VERIS MAPPINGS

The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner that allows for the analysis of data across a variety of incidents. This project provides mappings to better connect the who, what, and why captured in VERIS incident representation with the when and how described in MITRE ATT&CK® adversary behavioral tactics and techniques.

VERIS Versions: 1.3.7, 1.3.5
ATT&CK Versions: 12.1, 9.0
ATT&CK Domain: Enterprise, ICS, Mobile

VERIS Mapping Methodology

Capability Groups

ID Capability Group Name Number of Mappings Number of Capabilities
action.hacking action.hacking 409 52
action.malware action.malware 411 49
attribute.integrity attribute.integrity 81 11
attribute.confidentiality attribute.confidentiality 69 1
attribute.availability attribute.availability 40 5
action.social action.social 59 10
value_chain.development value_chain.development 23 10

All Mappings

This is a very large mapping. To reduce the size, we have only downloaded the first 500 of 1,092 mappings.

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1047 Windows Management Instrumentation
action.hacking.vector.Command shell Remote shell related-to T1047 Windows Management Instrumentation
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1047 Windows Management Instrumentation
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053 Scheduled Task/Job
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1053 Scheduled Task/Job
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1053 Scheduled Task/Job
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.002 Scheduled Task/Job: At
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.003 Scheduled Task/Job: Cron
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.005 Scheduled Task/Job: Scheduled Task
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.006 Scheduled Task/Job: Systemd Timers
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.007 Scheduled Task/Job: Container Orchestration Job
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059 Command and Scripting Interpreter
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059 Command and Scripting Interpreter
action.hacking.vector.Command shell Remote shell related-to T1059 Command and Scripting Interpreter
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.001 Command and Scripting Interpreter: PowerShell
action.hacking.vector.Command shell Remote shell related-to T1059.001 Command and Scripting Interpreter: PowerShell
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.002 Command and Scripting Interpreter: AppleScript
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059.002 Command and Scripting Interpreter: AppleScript
action.hacking.vector.Command shell Remote shell related-to T1059.002 Command and Scripting Interpreter: AppleScript
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell
action.hacking.vector.Command shell Remote shell related-to T1059.003 Command and Scripting Interpreter: Windows Command Shell
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.004 Command and Scripting Interpreter: Unix Shell
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059.004 Command and Scripting Interpreter: Unix Shell
action.hacking.vector.Command shell Remote shell related-to T1059.004 Command and Scripting Interpreter: Unix Shell
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.005 Command and Scripting Interpreter: Visual Basic
action.hacking.vector.Command shell Remote shell related-to T1059.005 Command and Scripting Interpreter: Visual Basic
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1059.005 Command and Scripting Interpreter: Visual Basic
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.006 Command and Scripting Interpreter: Python
action.hacking.vector.Command shell Remote shell related-to T1059.006 Command and Scripting Interpreter: Python
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.007 Command and Scripting Interpreter: JavaScript
action.hacking.vector.Command shell Remote shell related-to T1059.007 Command and Scripting Interpreter: JavaScript
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1059.007 Command and Scripting Interpreter: JavaScript
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.008 Command and Scripting Interpreter: Network Device CLI
action.hacking.vector.Command shell Remote shell related-to T1059.008 Command and Scripting Interpreter: Network Device CLI
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1072 Software Deployment Tools
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1072 Software Deployment Tools
action.malware.vector.Software update Included in automated software update related-to T1072 Software Deployment Tools
attribute.integrity.variety.Software installation Software installation or code modification related-to T1072 Software Deployment Tools
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1106 Native API
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1112 Modify Registry
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1127 Trusted Developer Utilities Proxy Execution
action.hacking.variety.Unknown Unknown related-to T1127 Trusted Developer Utilities Proxy Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild
action.hacking.variety.Unknown Unknown related-to T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1129 Shared Modules
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137 Office Application Startup
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137.001 Office Application Startup: Office Template Macros
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137.002 Office Application Startup: Office Test
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137.003 Office Application Startup: Outlook Forms
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137.004 Office Application Startup: Outlook Home Page
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137.005 Office Application Startup: Outlook Rules
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1187 Forced Authentication
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1187 Forced Authentication
attribute.confidentiality.data_disclosure related-to T1187 Forced Authentication
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1202 Indirect Command Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1216 Signed Script Proxy Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1216.001 Signed Script Proxy Execution: PubPrn
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218 Signed Binary Proxy Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.001 Signed Binary Proxy Execution: Compiled HTML File
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.002 Signed Binary Proxy Execution: Control Panel
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.003 Signed Binary Proxy Execution: CMSTP
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.004 Signed Binary Proxy Execution: InstallUtil
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.005 Signed Binary Proxy Execution: Mshta
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.007 Signed Binary Proxy Execution: Msiexec
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.008 Signed Binary Proxy Execution: Odbcconf
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.010 Signed Binary Proxy Execution: Regsvr32
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.011 Signed Binary Proxy Execution: Rundll32
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.012 Signed Binary Proxy Execution: Verclsid
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.013 System Binary Proxy Execution: Mavinject
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.014 System Binary Proxy Execution: MMC
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1220 XSL Script Processing
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1505.001 Server Software Component: SQL Stored Procedures
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.001 Server Software Component: SQL Stored Procedures
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.001 Server Software Component: SQL Stored Procedures
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1505.002 Server Software Component: Transport Agent
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.002 Server Software Component: Transport Agent
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.002 Server Software Component: Transport Agent
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1529 System Shutdown/Reboot
attribute.availability.variety.Interruption Interruption related-to T1529 System Shutdown/Reboot
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543 Create or Modify System Process
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1543 Create or Modify System Process
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1543 Create or Modify System Process
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1543 Create or Modify System Process
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1543 Create or Modify System Process
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1543 Create or Modify System Process
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543 Create or Modify System Process
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.001 Create or Modify System Process: Launch Agent
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.001 Create or Modify System Process: Launch Agent
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.002 Create or Modify System Process: Systemd Service
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.002 Create or Modify System Process: Systemd Service
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.003 Create or Modify System Process: Windows Service
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1543.003 Create or Modify System Process: Windows Service
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.003 Create or Modify System Process: Windows Service
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.004 Create or Modify System Process: Launch Daemon
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.004 Create or Modify System Process: Launch Daemon
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1547 Boot or Logon Autostart Execution
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1547 Boot or Logon Autostart Execution
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1547 Boot or Logon Autostart Execution
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547 Boot or Logon Autostart Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548 Abuse Elevation Control Mechanism
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559 Inter-Process Communication
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559.001 Inter-Process Communication: Component Object Model
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559.002 Inter-Process Communication: Dynamic Data Exchange
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes) related-to T1563 Remote Service Session Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes) related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563.002 Remote Service Session Hijacking: RDP Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes) related-to T1563.002 Remote Service Session Hijacking: RDP Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.002 Remote Service Session Hijacking: RDP Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564 Hide Artifacts
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.001 Hide Artifacts: Hidden Files and Directories
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hide Artifacts: Hidden Files and Directories
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hide Artifacts: Hidden Files and Directories
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hide Artifacts: Hidden Files and Directories
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.002 Hide Artifacts: Hidden Users
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hide Artifacts: Hidden Users
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hide Artifacts: Hidden Users
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hide Artifacts: Hidden Users
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.003 Hide Artifacts: Hidden Window
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hide Artifacts: Hidden Window
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hide Artifacts: Hidden Window
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hide Artifacts: Hidden Window
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.004 Hide Artifacts: NTFS File Attributes
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 Hide Artifacts: NTFS File Attributes
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 Hide Artifacts: NTFS File Attributes
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 Hide Artifacts: NTFS File Attributes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.005 Hide Artifacts: Hidden File System
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hide Artifacts: Hidden File System
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hide Artifacts: Hidden File System
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hide Artifacts: Hidden File System
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.006 Hide Artifacts: Run Virtual Instance
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Hide Artifacts: Run Virtual Instance
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Hide Artifacts: Run Virtual Instance
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Hide Artifacts: Run Virtual Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.007 Hide Artifacts: VBA Stomping
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 Hide Artifacts: VBA Stomping
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 Hide Artifacts: VBA Stomping
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1564.007 Hide Artifacts: VBA Stomping
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 Hide Artifacts: VBA Stomping
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569 System Services
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569.001 System Services: Launchctl
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569.002 System Services: Service Execution
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 System Services: Service Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578 Modify Cloud Computer Infrastructure
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1578 Modify Cloud Computer Infrastructure
action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1578 Modify Cloud Computer Infrastructure
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.001 Modify Cloud Computer Infrastructure: Create Snapshot
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.002 Modify Cloud Computer Infrastructure: Create Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.003 Modify Cloud Computer Infrastructure: Delete Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.004 Modify Cloud Computer Infrastructure: Revert Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1609 Container Administration Command
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1098 Account Manipulation
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1098 Account Manipulation
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1098 Account Manipulation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1098 Account Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098 Account Manipulation
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1037 Boot or Logon Initialization Scripts
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1037 Boot or Logon Initialization Scripts
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1037 Boot or Logon Initialization Scripts
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1037 Boot or Logon Initialization Scripts
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037 Boot or Logon Initialization Scripts
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1554 Compromise Client Software Binary
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1554 Compromise Client Software Binary
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1554 Compromise Client Software Binary
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1554 Compromise Client Software Binary
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1554 Compromise Client Software Binary
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1554 Compromise Client Software Binary
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1136 Create Accounts
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1136 Create Accounts
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1136 Create Accounts
attribute.integrity.variety.Created account Created new user account related-to T1136 Create Accounts
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1546 Event Triggered Execution
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1546 Event Triggered Execution
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1546 Event Triggered Execution
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546 Event Triggered Execution
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1133 External Remote Services
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1133 External Remote Services
action.hacking.vector.3rd party desktop 3rd party online desktop sharing (LogMeIn, Go2Assist) related-to T1133 External Remote Services
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1133 External Remote Services
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1133 External Remote Services
action.hacking.vector.VPN VPN related-to T1133 External Remote Services
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1133 External Remote Services
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1133 External Remote Services
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) related-to T1133 External Remote Services
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by'. related-to T1133 External Remote Services
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1525 Implant Internal Image
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1525 Implant Internal Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1525 Implant Internal Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Internal Image
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1556 Modify Authentication Process
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556 Modify Authentication Process
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1078 Valid Accounts
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1078 Valid Accounts
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1078 Valid Accounts
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110 Brute Force
action.malware.variety.Brute force Brute force attack related-to T1110 Brute Force
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110.001 Brute Force: Password Guessing
action.malware.variety.Brute force Brute force attack related-to T1110.001 Brute Force: Password Guessing
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110.002 Brute Force: Password Cracking
action.hacking.variety.Offline cracking Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR) related-to T1110.002 Brute Force: Password Cracking
action.malware.variety.Brute force Brute force attack related-to T1110.002 Brute Force: Password Cracking
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110.003 Brute Force: Password Spraying
action.malware.variety.Brute force Brute force attack related-to T1110.003 Brute Force: Password Spraying
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110.004 Brute Force: Credential Stuffing
action.malware.variety.Brute force Brute force attack related-to T1110.004 Brute Force: Credential Stuffing
action.hacking.variety.Buffer overflow Buffer overflow. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP request smuggling HTTP request smuggling. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP request splitting HTTP request splitting. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP response smuggling HTTP response smuggling. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP response splitting HTTP response splitting. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1203 Exploitation for Client Execution
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1203 Exploitation for Client Execution
action.hacking.variety.Cache poisoning Cache poisoning. Child of 'Exploit vuln'. related-to T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning
action.hacking.variety.Cryptanalysis Cryptanalysis. Child of 'Exploit vuln'. related-to T1600 Weaken Encryption
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600 Weaken Encryption
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1562 Impair Defenses
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable Cloud Logs
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable Cloud Logs
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1489 Service Stop
action.malware.variety.DoS DoS attack related-to T1489 Service Stop
attribute.availability.variety.Interruption Interruption related-to T1489 Service Stop
action.hacking.variety.DoS Denial of service related-to T1498 Network Denial of Service
action.malware.variety.DoS DoS attack related-to T1498 Network Denial of Service
attribute.availability.variety.Degradation Performance degradation related-to T1498 Network Denial of Service
attribute.availability.variety.Loss Loss related-to T1498 Network Denial of Service
action.hacking.variety.DoS Denial of service related-to T1498.001 Network Denial of Service: Direct Network Flood
action.malware.variety.DoS DoS attack related-to T1498.001 Network Denial of Service: Direct Network Flood
attribute.availability.variety.Degradation Performance degradation related-to T1498.001 Network Denial of Service: Direct Network Flood
attribute.availability.variety.Loss Loss related-to T1498.001 Network Denial of Service: Direct Network Flood
action.hacking.variety.DoS Denial of service related-to T1498.002 Network Denial of Service: Reflection Amplification
action.malware.variety.DoS DoS attack related-to T1498.002 Network Denial of Service: Reflection Amplification
attribute.availability.variety.Degradation Performance degradation related-to T1498.002 Network Denial of Service: Reflection Amplification
attribute.availability.variety.Loss Loss related-to T1498.002 Network Denial of Service: Reflection Amplification
action.hacking.variety.DoS Denial of service related-to T1499 Endpoint Denial of Service
action.hacking.variety.Soap array abuse Soap array abuse. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.hacking.variety.XML external entities XML external entities. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.malware.variety.DoS DoS attack related-to T1499 Endpoint Denial of Service
attribute.availability.variety.Degradation Performance degradation related-to T1499 Endpoint Denial of Service
attribute.availability.variety.Loss Loss related-to T1499 Endpoint Denial of Service
action.hacking.variety.DoS Denial of service related-to T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.002 Endpoint Denial of Service: Service Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
action.malware.variety.DoS DoS attack related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.004 Endpoint Denial of Service: Application or System Exploitation
action.malware.variety.DoS DoS attack related-to T1499.004 Endpoint Denial of Service: Application or System Exploitation
attribute.availability.variety.Degradation Performance degradation related-to T1499.004 Endpoint Denial of Service: Application or System Exploitation
attribute.availability.variety.Loss Loss related-to T1499.004 Endpoint Denial of Service: Application or System Exploitation
action.hacking.variety.DoS Denial of service related-to T1583.005 Acquire Infrastructure: Botnet
action.hacking.variety.Unknown Unknown related-to T1583.005 Acquire Infrastructure: Botnet
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1583.005 Acquire Infrastructure: Botnet
action.hacking.variety.DoS Denial of service related-to T1584.005 Compromise Infrastructure: Botnet
action.hacking.variety.Unknown Unknown related-to T1584.005 Compromise Infrastructure: Botnet
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1036 Masquerading
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1014 Rootkit
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553 Subvert Trust Controls
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1001 Data Obfuscation
action.malware.variety.Unknown Unknown related-to T1001 Data Obfuscation
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.Unknown Unknown related-to T1001.001 Data Obfuscation: Junk Data
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1001.002 Data Obfuscation: Steganography
action.malware.variety.Unknown Unknown related-to T1001.002 Data Obfuscation: Steganography
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1001.003 Data Obfuscation: Protocol Impersonation
action.malware.variety.Unknown Unknown related-to T1001.003 Data Obfuscation: Protocol Impersonation
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1071 Application Layer Protocol
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1071 Application Layer Protocol
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1071 Application Layer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071 Application Layer Protocol
action.malware.variety.Unknown Unknown related-to T1071 Application Layer Protocol
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1132 Data Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132 Data Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132 Data Encoding
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1132.001 Data Encoding: Standard Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132.001 Data Encoding: Standard Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132.001 Data Encoding: Standard Encoding
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1132.002 Data Encoding: Non-Standard Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132.002 Data Encoding: Non-Standard Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132.002 Data Encoding: Non-Standard Encoding
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568 Dynamic Resolution
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1568 Dynamic Resolution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568 Dynamic Resolution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.001 Dynamic Resolution: Fast Flux DNS
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.001 Dynamic Resolution: Fast Flux DNS
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.001 Dynamic Resolution: Fast Flux DNS
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.003 Dynamic Resolution: DNS Calculation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.003 Dynamic Resolution: DNS Calculation
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.003 Dynamic Resolution: DNS Calculation
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573 Encrypted Channels
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1573 Encrypted Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573 Encrypted Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573 Encrypted Channels
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1008 Fallback Channels
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1008 Fallback Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1008 Fallback Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1008 Fallback Channels
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1104 Multi-Stage Channels
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1104 Multi-Stage Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1104 Multi-Stage Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1104 Multi-Stage Channels
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1572 Protocol Tunneling
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1572 Protocol Tunneling
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1572 Protocol Tunneling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1572 Protocol Tunneling
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1090 Proxy
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1090 Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090 Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090 Proxy
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1205 Traffic Signaling
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205 Traffic Signaling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205 Traffic Signaling
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205.001 Traffic Signaling: Port Knocking
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1205.002 Traffic Signaling: Socket Filters
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1102 Web Service
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1102 Web Service
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1102 Web Service
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102 Web Service
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Format string attack Format string attack. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Fuzz testing Fuzz testing. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Insecure deserialization iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Integer overflows Integer overflows. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.LDAP injection LDAP injection. Child of 'Exploit vuln'. related-to T1068 Exploitation for Privilege Escalation
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1190 Exploit Public-Facing Application
action.hacking.variety.SQLi SQL injection. Child of 'Exploit vuln'. related-to T1190 Exploit Public-Facing Application
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1212 Exploitation for Credential Access
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. related-to T1212 Exploitation for Credential Access
action.hacking.variety.Session fixation Session fixation. Child of 'Exploit vuln'. related-to T1212 Exploitation for Credential Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1212 Exploitation for Credential Access
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1212 Exploitation for Credential Access
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1212 Exploitation for Credential Access
attribute.confidentiality.data_disclosure related-to T1212 Exploitation for Credential Access
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. related-to T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Unknown Unknown related-to T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Unknown Unknown related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
action.hacking.variety.Unknown Unknown related-to T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.010 Hijack Execution Flow: Services File Permissions Weakness
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1574.004 Hijack Execution Flow: Dylib Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574.004 Hijack Execution Flow: Dylib Hijacking
action.hacking.variety.Unknown Unknown related-to T1574.004 Hijack Execution Flow: Dylib Hijacking
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1595.002 Active Scanning: Vulnerability Scanning
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.002 Active Scanning: Vulnerability Scanning
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.hacking.variety.Session replay Session replay. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.malware.variety.Capture app data Capture data from application or system process related-to T1539 Steal Web Session Cookie
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.003 Acquire Infrastructure: Virtual Private Server
action.hacking.variety.Unknown Unknown related-to T1583.003 Acquire Infrastructure: Virtual Private Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.004 Acquire Infrastructure: Server
action.hacking.variety.Unknown Unknown related-to T1583.004 Acquire Infrastructure: Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.006 Acquire Infrastructure: Web Services
action.hacking.variety.Unknown Unknown related-to T1583.006 Acquire Infrastructure: Web Services
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.006 Acquire Infrastructure: Web Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.006 Acquire Infrastructure: Web Services
value_chain.development.variety.Website Development of any full website controlled by the attacker related-to T1583.006 Acquire Infrastructure: Web Services
action.hacking.variety.HTTP request smuggling HTTP request smuggling. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.hacking.variety.HTTP request splitting HTTP request splitting. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.hacking.variety.HTTP response smuggling HTTP response smuggling. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.hacking.variety.HTTP response splitting HTTP response splitting. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1185 Browser Session Hijacking
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.hacking.variety.Session fixation Session fixation. Child of 'Exploit vuln'. related-to T1185 Browser Session Hijacking
action.malware.variety.Capture app data Capture data from application or system process related-to T1185 Browser Session Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1496 Resource Hijacking
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
attribute.availability.variety.Degradation Performance degradation related-to T1496 Resource Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574 Hijack Execution Flow
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
action.hacking.variety.Routing detour Routing detour. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
attribute.confidentiality.data_disclosure related-to T1557 Man-in-the-Middle
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay
action.malware.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay
action.hacking.variety.Null byte injection Null byte injection. Child of 'Exploit vuln'. related-to T1027 Obfuscated Files or Information
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027 Obfuscated Files or Information
action.hacking.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1082 System Information Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1082 System Information Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1033 System Owner/User Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1007 System Service Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1007 System Service Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1012 Query Registry
action.malware.variety.Profile host Enumerating the state of the current host related-to T1012 Query Registry
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1083 File and Directory Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1083 File and Directory Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1083 File and Directory Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1057 Process Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1120 Peripheral Device Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1124 System Time Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1201 Password Policy Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1119 Automated Collection
action.hacking.variety.Scan network Enumerating the state of the network related-to T1119 Automated Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1119 Automated Collection
attribute.confidentiality.data_disclosure related-to T1119 Automated Collection
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1480 Execution Guardrails
action.hacking.variety.Scan network Enumerating the state of the network related-to T1480 Execution Guardrails
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1480.001 Execution Guardrails: Environmental Keying
action.hacking.variety.Scan network Enumerating the state of the network related-to T1480.001 Execution Guardrails: Environmental Keying

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or cannot be mapped to any ATT&CK objects.

Capability ID Capability Description
Action.Hacking.Variety.Special element injection Special element injection. Child of 'Exploit vuln'.
Action.Social.Variety.Elicitation Elicitation (subtle extraction of info through conversation)
Action.Social.Variety.Unknown Unknown
Action.Social.Variety.Extortion Extortion or blackmail
Attribute.Availability.Variety.Other Other
Attribute.Integrity.Variety.Hardware tampering Hardware tampering or physical alteration
Action.Hacking.Variety.User breakout Elevation of privilege by another customer in shared environment. Child of 'Exploit vuln'.
Action.Hacking.Variety.RFI Remote file inclusion. Child of 'Exploit vuln'.
Action.Hacking.Vector.Unknown Unknown
Action.Social.Vector.In-person In-person
Value_chain.development.variety.NA No type of development was necessary
Action.Social.Variety.Prompt Bombing Bombarding the user with MFA prompts to get them to accept the login request
Action.Social.Variety.Spam Spam (unsolicited or undesired email and advertisements)
Action.Social.Vector.IM Instant messaging
Action.Hacking.Variety.Other Other
Action.Malware.Variety.Other Other
Action.Hacking.Variety.URL redirector abuse URL redirector abuse. Child of 'Exploit vuln'.
Action.Hacking.Variety.SSI injection SSI injection. Child of 'Exploit vuln'.
Action.Social.Variety.Propaganda Propaganda or disinformation
Action.Hacking.Variety.Mail command injection Mail command injection. Child of 'Exploit vuln'.
Action.Malware.Variety.Spam Send spam
Attribute.Integrity.Variety.Other Other
Attribute.Availability.Variety.Unknown Unknown
Action.Malware.Vector.Email other Email sub-variety known, but not one of those listed (attachment, link, autoexecute, etc). Child of 'Email'
Action.Hacking.Variety.CSRF Cross-site request forgery. Child of 'Exploit vuln'.
Action.Social.Vector.Documents Documents
Action.Malware.Vector.Other Other
Attribute.Integrity.Variety.Fraudulent transaction Initiate fraudulent transaction
Action.Hacking.Variety.XQuery injection XQuery injection. Child of 'Exploit vuln'.
Action.Social.Variety.Other Other
Action.Hacking.Variety.Reverse engineering Reverse engineering. Child of 'Exploit vuln'.
Action.Hacking.Variety.XSS Cross-site scripting. Child of 'Exploit vuln'.
Action.Social.Variety.Baiting Prepare malicious content in a location where a victim is likely to interact with it. (e.g. SEO - vect: websites, left usbs- vect: removable media, etc)
Action.Social.Vector.SMS SMS or texting
Action.Hacking.Variety.Soap array abuse Soap array abuse. Child of 'Exploit vuln'.
Action.Malware.Vector.Email autoexecute Email via automatic execution. Child of 'Email'
Action.Social.Variety.Scam Online scam or hoax (e.g., scareware, 419 scam, auction fraud)
Action.Social.Variety.Influence Influence tactics (Leveraging authority or obligation, framing, etc)
Value_chain.development.variety.Email Develop an email such as for phishing.
Action.Hacking.Variety.Path traversal Path traversal. Child of 'Exploit vuln'.
Action.Social.Variety.Bribery Bribery or solicitation
Action.Malware.Vector.Unknown Unknown
Value_chain.development.variety.Physical Development of something physical such as a skimming device
Action.Malware.Vector.Email unknown Email but sub-variety (attachment, autoexecute, link, etc) not known. Child of 'Email'
Action.Hacking.Variety.XML attribute blowup XML attribute blowup. Child of 'Exploit vuln'.
Action.Social.Vector.Unknown Unknown
Attribute.Availability.Variety.Acceleration Acceleration
Action.Social.Vector.Other Other
Action.Social.Vector.Phone Phone
Action.Hacking.Variety.XML entity expansion XML entity expansion. Child of 'Exploit vuln'.
Action.Hacking.Vector.Other Other