumentation Event Subscription |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1547.004 |
Winlogon Helper DLL |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1547.009 |
Shortcut Modification |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1547.012 |
Print Processors |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1547.013 |
XDG Autostart Entries |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1548.002 |
Bypass User Account Control |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1550 |
Use Alternate Authentication Material |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1550.001 |
Application Access Token |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1550.002 |
Pass the Hash |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1550.003 |
Pass the Ticket |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552 |
Unsecured Credentials |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552.001 |
Credentials In Files |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552.002 |
Credentials in Registry |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552.004 |
Private Keys |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552.006 |
Group Policy Preferences |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1552.007 |
Container API |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1555.005 |
Password Managers |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1556 |
Modify Authentication Process |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1556.001 |
Domain Controller Authentication |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1556.004 |
Network Device Authentication |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1558.001 |
Golden Ticket |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1558.002 |
Silver Ticket |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1558.003 |
Kerberoasting |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1558.004 |
AS-REP Roasting |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1559 |
Inter-Process Communication |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1559.001 |
Component Object Model |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562 |
Impair Defenses |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.001 |
Disable or Modify Tools |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.002 |
Disable Windows Event Logging |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.006 |
Indicator Blocking |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.007 |
Disable or Modify Cloud Firewall |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1562.008 |
Disable Cloud Logs |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1563 |
Remote Service Session Hijacking |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1563.001 |
SSH Hijacking |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1563.002 |
RDP Hijacking |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1569 |
System Services |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1569.001 |
Launchctl |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1569.002 |
Service Execution |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1574 |
Hijack Execution Flow |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1574.010 |
Services File Permissions Weakness |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1574.012 |
COR_PROFILER |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1578.001 |
Create Snapshot |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1578.002 |
Create Cloud Instance |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1578.003 |
Delete Cloud Instance |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1580 |
Cloud Infrastructure Discovery |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1599 |
Network Boundary Bridging |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1599.001 |
Network Address Translation Traversal |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1601 |
Modify System Image |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1601.001 |
Patch System Image |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1601.002 |
Downgrade System Image |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1610 |
Deploy Container |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1611 |
Escape to Host |
| IA-2 |
Identification and Authentication (organizational Users) |
Protects |
T1613 |
Container and Resource Discovery |
| IA-3 |
Device Identification and Authentication |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-3 |
Device Identification and Authentication |
Protects |
T1537 |
Transfer Data to Cloud Account |
| IA-3 |
Device Identification and Authentication |
Protects |
T1552 |
Unsecured Credentials |
| IA-3 |
Device Identification and Authentication |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| IA-3 |
Device Identification and Authentication |
Protects |
T1602 |
Data from Configuration Repository |
| IA-3 |
Device Identification and Authentication |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| IA-3 |
Device Identification and Authentication |
Protects |
T1602.002 |
Network Device Configuration Dump |
| IA-4 |
Identifier Management |
Protects |
T1003 |
OS Credential Dumping |
| IA-4 |
Identifier Management |
Protects |
T1003.005 |
Cached Domain Credentials |
| IA-4 |
Identifier Management |
Protects |
T1003.006 |
DCSync |
| IA-4 |
Identifier Management |
Protects |
T1021.001 |
Remote Desktop Protocol |
| IA-4 |
Identifier Management |
Protects |
T1021.005 |
VNC |
| IA-4 |
Identifier Management |
Protects |
T1053 |
Scheduled Task/Job |
| IA-4 |
Identifier Management |
Protects |
T1053.002 |
At (Windows) |
| IA-4 |
Identifier Management |
Protects |
T1053.005 |
Scheduled Task |
| IA-4 |
Identifier Management |
Protects |
T1110 |
Brute Force |
| IA-4 |
Identifier Management |
Protects |
T1110.001 |
Password Guessing |
| IA-4 |
Identifier Management |
Protects |
T1110.002 |
Password Cracking |
| IA-4 |
Identifier Management |
Protects |
T1110.003 |
Password Spraying |
| IA-4 |
Identifier Management |
Protects |
T1110.004 |
Credential Stuffing |
| IA-4 |
Identifier Management |
Protects |
T1213 |
Data from Information Repositories |
| IA-4 |
Identifier Management |
Protects |
T1213.001 |
Confluence |
| IA-4 |
Identifier Management |
Protects |
T1213.002 |
Sharepoint |
| IA-4 |
Identifier Management |
Protects |
T1528 |
Steal Application Access Token |
| IA-4 |
Identifier Management |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-4 |
Identifier Management |
Protects |
T1537 |
Transfer Data to Cloud Account |
| IA-4 |
Identifier Management |
Protects |
T1543 |
Create or Modify System Process |
| IA-4 |
Identifier Management |
Protects |
T1543.003 |
Windows Service |
| IA-4 |
Identifier Management |
Protects |
T1550.001 |
Application Access Token |
| IA-4 |
Identifier Management |
Protects |
T1552 |
Unsecured Credentials |
| IA-4 |
Identifier Management |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| IA-4 |
Identifier Management |
Protects |
T1562 |
Impair Defenses |
| IA-4 |
Identifier Management |
Protects |
T1563 |
Remote Service Session Hijacking |
| IA-4 |
Identifier Management |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| IA-4 |
Identifier Management |
Protects |
T1578.001 |
Create Snapshot |
| IA-4 |
Identifier Management |
Protects |
T1578.002 |
Create Cloud Instance |
| IA-4 |
Identifier Management |
Protects |
T1578.003 |
Delete Cloud Instance |
| IA-4 |
Identifier Management |
Protects |
T1602 |
Data from Configuration Repository |
| IA-4 |
Identifier Management |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| IA-4 |
Identifier Management |
Protects |
T1602.002 |
Network Device Configuration Dump |
| IA-5 |
Authenticator Management |
Protects |
T1003 |
OS Credential Dumping |
| IA-5 |
Authenticator Management |
Protects |
T1003.001 |
LSASS Memory |
| IA-5 |
Authenticator Management |
Protects |
T1003.002 |
Security Account Manager |
| IA-5 |
Authenticator Management |
Protects |
T1003.003 |
NTDS |
| IA-5 |
Authenticator Management |
Protects |
T1003.004 |
LSA Secrets |
| IA-5 |
Authenticator Management |
Protects |
T1003.005 |
Cached Domain Credentials |
| IA-5 |
Authenticator Management |
Protects |
T1003.006 |
DCSync |
| IA-5 |
Authenticator Management |
Protects |
T1003.007 |
Proc Filesystem |
| IA-5 |
Authenticator Management |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| IA-5 |
Authenticator Management |
Protects |
T1021 |
Remote Services |
| IA-5 |
Authenticator Management |
Protects |
T1021.001 |
Remote Desktop Protocol |
| IA-5 |
Authenticator Management |
Protects |
T1021.004 |
SSH |
| IA-5 |
Authenticator Management |
Protects |
T1040 |
Network Sniffing |
| IA-5 |
Authenticator Management |
Protects |
T1072 |
Software Deployment Tools |
| IA-5 |
Authenticator Management |
Protects |
T1078 |
Valid Accounts |
| IA-5 |
Authenticator Management |
Protects |
T1078.002 |
Domain Accounts |
| IA-5 |
Authenticator Management |
Protects |
T1078.004 |
Cloud Accounts |
| IA-5 |
Authenticator Management |
Protects |
T1098.001 |
Additional Cloud Credentials |
| IA-5 |
Authenticator Management |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| IA-5 |
Authenticator Management |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| IA-5 |
Authenticator Management |
Protects |
T1110 |
Brute Force |
| IA-5 |
Authenticator Management |
Protects |
T1110.001 |
Password Guessing |
| IA-5 |
Authenticator Management |
Protects |
T1110.002 |
Password Cracking |
| IA-5 |
Authenticator Management |
Protects |
T1110.003 |
Password Spraying |
| IA-5 |
Authenticator Management |
Protects |
T1110.004 |
Credential Stuffing |
| IA-5 |
Authenticator Management |
Protects |
T1111 |
Two-Factor Authentication Interception |
| IA-5 |
Authenticator Management |
Protects |
T1114 |
Email Collection |
| IA-5 |
Authenticator Management |
Protects |
T1114.002 |
Remote Email Collection |
| IA-5 |
Authenticator Management |
Protects |
T1133 |
External Remote Services |
| IA-5 |
Authenticator Management |
Protects |
T1136 |
Create Account |
| IA-5 |
Authenticator Management |
Protects |
T1136.001 |
Local Account |
| IA-5 |
Authenticator Management |
Protects |
T1136.002 |
Domain Account |
| IA-5 |
Authenticator Management |
Protects |
T1136.003 |
Cloud Account |
| IA-5 |
Authenticator Management |
Protects |
T1528 |
Steal Application Access Token |
| IA-5 |
Authenticator Management |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-5 |
Authenticator Management |
Protects |
T1539 |
Steal Web Session Cookie |
| IA-5 |
Authenticator Management |
Protects |
T1550.003 |
Pass the Ticket |
| IA-5 |
Authenticator Management |
Protects |
T1552 |
Unsecured Credentials |
| IA-5 |
Authenticator Management |
Protects |
T1552.001 |
Credentials In Files |
| IA-5 |
Authenticator Management |
Protects |
T1552.002 |
Credentials in Registry |
| IA-5 |
Authenticator Management |
Protects |
T1552.004 |
Private Keys |
| IA-5 |
Authenticator Management |
Protects |
T1552.006 |
Group Policy Preferences |
| IA-5 |
Authenticator Management |
Protects |
T1555 |
Credentials from Password Stores |
| IA-5 |
Authenticator Management |
Protects |
T1555.001 |
Keychain |
| IA-5 |
Authenticator Management |
Protects |
T1555.002 |
Securityd Memory |
| IA-5 |
Authenticator Management |
Protects |
T1555.004 |
Windows Credential Manager |
| IA-5 |
Authenticator Management |
Protects |
T1555.005 |
Password Managers |
| IA-5 |
Authenticator Management |
Protects |
T1556 |
Modify Authentication Process |
| IA-5 |
Authenticator Management |
Protects |
T1556.001 |
Domain Controller Authentication |
| IA-5 |
Authenticator Management |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| IA-5 |
Authenticator Management |
Protects |
T1556.004 |
Network Device Authentication |
| IA-5 |
Authenticator Management |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| IA-5 |
Authenticator Management |
Protects |
T1558.001 |
Golden Ticket |
| IA-5 |
Authenticator Management |
Protects |
T1558.002 |
Silver Ticket |
| IA-5 |
Authenticator Management |
Protects |
T1558.003 |
Kerberoasting |
| IA-5 |
Authenticator Management |
Protects |
T1558.004 |
AS-REP Roasting |
| IA-5 |
Authenticator Management |
Protects |
T1563.001 |
SSH Hijacking |
| IA-5 |
Authenticator Management |
Protects |
T1599 |
Network Boundary Bridging |
| IA-5 |
Authenticator Management |
Protects |
T1599.001 |
Network Address Translation Traversal |
| IA-5 |
Authenticator Management |
Protects |
T1601 |
Modify System Image |
| IA-5 |
Authenticator Management |
Protects |
T1601.001 |
Patch System Image |
| IA-5 |
Authenticator Management |
Protects |
T1601.002 |
Downgrade System Image |
| IA-6 |
Authentication Feedback |
Protects |
T1021.001 |
Remote Desktop Protocol |
| IA-6 |
Authentication Feedback |
Protects |
T1021.005 |
VNC |
| IA-6 |
Authentication Feedback |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-6 |
Authentication Feedback |
Protects |
T1563 |
Remote Service Session Hijacking |
| IA-6 |
Authentication Feedback |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| IA-6 |
Authentication Feedback |
Protects |
T1578.001 |
Create Snapshot |
| IA-6 |
Authentication Feedback |
Protects |
T1578.002 |
Create Cloud Instance |
| IA-6 |
Authentication Feedback |
Protects |
T1578.003 |
Delete Cloud Instance |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1495 |
Firmware Corruption |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1542 |
Pre-OS Boot |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1542.001 |
System Firmware |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1542.003 |
Bootkit |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1542.004 |
ROMMONkit |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1542.005 |
TFTP Boot |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1553 |
Subvert Trust Controls |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1553.006 |
Code Signing Policy Modification |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1601 |
Modify System Image |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1601.001 |
Patch System Image |
| IA-7 |
Cryptographic Module Authentication |
Protects |
T1601.002 |
Downgrade System Image |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1053 |
Scheduled Task/Job |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1053.007 |
Container Orchestration Job |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1059 |
Command and Scripting Interpreter |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1059.001 |
PowerShell |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1059.008 |
Network Device CLI |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1087.004 |
Cloud Account |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1190 |
Exploit Public-Facing Application |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1210 |
Exploitation of Remote Services |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1213 |
Data from Information Repositories |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1213.001 |
Confluence |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1213.002 |
Sharepoint |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1528 |
Steal Application Access Token |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1530 |
Data from Cloud Storage Object |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1537 |
Transfer Data to Cloud Account |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1538 |
Cloud Service Dashboard |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1542 |
Pre-OS Boot |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1542.001 |
System Firmware |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1542.003 |
Bootkit |
| IA-8 |
Identification and Authentication (non-organizational Users) |
Protects |
T1542.005 |
TFTP Boot |
| IA-9 |
Service Identification and Authentication |
Protects |
T1036 |
Masquerading |
| IA-9 |
Service Identification and Authentication |
Protects |
T1036.001 |
Invalid Code Signature |
| IA-9 |
Service Identification and Authentication |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| IA-9 |
Service Identification and Authentication |
Protects |
T1059 |
Command and Scripting Interpreter |
| IA-9 |
Service Identification and Authentication |
Protects |
T1059.001 |
PowerShell |
| IA-9 |
Service Identification and Authentication |
Protects |
T1059.002 |
AppleScript |
| IA-9 |
Service Identification and Authentication |
Protects |
T1505 |
Server Software Component |
| IA-9 |
Service Identification and Authentication |
Protects |
T1505.001 |
SQL Stored Procedures |
| IA-9 |
Service Identification and Authentication |
Protects |
T1505.002 |
Transport Agent |
| IA-9 |
Service Identification and Authentication |
Protects |
T1525 |
Implant Internal Image |
| IA-9 |
Service Identification and Authentication |
Protects |
T1546 |
Event Triggered Execution |
| IA-9 |
Service Identification and Authentication |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| IA-9 |
Service Identification and Authentication |
Protects |
T1546.013 |
PowerShell Profile |
| IA-9 |
Service Identification and Authentication |
Protects |
T1553 |
Subvert Trust Controls |
| IA-9 |
Service Identification and Authentication |
Protects |
T1553.004 |
Install Root Certificate |
| IA-9 |
Service Identification and Authentication |
Protects |
T1554 |
Compromise Client Software Binary |
| IA-9 |
Service Identification and Authentication |
Protects |
T1566 |
Phishing |
| IA-9 |
Service Identification and Authentication |
Protects |
T1566.001 |
Spearphishing Attachment |
| IA-9 |
Service Identification and Authentication |
Protects |
T1566.002 |
Spearphishing Link |
| IA-9 |
Service Identification and Authentication |
Protects |
T1598 |
Phishing for Information |
| IA-9 |
Service Identification and Authentication |
Protects |
T1598.002 |
Spearphishing Attachment |
| IA-9 |
Service Identification and Authentication |
Protects |
T1598.003 |
Spearphishing Link |
| MP-7 |
Media Use |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| MP-7 |
Media Use |
Protects |
T1052.001 |
Exfiltration over USB |
| MP-7 |
Media Use |
Protects |
T1091 |
Replication Through Removable Media |
| MP-7 |
Media Use |
Protects |
T1092 |
Communication Through Removable Media |
| MP-7 |
Media Use |
Protects |
T1200 |
Hardware Additions |
| PL-8 |
Security and Privacy Architectures |
Protects |
T1078 |
Valid Accounts |
| RA-10 |
Threat Hunting |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| RA-10 |
Threat Hunting |
Protects |
T1190 |
Exploit Public-Facing Application |
| RA-10 |
Threat Hunting |
Protects |
T1195 |
Supply Chain Compromise |
| RA-10 |
Threat Hunting |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| RA-10 |
Threat Hunting |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| RA-10 |
Threat Hunting |
Protects |
T1210 |
Exploitation of Remote Services |
| RA-10 |
Threat Hunting |
Protects |
T1211 |
Exploitation for Defense Evasion |
| RA-10 |
Threat Hunting |
Protects |
T1212 |
Exploitation for Credential Access |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1021.001 |
Remote Desktop Protocol |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1021.003 |
Distributed Component Object Model |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1021.004 |
SSH |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1021.005 |
VNC |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1021.006 |
Windows Remote Management |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1046 |
Network Service Scanning |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1052.001 |
Exfiltration over USB |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053 |
Scheduled Task/Job |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053.001 |
At (Linux) |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053.002 |
At (Windows) |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053.003 |
Cron |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053.004 |
Launchd |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1053.005 |
Scheduled Task |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1059 |
Command and Scripting Interpreter |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1059.001 |
PowerShell |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1059.005 |
Visual Basic |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1059.007 |
JavaScript |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1078 |
Valid Accounts |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1091 |
Replication Through Removable Media |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1092 |
Communication Through Removable Media |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1098.004 |
SSH Authorized Keys |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1127.001 |
MSBuild |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1133 |
External Remote Services |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1137 |
Office Application Startup |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1137.001 |
Office Template Macros |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1176 |
Browser Extensions |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1190 |
Exploit Public-Facing Application |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1195 |
Supply Chain Compromise |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1204.003 |
Malicious Image |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1210 |
Exploitation of Remote Services |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1211 |
Exploitation for Defense Evasion |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1212 |
Exploitation for Credential Access |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1213 |
Data from Information Repositories |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1213.001 |
Confluence |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1213.002 |
Sharepoint |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218 |
Signed Binary Proxy Execution |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.003 |
CMSTP |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.004 |
InstallUtil |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.005 |
Mshta |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.008 |
Odbcconf |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.009 |
Regsvcs/Regasm |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1218.012 |
Verclsid |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1221 |
Template Injection |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1482 |
Domain Trust Discovery |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1484 |
Domain Policy Modification |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1505 |
Server Software Component |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1505.001 |
SQL Stored Procedures |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1505.002 |
Transport Agent |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1525 |
Implant Internal Image |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1528 |
Steal Application Access Token |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1530 |
Data from Cloud Storage Object |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1542.004 |
ROMMONkit |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1542.005 |
TFTP Boot |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1543 |
Create or Modify System Process |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1543.003 |
Windows Service |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1546.002 |
Screensaver |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1546.014 |
Emond |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1547.007 |
Re-opened Applications |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1547.008 |
LSASS Driver |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1548.002 |
Bypass User Account Control |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1552 |
Unsecured Credentials |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1552.001 |
Credentials In Files |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1552.002 |
Credentials in Registry |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1552.004 |
Private Keys |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1552.006 |
Group Policy Preferences |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1557 |
Man-in-the-Middle |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1558.004 |
AS-REP Roasting |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1559 |
Inter-Process Communication |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1559.002 |
Dynamic Data Exchange |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1560 |
Archive Collected Data |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1560.001 |
Archive via Utility |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1562 |
Impair Defenses |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1563 |
Remote Service Session Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1563.001 |
SSH Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1563.002 |
RDP Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574 |
Hijack Execution Flow |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.004 |
Dylib Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1574.010 |
Services File Permissions Weakness |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1578.001 |
Create Snapshot |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1578.002 |
Create Cloud Instance |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1578.003 |
Delete Cloud Instance |
| RA-5 |
Vulnerability Monitoring and Scanning |
Protects |
T1612 |
Build Image on Host |
| RA-9 |
Criticality Analysis |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| RA-9 |
Criticality Analysis |
Protects |
T1495 |
Firmware Corruption |
| RA-9 |
Criticality Analysis |
Protects |
T1542 |
Pre-OS Boot |
| RA-9 |
Criticality Analysis |
Protects |
T1542.001 |
System Firmware |
| RA-9 |
Criticality Analysis |
Protects |
T1542.003 |
Bootkit |
| RA-9 |
Criticality Analysis |
Protects |
T1542.004 |
ROMMONkit |
| RA-9 |
Criticality Analysis |
Protects |
T1542.005 |
TFTP Boot |
| RA-9 |
Criticality Analysis |
Protects |
T1553 |
Subvert Trust Controls |
| RA-9 |
Criticality Analysis |
Protects |
T1553.006 |
Code Signing Policy Modification |
| RA-9 |
Criticality Analysis |
Protects |
T1601 |
Modify System Image |
| RA-9 |
Criticality Analysis |
Protects |
T1601.001 |
Patch System Image |
| RA-9 |
Criticality Analysis |
Protects |
T1601.002 |
Downgrade System Image |
| SA-10 |
Developer Configuration Management |
Protects |
T1078 |
Valid Accounts |
| SA-10 |
Developer Configuration Management |
Protects |
T1078.001 |
Default Accounts |
| SA-10 |
Developer Configuration Management |
Protects |
T1078.003 |
Local Accounts |
| SA-10 |
Developer Configuration Management |
Protects |
T1078.004 |
Cloud Accounts |
| SA-10 |
Developer Configuration Management |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| SA-10 |
Developer Configuration Management |
Protects |
T1495 |
Firmware Corruption |
| SA-10 |
Developer Configuration Management |
Protects |
T1505 |
Server Software Component |
| SA-10 |
Developer Configuration Management |
Protects |
T1505.001 |
SQL Stored Procedures |
| SA-10 |
Developer Configuration Management |
Protects |
T1505.002 |
Transport Agent |
| SA-10 |
Developer Configuration Management |
Protects |
T1542 |
Pre-OS Boot |
| SA-10 |
Developer Configuration Management |
Protects |
T1542.001 |
System Firmware |
| SA-10 |
Developer Configuration Management |
Protects |
T1542.003 |
Bootkit |
| SA-10 |
Developer Configuration Management |
Protects |
T1542.004 |
ROMMONkit |
| SA-10 |
Developer Configuration Management |
Protects |
T1542.005 |
TFTP Boot |
| SA-10 |
Developer Configuration Management |
Protects |
T1553 |
Subvert Trust Controls |
| SA-10 |
Developer Configuration Management |
Protects |
T1553.006 |
Code Signing Policy Modification |
| SA-10 |
Developer Configuration Management |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-10 |
Developer Configuration Management |
Protects |
T1601 |
Modify System Image |
| SA-10 |
Developer Configuration Management |
Protects |
T1601.001 |
Patch System Image |
| SA-10 |
Developer Configuration Management |
Protects |
T1601.002 |
Downgrade System Image |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1078 |
Valid Accounts |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1078.001 |
Default Accounts |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1078.003 |
Local Accounts |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1078.004 |
Cloud Accounts |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1134.005 |
SID-History Injection |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1495 |
Firmware Corruption |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1505 |
Server Software Component |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1505.001 |
SQL Stored Procedures |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1505.002 |
Transport Agent |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1528 |
Steal Application Access Token |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1542 |
Pre-OS Boot |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1542.001 |
System Firmware |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1542.003 |
Bootkit |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1542.004 |
ROMMONkit |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1542.005 |
TFTP Boot |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1552 |
Unsecured Credentials |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1552.001 |
Credentials In Files |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1552.002 |
Credentials in Registry |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1552.004 |
Private Keys |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1552.006 |
Group Policy Preferences |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1553 |
Subvert Trust Controls |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1553.006 |
Code Signing Policy Modification |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1558.004 |
AS-REP Roasting |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1601 |
Modify System Image |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1601.001 |
Patch System Image |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1601.002 |
Downgrade System Image |
| SA-11 |
Developer Testing and Evaluation |
Protects |
T1612 |
Build Image on Host |
| SA-12 |
Supply Chain Protection |
Protects |
T1078 |
Valid Accounts |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1078 |
Valid Accounts |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1078.001 |
Default Accounts |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1078.003 |
Local Accounts |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1078.004 |
Cloud Accounts |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1528 |
Steal Application Access Token |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1552 |
Unsecured Credentials |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1552.001 |
Credentials In Files |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1552.002 |
Credentials in Registry |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1552.004 |
Private Keys |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1552.006 |
Group Policy Preferences |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1558.004 |
AS-REP Roasting |
| SA-15 |
Development Process, Standards, and Tools |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-16 |
Developer-provided Training |
Protects |
T1078 |
Valid Accounts |
| SA-16 |
Developer-provided Training |
Protects |
T1078.001 |
Default Accounts |
| SA-16 |
Developer-provided Training |
Protects |
T1078.003 |
Local Accounts |
| SA-16 |
Developer-provided Training |
Protects |
T1078.004 |
Cloud Accounts |
| SA-16 |
Developer-provided Training |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1078 |
Valid Accounts |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1078.001 |
Default Accounts |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1078.003 |
Local Accounts |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1078.004 |
Cloud Accounts |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1134.005 |
SID-History Injection |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1482 |
Domain Trust Discovery |
| SA-17 |
Developer Security and Privacy Architecture and Design |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-22 |
Unsupported System Components |
Protects |
T1189 |
Drive-by Compromise |
| SA-22 |
Unsupported System Components |
Protects |
T1195 |
Supply Chain Compromise |
| SA-22 |
Unsupported System Components |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| SA-22 |
Unsupported System Components |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| SA-22 |
Unsupported System Components |
Protects |
T1543 |
Create or Modify System Process |
| SA-22 |
Unsupported System Components |
Protects |
T1543.002 |
Systemd Service |
| SA-3 |
System Development Life Cycle |
Protects |
T1078 |
Valid Accounts |
| SA-3 |
System Development Life Cycle |
Protects |
T1078.001 |
Default Accounts |
| SA-3 |
System Development Life Cycle |
Protects |
T1078.003 |
Local Accounts |
| SA-3 |
System Development Life Cycle |
Protects |
T1078.004 |
Cloud Accounts |
| SA-3 |
System Development Life Cycle |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-4 |
Acquisition Process |
Protects |
T1078 |
Valid Accounts |
| SA-4 |
Acquisition Process |
Protects |
T1078.001 |
Default Accounts |
| SA-4 |
Acquisition Process |
Protects |
T1078.003 |
Local Accounts |
| SA-4 |
Acquisition Process |
Protects |
T1078.004 |
Cloud Accounts |
| SA-4 |
Acquisition Process |
Protects |
T1134.005 |
SID-History Injection |
| SA-4 |
Acquisition Process |
Protects |
T1574.002 |
DLL Side-Loading |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1078 |
Valid Accounts |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1078.001 |
Default Accounts |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1078.003 |
Local Accounts |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1078.004 |
Cloud Accounts |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1134.005 |
SID-History Injection |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1190 |
Exploit Public-Facing Application |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1482 |
Domain Trust Discovery |
| SA-8 |
Security and Privacy Engineering Principles |
Protects |
T1574.002 |
DLL Side-Loading |
| SC-10 |
Network Disconnect |
Protects |
T1071 |
Application Layer Protocol |
| SC-10 |
Network Disconnect |
Protects |
T1071.001 |
Web Protocols |
| SC-10 |
Network Disconnect |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-10 |
Network Disconnect |
Protects |
T1071.003 |
Mail Protocols |
| SC-10 |
Network Disconnect |
Protects |
T1071.004 |
DNS |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1072 |
Software Deployment Tools |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1098.004 |
SSH Authorized Keys |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1552 |
Unsecured Credentials |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1552.001 |
Credentials In Files |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1552.002 |
Credentials in Registry |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1552.004 |
Private Keys |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1563.001 |
SSH Hijacking |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1573 |
Encrypted Channel |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1573.001 |
Symmetric Cryptography |
| SC-12 |
Cryptographic Key Establishment and Management |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SC-16 |
Transmission of Security and Privacy Attributes |
Protects |
T1573 |
Encrypted Channel |
| SC-16 |
Transmission of Security and Privacy Attributes |
Protects |
T1573.001 |
Symmetric Cryptography |
| SC-16 |
Transmission of Security and Privacy Attributes |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SC-17 |
Public Key Infrastructure Certificates |
Protects |
T1072 |
Software Deployment Tools |
| SC-18 |
Mobile Code |
Protects |
T1021.003 |
Distributed Component Object Model |
| SC-18 |
Mobile Code |
Protects |
T1055 |
Process Injection |
| SC-18 |
Mobile Code |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| SC-18 |
Mobile Code |
Protects |
T1055.002 |
Portable Executable Injection |
| SC-18 |
Mobile Code |
Protects |
T1055.003 |
Thread Execution Hijacking |
| SC-18 |
Mobile Code |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| SC-18 |
Mobile Code |
Protects |
T1055.005 |
Thread Local Storage |
| SC-18 |
Mobile Code |
Protects |
T1055.008 |
Ptrace System Calls |
| SC-18 |
Mobile Code |
Protects |
T1055.009 |
Proc Memory |
| SC-18 |
Mobile Code |
Protects |
T1055.011 |
Extra Window Memory Injection |
| SC-18 |
Mobile Code |
Protects |
T1055.012 |
Process Hollowing |
| SC-18 |
Mobile Code |
Protects |
T1055.013 |
Process Doppelgänging |
| SC-18 |
Mobile Code |
Protects |
T1055.014 |
VDSO Hijacking |
| SC-18 |
Mobile Code |
Protects |
T1059 |
Command and Scripting Interpreter |
| SC-18 |
Mobile Code |
Protects |
T1059.005 |
Visual Basic |
| SC-18 |
Mobile Code |
Protects |
T1059.007 |
JavaScript |
| SC-18 |
Mobile Code |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-18 |
Mobile Code |
Protects |
T1189 |
Drive-by Compromise |
| SC-18 |
Mobile Code |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-18 |
Mobile Code |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-18 |
Mobile Code |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-18 |
Mobile Code |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-18 |
Mobile Code |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-18 |
Mobile Code |
Protects |
T1218.001 |
Compiled HTML File |
| SC-18 |
Mobile Code |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SC-18 |
Mobile Code |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SC-18 |
Mobile Code |
Protects |
T1559 |
Inter-Process Communication |
| SC-18 |
Mobile Code |
Protects |
T1559.001 |
Component Object Model |
| SC-18 |
Mobile Code |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SC-18 |
Mobile Code |
Protects |
T1611 |
Escape to Host |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1189 |
Drive-by Compromise |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-2 |
Separation of System and User Functionality |
Protects |
T1611 |
Escape to Host |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1071 |
Application Layer Protocol |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1071.001 |
Web Protocols |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1071.003 |
Mail Protocols |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1071.004 |
DNS |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1553.004 |
Install Root Certificate |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1566 |
Phishing |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1566.001 |
Spearphishing Attachment |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1566.002 |
Spearphishing Link |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1568 |
Dynamic Resolution |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1598 |
Phishing for Information |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1598.002 |
Spearphishing Attachment |
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Protects |
T1598.003 |
Spearphishing Link |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1071 |
Application Layer Protocol |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1071.001 |
Web Protocols |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1071.003 |
Mail Protocols |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1071.004 |
DNS |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1568 |
Dynamic Resolution |
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1071 |
Application Layer Protocol |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1071.001 |
Web Protocols |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1071.003 |
Mail Protocols |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1071.004 |
DNS |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1568 |
Dynamic Resolution |
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SC-23 |
Session Authenticity |
Protects |
T1071 |
Application Layer Protocol |
| SC-23 |
Session Authenticity |
Protects |
T1071.001 |
Web Protocols |
| SC-23 |
Session Authenticity |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-23 |
Session Authenticity |
Protects |
T1071.003 |
Mail Protocols |
| SC-23 |
Session Authenticity |
Protects |
T1071.004 |
DNS |
| SC-23 |
Session Authenticity |
Protects |
T1535 |
Unused/Unsupported Cloud Regions |
| SC-23 |
Session Authenticity |
Protects |
T1550.004 |
Web Session Cookie |
| SC-23 |
Session Authenticity |
Protects |
T1557 |
Man-in-the-Middle |
| SC-23 |
Session Authenticity |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SC-23 |
Session Authenticity |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SC-23 |
Session Authenticity |
Protects |
T1563.001 |
SSH Hijacking |
| SC-23 |
Session Authenticity |
Protects |
T1573 |
Encrypted Channel |
| SC-23 |
Session Authenticity |
Protects |
T1573.001 |
Symmetric Cryptography |
| SC-23 |
Session Authenticity |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SC-26 |
Decoys |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-26 |
Decoys |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-26 |
Decoys |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-26 |
Decoys |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003 |
OS Credential Dumping |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.001 |
LSASS Memory |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.002 |
Security Account Manager |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.003 |
NTDS |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.004 |
LSA Secrets |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.005 |
Cached Domain Credentials |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.006 |
DCSync |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.007 |
Proc Filesystem |
| SC-28 |
Protection of Information at Rest |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| SC-28 |
Protection of Information at Rest |
Protects |
T1078 |
Valid Accounts |
| SC-28 |
Protection of Information at Rest |
Protects |
T1078.001 |
Default Accounts |
| SC-28 |
Protection of Information at Rest |
Protects |
T1078.003 |
Local Accounts |
| SC-28 |
Protection of Information at Rest |
Protects |
T1078.004 |
Cloud Accounts |
| SC-28 |
Protection of Information at Rest |
Protects |
T1213 |
Data from Information Repositories |
| SC-28 |
Protection of Information at Rest |
Protects |
T1213.001 |
Confluence |
| SC-28 |
Protection of Information at Rest |
Protects |
T1213.002 |
Sharepoint |
| SC-28 |
Protection of Information at Rest |
Protects |
T1530 |
Data from Cloud Storage Object |
| SC-28 |
Protection of Information at Rest |
Protects |
T1550.001 |
Application Access Token |
| SC-28 |
Protection of Information at Rest |
Protects |
T1552 |
Unsecured Credentials |
| SC-28 |
Protection of Information at Rest |
Protects |
T1552.001 |
Credentials In Files |
| SC-28 |
Protection of Information at Rest |
Protects |
T1552.002 |
Credentials in Registry |
| SC-28 |
Protection of Information at Rest |
Protects |
T1552.003 |
Bash History |
| SC-28 |
Protection of Information at Rest |
Protects |
T1552.004 |
Private Keys |
| SC-28 |
Protection of Information at Rest |
Protects |
T1565 |
Data Manipulation |
| SC-28 |
Protection of Information at Rest |
Protects |
T1565.001 |
Stored Data Manipulation |
| SC-28 |
Protection of Information at Rest |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SC-28 |
Protection of Information at Rest |
Protects |
T1599 |
Network Boundary Bridging |
| SC-28 |
Protection of Information at Rest |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SC-28 |
Protection of Information at Rest |
Protects |
T1602 |
Data from Configuration Repository |
| SC-28 |
Protection of Information at Rest |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SC-28 |
Protection of Information at Rest |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SC-29 |
Heterogeneity |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-29 |
Heterogeneity |
Protects |
T1189 |
Drive-by Compromise |
| SC-29 |
Heterogeneity |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-29 |
Heterogeneity |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-29 |
Heterogeneity |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-29 |
Heterogeneity |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-29 |
Heterogeneity |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-3 |
Security Function Isolation |
Protects |
T1021.003 |
Distributed Component Object Model |
| SC-3 |
Security Function Isolation |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-3 |
Security Function Isolation |
Protects |
T1134.005 |
SID-History Injection |
| SC-3 |
Security Function Isolation |
Protects |
T1189 |
Drive-by Compromise |
| SC-3 |
Security Function Isolation |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-3 |
Security Function Isolation |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-3 |
Security Function Isolation |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-3 |
Security Function Isolation |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-3 |
Security Function Isolation |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-3 |
Security Function Isolation |
Protects |
T1559 |
Inter-Process Communication |
| SC-3 |
Security Function Isolation |
Protects |
T1559.001 |
Component Object Model |
| SC-3 |
Security Function Isolation |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SC-3 |
Security Function Isolation |
Protects |
T1602 |
Data from Configuration Repository |
| SC-3 |
Security Function Isolation |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SC-3 |
Security Function Isolation |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SC-3 |
Security Function Isolation |
Protects |
T1611 |
Escape to Host |
| SC-30 |
Concealment and Misdirection |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-30 |
Concealment and Misdirection |
Protects |
T1189 |
Drive-by Compromise |
| SC-30 |
Concealment and Misdirection |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-30 |
Concealment and Misdirection |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-30 |
Concealment and Misdirection |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-30 |
Concealment and Misdirection |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-30 |
Concealment and Misdirection |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-31 |
Covert Channel Analysis |
Protects |
T1071 |
Application Layer Protocol |
| SC-31 |
Covert Channel Analysis |
Protects |
T1071.001 |
Web Protocols |
| SC-31 |
Covert Channel Analysis |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-31 |
Covert Channel Analysis |
Protects |
T1071.003 |
Mail Protocols |
| SC-31 |
Covert Channel Analysis |
Protects |
T1071.004 |
DNS |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1542 |
Pre-OS Boot |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1542.001 |
System Firmware |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1542.003 |
Bootkit |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1542.004 |
ROMMONkit |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1542.005 |
TFTP Boot |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1553 |
Subvert Trust Controls |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1553.006 |
Code Signing Policy Modification |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1601 |
Modify System Image |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1601.001 |
Patch System Image |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1601.002 |
Downgrade System Image |
| SC-34 |
Non-modifiable Executable Programs |
Protects |
T1611 |
Escape to Host |
| SC-35 |
External Malicious Code Identification |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-35 |
External Malicious Code Identification |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-35 |
External Malicious Code Identification |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-35 |
External Malicious Code Identification |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1070 |
Indicator Removal on Host |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1119 |
Automated Collection |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1565 |
Data Manipulation |
| SC-36 |
Distributed Processing and Storage |
Protects |
T1565.001 |
Stored Data Manipulation |
| SC-37 |
Out-of-band Channels |
Protects |
T1071 |
Application Layer Protocol |
| SC-37 |
Out-of-band Channels |
Protects |
T1071.001 |
Web Protocols |
| SC-37 |
Out-of-band Channels |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-37 |
Out-of-band Channels |
Protects |
T1071.003 |
Mail Protocols |
| SC-37 |
Out-of-band Channels |
Protects |
T1071.004 |
DNS |
| SC-39 |
Process Isolation |
Protects |
T1003 |
OS Credential Dumping |
| SC-39 |
Process Isolation |
Protects |
T1003.001 |
LSASS Memory |
| SC-39 |
Process Isolation |
Protects |
T1003.002 |
Security Account Manager |
| SC-39 |
Process Isolation |
Protects |
T1003.003 |
NTDS |
| SC-39 |
Process Isolation |
Protects |
T1003.004 |
LSA Secrets |
| SC-39 |
Process Isolation |
Protects |
T1003.005 |
Cached Domain Credentials |
| SC-39 |
Process Isolation |
Protects |
T1003.006 |
DCSync |
| SC-39 |
Process Isolation |
Protects |
T1003.007 |
Proc Filesystem |
| SC-39 |
Process Isolation |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| SC-39 |
Process Isolation |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-39 |
Process Isolation |
Protects |
T1189 |
Drive-by Compromise |
| SC-39 |
Process Isolation |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-39 |
Process Isolation |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-39 |
Process Isolation |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-39 |
Process Isolation |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-39 |
Process Isolation |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-39 |
Process Isolation |
Protects |
T1547.002 |
Authentication Package |
| SC-39 |
Process Isolation |
Protects |
T1547.005 |
Security Support Provider |
| SC-39 |
Process Isolation |
Protects |
T1547.008 |
LSASS Driver |
| SC-39 |
Process Isolation |
Protects |
T1556 |
Modify Authentication Process |
| SC-39 |
Process Isolation |
Protects |
T1556.001 |
Domain Controller Authentication |
| SC-39 |
Process Isolation |
Protects |
T1611 |
Escape to Host |
| SC-4 |
Information in Shared System Resources |
Protects |
T1020.001 |
Traffic Duplication |
| SC-4 |
Information in Shared System Resources |
Protects |
T1040 |
Network Sniffing |
| SC-4 |
Information in Shared System Resources |
Protects |
T1070 |
Indicator Removal on Host |
| SC-4 |
Information in Shared System Resources |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SC-4 |
Information in Shared System Resources |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SC-4 |
Information in Shared System Resources |
Protects |
T1080 |
Taint Shared Content |
| SC-4 |
Information in Shared System Resources |
Protects |
T1119 |
Automated Collection |
| SC-4 |
Information in Shared System Resources |
Protects |
T1530 |
Data from Cloud Storage Object |
| SC-4 |
Information in Shared System Resources |
Protects |
T1552 |
Unsecured Credentials |
| SC-4 |
Information in Shared System Resources |
Protects |
T1552.001 |
Credentials In Files |
| SC-4 |
Information in Shared System Resources |
Protects |
T1552.002 |
Credentials in Registry |
| SC-4 |
Information in Shared System Resources |
Protects |
T1552.004 |
Private Keys |
| SC-4 |
Information in Shared System Resources |
Protects |
T1557 |
Man-in-the-Middle |
| SC-4 |
Information in Shared System Resources |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SC-4 |
Information in Shared System Resources |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| SC-4 |
Information in Shared System Resources |
Protects |
T1558.002 |
Silver Ticket |
| SC-4 |
Information in Shared System Resources |
Protects |
T1558.003 |
Kerberoasting |
| SC-4 |
Information in Shared System Resources |
Protects |
T1558.004 |
AS-REP Roasting |
| SC-4 |
Information in Shared System Resources |
Protects |
T1565 |
Data Manipulation |
| SC-4 |
Information in Shared System Resources |
Protects |
T1565.001 |
Stored Data Manipulation |
| SC-4 |
Information in Shared System Resources |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| SC-4 |
Information in Shared System Resources |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SC-4 |
Information in Shared System Resources |
Protects |
T1602 |
Data from Configuration Repository |
| SC-4 |
Information in Shared System Resources |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SC-4 |
Information in Shared System Resources |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SC-41 |
Port and I/O Device Access |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| SC-41 |
Port and I/O Device Access |
Protects |
T1052.001 |
Exfiltration over USB |
| SC-41 |
Port and I/O Device Access |
Protects |
T1091 |
Replication Through Removable Media |
| SC-41 |
Port and I/O Device Access |
Protects |
T1200 |
Hardware Additions |
| SC-43 |
Usage Restrictions |
Protects |
T1613 |
Container and Resource Discovery |
| SC-44 |
Detonation Chambers |
Protects |
T1204 |
User Execution |
| SC-44 |
Detonation Chambers |
Protects |
T1204.001 |
Malicious Link |
| SC-44 |
Detonation Chambers |
Protects |
T1204.002 |
Malicious File |
| SC-44 |
Detonation Chambers |
Protects |
T1204.003 |
Malicious Image |
| SC-44 |
Detonation Chambers |
Protects |
T1221 |
Template Injection |
| SC-44 |
Detonation Chambers |
Protects |
T1566 |
Phishing |
| SC-44 |
Detonation Chambers |
Protects |
T1566.001 |
Spearphishing Attachment |
| SC-44 |
Detonation Chambers |
Protects |
T1566.002 |
Spearphishing Link |
| SC-44 |
Detonation Chambers |
Protects |
T1566.003 |
Spearphishing via Service |
| SC-44 |
Detonation Chambers |
Protects |
T1598 |
Phishing for Information |
| SC-44 |
Detonation Chambers |
Protects |
T1598.001 |
Spearphishing Service |
| SC-44 |
Detonation Chambers |
Protects |
T1598.002 |
Spearphishing Attachment |
| SC-44 |
Detonation Chambers |
Protects |
T1598.003 |
Spearphishing Link |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1021.001 |
Remote Desktop Protocol |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1021.003 |
Distributed Component Object Model |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1021.006 |
Windows Remote Management |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1046 |
Network Service Scanning |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1072 |
Software Deployment Tools |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1098 |
Account Manipulation |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1098.001 |
Additional Cloud Credentials |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1133 |
External Remote Services |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1136 |
Create Account |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1136.002 |
Domain Account |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1136.003 |
Cloud Account |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1199 |
Trusted Relationship |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1482 |
Domain Trust Discovery |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1489 |
Service Stop |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1552.007 |
Container API |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1557 |
Man-in-the-Middle |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1563 |
Remote Service Session Hijacking |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1563.002 |
RDP Hijacking |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1565 |
Data Manipulation |
| SC-46 |
Cross Domain Policy Enforcement |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SC-7 |
Boundary Protection |
Protects |
T1001 |
Data Obfuscation |
| SC-7 |
Boundary Protection |
Protects |
T1001.001 |
Junk Data |
| SC-7 |
Boundary Protection |
Protects |
T1001.002 |
Steganography |
| SC-7 |
Boundary Protection |
Protects |
T1001.003 |
Protocol Impersonation |
| SC-7 |
Boundary Protection |
Protects |
T1008 |
Fallback Channels |
| SC-7 |
Boundary Protection |
Protects |
T1021.001 |
Remote Desktop Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| SC-7 |
Boundary Protection |
Protects |
T1021.003 |
Distributed Component Object Model |
| SC-7 |
Boundary Protection |
Protects |
T1021.005 |
VNC |
| SC-7 |
Boundary Protection |
Protects |
T1021.006 |
Windows Remote Management |
| SC-7 |
Boundary Protection |
Protects |
T1029 |
Scheduled Transfer |
| SC-7 |
Boundary Protection |
Protects |
T1030 |
Data Transfer Size Limits |
| SC-7 |
Boundary Protection |
Protects |
T1041 |
Exfiltration Over C2 Channel |
| SC-7 |
Boundary Protection |
Protects |
T1046 |
Network Service Scanning |
| SC-7 |
Boundary Protection |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1055 |
Process Injection |
| SC-7 |
Boundary Protection |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| SC-7 |
Boundary Protection |
Protects |
T1055.002 |
Portable Executable Injection |
| SC-7 |
Boundary Protection |
Protects |
T1055.003 |
Thread Execution Hijacking |
| SC-7 |
Boundary Protection |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| SC-7 |
Boundary Protection |
Protects |
T1055.005 |
Thread Local Storage |
| SC-7 |
Boundary Protection |
Protects |
T1055.008 |
Ptrace System Calls |
| SC-7 |
Boundary Protection |
Protects |
T1055.009 |
Proc Memory |
| SC-7 |
Boundary Protection |
Protects |
T1055.011 |
Extra Window Memory Injection |
| SC-7 |
Boundary Protection |
Protects |
T1055.012 |
Process Hollowing |
| SC-7 |
Boundary Protection |
Protects |
T1055.013 |
Process Doppelgänging |
| SC-7 |
Boundary Protection |
Protects |
T1055.014 |
VDSO Hijacking |
| SC-7 |
Boundary Protection |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SC-7 |
Boundary Protection |
Protects |
T1071 |
Application Layer Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1071.001 |
Web Protocols |
| SC-7 |
Boundary Protection |
Protects |
T1071.002 |
File Transfer Protocols |
| SC-7 |
Boundary Protection |
Protects |
T1071.003 |
Mail Protocols |
| SC-7 |
Boundary Protection |
Protects |
T1071.004 |
DNS |
| SC-7 |
Boundary Protection |
Protects |
T1072 |
Software Deployment Tools |
| SC-7 |
Boundary Protection |
Protects |
T1080 |
Taint Shared Content |
| SC-7 |
Boundary Protection |
Protects |
T1090 |
Proxy |
| SC-7 |
Boundary Protection |
Protects |
T1090.001 |
Internal Proxy |
| SC-7 |
Boundary Protection |
Protects |
T1090.002 |
External Proxy |
| SC-7 |
Boundary Protection |
Protects |
T1090.003 |
Multi-hop Proxy |
| SC-7 |
Boundary Protection |
Protects |
T1095 |
Non-Application Layer Protocol |
| SC-7 |
Boundary Protection |
Protects |
T1098 |
Account Manipulation |
| SC-7 |
Boundary Protection |
Protects |
T1098.001 |
Additional Cloud Credentials |
| SC-7 |
Boundary Protection |
Protects |
T1102 |
Web Service |
| SC-7 |
Boundary Protection |
Protects |
T1102.001 |
Dead Drop Resolver |
| SC-7 |
Boundary Protection |
Protects |
T1102.002 |
Bidirectional Communication |
| SC-7 |
Boundary Protection |
Protects |
T1102.003 |
One-Way Communication |
| SC-7 |
Boundary Protection |
Protects |
T1104 |
Multi-Stage Channels |
| SC-7 |
Boundary Protection |
Protects |
T1105 |
Ingress Tool Transfer |
| SC-7 |
Boundary Protection |
Protects |
T1114 |
Email Collection |
| SC-7 |
Boundary Protection |
Protects |
T1114.003 |
Email Forwarding Rule |
| SC-7 |
Boundary Protection |
Protects |
T1132 |
Data Encoding |
| SC-7 |
Boundary Protection |
Protects |
T1132.001 |
Standard Encoding |
| SC-7 |
Boundary Protection |
Protects |
T1132.002 |
Non-Standard Encoding |
| SC-7 |
Boundary Protection |
Protects |
T1133 |
External Remote Services |
| SC-7 |
Boundary Protection |
Protects |
T1136 |
Create Account |
| SC-7 |
Boundary Protection |
Protects |
T1136.002 |
Domain Account |
| SC-7 |
Boundary Protection |
Protects |
T1136.003 |
Cloud Account |
| SC-7 |
Boundary Protection |
Protects |
T1176 |
Browser Extensions |
| SC-7 |
Boundary Protection |
Protects |
T1187 |
Forced Authentication |
| SC-7 |
Boundary Protection |
Protects |
T1189 |
Drive-by Compromise |
| SC-7 |
Boundary Protection |
Protects |
T1190 |
Exploit Public-Facing Application |
| SC-7 |
Boundary Protection |
Protects |
T1197 |
BITS Jobs |
| SC-7 |
Boundary Protection |
Protects |
T1199 |
Trusted Relationship |
| SC-7 |
Boundary Protection |
Protects |
T1203 |
Exploitation for Client Execution |
| SC-7 |
Boundary Protection |
Protects |
T1204 |
User Execution |
| SC-7 |
Boundary Protection |
Protects |
T1204.001 |
Malicious Link |
| SC-7 |
Boundary Protection |
Protects |
T1204.002 |
Malicious File |
| SC-7 |
Boundary Protection |
Protects |
T1204.003 |
Malicious Image |
| SC-7 |
Boundary Protection |
Protects |
T1205 |
Traffic Signaling |
| SC-7 |
Boundary Protection |
Protects |
T1205.001 |
Port Knocking |
| SC-7 |
Boundary Protection |
Protects |
T1210 |
Exploitation of Remote Services |
| SC-7 |
Boundary Protection |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SC-7 |
Boundary Protection |
Protects |
T1212 |
Exploitation for Credential Access |
| SC-7 |
Boundary Protection |
Protects |
T1218.012 |
Verclsid |
| SC-7 |
Boundary Protection |
Protects |
T1219 |
Remote Access Software |
| SC-7 |
Boundary Protection |
Protects |
T1221 |
Template Injection |
| SC-7 |
Boundary Protection |
Protects |
T1482 |
Domain Trust Discovery |
| SC-7 |
Boundary Protection |
Protects |
T1489 |
Service Stop |
| SC-7 |
Boundary Protection |
Protects |
T1498 |
Network Denial of Service |
| SC-7 |
Boundary Protection |
Protects |
T1498.001 |
Direct Network Flood |
| SC-7 |
Boundary Protection |
Protects |
T1498.002 |
Reflection Amplification |
| SC-7 |
Boundary Protection |
Protects |
T1499 |
Endpoint Denial of Service |
| SC-7 |
Boundary Protection |
Protects |
T1499.001 |
OS Exhaustion Flood |
| SC-7 |
Boundary Protection |
Protects |
T1499.002 |
Service Exhaustion Flood |
| SC-7 |
Boundary Protection |
Protects |
T1499.003 |
Application Exhaustion Flood |
| SC-7 |
Boundary Protection |
Protects |
T1499.004 |
Application or System Exploitation |
| SC-7 |
Boundary Protection |
Protects |
T1530 |
Data from Cloud Storage Object |
| SC-7 |
Boundary Protection |
Protects |
T1537 |
Transfer Data to Cloud Account |
| SC-7 |
Boundary Protection |
Protects |
T1542 |
Pre-OS Boot |
| SC-7 |
Boundary Protection |
Protects |
T1542.004 |
ROMMONkit |
| SC-7 |
Boundary Protection |
Protects |
T1542.005 |
TFTP Boot |
| SC-7 |
Boundary Protection |
Protects |
T1552 |
Unsecured Credentials |
| SC-7 |
Boundary Protection |
Protects |
T1552.001 |
Credentials In Files |
| SC-7 |
Boundary Protection |
Protects |
T1552.004 |
Private Keys |
| SC-7 |
Boundary Protection |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| SC-7 |
Boundary Protection |
Protects |
T1552.007 |
Container API |
| SC-7 |
Boundary Protection |
Protects |
T1557 |
Man-in-the-Middle |
| SC-7 |
Boundary Protection |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SC-7 |
Boundary Protection |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SC-7 |
Boundary Protection |
Protects |
T1559 |
Inter-Process Communication |
| SC-7 |
Boundary Protection |
Protects |
T1559.001 |
Component Object Model |
| SC-7 |
Boundary Protection |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SC-7 |
Boundary Protection |
Protects |
T1560 |
Archive Collected Data |
| SC-7 |
Boundary Protection |
Protects |
T1560.001 |
Archive via Utility |
| SC-7 |
Boundary Protection |
Protects |
T1563 |
Remote Service Session Hijacking |
| SC-7 |
Boundary Protection |
Protects |
T1563.002 |
RDP Hijacking |
| SC-7 |
Boundary Protection |
Protects |
T1565 |
Data Manipulation |
| SC-7 |
Boundary Protection |
Protects |
T1565.001 |
Stored Data Manipulation |
| SC-7 |
Boundary Protection |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SC-7 |
Boundary Protection |
Protects |
T1566 |
Phishing |
| SC-7 |
Boundary Protection |
Protects |
T1566.001 |
Spearphishing Attachment |
| SC-7 |
Boundary Protection |
Protects |
T1566.002 |
Spearphishing Link |
| SC-7 |
Boundary Protection |
Protects |
T1566.003 |
Spearphishing via Service |
| SC-7 |
Boundary Protection |
Protects |
T1567 |
Exfiltration Over Web Service |
| SC-7 |
Boundary Protection |
Protects |
T1567.001 |
Exfiltration to Code Repository |
| SC-7 |
Boundary Protection |
Protects |
T1567.002 |
Exfiltration to Cloud Storage |
| SC-7 |
Boundary Protection |
Protects |
T1568 |
Dynamic Resolution |
| SC-7 |
Boundary Protection |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SC-7 |
Boundary Protection |
Protects |
T1570 |
Lateral Tool Transfer |
| SC-7 |
Boundary Protection |
Protects |
T1571 |
Non-Standard Port |
| SC-7 |
Boundary Protection |
Protects |
T1572 |
Protocol Tunneling |
| SC-7 |
Boundary Protection |
Protects |
T1573 |
Encrypted Channel |
| SC-7 |
Boundary Protection |
Protects |
T1573.001 |
Symmetric Cryptography |
| SC-7 |
Boundary Protection |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SC-7 |
Boundary Protection |
Protects |
T1598 |
Phishing for Information |
| SC-7 |
Boundary Protection |
Protects |
T1598.001 |
Spearphishing Service |
| SC-7 |
Boundary Protection |
Protects |
T1598.002 |
Spearphishing Attachment |
| SC-7 |
Boundary Protection |
Protects |
T1598.003 |
Spearphishing Link |
| SC-7 |
Boundary Protection |
Protects |
T1599 |
Network Boundary Bridging |
| SC-7 |
Boundary Protection |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SC-7 |
Boundary Protection |
Protects |
T1602 |
Data from Configuration Repository |
| SC-7 |
Boundary Protection |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SC-7 |
Boundary Protection |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SC-7 |
Boundary Protection |
Protects |
T1609 |
Container Administration Command |
| SC-7 |
Boundary Protection |
Protects |
T1610 |
Deploy Container |
| SC-7 |
Boundary Protection |
Protects |
T1611 |
Escape to Host |
| SC-7 |
Boundary Protection |
Protects |
T1612 |
Build Image on Host |
| SC-7 |
Boundary Protection |
Protects |
T1613 |
Container and Resource Discovery |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1040 |
Network Sniffing |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1090 |
Proxy |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1090.004 |
Domain Fronting |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1550.001 |
Application Access Token |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1550.004 |
Web Session Cookie |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1552.007 |
Container API |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1557 |
Man-in-the-Middle |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1562.006 |
Indicator Blocking |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1602 |
Data from Configuration Repository |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SC-8 |
Transmission Confidentiality and Integrity |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-10 |
Information Input Validation |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| SI-10 |
Information Input Validation |
Protects |
T1021.005 |
VNC |
| SI-10 |
Information Input Validation |
Protects |
T1036 |
Masquerading |
| SI-10 |
Information Input Validation |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| SI-10 |
Information Input Validation |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SI-10 |
Information Input Validation |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SI-10 |
Information Input Validation |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SI-10 |
Information Input Validation |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SI-10 |
Information Input Validation |
Protects |
T1059 |
Command and Scripting Interpreter |
| SI-10 |
Information Input Validation |
Protects |
T1059.002 |
AppleScript |
| SI-10 |
Information Input Validation |
Protects |
T1059.003 |
Windows Command Shell |
| SI-10 |
Information Input Validation |
Protects |
T1059.004 |
Unix Shell |
| SI-10 |
Information Input Validation |
Protects |
T1059.005 |
Visual Basic |
| SI-10 |
Information Input Validation |
Protects |
T1059.006 |
Python |
| SI-10 |
Information Input Validation |
Protects |
T1059.007 |
JavaScript |
| SI-10 |
Information Input Validation |
Protects |
T1059.008 |
Network Device CLI |
| SI-10 |
Information Input Validation |
Protects |
T1071.004 |
DNS |
| SI-10 |
Information Input Validation |
Protects |
T1080 |
Taint Shared Content |
| SI-10 |
Information Input Validation |
Protects |
T1090 |
Proxy |
| SI-10 |
Information Input Validation |
Protects |
T1090.003 |
Multi-hop Proxy |
| SI-10 |
Information Input Validation |
Protects |
T1095 |
Non-Application Layer Protocol |
| SI-10 |
Information Input Validation |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| SI-10 |
Information Input Validation |
Protects |
T1129 |
Shared Modules |
| SI-10 |
Information Input Validation |
Protects |
T1176 |
Browser Extensions |
| SI-10 |
Information Input Validation |
Protects |
T1187 |
Forced Authentication |
| SI-10 |
Information Input Validation |
Protects |
T1190 |
Exploit Public-Facing Application |
| SI-10 |
Information Input Validation |
Protects |
T1197 |
BITS Jobs |
| SI-10 |
Information Input Validation |
Protects |
T1204 |
User Execution |
| SI-10 |
Information Input Validation |
Protects |
T1204.002 |
Malicious File |
| SI-10 |
Information Input Validation |
Protects |
T1216 |
Signed Script Proxy Execution |
| SI-10 |
Information Input Validation |
Protects |
T1216.001 |
PubPrn |
| SI-10 |
Information Input Validation |
Protects |
T1218 |
Signed Binary Proxy Execution |
| SI-10 |
Information Input Validation |
Protects |
T1218.001 |
Compiled HTML File |
| SI-10 |
Information Input Validation |
Protects |
T1218.002 |
Control Panel |
| SI-10 |
Information Input Validation |
Protects |
T1218.003 |
CMSTP |
| SI-10 |
Information Input Validation |
Protects |
T1218.004 |
InstallUtil |
| SI-10 |
Information Input Validation |
Protects |
T1218.005 |
Mshta |
| SI-10 |
Information Input Validation |
Protects |
T1218.008 |
Odbcconf |
| SI-10 |
Information Input Validation |
Protects |
T1218.009 |
Regsvcs/Regasm |
| SI-10 |
Information Input Validation |
Protects |
T1218.010 |
Regsvr32 |
| SI-10 |
Information Input Validation |
Protects |
T1218.011 |
Rundll32 |
| SI-10 |
Information Input Validation |
Protects |
T1218.012 |
Verclsid |
| SI-10 |
Information Input Validation |
Protects |
T1219 |
Remote Access Software |
| SI-10 |
Information Input Validation |
Protects |
T1220 |
XSL Script Processing |
| SI-10 |
Information Input Validation |
Protects |
T1221 |
Template Injection |
| SI-10 |
Information Input Validation |
Protects |
T1498 |
Network Denial of Service |
| SI-10 |
Information Input Validation |
Protects |
T1498.001 |
Direct Network Flood |
| SI-10 |
Information Input Validation |
Protects |
T1498.002 |
Reflection Amplification |
| SI-10 |
Information Input Validation |
Protects |
T1499 |
Endpoint Denial of Service |
| SI-10 |
Information Input Validation |
Protects |
T1499.001 |
OS Exhaustion Flood |
| SI-10 |
Information Input Validation |
Protects |
T1499.002 |
Service Exhaustion Flood |
| SI-10 |
Information Input Validation |
Protects |
T1499.003 |
Application Exhaustion Flood |
| SI-10 |
Information Input Validation |
Protects |
T1499.004 |
Application or System Exploitation |
| SI-10 |
Information Input Validation |
Protects |
T1530 |
Data from Cloud Storage Object |
| SI-10 |
Information Input Validation |
Protects |
T1537 |
Transfer Data to Cloud Account |
| SI-10 |
Information Input Validation |
Protects |
T1546.002 |
Screensaver |
| SI-10 |
Information Input Validation |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SI-10 |
Information Input Validation |
Protects |
T1546.008 |
Accessibility Features |
| SI-10 |
Information Input Validation |
Protects |
T1546.009 |
AppCert DLLs |
| SI-10 |
Information Input Validation |
Protects |
T1546.010 |
AppInit DLLs |
| SI-10 |
Information Input Validation |
Protects |
T1547.004 |
Winlogon Helper DLL |
| SI-10 |
Information Input Validation |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| SI-10 |
Information Input Validation |
Protects |
T1552 |
Unsecured Credentials |
| SI-10 |
Information Input Validation |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| SI-10 |
Information Input Validation |
Protects |
T1553 |
Subvert Trust Controls |
| SI-10 |
Information Input Validation |
Protects |
T1553.001 |
Gatekeeper Bypass |
| SI-10 |
Information Input Validation |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| SI-10 |
Information Input Validation |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| SI-10 |
Information Input Validation |
Protects |
T1557 |
Man-in-the-Middle |
| SI-10 |
Information Input Validation |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SI-10 |
Information Input Validation |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-10 |
Information Input Validation |
Protects |
T1564.003 |
Hidden Window |
| SI-10 |
Information Input Validation |
Protects |
T1564.006 |
Run Virtual Instance |
| SI-10 |
Information Input Validation |
Protects |
T1570 |
Lateral Tool Transfer |
| SI-10 |
Information Input Validation |
Protects |
T1572 |
Protocol Tunneling |
| SI-10 |
Information Input Validation |
Protects |
T1574 |
Hijack Execution Flow |
| SI-10 |
Information Input Validation |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| SI-10 |
Information Input Validation |
Protects |
T1574.006 |
Dynamic Linker Hijacking |
| SI-10 |
Information Input Validation |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| SI-10 |
Information Input Validation |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| SI-10 |
Information Input Validation |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| SI-10 |
Information Input Validation |
Protects |
T1574.012 |
COR_PROFILER |
| SI-10 |
Information Input Validation |
Protects |
T1599 |
Network Boundary Bridging |
| SI-10 |
Information Input Validation |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SI-10 |
Information Input Validation |
Protects |
T1602 |
Data from Configuration Repository |
| SI-10 |
Information Input Validation |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-10 |
Information Input Validation |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-10 |
Information Input Validation |
Protects |
T1609 |
Container Administration Command |
| SI-12 |
Information Management and Retention |
Protects |
T1003 |
OS Credential Dumping |
| SI-12 |
Information Management and Retention |
Protects |
T1003.003 |
NTDS |
| SI-12 |
Information Management and Retention |
Protects |
T1020.001 |
Traffic Duplication |
| SI-12 |
Information Management and Retention |
Protects |
T1040 |
Network Sniffing |
| SI-12 |
Information Management and Retention |
Protects |
T1070 |
Indicator Removal on Host |
| SI-12 |
Information Management and Retention |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SI-12 |
Information Management and Retention |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SI-12 |
Information Management and Retention |
Protects |
T1114 |
Email Collection |
| SI-12 |
Information Management and Retention |
Protects |
T1114.001 |
Local Email Collection |
| SI-12 |
Information Management and Retention |
Protects |
T1114.002 |
Remote Email Collection |
| SI-12 |
Information Management and Retention |
Protects |
T1114.003 |
Email Forwarding Rule |
| SI-12 |
Information Management and Retention |
Protects |
T1119 |
Automated Collection |
| SI-12 |
Information Management and Retention |
Protects |
T1530 |
Data from Cloud Storage Object |
| SI-12 |
Information Management and Retention |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SI-12 |
Information Management and Retention |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SI-12 |
Information Management and Retention |
Protects |
T1550.001 |
Application Access Token |
| SI-12 |
Information Management and Retention |
Protects |
T1552 |
Unsecured Credentials |
| SI-12 |
Information Management and Retention |
Protects |
T1552.004 |
Private Keys |
| SI-12 |
Information Management and Retention |
Protects |
T1557 |
Man-in-the-Middle |
| SI-12 |
Information Management and Retention |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-12 |
Information Management and Retention |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| SI-12 |
Information Management and Retention |
Protects |
T1558.002 |
Silver Ticket |
| SI-12 |
Information Management and Retention |
Protects |
T1558.003 |
Kerberoasting |
| SI-12 |
Information Management and Retention |
Protects |
T1558.004 |
AS-REP Roasting |
| SI-12 |
Information Management and Retention |
Protects |
T1565 |
Data Manipulation |
| SI-12 |
Information Management and Retention |
Protects |
T1565.001 |
Stored Data Manipulation |
| SI-12 |
Information Management and Retention |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| SI-12 |
Information Management and Retention |
Protects |
T1602 |
Data from Configuration Repository |
| SI-12 |
Information Management and Retention |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-12 |
Information Management and Retention |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-15 |
Information Output Filtering |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| SI-15 |
Information Output Filtering |
Protects |
T1021.005 |
VNC |
| SI-15 |
Information Output Filtering |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SI-15 |
Information Output Filtering |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SI-15 |
Information Output Filtering |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SI-15 |
Information Output Filtering |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SI-15 |
Information Output Filtering |
Protects |
T1071.004 |
DNS |
| SI-15 |
Information Output Filtering |
Protects |
T1090 |
Proxy |
| SI-15 |
Information Output Filtering |
Protects |
T1090.003 |
Multi-hop Proxy |
| SI-15 |
Information Output Filtering |
Protects |
T1095 |
Non-Application Layer Protocol |
| SI-15 |
Information Output Filtering |
Protects |
T1187 |
Forced Authentication |
| SI-15 |
Information Output Filtering |
Protects |
T1197 |
BITS Jobs |
| SI-15 |
Information Output Filtering |
Protects |
T1205 |
Traffic Signaling |
| SI-15 |
Information Output Filtering |
Protects |
T1205.001 |
Port Knocking |
| SI-15 |
Information Output Filtering |
Protects |
T1218.012 |
Verclsid |
| SI-15 |
Information Output Filtering |
Protects |
T1219 |
Remote Access Software |
| SI-15 |
Information Output Filtering |
Protects |
T1498 |
Network Denial of Service |
| SI-15 |
Information Output Filtering |
Protects |
T1498.001 |
Direct Network Flood |
| SI-15 |
Information Output Filtering |
Protects |
T1498.002 |
Reflection Amplification |
| SI-15 |
Information Output Filtering |
Protects |
T1499 |
Endpoint Denial of Service |
| SI-15 |
Information Output Filtering |
Protects |
T1499.001 |
OS Exhaustion Flood |
| SI-15 |
Information Output Filtering |
Protects |
T1499.002 |
Service Exhaustion Flood |
| SI-15 |
Information Output Filtering |
Protects |
T1499.003 |
Application Exhaustion Flood |
| SI-15 |
Information Output Filtering |
Protects |
T1499.004 |
Application or System Exploitation |
| SI-15 |
Information Output Filtering |
Protects |
T1530 |
Data from Cloud Storage Object |
| SI-15 |
Information Output Filtering |
Protects |
T1537 |
Transfer Data to Cloud Account |
| SI-15 |
Information Output Filtering |
Protects |
T1552 |
Unsecured Credentials |
| SI-15 |
Information Output Filtering |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| SI-15 |
Information Output Filtering |
Protects |
T1557 |
Man-in-the-Middle |
| SI-15 |
Information Output Filtering |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SI-15 |
Information Output Filtering |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-15 |
Information Output Filtering |
Protects |
T1570 |
Lateral Tool Transfer |
| SI-15 |
Information Output Filtering |
Protects |
T1572 |
Protocol Tunneling |
| SI-15 |
Information Output Filtering |
Protects |
T1599 |
Network Boundary Bridging |
| SI-15 |
Information Output Filtering |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SI-15 |
Information Output Filtering |
Protects |
T1602 |
Data from Configuration Repository |
| SI-15 |
Information Output Filtering |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-15 |
Information Output Filtering |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-16 |
Memory Protection |
Protects |
T1055.009 |
Proc Memory |
| SI-16 |
Memory Protection |
Protects |
T1543 |
Create or Modify System Process |
| SI-16 |
Memory Protection |
Protects |
T1543.002 |
Systemd Service |
| SI-16 |
Memory Protection |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SI-16 |
Memory Protection |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SI-16 |
Memory Protection |
Protects |
T1565 |
Data Manipulation |
| SI-16 |
Memory Protection |
Protects |
T1565.001 |
Stored Data Manipulation |
| SI-16 |
Memory Protection |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SI-16 |
Memory Protection |
Protects |
T1611 |
Escape to Host |
| SI-2 |
Flaw Remediation |
Protects |
T1027 |
Obfuscated Files or Information |
| SI-2 |
Flaw Remediation |
Protects |
T1027.002 |
Software Packing |
| SI-2 |
Flaw Remediation |
Protects |
T1055 |
Process Injection |
| SI-2 |
Flaw Remediation |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| SI-2 |
Flaw Remediation |
Protects |
T1055.002 |
Portable Executable Injection |
| SI-2 |
Flaw Remediation |
Protects |
T1055.003 |
Thread Execution Hijacking |
| SI-2 |
Flaw Remediation |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| SI-2 |
Flaw Remediation |
Protects |
T1055.005 |
Thread Local Storage |
| SI-2 |
Flaw Remediation |
Protects |
T1055.008 |
Ptrace System Calls |
| SI-2 |
Flaw Remediation |
Protects |
T1055.009 |
Proc Memory |
| SI-2 |
Flaw Remediation |
Protects |
T1055.011 |
Extra Window Memory Injection |
| SI-2 |
Flaw Remediation |
Protects |
T1055.012 |
Process Hollowing |
| SI-2 |
Flaw Remediation |
Protects |
T1055.013 |
Process Doppelgänging |
| SI-2 |
Flaw Remediation |
Protects |
T1055.014 |
VDSO Hijacking |
| SI-2 |
Flaw Remediation |
Protects |
T1059 |
Command and Scripting Interpreter |
| SI-2 |
Flaw Remediation |
Protects |
T1059.001 |
PowerShell |
| SI-2 |
Flaw Remediation |
Protects |
T1059.005 |
Visual Basic |
| SI-2 |
Flaw Remediation |
Protects |
T1059.006 |
Python |
| SI-2 |
Flaw Remediation |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SI-2 |
Flaw Remediation |
Protects |
T1072 |
Software Deployment Tools |
| SI-2 |
Flaw Remediation |
Protects |
T1137 |
Office Application Startup |
| SI-2 |
Flaw Remediation |
Protects |
T1137.003 |
Outlook Forms |
| SI-2 |
Flaw Remediation |
Protects |
T1137.004 |
Outlook Home Page |
| SI-2 |
Flaw Remediation |
Protects |
T1137.005 |
Outlook Rules |
| SI-2 |
Flaw Remediation |
Protects |
T1189 |
Drive-by Compromise |
| SI-2 |
Flaw Remediation |
Protects |
T1190 |
Exploit Public-Facing Application |
| SI-2 |
Flaw Remediation |
Protects |
T1195 |
Supply Chain Compromise |
| SI-2 |
Flaw Remediation |
Protects |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| SI-2 |
Flaw Remediation |
Protects |
T1195.002 |
Compromise Software Supply Chain |
| SI-2 |
Flaw Remediation |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| SI-2 |
Flaw Remediation |
Protects |
T1204 |
User Execution |
| SI-2 |
Flaw Remediation |
Protects |
T1204.001 |
Malicious Link |
| SI-2 |
Flaw Remediation |
Protects |
T1204.003 |
Malicious Image |
| SI-2 |
Flaw Remediation |
Protects |
T1210 |
Exploitation of Remote Services |
| SI-2 |
Flaw Remediation |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SI-2 |
Flaw Remediation |
Protects |
T1212 |
Exploitation for Credential Access |
| SI-2 |
Flaw Remediation |
Protects |
T1221 |
Template Injection |
| SI-2 |
Flaw Remediation |
Protects |
T1495 |
Firmware Corruption |
| SI-2 |
Flaw Remediation |
Protects |
T1525 |
Implant Internal Image |
| SI-2 |
Flaw Remediation |
Protects |
T1542 |
Pre-OS Boot |
| SI-2 |
Flaw Remediation |
Protects |
T1542.001 |
System Firmware |
| SI-2 |
Flaw Remediation |
Protects |
T1542.003 |
Bootkit |
| SI-2 |
Flaw Remediation |
Protects |
T1542.004 |
ROMMONkit |
| SI-2 |
Flaw Remediation |
Protects |
T1542.005 |
TFTP Boot |
| SI-2 |
Flaw Remediation |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SI-2 |
Flaw Remediation |
Protects |
T1546.010 |
AppInit DLLs |
| SI-2 |
Flaw Remediation |
Protects |
T1546.011 |
Application Shimming |
| SI-2 |
Flaw Remediation |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| SI-2 |
Flaw Remediation |
Protects |
T1548.002 |
Bypass User Account Control |
| SI-2 |
Flaw Remediation |
Protects |
T1550.002 |
Pass the Hash |
| SI-2 |
Flaw Remediation |
Protects |
T1552 |
Unsecured Credentials |
| SI-2 |
Flaw Remediation |
Protects |
T1552.006 |
Group Policy Preferences |
| SI-2 |
Flaw Remediation |
Protects |
T1553 |
Subvert Trust Controls |
| SI-2 |
Flaw Remediation |
Protects |
T1553.006 |
Code Signing Policy Modification |
| SI-2 |
Flaw Remediation |
Protects |
T1555.005 |
Password Managers |
| SI-2 |
Flaw Remediation |
Protects |
T1559 |
Inter-Process Communication |
| SI-2 |
Flaw Remediation |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SI-2 |
Flaw Remediation |
Protects |
T1566 |
Phishing |
| SI-2 |
Flaw Remediation |
Protects |
T1566.001 |
Spearphishing Attachment |
| SI-2 |
Flaw Remediation |
Protects |
T1566.003 |
Spearphishing via Service |
| SI-2 |
Flaw Remediation |
Protects |
T1574 |
Hijack Execution Flow |
| SI-2 |
Flaw Remediation |
Protects |
T1574.002 |
DLL Side-Loading |
| SI-2 |
Flaw Remediation |
Protects |
T1601 |
Modify System Image |
| SI-2 |
Flaw Remediation |
Protects |
T1601.001 |
Patch System Image |
| SI-2 |
Flaw Remediation |
Protects |
T1601.002 |
Downgrade System Image |
| SI-2 |
Flaw Remediation |
Protects |
T1611 |
Escape to Host |
| SI-23 |
Information Fragmentation |
Protects |
T1070 |
Indicator Removal on Host |
| SI-23 |
Information Fragmentation |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SI-23 |
Information Fragmentation |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SI-23 |
Information Fragmentation |
Protects |
T1072 |
Software Deployment Tools |
| SI-23 |
Information Fragmentation |
Protects |
T1119 |
Automated Collection |
| SI-23 |
Information Fragmentation |
Protects |
T1565 |
Data Manipulation |
| SI-23 |
Information Fragmentation |
Protects |
T1565.001 |
Stored Data Manipulation |
| SI-3 |
Malicious Code Protection |
Protects |
T1001 |
Data Obfuscation |
| SI-3 |
Malicious Code Protection |
Protects |
T1001.001 |
Junk Data |
| SI-3 |
Malicious Code Protection |
Protects |
T1001.002 |
Steganography |
| SI-3 |
Malicious Code Protection |
Protects |
T1001.003 |
Protocol Impersonation |
| SI-3 |
Malicious Code Protection |
Protects |
T1003 |
OS Credential Dumping |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.001 |
LSASS Memory |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.002 |
Security Account Manager |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.003 |
NTDS |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.004 |
LSA Secrets |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.005 |
Cached Domain Credentials |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.006 |
DCSync |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.007 |
Proc Filesystem |
| SI-3 |
Malicious Code Protection |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| SI-3 |
Malicious Code Protection |
Protects |
T1008 |
Fallback Channels |
| SI-3 |
Malicious Code Protection |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| SI-3 |
Malicious Code Protection |
Protects |
T1021.003 |
Distributed Component Object Model |
| SI-3 |
Malicious Code Protection |
Protects |
T1021.005 |
VNC |
| SI-3 |
Malicious Code Protection |
Protects |
T1027 |
Obfuscated Files or Information |
| SI-3 |
Malicious Code Protection |
Protects |
T1027.002 |
Software Packing |
| SI-3 |
Malicious Code Protection |
Protects |
T1029 |
Scheduled Transfer |
| SI-3 |
Malicious Code Protection |
Protects |
T1030 |
Data Transfer Size Limits |
| SI-3 |
Malicious Code Protection |
Protects |
T1036 |
Masquerading |
| SI-3 |
Malicious Code Protection |
Protects |
T1036.003 |
Rename System Utilities |
| SI-3 |
Malicious Code Protection |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| SI-3 |
Malicious Code Protection |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| SI-3 |
Malicious Code Protection |
Protects |
T1037.002 |
Logon Script (Mac) |
| SI-3 |
Malicious Code Protection |
Protects |
T1037.003 |
Network Logon Script |
| SI-3 |
Malicious Code Protection |
Protects |
T1037.004 |
RC Scripts |
| SI-3 |
Malicious Code Protection |
Protects |
T1037.005 |
Startup Items |
| SI-3 |
Malicious Code Protection |
Protects |
T1041 |
Exfiltration Over C2 Channel |
| SI-3 |
Malicious Code Protection |
Protects |
T1046 |
Network Service Scanning |
| SI-3 |
Malicious Code Protection |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| SI-3 |
Malicious Code Protection |
Protects |
T1052.001 |
Exfiltration over USB |
| SI-3 |
Malicious Code Protection |
Protects |
T1055 |
Process Injection |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.002 |
Portable Executable Injection |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.003 |
Thread Execution Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.005 |
Thread Local Storage |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.008 |
Ptrace System Calls |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.009 |
Proc Memory |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.011 |
Extra Window Memory Injection |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.012 |
Process Hollowing |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.013 |
Process Doppelgänging |
| SI-3 |
Malicious Code Protection |
Protects |
T1055.014 |
VDSO Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1056.002 |
GUI Input Capture |
| SI-3 |
Malicious Code Protection |
Protects |
T1059 |
Command and Scripting Interpreter |
| SI-3 |
Malicious Code Protection |
Protects |
T1059.001 |
PowerShell |
| SI-3 |
Malicious Code Protection |
Protects |
T1059.005 |
Visual Basic |
| SI-3 |
Malicious Code Protection |
Protects |
T1059.006 |
Python |
| SI-3 |
Malicious Code Protection |
Protects |
T1059.007 |
JavaScript |
| SI-3 |
Malicious Code Protection |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SI-3 |
Malicious Code Protection |
Protects |
T1070 |
Indicator Removal on Host |
| SI-3 |
Malicious Code Protection |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SI-3 |
Malicious Code Protection |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SI-3 |
Malicious Code Protection |
Protects |
T1070.003 |
Clear Command History |
| SI-3 |
Malicious Code Protection |
Protects |
T1071 |
Application Layer Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1071.001 |
Web Protocols |
| SI-3 |
Malicious Code Protection |
Protects |
T1071.002 |
File Transfer Protocols |
| SI-3 |
Malicious Code Protection |
Protects |
T1071.003 |
Mail Protocols |
| SI-3 |
Malicious Code Protection |
Protects |
T1071.004 |
DNS |
| SI-3 |
Malicious Code Protection |
Protects |
T1072 |
Software Deployment Tools |
| SI-3 |
Malicious Code Protection |
Protects |
T1080 |
Taint Shared Content |
| SI-3 |
Malicious Code Protection |
Protects |
T1090 |
Proxy |
| SI-3 |
Malicious Code Protection |
Protects |
T1090.001 |
Internal Proxy |
| SI-3 |
Malicious Code Protection |
Protects |
T1090.002 |
External Proxy |
| SI-3 |
Malicious Code Protection |
Protects |
T1091 |
Replication Through Removable Media |
| SI-3 |
Malicious Code Protection |
Protects |
T1092 |
Communication Through Removable Media |
| SI-3 |
Malicious Code Protection |
Protects |
T1095 |
Non-Application Layer Protocol |
| SI-3 |
Malicious Code Protection |
Protects |
T1098.004 |
SSH Authorized Keys |
| SI-3 |
Malicious Code Protection |
Protects |
T1102 |
Web Service |
| SI-3 |
Malicious Code Protection |
Protects |
T1102.001 |
Dead Drop Resolver |
| SI-3 |
Malicious Code Protection |
Protects |
T1102.002 |
Bidirectional Communication |
| SI-3 |
Malicious Code Protection |
Protects |
T1102.003 |
One-Way Communication |
| SI-3 |
Malicious Code Protection |
Protects |
T1104 |
Multi-Stage Channels |
| SI-3 |
Malicious Code Protection |
Protects |
T1105 |
Ingress Tool Transfer |
| SI-3 |
Malicious Code Protection |
Protects |
T1111 |
Two-Factor Authentication Interception |
| SI-3 |
Malicious Code Protection |
Protects |
T1132 |
Data Encoding |
| SI-3 |
Malicious Code Protection |
Protects |
T1132.001 |
Standard Encoding |
| SI-3 |
Malicious Code Protection |
Protects |
T1132.002 |
Non-Standard Encoding |
| SI-3 |
Malicious Code Protection |
Protects |
T1137 |
Office Application Startup |
| SI-3 |
Malicious Code Protection |
Protects |
T1137.001 |
Office Template Macros |
| SI-3 |
Malicious Code Protection |
Protects |
T1176 |
Browser Extensions |
| SI-3 |
Malicious Code Protection |
Protects |
T1185 |
Man in the Browser |
| SI-3 |
Malicious Code Protection |
Protects |
T1189 |
Drive-by Compromise |
| SI-3 |
Malicious Code Protection |
Protects |
T1190 |
Exploit Public-Facing Application |
| SI-3 |
Malicious Code Protection |
Protects |
T1201 |
Password Policy Discovery |
| SI-3 |
Malicious Code Protection |
Protects |
T1203 |
Exploitation for Client Execution |
| SI-3 |
Malicious Code Protection |
Protects |
T1204 |
User Execution |
| SI-3 |
Malicious Code Protection |
Protects |
T1204.001 |
Malicious Link |
| SI-3 |
Malicious Code Protection |
Protects |
T1204.002 |
Malicious File |
| SI-3 |
Malicious Code Protection |
Protects |
T1204.003 |
Malicious Image |
| SI-3 |
Malicious Code Protection |
Protects |
T1210 |
Exploitation of Remote Services |
| SI-3 |
Malicious Code Protection |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SI-3 |
Malicious Code Protection |
Protects |
T1212 |
Exploitation for Credential Access |
| SI-3 |
Malicious Code Protection |
Protects |
T1218.002 |
Control Panel |
| SI-3 |
Malicious Code Protection |
Protects |
T1219 |
Remote Access Software |
| SI-3 |
Malicious Code Protection |
Protects |
T1221 |
Template Injection |
| SI-3 |
Malicious Code Protection |
Protects |
T1485 |
Data Destruction |
| SI-3 |
Malicious Code Protection |
Protects |
T1486 |
Data Encrypted for Impact |
| SI-3 |
Malicious Code Protection |
Protects |
T1490 |
Inhibit System Recovery |
| SI-3 |
Malicious Code Protection |
Protects |
T1491 |
Defacement |
| SI-3 |
Malicious Code Protection |
Protects |
T1491.001 |
Internal Defacement |
| SI-3 |
Malicious Code Protection |
Protects |
T1491.002 |
External Defacement |
| SI-3 |
Malicious Code Protection |
Protects |
T1525 |
Implant Internal Image |
| SI-3 |
Malicious Code Protection |
Protects |
T1539 |
Steal Web Session Cookie |
| SI-3 |
Malicious Code Protection |
Protects |
T1543 |
Create or Modify System Process |
| SI-3 |
Malicious Code Protection |
Protects |
T1543.002 |
Systemd Service |
| SI-3 |
Malicious Code Protection |
Protects |
T1546.002 |
Screensaver |
| SI-3 |
Malicious Code Protection |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| SI-3 |
Malicious Code Protection |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SI-3 |
Malicious Code Protection |
Protects |
T1546.013 |
PowerShell Profile |
| SI-3 |
Malicious Code Protection |
Protects |
T1546.014 |
Emond |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.002 |
Authentication Package |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.005 |
Security Support Provider |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.007 |
Re-opened Applications |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.008 |
LSASS Driver |
| SI-3 |
Malicious Code Protection |
Protects |
T1547.013 |
XDG Autostart Entries |
| SI-3 |
Malicious Code Protection |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SI-3 |
Malicious Code Protection |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SI-3 |
Malicious Code Protection |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1557 |
Man-in-the-Middle |
| SI-3 |
Malicious Code Protection |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SI-3 |
Malicious Code Protection |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-3 |
Malicious Code Protection |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| SI-3 |
Malicious Code Protection |
Protects |
T1558.002 |
Silver Ticket |
| SI-3 |
Malicious Code Protection |
Protects |
T1558.003 |
Kerberoasting |
| SI-3 |
Malicious Code Protection |
Protects |
T1558.004 |
AS-REP Roasting |
| SI-3 |
Malicious Code Protection |
Protects |
T1559 |
Inter-Process Communication |
| SI-3 |
Malicious Code Protection |
Protects |
T1559.001 |
Component Object Model |
| SI-3 |
Malicious Code Protection |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SI-3 |
Malicious Code Protection |
Protects |
T1560 |
Archive Collected Data |
| SI-3 |
Malicious Code Protection |
Protects |
T1560.001 |
Archive via Utility |
| SI-3 |
Malicious Code Protection |
Protects |
T1561 |
Disk Wipe |
| SI-3 |
Malicious Code Protection |
Protects |
T1561.001 |
Disk Content Wipe |
| SI-3 |
Malicious Code Protection |
Protects |
T1561.002 |
Disk Structure Wipe |
| SI-3 |
Malicious Code Protection |
Protects |
T1562 |
Impair Defenses |
| SI-3 |
Malicious Code Protection |
Protects |
T1562.001 |
Disable or Modify Tools |
| SI-3 |
Malicious Code Protection |
Protects |
T1562.002 |
Disable Windows Event Logging |
| SI-3 |
Malicious Code Protection |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| SI-3 |
Malicious Code Protection |
Protects |
T1562.006 |
Indicator Blocking |
| SI-3 |
Malicious Code Protection |
Protects |
T1564.004 |
NTFS File Attributes |
| SI-3 |
Malicious Code Protection |
Protects |
T1566 |
Phishing |
| SI-3 |
Malicious Code Protection |
Protects |
T1566.001 |
Spearphishing Attachment |
| SI-3 |
Malicious Code Protection |
Protects |
T1566.002 |
Spearphishing Link |
| SI-3 |
Malicious Code Protection |
Protects |
T1566.003 |
Spearphishing via Service |
| SI-3 |
Malicious Code Protection |
Protects |
T1568 |
Dynamic Resolution |
| SI-3 |
Malicious Code Protection |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SI-3 |
Malicious Code Protection |
Protects |
T1569 |
System Services |
| SI-3 |
Malicious Code Protection |
Protects |
T1569.002 |
Service Execution |
| SI-3 |
Malicious Code Protection |
Protects |
T1570 |
Lateral Tool Transfer |
| SI-3 |
Malicious Code Protection |
Protects |
T1571 |
Non-Standard Port |
| SI-3 |
Malicious Code Protection |
Protects |
T1572 |
Protocol Tunneling |
| SI-3 |
Malicious Code Protection |
Protects |
T1573 |
Encrypted Channel |
| SI-3 |
Malicious Code Protection |
Protects |
T1573.001 |
Symmetric Cryptography |
| SI-3 |
Malicious Code Protection |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SI-3 |
Malicious Code Protection |
Protects |
T1574 |
Hijack Execution Flow |
| SI-3 |
Malicious Code Protection |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1574.004 |
Dylib Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| SI-3 |
Malicious Code Protection |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| SI-3 |
Malicious Code Protection |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| SI-3 |
Malicious Code Protection |
Protects |
T1598 |
Phishing for Information |
| SI-3 |
Malicious Code Protection |
Protects |
T1598.001 |
Spearphishing Service |
| SI-3 |
Malicious Code Protection |
Protects |
T1598.002 |
Spearphishing Attachment |
| SI-3 |
Malicious Code Protection |
Protects |
T1598.003 |
Spearphishing Link |
| SI-3 |
Malicious Code Protection |
Protects |
T1602 |
Data from Configuration Repository |
| SI-3 |
Malicious Code Protection |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-3 |
Malicious Code Protection |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-3 |
Malicious Code Protection |
Protects |
T1611 |
Escape to Host |
| SI-4 |
System Monitoring |
Protects |
T1001 |
Data Obfuscation |
| SI-4 |
System Monitoring |
Protects |
T1001.001 |
Junk Data |
| SI-4 |
System Monitoring |
Protects |
T1001.002 |
Steganography |
| SI-4 |
System Monitoring |
Protects |
T1001.003 |
Protocol Impersonation |
| SI-4 |
System Monitoring |
Protects |
T1003 |
OS Credential Dumping |
| SI-4 |
System Monitoring |
Protects |
T1003.001 |
LSASS Memory |
| SI-4 |
System Monitoring |
Protects |
T1003.002 |
Security Account Manager |
| SI-4 |
System Monitoring |
Protects |
T1003.003 |
NTDS |
| SI-4 |
System Monitoring |
Protects |
T1003.004 |
LSA Secrets |
| SI-4 |
System Monitoring |
Protects |
T1003.005 |
Cached Domain Credentials |
| SI-4 |
System Monitoring |
Protects |
T1003.006 |
DCSync |
| SI-4 |
System Monitoring |
Protects |
T1003.007 |
Proc Filesystem |
| SI-4 |
System Monitoring |
Protects |
T1003.008 |
/etc/passwd and /etc/shadow |
| SI-4 |
System Monitoring |
Protects |
T1008 |
Fallback Channels |
| SI-4 |
System Monitoring |
Protects |
T1011 |
Exfiltration Over Other Network Medium |
| SI-4 |
System Monitoring |
Protects |
T1011.001 |
Exfiltration Over Bluetooth |
| SI-4 |
System Monitoring |
Protects |
T1020.001 |
Traffic Duplication |
| SI-4 |
System Monitoring |
Protects |
T1021 |
Remote Services |
| SI-4 |
System Monitoring |
Protects |
T1021.001 |
Remote Desktop Protocol |
| SI-4 |
System Monitoring |
Protects |
T1021.002 |
SMB/Windows Admin Shares |
| SI-4 |
System Monitoring |
Protects |
T1021.003 |
Distributed Component Object Model |
| SI-4 |
System Monitoring |
Protects |
T1021.004 |
SSH |
| SI-4 |
System Monitoring |
Protects |
T1021.005 |
VNC |
| SI-4 |
System Monitoring |
Protects |
T1021.006 |
Windows Remote Management |
| SI-4 |
System Monitoring |
Protects |
T1027 |
Obfuscated Files or Information |
| SI-4 |
System Monitoring |
Protects |
T1027.002 |
Software Packing |
| SI-4 |
System Monitoring |
Protects |
T1029 |
Scheduled Transfer |
| SI-4 |
System Monitoring |
Protects |
T1030 |
Data Transfer Size Limits |
| SI-4 |
System Monitoring |
Protects |
T1036 |
Masquerading |
| SI-4 |
System Monitoring |
Protects |
T1036.001 |
Invalid Code Signature |
| SI-4 |
System Monitoring |
Protects |
T1036.003 |
Rename System Utilities |
| SI-4 |
System Monitoring |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| SI-4 |
System Monitoring |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| SI-4 |
System Monitoring |
Protects |
T1037.002 |
Logon Script (Mac) |
| SI-4 |
System Monitoring |
Protects |
T1037.003 |
Network Logon Script |
| SI-4 |
System Monitoring |
Protects |
T1037.004 |
RC Scripts |
| SI-4 |
System Monitoring |
Protects |
T1037.005 |
Startup Items |
| SI-4 |
System Monitoring |
Protects |
T1040 |
Network Sniffing |
| SI-4 |
System Monitoring |
Protects |
T1041 |
Exfiltration Over C2 Channel |
| SI-4 |
System Monitoring |
Protects |
T1046 |
Network Service Scanning |
| SI-4 |
System Monitoring |
Protects |
T1048 |
Exfiltration Over Alternative Protocol |
| SI-4 |
System Monitoring |
Protects |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| SI-4 |
System Monitoring |
Protects |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| SI-4 |
System Monitoring |
Protects |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| SI-4 |
System Monitoring |
Protects |
T1052 |
Exfiltration Over Physical Medium |
| SI-4 |
System Monitoring |
Protects |
T1052.001 |
Exfiltration over USB |
| SI-4 |
System Monitoring |
Protects |
T1053 |
Scheduled Task/Job |
| SI-4 |
System Monitoring |
Protects |
T1053.001 |
At (Linux) |
| SI-4 |
System Monitoring |
Protects |
T1053.002 |
At (Windows) |
| SI-4 |
System Monitoring |
Protects |
T1053.003 |
Cron |
| SI-4 |
System Monitoring |
Protects |
T1053.004 |
Launchd |
| SI-4 |
System Monitoring |
Protects |
T1053.005 |
Scheduled Task |
| SI-4 |
System Monitoring |
Protects |
T1053.006 |
Systemd Timers |
| SI-4 |
System Monitoring |
Protects |
T1055 |
Process Injection |
| SI-4 |
System Monitoring |
Protects |
T1055.001 |
Dynamic-link Library Injection |
| SI-4 |
System Monitoring |
Protects |
T1055.002 |
Portable Executable Injection |
| SI-4 |
System Monitoring |
Protects |
T1055.003 |
Thread Execution Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1055.004 |
Asynchronous Procedure Call |
| SI-4 |
System Monitoring |
Protects |
T1055.005 |
Thread Local Storage |
| SI-4 |
System Monitoring |
Protects |
T1055.008 |
Ptrace System Calls |
| SI-4 |
System Monitoring |
Protects |
T1055.009 |
Proc Memory |
| SI-4 |
System Monitoring |
Protects |
T1055.011 |
Extra Window Memory Injection |
| SI-4 |
System Monitoring |
Protects |
T1055.012 |
Process Hollowing |
| SI-4 |
System Monitoring |
Protects |
T1055.013 |
Process Doppelgänging |
| SI-4 |
System Monitoring |
Protects |
T1055.014 |
VDSO Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1056.002 |
GUI Input Capture |
| SI-4 |
System Monitoring |
Protects |
T1059 |
Command and Scripting Interpreter |
| SI-4 |
System Monitoring |
Protects |
T1059.001 |
PowerShell |
| SI-4 |
System Monitoring |
Protects |
T1059.002 |
AppleScript |
| SI-4 |
System Monitoring |
Protects |
T1059.003 |
Windows Command Shell |
| SI-4 |
System Monitoring |
Protects |
T1059.004 |
Unix Shell |
| SI-4 |
System Monitoring |
Protects |
T1059.005 |
Visual Basic |
| SI-4 |
System Monitoring |
Protects |
T1059.006 |
Python |
| SI-4 |
System Monitoring |
Protects |
T1059.007 |
JavaScript |
| SI-4 |
System Monitoring |
Protects |
T1059.008 |
Network Device CLI |
| SI-4 |
System Monitoring |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SI-4 |
System Monitoring |
Protects |
T1070 |
Indicator Removal on Host |
| SI-4 |
System Monitoring |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SI-4 |
System Monitoring |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SI-4 |
System Monitoring |
Protects |
T1070.003 |
Clear Command History |
| SI-4 |
System Monitoring |
Protects |
T1071 |
Application Layer Protocol |
| SI-4 |
System Monitoring |
Protects |
T1071.001 |
Web Protocols |
| SI-4 |
System Monitoring |
Protects |
T1071.002 |
File Transfer Protocols |
| SI-4 |
System Monitoring |
Protects |
T1071.003 |
Mail Protocols |
| SI-4 |
System Monitoring |
Protects |
T1071.004 |
DNS |
| SI-4 |
System Monitoring |
Protects |
T1072 |
Software Deployment Tools |
| SI-4 |
System Monitoring |
Protects |
T1078 |
Valid Accounts |
| SI-4 |
System Monitoring |
Protects |
T1078.001 |
Default Accounts |
| SI-4 |
System Monitoring |
Protects |
T1078.002 |
Domain Accounts |
| SI-4 |
System Monitoring |
Protects |
T1078.003 |
Local Accounts |
| SI-4 |
System Monitoring |
Protects |
T1078.004 |
Cloud Accounts |
| SI-4 |
System Monitoring |
Protects |
T1080 |
Taint Shared Content |
| SI-4 |
System Monitoring |
Protects |
T1087 |
Account Discovery |
| SI-4 |
System Monitoring |
Protects |
T1087.001 |
Local Account |
| SI-4 |
System Monitoring |
Protects |
T1087.002 |
Domain Account |
| SI-4 |
System Monitoring |
Protects |
T1090 |
Proxy |
| SI-4 |
System Monitoring |
Protects |
T1090.001 |
Internal Proxy |
| SI-4 |
System Monitoring |
Protects |
T1090.002 |
External Proxy |
| SI-4 |
System Monitoring |
Protects |
T1091 |
Replication Through Removable Media |
| SI-4 |
System Monitoring |
Protects |
T1092 |
Communication Through Removable Media |
| SI-4 |
System Monitoring |
Protects |
T1095 |
Non-Application Layer Protocol |
| SI-4 |
System Monitoring |
Protects |
T1098 |
Account Manipulation |
| SI-4 |
System Monitoring |
Protects |
T1098.001 |
Additional Cloud Credentials |
| SI-4 |
System Monitoring |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| SI-4 |
System Monitoring |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| SI-4 |
System Monitoring |
Protects |
T1098.004 |
SSH Authorized Keys |
| SI-4 |
System Monitoring |
Protects |
T1102 |
Web Service |
| SI-4 |
System Monitoring |
Protects |
T1102.001 |
Dead Drop Resolver |
| SI-4 |
System Monitoring |
Protects |
T1102.002 |
Bidirectional Communication |
| SI-4 |
System Monitoring |
Protects |
T1102.003 |
One-Way Communication |
| SI-4 |
System Monitoring |
Protects |
T1104 |
Multi-Stage Channels |
| SI-4 |
System Monitoring |
Protects |
T1105 |
Ingress Tool Transfer |
| SI-4 |
System Monitoring |
Protects |
T1110 |
Brute Force |
| SI-4 |
System Monitoring |
Protects |
T1110.001 |
Password Guessing |
| SI-4 |
System Monitoring |
Protects |
T1110.002 |
Password Cracking |
| SI-4 |
System Monitoring |
Protects |
T1110.003 |
Password Spraying |
| SI-4 |
System Monitoring |
Protects |
T1110.004 |
Credential Stuffing |
| SI-4 |
System Monitoring |
Protects |
T1111 |
Two-Factor Authentication Interception |
| SI-4 |
System Monitoring |
Protects |
T1114 |
Email Collection |
| SI-4 |
System Monitoring |
Protects |
T1114.001 |
Local Email Collection |
| SI-4 |
System Monitoring |
Protects |
T1114.002 |
Remote Email Collection |
| SI-4 |
System Monitoring |
Protects |
T1114.003 |
Email Forwarding Rule |
| SI-4 |
System Monitoring |
Protects |
T1119 |
Automated Collection |
| SI-4 |
System Monitoring |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| SI-4 |
System Monitoring |
Protects |
T1127.001 |
MSBuild |
| SI-4 |
System Monitoring |
Protects |
T1129 |
Shared Modules |
| SI-4 |
System Monitoring |
Protects |
T1132 |
Data Encoding |
| SI-4 |
System Monitoring |
Protects |
T1132.001 |
Standard Encoding |
| SI-4 |
System Monitoring |
Protects |
T1132.002 |
Non-Standard Encoding |
| SI-4 |
System Monitoring |
Protects |
T1133 |
External Remote Services |
| SI-4 |
System Monitoring |
Protects |
T1135 |
Network Share Discovery |
| SI-4 |
System Monitoring |
Protects |
T1136 |
Create Account |
| SI-4 |
System Monitoring |
Protects |
T1136.001 |
Local Account |
| SI-4 |
System Monitoring |
Protects |
T1136.002 |
Domain Account |
| SI-4 |
System Monitoring |
Protects |
T1136.003 |
Cloud Account |
| SI-4 |
System Monitoring |
Protects |
T1137 |
Office Application Startup |
| SI-4 |
System Monitoring |
Protects |
T1137.001 |
Office Template Macros |
| SI-4 |
System Monitoring |
Protects |
T1176 |
Browser Extensions |
| SI-4 |
System Monitoring |
Protects |
T1185 |
Man in the Browser |
| SI-4 |
System Monitoring |
Protects |
T1187 |
Forced Authentication |
| SI-4 |
System Monitoring |
Protects |
T1189 |
Drive-by Compromise |
| SI-4 |
System Monitoring |
Protects |
T1190 |
Exploit Public-Facing Application |
| SI-4 |
System Monitoring |
Protects |
T1197 |
BITS Jobs |
| SI-4 |
System Monitoring |
Protects |
T1201 |
Password Policy Discovery |
| SI-4 |
System Monitoring |
Protects |
T1203 |
Exploitation for Client Execution |
| SI-4 |
System Monitoring |
Protects |
T1204 |
User Execution |
| SI-4 |
System Monitoring |
Protects |
T1204.001 |
Malicious Link |
| SI-4 |
System Monitoring |
Protects |
T1204.002 |
Malicious File |
| SI-4 |
System Monitoring |
Protects |
T1204.003 |
Malicious Image |
| SI-4 |
System Monitoring |
Protects |
T1205 |
Traffic Signaling |
| SI-4 |
System Monitoring |
Protects |
T1205.001 |
Port Knocking |
| SI-4 |
System Monitoring |
Protects |
T1210 |
Exploitation of Remote Services |
| SI-4 |
System Monitoring |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SI-4 |
System Monitoring |
Protects |
T1212 |
Exploitation for Credential Access |
| SI-4 |
System Monitoring |
Protects |
T1213 |
Data from Information Repositories |
| SI-4 |
System Monitoring |
Protects |
T1213.001 |
Confluence |
| SI-4 |
System Monitoring |
Protects |
T1213.002 |
Sharepoint |
| SI-4 |
System Monitoring |
Protects |
T1216 |
Signed Script Proxy Execution |
| SI-4 |
System Monitoring |
Protects |
T1216.001 |
PubPrn |
| SI-4 |
System Monitoring |
Protects |
T1218 |
Signed Binary Proxy Execution |
| SI-4 |
System Monitoring |
Protects |
T1218.001 |
Compiled HTML File |
| SI-4 |
System Monitoring |
Protects |
T1218.002 |
Control Panel |
| SI-4 |
System Monitoring |
Protects |
T1218.003 |
CMSTP |
| SI-4 |
System Monitoring |
Protects |
T1218.004 |
InstallUtil |
| SI-4 |
System Monitoring |
Protects |
T1218.005 |
Mshta |
| SI-4 |
System Monitoring |
Protects |
T1218.008 |
Odbcconf |
| SI-4 |
System Monitoring |
Protects |
T1218.009 |
Regsvcs/Regasm |
| SI-4 |
System Monitoring |
Protects |
T1218.010 |
Regsvr32 |
| SI-4 |
System Monitoring |
Protects |
T1218.011 |
Rundll32 |
| SI-4 |
System Monitoring |
Protects |
T1218.012 |
Verclsid |
| SI-4 |
System Monitoring |
Protects |
T1219 |
Remote Access Software |
| SI-4 |
System Monitoring |
Protects |
T1220 |
XSL Script Processing |
| SI-4 |
System Monitoring |
Protects |
T1221 |
Template Injection |
| SI-4 |
System Monitoring |
Protects |
T1222 |
File and Directory Permissions Modification |
| SI-4 |
System Monitoring |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| SI-4 |
System Monitoring |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| SI-4 |
System Monitoring |
Protects |
T1484 |
Domain Policy Modification |
| SI-4 |
System Monitoring |
Protects |
T1485 |
Data Destruction |
| SI-4 |
System Monitoring |
Protects |
T1486 |
Data Encrypted for Impact |
| SI-4 |
System Monitoring |
Protects |
T1489 |
Service Stop |
| SI-4 |
System Monitoring |
Protects |
T1490 |
Inhibit System Recovery |
| SI-4 |
System Monitoring |
Protects |
T1491 |
Defacement |
| SI-4 |
System Monitoring |
Protects |
T1491.001 |
Internal Defacement |
| SI-4 |
System Monitoring |
Protects |
T1491.002 |
External Defacement |
| SI-4 |
System Monitoring |
Protects |
T1499 |
Endpoint Denial of Service |
| SI-4 |
System Monitoring |
Protects |
T1499.001 |
OS Exhaustion Flood |
| SI-4 |
System Monitoring |
Protects |
T1499.002 |
Service Exhaustion Flood |
| SI-4 |
System Monitoring |
Protects |
T1499.003 |
Application Exhaustion Flood |
| SI-4 |
System Monitoring |
Protects |
T1499.004 |
Application or System Exploitation |
| SI-4 |
System Monitoring |
Protects |
T1505 |
Server Software Component |
| SI-4 |
System Monitoring |
Protects |
T1505.001 |
SQL Stored Procedures |
| SI-4 |
System Monitoring |
Protects |
T1505.002 |
Transport Agent |
| SI-4 |
System Monitoring |
Protects |
T1525 |
Implant Internal Image |
| SI-4 |
System Monitoring |
Protects |
T1528 |
Steal Application Access Token |
| SI-4 |
System Monitoring |
Protects |
T1530 |
Data from Cloud Storage Object |
| SI-4 |
System Monitoring |
Protects |
T1537 |
Transfer Data to Cloud Account |
| SI-4 |
System Monitoring |
Protects |
T1539 |
Steal Web Session Cookie |
| SI-4 |
System Monitoring |
Protects |
T1542.004 |
ROMMONkit |
| SI-4 |
System Monitoring |
Protects |
T1542.005 |
TFTP Boot |
| SI-4 |
System Monitoring |
Protects |
T1543 |
Create or Modify System Process |
| SI-4 |
System Monitoring |
Protects |
T1543.002 |
Systemd Service |
| SI-4 |
System Monitoring |
Protects |
T1543.003 |
Windows Service |
| SI-4 |
System Monitoring |
Protects |
T1546.002 |
Screensaver |
| SI-4 |
System Monitoring |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| SI-4 |
System Monitoring |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SI-4 |
System Monitoring |
Protects |
T1546.008 |
Accessibility Features |
| SI-4 |
System Monitoring |
Protects |
T1546.013 |
PowerShell Profile |
| SI-4 |
System Monitoring |
Protects |
T1546.014 |
Emond |
| SI-4 |
System Monitoring |
Protects |
T1547.002 |
Authentication Package |
| SI-4 |
System Monitoring |
Protects |
T1547.003 |
Time Providers |
| SI-4 |
System Monitoring |
Protects |
T1547.004 |
Winlogon Helper DLL |
| SI-4 |
System Monitoring |
Protects |
T1547.005 |
Security Support Provider |
| SI-4 |
System Monitoring |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| SI-4 |
System Monitoring |
Protects |
T1547.007 |
Re-opened Applications |
| SI-4 |
System Monitoring |
Protects |
T1547.008 |
LSASS Driver |
| SI-4 |
System Monitoring |
Protects |
T1547.009 |
Shortcut Modification |
| SI-4 |
System Monitoring |
Protects |
T1547.011 |
Plist Modification |
| SI-4 |
System Monitoring |
Protects |
T1547.012 |
Print Processors |
| SI-4 |
System Monitoring |
Protects |
T1547.013 |
XDG Autostart Entries |
| SI-4 |
System Monitoring |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SI-4 |
System Monitoring |
Protects |
T1548.001 |
Setuid and Setgid |
| SI-4 |
System Monitoring |
Protects |
T1548.002 |
Bypass User Account Control |
| SI-4 |
System Monitoring |
Protects |
T1548.003 |
Sudo and Sudo Caching |
| SI-4 |
System Monitoring |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SI-4 |
System Monitoring |
Protects |
T1550.001 |
Application Access Token |
| SI-4 |
System Monitoring |
Protects |
T1550.003 |
Pass the Ticket |
| SI-4 |
System Monitoring |
Protects |
T1552 |
Unsecured Credentials |
| SI-4 |
System Monitoring |
Protects |
T1552.001 |
Credentials In Files |
| SI-4 |
System Monitoring |
Protects |
T1552.002 |
Credentials in Registry |
| SI-4 |
System Monitoring |
Protects |
T1552.003 |
Bash History |
| SI-4 |
System Monitoring |
Protects |
T1552.004 |
Private Keys |
| SI-4 |
System Monitoring |
Protects |
T1552.005 |
Cloud Instance Metadata API |
| SI-4 |
System Monitoring |
Protects |
T1552.006 |
Group Policy Preferences |
| SI-4 |
System Monitoring |
Protects |
T1553 |
Subvert Trust Controls |
| SI-4 |
System Monitoring |
Protects |
T1553.001 |
Gatekeeper Bypass |
| SI-4 |
System Monitoring |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1553.004 |
Install Root Certificate |
| SI-4 |
System Monitoring |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| SI-4 |
System Monitoring |
Protects |
T1555 |
Credentials from Password Stores |
| SI-4 |
System Monitoring |
Protects |
T1555.001 |
Keychain |
| SI-4 |
System Monitoring |
Protects |
T1555.002 |
Securityd Memory |
| SI-4 |
System Monitoring |
Protects |
T1555.004 |
Windows Credential Manager |
| SI-4 |
System Monitoring |
Protects |
T1555.005 |
Password Managers |
| SI-4 |
System Monitoring |
Protects |
T1556 |
Modify Authentication Process |
| SI-4 |
System Monitoring |
Protects |
T1556.001 |
Domain Controller Authentication |
| SI-4 |
System Monitoring |
Protects |
T1556.002 |
Password Filter DLL |
| SI-4 |
System Monitoring |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| SI-4 |
System Monitoring |
Protects |
T1556.004 |
Network Device Authentication |
| SI-4 |
System Monitoring |
Protects |
T1557 |
Man-in-the-Middle |
| SI-4 |
System Monitoring |
Protects |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| SI-4 |
System Monitoring |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-4 |
System Monitoring |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| SI-4 |
System Monitoring |
Protects |
T1558.002 |
Silver Ticket |
| SI-4 |
System Monitoring |
Protects |
T1558.003 |
Kerberoasting |
| SI-4 |
System Monitoring |
Protects |
T1558.004 |
AS-REP Roasting |
| SI-4 |
System Monitoring |
Protects |
T1559 |
Inter-Process Communication |
| SI-4 |
System Monitoring |
Protects |
T1559.002 |
Dynamic Data Exchange |
| SI-4 |
System Monitoring |
Protects |
T1560 |
Archive Collected Data |
| SI-4 |
System Monitoring |
Protects |
T1560.001 |
Archive via Utility |
| SI-4 |
System Monitoring |
Protects |
T1561 |
Disk Wipe |
| SI-4 |
System Monitoring |
Protects |
T1561.001 |
Disk Content Wipe |
| SI-4 |
System Monitoring |
Protects |
T1561.002 |
Disk Structure Wipe |
| SI-4 |
System Monitoring |
Protects |
T1562 |
Impair Defenses |
| SI-4 |
System Monitoring |
Protects |
T1562.001 |
Disable or Modify Tools |
| SI-4 |
System Monitoring |
Protects |
T1562.002 |
Disable Windows Event Logging |
| SI-4 |
System Monitoring |
Protects |
T1562.003 |
Impair Command History Logging |
| SI-4 |
System Monitoring |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| SI-4 |
System Monitoring |
Protects |
T1562.006 |
Indicator Blocking |
| SI-4 |
System Monitoring |
Protects |
T1563 |
Remote Service Session Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1563.001 |
SSH Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1563.002 |
RDP Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1564.002 |
Hidden Users |
| SI-4 |
System Monitoring |
Protects |
T1564.004 |
NTFS File Attributes |
| SI-4 |
System Monitoring |
Protects |
T1564.006 |
Run Virtual Instance |
| SI-4 |
System Monitoring |
Protects |
T1564.007 |
VBA Stomping |
| SI-4 |
System Monitoring |
Protects |
T1565 |
Data Manipulation |
| SI-4 |
System Monitoring |
Protects |
T1565.001 |
Stored Data Manipulation |
| SI-4 |
System Monitoring |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| SI-4 |
System Monitoring |
Protects |
T1565.003 |
Runtime Data Manipulation |
| SI-4 |
System Monitoring |
Protects |
T1566 |
Phishing |
| SI-4 |
System Monitoring |
Protects |
T1566.001 |
Spearphishing Attachment |
| SI-4 |
System Monitoring |
Protects |
T1566.002 |
Spearphishing Link |
| SI-4 |
System Monitoring |
Protects |
T1566.003 |
Spearphishing via Service |
| SI-4 |
System Monitoring |
Protects |
T1568 |
Dynamic Resolution |
| SI-4 |
System Monitoring |
Protects |
T1568.002 |
Domain Generation Algorithms |
| SI-4 |
System Monitoring |
Protects |
T1569 |
System Services |
| SI-4 |
System Monitoring |
Protects |
T1569.002 |
Service Execution |
| SI-4 |
System Monitoring |
Protects |
T1570 |
Lateral Tool Transfer |
| SI-4 |
System Monitoring |
Protects |
T1571 |
Non-Standard Port |
| SI-4 |
System Monitoring |
Protects |
T1572 |
Protocol Tunneling |
| SI-4 |
System Monitoring |
Protects |
T1573 |
Encrypted Channel |
| SI-4 |
System Monitoring |
Protects |
T1573.001 |
Symmetric Cryptography |
| SI-4 |
System Monitoring |
Protects |
T1573.002 |
Asymmetric Cryptography |
| SI-4 |
System Monitoring |
Protects |
T1574 |
Hijack Execution Flow |
| SI-4 |
System Monitoring |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1574.004 |
Dylib Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1574.005 |
Executable Installer File Permissions Weakness |
| SI-4 |
System Monitoring |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| SI-4 |
System Monitoring |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| SI-4 |
System Monitoring |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| SI-4 |
System Monitoring |
Protects |
T1574.010 |
Services File Permissions Weakness |
| SI-4 |
System Monitoring |
Protects |
T1578 |
Modify Cloud Compute Infrastructure |
| SI-4 |
System Monitoring |
Protects |
T1578.001 |
Create Snapshot |
| SI-4 |
System Monitoring |
Protects |
T1578.002 |
Create Cloud Instance |
| SI-4 |
System Monitoring |
Protects |
T1578.003 |
Delete Cloud Instance |
| SI-4 |
System Monitoring |
Protects |
T1598 |
Phishing for Information |
| SI-4 |
System Monitoring |
Protects |
T1598.001 |
Spearphishing Service |
| SI-4 |
System Monitoring |
Protects |
T1598.002 |
Spearphishing Attachment |
| SI-4 |
System Monitoring |
Protects |
T1598.003 |
Spearphishing Link |
| SI-4 |
System Monitoring |
Protects |
T1599 |
Network Boundary Bridging |
| SI-4 |
System Monitoring |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SI-4 |
System Monitoring |
Protects |
T1601 |
Modify System Image |
| SI-4 |
System Monitoring |
Protects |
T1601.001 |
Patch System Image |
| SI-4 |
System Monitoring |
Protects |
T1601.002 |
Downgrade System Image |
| SI-4 |
System Monitoring |
Protects |
T1602 |
Data from Configuration Repository |
| SI-4 |
System Monitoring |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-4 |
System Monitoring |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-4 |
System Monitoring |
Protects |
T1610 |
Deploy Container |
| SI-4 |
System Monitoring |
Protects |
T1611 |
Escape to Host |
| SI-4 |
System Monitoring |
Protects |
T1612 |
Build Image on Host |
| SI-4 |
System Monitoring |
Protects |
T1613 |
Container and Resource Discovery |
| SI-5 |
Security Alerts, Advisories, and Directives |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SI-5 |
Security Alerts, Advisories, and Directives |
Protects |
T1210 |
Exploitation of Remote Services |
| SI-5 |
Security Alerts, Advisories, and Directives |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SI-5 |
Security Alerts, Advisories, and Directives |
Protects |
T1212 |
Exploitation for Credential Access |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1003 |
OS Credential Dumping |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1003.003 |
NTDS |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1020.001 |
Traffic Duplication |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1027 |
Obfuscated Files or Information |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1027.002 |
Software Packing |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1036 |
Masquerading |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1036.001 |
Invalid Code Signature |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1036.005 |
Match Legitimate Name or Location |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1037 |
Boot or Logon Initialization Scripts |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1037.002 |
Logon Script (Mac) |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1037.003 |
Network Logon Script |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1037.004 |
RC Scripts |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1037.005 |
Startup Items |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1040 |
Network Sniffing |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1053.006 |
Systemd Timers |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1056.002 |
GUI Input Capture |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059 |
Command and Scripting Interpreter |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.001 |
PowerShell |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.002 |
AppleScript |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.003 |
Windows Command Shell |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.004 |
Unix Shell |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.005 |
Visual Basic |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.006 |
Python |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.007 |
JavaScript |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1059.008 |
Network Device CLI |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1068 |
Exploitation for Privilege Escalation |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1070 |
Indicator Removal on Host |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1070.001 |
Clear Windows Event Logs |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1070.002 |
Clear Linux or Mac System Logs |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1070.003 |
Clear Command History |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1072 |
Software Deployment Tools |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1080 |
Taint Shared Content |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1098.001 |
Additional Cloud Credentials |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1098.002 |
Exchange Email Delegate Permissions |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1098.003 |
Add Office 365 Global Administrator Role |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1114 |
Email Collection |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1114.001 |
Local Email Collection |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1114.002 |
Remote Email Collection |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1114.003 |
Email Forwarding Rule |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1119 |
Automated Collection |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1127 |
Trusted Developer Utilities Proxy Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1129 |
Shared Modules |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1133 |
External Remote Services |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1136 |
Create Account |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1136.001 |
Local Account |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1136.002 |
Domain Account |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1136.003 |
Cloud Account |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1176 |
Browser Extensions |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1185 |
Man in the Browser |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1189 |
Drive-by Compromise |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1190 |
Exploit Public-Facing Application |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1195.003 |
Compromise Hardware Supply Chain |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1203 |
Exploitation for Client Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1204 |
User Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1204.002 |
Malicious File |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1204.003 |
Malicious Image |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1210 |
Exploitation of Remote Services |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1211 |
Exploitation for Defense Evasion |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1212 |
Exploitation for Credential Access |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1213 |
Data from Information Repositories |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1213.001 |
Confluence |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1213.002 |
Sharepoint |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1216 |
Signed Script Proxy Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1216.001 |
PubPrn |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218 |
Signed Binary Proxy Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.001 |
Compiled HTML File |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.002 |
Control Panel |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.003 |
CMSTP |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.004 |
InstallUtil |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.005 |
Mshta |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.008 |
Odbcconf |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.009 |
Regsvcs/Regasm |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.010 |
Regsvr32 |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.011 |
Rundll32 |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1218.012 |
Verclsid |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1219 |
Remote Access Software |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1220 |
XSL Script Processing |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1221 |
Template Injection |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1222 |
File and Directory Permissions Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1222.001 |
Windows File and Directory Permissions Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1485 |
Data Destruction |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1486 |
Data Encrypted for Impact |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1490 |
Inhibit System Recovery |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1491 |
Defacement |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1491.001 |
Internal Defacement |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1491.002 |
External Defacement |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1495 |
Firmware Corruption |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1505 |
Server Software Component |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1505.001 |
SQL Stored Procedures |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1505.002 |
Transport Agent |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1525 |
Implant Internal Image |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1530 |
Data from Cloud Storage Object |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1542 |
Pre-OS Boot |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1542.001 |
System Firmware |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1542.003 |
Bootkit |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1542.004 |
ROMMONkit |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1542.005 |
TFTP Boot |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1543 |
Create or Modify System Process |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1543.002 |
Systemd Service |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546 |
Event Triggered Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.002 |
Screensaver |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.004 |
Unix Shell Configuration Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.008 |
Accessibility Features |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.009 |
AppCert DLLs |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.010 |
AppInit DLLs |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1546.013 |
PowerShell Profile |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.002 |
Authentication Package |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.003 |
Time Providers |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.004 |
Winlogon Helper DLL |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.005 |
Security Support Provider |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.006 |
Kernel Modules and Extensions |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.008 |
LSASS Driver |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.011 |
Plist Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1547.013 |
XDG Autostart Entries |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1548 |
Abuse Elevation Control Mechanism |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1548.004 |
Elevated Execution with Prompt |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1550.001 |
Application Access Token |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1550.004 |
Web Session Cookie |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1552 |
Unsecured Credentials |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1552.004 |
Private Keys |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1553 |
Subvert Trust Controls |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1553.001 |
Gatekeeper Bypass |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1553.003 |
SIP and Trust Provider Hijacking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1553.005 |
Mark-of-the-Web Bypass |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1553.006 |
Code Signing Policy Modification |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1554 |
Compromise Client Software Binary |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1556 |
Modify Authentication Process |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1556.001 |
Domain Controller Authentication |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1556.003 |
Pluggable Authentication Modules |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1556.004 |
Network Device Authentication |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1557 |
Man-in-the-Middle |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1557.002 |
ARP Cache Poisoning |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1558 |
Steal or Forge Kerberos Tickets |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1558.002 |
Silver Ticket |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1558.003 |
Kerberoasting |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1558.004 |
AS-REP Roasting |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1561 |
Disk Wipe |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1561.001 |
Disk Content Wipe |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1561.002 |
Disk Structure Wipe |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1562 |
Impair Defenses |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1562.001 |
Disable or Modify Tools |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1562.002 |
Disable Windows Event Logging |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1562.004 |
Disable or Modify System Firewall |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1562.006 |
Indicator Blocking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1564.003 |
Hidden Window |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1564.004 |
NTFS File Attributes |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1564.006 |
Run Virtual Instance |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1565 |
Data Manipulation |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1565.001 |
Stored Data Manipulation |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1565.002 |
Transmitted Data Manipulation |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1569 |
System Services |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1569.002 |
Service Execution |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574 |
Hijack Execution Flow |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.001 |
DLL Search Order Hijacking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.004 |
Dylib Hijacking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.006 |
Dynamic Linker Hijacking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.007 |
Path Interception by PATH Environment Variable |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.008 |
Path Interception by Search Order Hijacking |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.009 |
Path Interception by Unquoted Path |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1574.012 |
COR_PROFILER |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1599 |
Network Boundary Bridging |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1599.001 |
Network Address Translation Traversal |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1601 |
Modify System Image |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1601.001 |
Patch System Image |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1601.002 |
Downgrade System Image |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1602 |
Data from Configuration Repository |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1602.001 |
SNMP (MIB Dump) |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1602.002 |
Network Device Configuration Dump |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1609 |
Container Administration Command |
| SI-7 |
Software, Firmware, and Information Integrity |
Protects |
T1611 |
Escape to Host |
| SI-8 |
Spam Protection |
Protects |
T1204 |
User Execution |
| SI-8 |
Spam Protection |
Protects |
T1204.001 |
Malicious Link |
| SI-8 |
Spam Protection |
Protects |
T1204.002 |
Malicious File |
| SI-8 |
Spam Protection |
Protects |
T1204.003 |
Malicious Image |
| SI-8 |
Spam Protection |
Protects |
T1221 |
Template Injection |
| SI-8 |
Spam Protection |
Protects |
T1566 |
Phishing |
| SI-8 |
Spam Protection |
Protects |
T1566.001 |
Spearphishing Attachment |
| SI-8 |
Spam Protection |
Protects |
T1566.002 |
Spearphishing Link |
| SI-8 |
Spam Protection |
Protects |
T1566.003 |
Spearphishing via Service |
| SI-8 |
Spam Protection |
Protects |
T1598 |
Phishing for Information |
| SI-8 |
Spam Protection |
Protects |
T1598.001 |
Spearphishing Service |
| SI-8 |
Spam Protection |
Protects |
T1598.002 |
Spearphishing Attachment |
| SI-8 |
Spam Protection |
Protects |
T1598.003 |
Spearphishing Link |
| SR-11 |
Component Authenticity |
Protects |
T1059.002 |
AppleScript |
| SR-11 |
Component Authenticity |
Protects |
T1204.003 |
Malicious Image |
| SR-11 |
Component Authenticity |
Protects |
T1505 |
Server Software Component |
| SR-11 |
Component Authenticity |
Protects |
T1505.001 |
SQL Stored Procedures |
| SR-11 |
Component Authenticity |
Protects |
T1505.002 |
Transport Agent |
| SR-11 |
Component Authenticity |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SR-11 |
Component Authenticity |
Protects |
T1554 |
Compromise Client Software Binary |
| SR-11 |
Component Authenticity |
Protects |
T1601 |
Modify System Image |
| SR-11 |
Component Authenticity |
Protects |
T1601.001 |
Patch System Image |
| SR-11 |
Component Authenticity |
Protects |
T1601.002 |
Downgrade System Image |
| SR-4 |
Provenance |
Protects |
T1059.002 |
AppleScript |
| SR-4 |
Provenance |
Protects |
T1204.003 |
Malicious Image |
| SR-4 |
Provenance |
Protects |
T1505 |
Server Software Component |
| SR-4 |
Provenance |
Protects |
T1505.001 |
SQL Stored Procedures |
| SR-4 |
Provenance |
Protects |
T1505.002 |
Transport Agent |
| SR-4 |
Provenance |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SR-4 |
Provenance |
Protects |
T1554 |
Compromise Client Software Binary |
| SR-4 |
Provenance |
Protects |
T1601 |
Modify System Image |
| SR-4 |
Provenance |
Protects |
T1601.001 |
Patch System Image |
| SR-4 |
Provenance |
Protects |
T1601.002 |
Downgrade System Image |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1059.002 |
AppleScript |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1204.003 |
Malicious Image |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1505 |
Server Software Component |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1505.001 |
SQL Stored Procedures |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1505.002 |
Transport Agent |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1554 |
Compromise Client Software Binary |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1601 |
Modify System Image |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1601.001 |
Patch System Image |
| SR-5 |
Acquisition Strategies, Tools, and Methods |
Protects |
T1601.002 |
Downgrade System Image |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1059.002 |
AppleScript |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1204.003 |
Malicious Image |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1505 |
Server Software Component |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1505.001 |
SQL Stored Procedures |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1505.002 |
Transport Agent |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1546.006 |
LC_LOAD_DYLIB Addition |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1554 |
Compromise Client Software Binary |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1601 |
Modify System Image |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1601.001 |
Patch System Image |
| SR-6 |
Supplier Assessments and Reviews |
Protects |
T1601.002 |
Downgrade System Image |
