action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1047 |
Windows Management Instrumentation |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1047 |
Windows Management Instrumentation |
action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1047 |
Windows Management Instrumentation |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053 |
Scheduled Task/Job |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1053 |
Scheduled Task/Job |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1053 |
Scheduled Task/Job |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053.002 |
Scheduled Task/Job: At |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053.003 |
Scheduled Task/Job: Cron |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053.005 |
Scheduled Task/Job: Scheduled Task |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053.006 |
Scheduled Task/Job: Systemd Timers |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1053.007 |
Scheduled Task/Job: Container Orchestration Job |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059 |
Command and Scripting Interpreter |
action.hacking.variety.OS commanding |
OS commanding. Child of 'Exploit vuln'. |
related-to |
T1059 |
Command and Scripting Interpreter |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059 |
Command and Scripting Interpreter |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.002 |
Command and Scripting Interpreter: AppleScript |
action.hacking.variety.OS commanding |
OS commanding. Child of 'Exploit vuln'. |
related-to |
T1059.002 |
Command and Scripting Interpreter: AppleScript |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.002 |
Command and Scripting Interpreter: AppleScript |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.003 |
Command and Scripting Interpreter: Windows Command Shell |
action.hacking.variety.OS commanding |
OS commanding. Child of 'Exploit vuln'. |
related-to |
T1059.003 |
Command and Scripting Interpreter: Windows Command Shell |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.003 |
Command and Scripting Interpreter: Windows Command Shell |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.004 |
Command and Scripting Interpreter: Unix Shell |
action.hacking.variety.OS commanding |
OS commanding. Child of 'Exploit vuln'. |
related-to |
T1059.004 |
Command and Scripting Interpreter: Unix Shell |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.004 |
Command and Scripting Interpreter: Unix Shell |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.006 |
Command and Scripting Interpreter: Python |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.006 |
Command and Scripting Interpreter: Python |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.007 |
Command and Scripting Interpreter: JavaScript |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.007 |
Command and Scripting Interpreter: JavaScript |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.007 |
Command and Scripting Interpreter: JavaScript |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1059.008 |
Command and Scripting Interpreter: Network Device CLI |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1059.008 |
Command and Scripting Interpreter: Network Device CLI |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1072 |
Software Deployment Tools |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1072 |
Software Deployment Tools |
action.malware.vector.Software update |
Included in automated software update |
related-to |
T1072 |
Software Deployment Tools |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1072 |
Software Deployment Tools |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1106 |
Native API |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1112 |
Modify Registry |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1127 |
Trusted Developer Utilities Proxy Execution |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1127 |
Trusted Developer Utilities Proxy Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1127.001 |
Tursted Developer Utilities Proxy Execution: MSBuild |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1127.001 |
Tursted Developer Utilities Proxy Execution: MSBuild |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1129 |
Shared Modules |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137 |
Office Application Startup |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137.001 |
Office Application Startup: Office Template Macros |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137.002 |
Office Application Startup: Office Test |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137.003 |
Office Application Startup: Outlook Forms |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137.004 |
Office Application Startup: Outlook Home Page |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1137.005 |
Office Application Startup: Outlook Rules |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1187 |
Forced Authentication |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1187 |
Forced Authentication |
attribute.confidentiality.data_disclosure |
|
related-to |
T1187 |
Forced Authentication |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1202 |
Indirect Command Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1216 |
Signed Script Proxy Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1216.001 |
Signed Script Proxy Execution: PubPrn |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218 |
Signed Binary Proxy Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.001 |
Signed Binary Proxy Execution: Compiled HTML File |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.002 |
Signed Binary Proxy Execution: Control Panel |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.003 |
Signed Binary Proxy Execution: CMSTP |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.004 |
Signed Binary Proxy Execution: InstallUtil |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.005 |
Signed Binary Proxy Execution: Mshta |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.008 |
Signed Binary Proxy Execution: Odbcconf |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.009 |
Signed Binary Proxy Execution: Regsvcs/Regasm |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.010 |
Signed Binary Proxy Execution: Regsvr32 |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.011 |
Signed Binary Proxy Execution: Rundll32 |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.012 |
Signed Binary Proxy Execution: Verclsid |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.013 |
System Binary Proxy Execution: Mavinject |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1218.014 |
System Binary Proxy Execution: MMC |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1220 |
XSL Script Processing |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1529 |
System Shutdown/Reboot |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1529 |
System Shutdown/Reboot |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1543 |
Create or Modify System Process |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1543 |
Create or Modify System Process |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1543 |
Create or Modify System Process |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1543 |
Create or Modify System Process |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1543 |
Create or Modify System Process |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1543 |
Create or Modify System Process |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1543 |
Create or Modify System Process |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1543.001 |
Create or Modify System Process: Launch Agent |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1543.001 |
Create or Modify System Process: Launch Agent |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1543.002 |
Create or Modify System Process: Systemd Service |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1543.002 |
Create or Modify System Process: Systemd Service |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1543.003 |
Create or Modify System Process: Windows Service |
action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1543.003 |
Create or Modify System Process: Windows Service |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1543.003 |
Create or Modify System Process: Windows Service |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1543.004 |
Create or Modify System Process: Launch Daemon |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1543.004 |
Create or Modify System Process: Launch Daemon |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1548 |
Abuse Elevation Control Mechanism |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1548.001 |
Abuse Elevation Control Mechanism: Setuid and Setgid |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1548.004 |
Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.004 |
Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1559 |
Inter-Process Communication |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1559.001 |
Inter-Process Communication: Component Object Model |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1559.002 |
Inter-Process Communication: Dynamic Data Exchange |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1563 |
Remote Service Session Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1563 |
Remote Service Session Hijacking |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563 |
Remote Service Session Hijacking |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564 |
Hide Artifacts |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564 |
Hide Artifacts |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564 |
Hide Artifacts |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564 |
Hide Artifacts |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.002 |
Hide Artifacts: Hidden Users |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.002 |
Hide Artifacts: Hidden Users |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.002 |
Hide Artifacts: Hidden Users |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.002 |
Hide Artifacts: Hidden Users |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.003 |
Hide Artifacts: Hidden Window |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.003 |
Hide Artifacts: Hidden Window |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.003 |
Hide Artifacts: Hidden Window |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.003 |
Hide Artifacts: Hidden Window |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.004 |
Hide Artifacts: NTFS File Attributes |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.004 |
Hide Artifacts: NTFS File Attributes |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.004 |
Hide Artifacts: NTFS File Attributes |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.004 |
Hide Artifacts: NTFS File Attributes |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.005 |
Hide Artifacts: Hidden File System |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.005 |
Hide Artifacts: Hidden File System |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.005 |
Hide Artifacts: Hidden File System |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.005 |
Hide Artifacts: Hidden File System |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.006 |
Hide Artifacts: Run Virtual Instance |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.006 |
Hide Artifacts: Run Virtual Instance |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.006 |
Hide Artifacts: Run Virtual Instance |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.006 |
Hide Artifacts: Run Virtual Instance |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1569 |
System Services |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1569.001 |
System Services: Launchctl |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1569.002 |
System Services: Service Execution |
action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1569.002 |
System Services: Service Execution |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1578 |
Modify Cloud Computer Infrastructure |
action.hacking.vector.Hypervisor |
Hypervisor break-out attack |
related-to |
T1578 |
Modify Cloud Computer Infrastructure |
action.hacking.vector.Inter-tenant |
Penetration of another VM or web site on shared device or infrastructure |
related-to |
T1578 |
Modify Cloud Computer Infrastructure |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1578.001 |
Modify Cloud Computer Infrastructure: Create Snapshot |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1578.002 |
Modify Cloud Computer Infrastructure: Create Cloud Instance |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1578.003 |
Modify Cloud Computer Infrastructure: Delete Cloud Instance |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1578.004 |
Modify Cloud Computer Infrastructure: Revert Cloud Instance |
action.hacking.variety.Abuse of functionality |
Abuse of functionality. |
related-to |
T1609 |
Container Administration Command |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1098 |
Account Manipulation |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1098 |
Account Manipulation |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1098 |
Account Manipulation |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1098 |
Account Manipulation |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1098 |
Account Manipulation |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1554 |
Compromise Client Software Binary |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1554 |
Compromise Client Software Binary |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1136 |
Create Accounts |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1136 |
Create Accounts |
action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new filess |
related-to |
T1136 |
Create Accounts |
attribute.integrity.variety.Created account |
Created new user account |
related-to |
T1136 |
Create Accounts |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1546 |
Event Triggered Execution |
action.hacking.variety.XML injection |
XML injection. Child of 'Exploit vuln'. |
related-to |
T1546 |
Event Triggered Execution |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1546 |
Event Triggered Execution |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1546 |
Event Triggered Execution |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1546 |
Event Triggered Execution |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546 |
Event Triggered Execution |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1133 |
External Remote Services |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1133 |
External Remote Services |
action.hacking.vector.3rd party desktop |
3rd party online desktop sharing (LogMeIn, Go2Assist) |
related-to |
T1133 |
External Remote Services |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1133 |
External Remote Services |
action.hacking.vector.Desktop sharing software |
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two |
related-to |
T1133 |
External Remote Services |
action.hacking.vector.VPN |
VPN |
related-to |
T1133 |
External Remote Services |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1133 |
External Remote Services |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1133 |
External Remote Services |
action.malware.vector.Remote injection |
Remotely injected by agent (e.g., via SQLi) |
related-to |
T1133 |
External Remote Services |
action.malware.vector.Web application |
Web application. Parent of 'Web application - download' and 'Web application - drive-by'. |
related-to |
T1133 |
External Remote Services |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1525 |
Implant Internal Image |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1525 |
Implant Internal Image |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1525 |
Implant Internal Image |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1525 |
Implant Internal Image |
action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1525 |
Implant Internal Image |
action.malware.variety.Unknown |
Unknown |
related-to |
T1525 |
Implant Internal Image |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1556 |
Modify Authentication Process |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1556 |
Modify Authentication Process |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1556 |
Modify Authentication Process |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1556 |
Modify Authentication Process |
action.hacking.variety.Backdoor |
Hacking action that creates a backdoor for use. |
related-to |
T1078 |
Valid Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1078 |
Valid Accounts |
action.hacking.vector.Backdoor |
Hacking actions taken through a backdoor. C2 is only used by malware. |
related-to |
T1078 |
Valid Accounts |
action.hacking.variety.Brute force |
Brute force or password guessing attacks. |
related-to |
T1110 |
Brute Force |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110 |
Brute Force |
action.hacking.variety.Brute force |
Brute force or password guessing attacks. |
related-to |
T1110.001 |
Brute Force: Password Guessing |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.001 |
Brute Force: Password Guessing |
action.hacking.variety.Brute force |
Brute force or password guessing attacks. |
related-to |
T1110.002 |
Brute Force: Password Cracking |
action.hacking.variety.Offline cracking |
Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR) |
related-to |
T1110.002 |
Brute Force: Password Cracking |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.002 |
Brute Force: Password Cracking |
action.hacking.variety.Brute force |
Brute force or password guessing attacks. |
related-to |
T1110.003 |
Brute Force: Password Spraying |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.003 |
Brute Force: Password Spraying |
action.hacking.variety.Brute force |
Brute force or password guessing attacks. |
related-to |
T1110.004 |
Brute Force: Credential Stuffing |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.004 |
Brute Force: Credential Stuffing |
action.hacking.variety.Buffer overflow |
Buffer overflow. Child of 'Exploit vuln'. |
related-to |
T1203 |
Exploitation for Client Execution |
action.hacking.variety.HTTP request smuggling |
HTTP request smuggling. Child of 'Exploit vuln'. |
related-to |
T1203 |
Exploitation for Client Execution |
action.hacking.variety.HTTP request splitting |
HTTP request splitting. Child of 'Exploit vuln'. |
related-to |
T1203 |
Exploitation for Client Execution |
action.hacking.variety.HTTP response smuggling |
HTTP response smuggling. Child of 'Exploit vuln'. |
related-to |
T1203 |
Exploitation for Client Execution |
action.hacking.variety.HTTP response splitting |
HTTP response splitting. Child of 'Exploit vuln'. |
related-to |
T1203 |
Exploitation for Client Execution |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1203 |
Exploitation for Client Execution |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1203 |
Exploitation for Client Execution |
action.hacking.variety.Cache poisoning |
Cache poisoning. Child of 'Exploit vuln'. |
related-to |
T1557.002 |
Adversary-in-the-Middle: ARP Cache Poisoning |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.002 |
Adversary-in-the-Middle: ARP Cache Poisoning |
action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.002 |
Adversary-in-the-Middle: ARP Cache Poisoning |
action.hacking.variety.Cryptanalysis |
Cryptanalysis. Child of 'Exploit vuln'. |
related-to |
T1600 |
Weaken Encryption |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600 |
Weaken Encryption |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562 |
Impair Defenses |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1562 |
Impair Defenses |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562 |
Impair Defenses |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1562 |
Impair Defenses |
action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new files |
related-to |
T1562 |
Impair Defenses |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1562 |
Impair Defenses |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.001 |
Disable or Modify Tools |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.001 |
Disable or Modify Tools |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.002 |
Disable Windows Event Logging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.002 |
Disable Windows Event Logging |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.003 |
Impair Command History Logging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.003 |
Impair Command History Logging |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.004 |
Disable or Modify System Firewall |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.004 |
Disable or Modify System Firewall |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.007 |
Disable or Modify Cloud Firewall |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.007 |
Disable or Modify Cloud Firewall |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.008 |
Disable Cloud Logs |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.008 |
Disable Cloud Logs |
action.hacking.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1489 |
Service Stop |
action.malware.variety.DoS |
DoS attack |
related-to |
T1489 |
Service Stop |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1489 |
Service Stop |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1498 |
Network Denial of Service |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498 |
Network Denial of Service |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1498 |
Network Denial of Service |
attribute.availability.variety.Loss |
Loss |
related-to |
T1498 |
Network Denial of Service |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
attribute.availability.variety.Loss |
Loss |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
attribute.availability.variety.Loss |
Loss |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1499 |
Endpoint Denial of Service |
action.hacking.variety.Soap array abuse |
SOAP array abuse. Child of 'Exploit vuln'. |
related-to |
T1499 |
Endpoint Denial of Service |
action.hacking.variety.XML external entities |
XML external entities. Child of 'Exploit vuln'. |
related-to |
T1499 |
Endpoint Denial of Service |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499 |
Endpoint Denial of Service |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1499 |
Endpoint Denial of Service |
attribute.availability.variety.Loss |
Loss |
related-to |
T1499 |
Endpoint Denial of Service |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
attribute.availability.variety.Loss |
Loss |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
attribute.availability.variety.Loss |
Loss |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
attribute.availability.variety.Loss |
Loss |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
attribute.availability.variety.Loss |
Loss |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1583.005 |
Acquire Infrastructure: Botnet |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.005 |
Acquire Infrastructure: Botnet |
value_chain.development.variety.Bot |
A small program that can be distributed, installed, and controlled en masse. |
related-to |
T1583.005 |
Acquire Infrastructure: Botnet |
action.hacking.variety.DoS |
Denial of service |
related-to |
T1584.005 |
Compromise Infrastructure: Botnet |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.005 |
Compromise Infrastructure: Botnet |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1622 |
Debugger Evasion |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1622 |
Debugger Evasion |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1622 |
Debugger Evasion |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1211 |
Exploitation for Defense Evasion |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1211 |
Exploitation for Defense Evasion |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1211 |
Exploitation for Defense Evasion |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1036 |
Masquerading |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036 |
Masquerading |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1036 |
Masquerading |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1036 |
Masquerading |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1036 |
Masquerading |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1014 |
Rootkit |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1014 |
Rootkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1014 |
Rootkit |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1014 |
Rootkit |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1553 |
Subvert Trust Controls |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553 |
Subvert Trust Controls |
action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1553 |
Subvert Trust Controls |
action.social.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1553 |
Subvert Trust Controls |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1001 |
Data Obfuscation |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001 |
Data Obfuscation |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1001.002 |
Data Obfuscation: Steganography |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.002 |
Data Obfuscation: Steganography |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1001.003 |
Data Obfuscation: Protocol Impersonation |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.003 |
Data Obfuscation: Protocol Impersonation |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1071 |
Application Layer Protocol |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1071 |
Application Layer Protocol |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071 |
Application Layer Protocol |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071 |
Application Layer Protocol |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071 |
Application Layer Protocol |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1132 |
Data Encoding |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132 |
Data Encoding |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132 |
Data Encoding |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1568 |
Dynamic Resolution |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1568 |
Dynamic Resolution |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568 |
Dynamic Resolution |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568 |
Dynamic Resolution |
action.malware.vector.Download by malware |
Downloaded and installed by local malware |
related-to |
T1568 |
Dynamic Resolution |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DNS |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DNS |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DNS |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1573 |
Encrypted Channels |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1573 |
Encrypted Channels |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573 |
Encrypted Channels |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573 |
Encrypted Channels |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1008 |
Fallback Channels |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1008 |
Fallback Channels |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1008 |
Fallback Channels |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1008 |
Fallback Channels |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1104 |
Multi-Stage Channels |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1104 |
Multi-Stage Channels |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1104 |
Multi-Stage Channels |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1104 |
Multi-Stage Channels |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1572 |
Protocol Tunneling |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1572 |
Protocol Tunneling |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1572 |
Protocol Tunneling |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1572 |
Protocol Tunneling |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1090 |
Proxy |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1090 |
Proxy |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090 |
Proxy |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090 |
Proxy |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1205 |
Traffic Signaling |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1205 |
Traffic Signaling |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1205 |
Traffic Signaling |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1205.002 |
Traffic Signaling: Socket Filters |
action.hacking.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1102 |
Web Service |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1102 |
Web Service |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102 |
Web Service |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102 |
Web Service |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Format string attack |
Format string attack. Child of 'Exploit vuln'. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Fuzz testing |
Fuzz testing. Child of 'Exploit vuln'. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Insecure deserialization |
Iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Integer overflows |
Integer overflows. Child of 'Exploit vuln'. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.LDAP injection |
LDAP injection. Child of 'Exploit vuln'. |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1190 |
Exploit Public-Facing Application |
action.hacking.variety.SQLi |
SQL injection. Child of 'Exploit vuln'. |
related-to |
T1190 |
Exploit Public-Facing Application |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1212 |
Exploitation for Credential Access |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. |
related-to |
T1212 |
Exploitation for Credential Access |
action.hacking.variety.Session fixation |
Session fixation. Child of 'Exploit vuln'. |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1212 |
Exploitation for Credential Access |
attribute.confidentiality.data_disclosure |
|
related-to |
T1212 |
Exploitation for Credential Access |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1574.001 |
Hijack Execution Flow: DLL Search Order Hijacking |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. |
related-to |
T1574.001 |
Hijack Execution Flow: DLL Search Order Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1574.001 |
Hijack Execution Flow: DLL Search Order Hijacking |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1574.001 |
Hijack Execution Flow: DLL Search Order Hijacking |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1574.002 |
Hijack Execution Flow: DLL Side-Loading |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. |
related-to |
T1574.002 |
Hijack Execution Flow: DLL Side-Loading |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1574.002 |
Hijack Execution Flow: DLL Side-Loading |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1574.002 |
Hijack Execution Flow: DLL Side-Loading |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1574.005 |
Hijack Execution Flow: Executable Installer File Permissions Weakness |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1574.005 |
Hijack Execution Flow: Executable Installer File Permissions Weakness |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1574.005 |
Hijack Execution Flow: Executable Installer File Permissions Weakness |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1574.010 |
Hijack Execution Flow: Services File Permissions Weakness |
action.hacking.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1574.011 |
Hijack Execution Flow: Services Registry Permissions Weakness |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. |
related-to |
T1574.004 |
Hijack Execution Flow: Dylib Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1574.004 |
Hijack Execution Flow: Dylib Hijacking |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1574.004 |
Hijack Execution Flow: Dylib Hijacking |
action.hacking.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. |
related-to |
T1595.002 |
Active Scanning: Vulnerability Scanning |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595.002 |
Active Scanning: Vulnerability Scanning |
action.hacking.variety.Forced browsing |
Forced browsing or predictable resource location. Child of 'Exploit vuln'. |
related-to |
T1539 |
Steal Web Session Cookie |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1539 |
Steal Web Session Cookie |
action.hacking.variety.Session replay |
Session replay. Child of 'Exploit vuln'. |
related-to |
T1539 |
Steal Web Session Cookie |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1539 |
Steal Web Session Cookie |
action.hacking.variety.Forced browsing |
Forced browsing or predictable resource location. Child of 'Exploit vuln'. |
related-to |
T1583.003 |
Acquire Infrastructure: Virtual Private Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.003 |
Acquire Infrastructure: Virtual Private Server |
action.hacking.variety.Forced browsing |
Forced browsing or predictable resource location. Child of 'Exploit vuln'. |
related-to |
T1583.004 |
Acquire Infrastructure: Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.004 |
Acquire Infrastructure: Server |
action.hacking.variety.Forced browsing |
Forced browsing or predictable resource location. Child of 'Exploit vuln'. |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
value_chain.development.variety.Website |
Development of any full website controlled by the attacker |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
action.hacking.variety.HTTP request smuggling |
HTTP request smuggling. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.HTTP request splitting |
HTTP request splitting. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.HTTP response smuggling |
HTTP response smuggling. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.HTTP response splitting |
HTTP response splitting. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.Session fixation |
Session fixation. Child of 'Exploit vuln'. |
related-to |
T1185 |
Browser Session Hijacking |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1185 |
Browser Session Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Click fraud |
Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Click fraud and cryptocurrency mining |
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Cryptocurrency mining |
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
attribute.availability.variety.Degradation |
Performance degradation |
related-to |
T1496 |
Resource Hijacking |
action.hacking.variety.Hijack |
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) |
related-to |
T1574 |
Hijack Execution Flow |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1574 |
Hijack Execution Flow |
action.hacking.variety.XML injection |
XML injection. Child of 'Exploit vuln'. |
related-to |
T1574 |
Hijack Execution Flow |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557 |
Man-in-the-Middle |
action.hacking.variety.Routing detour |
Routing detour. Child of 'Exploit vuln'. |
related-to |
T1557 |
Man-in-the-Middle |
action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557 |
Man-in-the-Middle |
attribute.confidentiality.data_disclosure |
|
related-to |
T1557 |
Man-in-the-Middle |
action.hacking.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.001 |
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay |
action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.001 |
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay |
action.hacking.variety.Null byte injection |
Null byte injection. Child of 'Exploit vuln'. |
related-to |
T1027 |
Obfuscated Files or Information |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027 |
Obfuscated Files or Information |
action.hacking.variety.Pass-the-hash |
Pass-the-hash |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
action.malware.variety.Pass-the-hash |
Pass-the-hash |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1082 |
System Information Discovery |
action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1082 |
System Information Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1033 |
System Owner/User Discovery |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1033 |
System Owner/User Discovery |
action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1033 |
System Owner/User Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1007 |
System Service Discovery |
action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1007 |
System Service Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1012 |
Query Registry |
action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1012 |
Query Registry |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1083 |
File and Directory Discovery |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1083 |
File and Directory Discovery |
action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1083 |
File and Directory Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1057 |
Process Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1120 |
Peripheral Device Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1124 |
System Time Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1201 |
Password Policy Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1119 |
Automated Collection |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1119 |
Automated Collection |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1119 |
Automated Collection |
attribute.confidentiality.data_disclosure |
|
related-to |
T1119 |
Automated Collection |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1480 |
Execution Guardrails |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1480 |
Execution Guardrails |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1480.001 |
Execution Guardrails: Environmental Keying |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1480.001 |
Execution Guardrails: Environmental Keying |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1518 |
Software Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1518.001 |
Software Discovery: Security Software Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1087 |
Account Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1087.001 |
Account Discovery: Local Account |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1069 |
Permission Groups Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1069.001 |
Permission Groups Discovery: Local Groups |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1614 |
System Location Discovery |
action.hacking.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1614.001 |
System Location Discovery: System Language Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1046 |
Network Service Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1046 |
Network Service Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1135 |
Network Share Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1135 |
Network Share Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1040 |
Network Sniffing |
action.malware.variety.Packet sniffer |
Packet sniffer (capture data from network) |
related-to |
T1040 |
Network Sniffing |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1040 |
Network Sniffing |
attribute.confidentiality.data_disclosure |
|
related-to |
T1040 |
Network Sniffing |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1018 |
Remote System Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1018 |
Remote System Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1049 |
System Network Connections Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1049 |
System Network Connections Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1589 |
Gather Victim Identity Information |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1589.001 |
Gather Victim Identity Information: Credentials |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1589.002 |
Gather Victim Identity Information: Email Addresses |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1589.003 |
Gather Victim Identity Information: Employee Names |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590 |
Gather Victim Network Information |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.001 |
Gather Victim Network Information: Domain Properties |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.002 |
Gather Victim Network Information: DNS |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.003 |
Gather Victim Network Information: Network Trust Dependencies |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.004 |
Gather Victim Network Information: Network Topology |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.005 |
Gather Victim Network Information: IP Addresses |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1590.006 |
Gather Victim Network Information: Network Security Appliances |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1592 |
Gather Victim Host Information |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1592.001 |
Gather Victim Host Information: Hardware |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1592.002 |
Gather Victim Host Information: Software |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1592.003 |
Gather Victim Host Information: Firmware |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1592.004 |
Gather Victim Host Information: Client Configurations |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1613 |
Container and Resource Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1602 |
Data from Configuration Repository |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1602 |
Data from Configuration Repository |
attribute.confidentiality.data_disclosure |
|
related-to |
T1602 |
Data from Configuration Repository |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1602.001 |
Data from Configuration Repository: SNMP (MIB Dump) |
attribute.confidentiality.data_disclosure |
|
related-to |
T1602.001 |
Data from Configuration Repository: SNMP (MIB Dump) |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1602.002 |
Data from Configuration Repository: Network Device Configuration Dump |
attribute.confidentiality.data_disclosure |
|
related-to |
T1602.002 |
Data from Configuration Repository: Network Device Configuration Dump |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1526 |
Cloud Service Discovery |
action.hacking.variety.Scan network |
Enumerating the state of the network |
related-to |
T1580 |
Cloud Infrastructure Discovery |
action.hacking.variety.Session prediction |
Credential or session prediction. Child of 'Exploit vuln'. |
related-to |
T1606 |
Forge Web Credentials |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1606 |
Forge Web Credentials |
action.hacking.variety.Session prediction |
Credential or session prediction. Child of 'Exploit vuln'. |
related-to |
T1606.001 |
Forge Web Credentials: Web Cookies |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1606.001 |
Forge Web Credentials: Web Cookies |
action.hacking.variety.Session replay |
Session replay. Child of 'Exploit vuln'. |
related-to |
T1550.004 |
Use Alternate Authentication Material:Web Session Cookie |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1550.004 |
Use Alternate Authentication Material:Web Session Cookie |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021 |
Remote Services |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1021 |
Remote Services |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.001 |
Remote Services: Remote Desktop Protocol |
action.hacking.vector.Desktop sharing software |
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two |
related-to |
T1021.001 |
Remote Services: Remote Desktop Protocol |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.002 |
Remote Services: SMB/Windows Admin Shares |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1021.002 |
Remote Services: SMB/Windows Admin Shares |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.003 |
Remote Services: Distributed Component Object Model |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1021.003 |
Remote Services: Distributed Component Object Model |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.004 |
Remote Services: SSH |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1021.004 |
Remote Services: SSH |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.005 |
Remote Services: VNC |
action.hacking.vector.Desktop sharing software |
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two |
related-to |
T1021.005 |
Remote Services: VNC |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1021.006 |
Remote Services: Windows Remote Management |
action.hacking.vector.Command shell |
Remote shell |
related-to |
T1021.006 |
Remote Services: Windows Remote Management |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1078.001 |
Valid Accounts: Default Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1078.002 |
Valid Accounts: Domain Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1078.003 |
Valid Accounts: Local Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1078.004 |
Valid Accounts: Cloud Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134 |
Access Token Manipulation |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134.001 |
Access Token Manipulation: Token Impersonation/Theft |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134.002 |
Access Token Manipulation: Create Process with Token |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134.003 |
Access Token Manipulation: Make and Impersonate Token |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134.004 |
Access Token Manipulation: Parent PID Spoofing |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1134.005 |
Access Token Manipulation: SID-History Injection |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1550 |
Use Alternate Authentication Material |
action.malware.variety.Pass-the-hash |
Pass-the-hash |
related-to |
T1550 |
Use Alternate Authentication Material |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1550 |
Use Alternate Authentication Material |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1550.001 |
Use Alternate Authentication Material: Application Access Token |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1550.003 |
Use Alternate Authentication Material: Pass the Ticket |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1558 |
Steal or Forge Kerberos Tickets |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1558.001 |
Steal or Forge Kerberos Tickets: Golden Ticket |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1558.002 |
Steal or Forge Kerberos Tickets: Silver Ticket |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1558.003 |
Steal or Forge Kerberos Tickets: Kerberoasting |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1586 |
Compromise Account |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1586.001 |
Compromise Account: Social Media Accounts |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1586.001 |
Compromise Account: Social Media Accounts |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data. |
related-to |
T1586.001 |
Compromise Account: Social Media Accounts |
action.hacking.variety.Use of stolen creds |
Use of stolen or default authentication credentials (including credential stuffing) |
related-to |
T1586.002 |
Compromise Account: Email Accounts |
action.hacking.variety.Virtual machine escape |
Virtual machine escape. Child of 'Exploit vuln'. |
related-to |
T1611 |
Escape to Host |
action.hacking.variety.XML external entities |
XML external entities. Child of 'Exploit vuln'. |
related-to |
T1213 |
Data from Information Repository |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213 |
Data from Information Repository |
attribute.confidentiality.data_disclosure |
|
related-to |
T1213 |
Data from Information Repository |
action.hacking.variety.XPath injection |
XPath injection. Child of 'Exploit vuln'. |
related-to |
T1010 |
Application Window Discovery |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1010 |
Application Window Discovery |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1105 |
Ingress Tool Transfer |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1105 |
Ingress Tool Transfer |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1111 |
Two-Factor Authentication Interception |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583 |
Acquire Infrastructure |
action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1583 |
Acquire Infrastructure |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584 |
Compromise Infrastructure |
action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1584 |
Compromise Infrastructure |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.001 |
Compromise Infrastructure: Domains |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data. |
related-to |
T1584.001 |
Compromise Infrastructure: Domains |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.003 |
Compromise Infrastructure: Virtual Private Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.004 |
Compromise Infrastructure: Server |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1584.006 |
Compromise Infrastructure: Web Services |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1587 |
Develop Capabilities |
value_chain.development.variety.Unknown |
Nothing is known about the need for or type of development investment other than it was present. |
related-to |
T1587 |
Develop Capabilities |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1587.001 |
Develop Capabilities: Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1587.001 |
Develop Capabilities: Malware |
value_chain.development.variety.Bot |
A small program that can be distributed, installed, and controlled en mass. |
related-to |
T1587.001 |
Develop Capabilities: Malware |
value_chain.development.variety.Payload |
The portion a program that causes a negative effect. |
related-to |
T1587.001 |
Develop Capabilities: Malware |
value_chain.development.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1587.001 |
Develop Capabilities: Malware |
value_chain.development.variety.Trojan |
A program which masquerades as another program to get a target to execute malicious content |
related-to |
T1587.001 |
Develop Capabilities: Malware |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1587.002 |
Develop Capabilities: Code Signing Certificates |
value_chain.development.variety.Other |
The variety of development required is known, but is not listed. |
related-to |
T1587.002 |
Develop Capabilities: Code Signing Certificates |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1587.003 |
Develop Capabilities: Digital Certificates |
value_chain.development.variety.Other |
The variety of development required is known, but is not listed. |
related-to |
T1587.003 |
Develop Capabilities: Digital Certificates |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
action.malware.variety.Unknown |
Unknown |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
value_chain.development.variety.Exploit |
Code to exploit a vulnerability, including web injects. |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
value_chain.development.variety.Exploit Kits |
Code sets capable of selecting and trying multiple exploits against a target. |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588 |
Obtain Capabilities |
value_chain.development.variety.Unknown |
Nothing is known about the need for or type of development investment other than it was present. |
related-to |
T1588 |
Obtain Capabilities |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
value_chain.development.variety.Bot |
A small program that can be distributed, installed, and controlled en mass. |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
value_chain.development.variety.Payload |
The portion a program that causes a negative effect. |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
value_chain.development.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
value_chain.development.variety.Trojan |
A program which masquerades as another program to get a target to execute malicious content |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.002 |
Obtain Capabilities: Tool |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.003 |
Obtain Capabilities: Code Signing Certificates |
value_chain.development.variety.Other |
The variety of development required is known, but is not listed. |
related-to |
T1588.003 |
Obtain Capabilities: Code Signing Certificates |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.004 |
Obtain Capabilities: Digital Certificates |
value_chain.development.variety.Other |
The variety of development required is known, but is not listed. |
related-to |
T1588.004 |
Obtain Capabilities: Digital Certificates |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
value_chain.development.variety.Exploit |
Code to exploit a vulnerability, including web injects. |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
value_chain.development.variety.Exploit Kits |
Code sets capable of selecting and trying multiple exploits against a target. |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1588.006 |
Obtain Capabilities: Vulnerabilities |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.006 |
Obtain Capabilities: Vulnerabilities |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1599 |
Network Boundry Bridging |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1599.001 |
Network Boundry Bridging: Network Address Translation Traversal |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1606.002 |
Forge Web Credentials: SAML Tokens |
action.hacking.variety.Unknown |
Unknown |
related-to |
T1531 |
Account Access Removal |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1531 |
Account Access Removal |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1531 |
Account Access Removal |
attribute.integrity.variety.Unknown |
Unknown |
related-to |
T1531 |
Account Access Removal |
action.hacking.vector.Desktop sharing software |
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two |
related-to |
T1219 |
Remote Access Software |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1219 |
Remote Access Software |
action.hacking.vector.Hypervisor |
Hypervisor break-out attack |
related-to |
T1497 |
Virtualization/Sandbox Evasion |
action.hacking.vector.Inter-tenant |
Penetration of another VM or web site on shared device or infrastructure |
related-to |
T1497 |
Virtualization/Sandbox Evasion |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497 |
Virtualization/Sandbox Evasion |
action.hacking.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1199 |
Trusted Relationship |
action.malware.variety.Adware |
Adware |
related-to |
T1199 |
Trusted Relationship |
action.malware.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1199 |
Trusted Relationship |
action.social.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1199 |
Trusted Relationship |
action.hacking.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195 |
Supply Chain Compromise |
action.malware.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195 |
Supply Chain Compromise |
action.malware.vector.Software update |
Included in automated software update |
related-to |
T1195 |
Supply Chain Compromise |
action.hacking.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195.001 |
Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
action.social.vector.Software |
Software |
related-to |
T1195.001 |
Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
action.hacking.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195.002 |
Supply Chain Compromise: Compromise Software Supply Chain |
action.social.vector.Software |
Software |
related-to |
T1195.002 |
Supply Chain Compromise: Compromise Software Supply Chain |
action.hacking.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195.003 |
Supply Chain Compromise: Compromise Hardware Supply Chain |
action.social.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195.003 |
Supply Chain Compromise: Compromise Hardware Supply Chain |
action.hacking.vector.Physical access |
Physical access or connection (i.e., at keyboard or via cable) |
related-to |
T1200 |
Hardware Additions |
action.hacking.vector.Web application |
Web application |
related-to |
T1056.003 |
Input Capture: Web Portal Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.003 |
Input Capture: Web Portal Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1056.003 |
Input Capture: Web Portal Capture |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1095 |
Non-Application Layer Protocol |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1095 |
Non-Application Layer Protocol |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1095 |
Non-Application Layer Protocol |
action.hacking.vector.Other network service |
Network service that is not remote access or a web application. |
related-to |
T1571 |
Non-Standard Port |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1571 |
Non-Standard Port |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1571 |
Non-Standard Port |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505 |
Server Software Component |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505 |
Server Software Component |
action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.003 |
Server Software Component: Web Shell |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.003 |
Server Software Component: Web Shell |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.001 |
Proxy: Internal Proxy |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.001 |
Proxy: Internal Proxy |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.002 |
Proxy: External Proxy |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.002 |
Proxy: External Proxy |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.003 |
Proxy: Multi-hop Proxy |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.003 |
Proxy: Multi-hop Proxy |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.004 |
Proxy: Domain Fronting |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.004 |
Proxy: Domain Fronting |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.001 |
Web Service: Dead Drop Resolver |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.001 |
Web Service: Dead Drop Resolver |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.002 |
Web Service: Bidirectional Communication |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.002 |
Web Service: Bidirectional Communication |
action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.003 |
Web Service: One-Way Communication |
action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.003 |
Web Service: One-Way Communication |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056 |
Input Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1056 |
Input Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.001 |
Input Capture: Keylogging |
attribute.confidentiality.data_disclosure |
|
related-to |
T1056.001 |
Input Capture: Keylogging |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.002 |
Input Capture: GUI Input Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1056.002 |
Input Capture: GUI Input Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Spyware/Keylogger |
Spyware, keylogger or form-grabber (capture user input or activity) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
attribute.confidentiality.data_disclosure |
|
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1113 |
Screen Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1113 |
Screen Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114 |
Email Collection |
attribute.confidentiality.data_disclosure |
|
related-to |
T1114 |
Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.001 |
Email Collection: Local Email Collection |
attribute.confidentiality.data_disclosure |
|
related-to |
T1114.001 |
Email Collection: Local Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.002 |
Email Collection: Remote Email Collection |
attribute.confidentiality.data_disclosure |
|
related-to |
T1114.002 |
Email Collection: Remote Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.003 |
Email Collection: Email Forwarding Rule |
attribute.confidentiality.data_disclosure |
|
related-to |
T1114.003 |
Email Collection: Email Forwarding Rule |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1114.003 |
Email Collection: Email Forwarding Rule |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1123 |
Audio Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1123 |
Audio Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1125 |
Video Capture |
attribute.confidentiality.data_disclosure |
|
related-to |
T1125 |
Video Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1176 |
Browser Extensions |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1176 |
Browser Extensions |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1207 |
Rogue Domain Controller |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1217 |
Browser Bookmark Discovery |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1528 |
Steal Application Access Token |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1005 |
Data from Local System |
attribute.confidentiality.data_disclosure |
|
related-to |
T1005 |
Data from Local System |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1025 |
Data from Removable Media |
attribute.confidentiality.data_disclosure |
|
related-to |
T1025 |
Data from Removable Media |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1039 |
Data from Network Shared Drive |
attribute.confidentiality.data_disclosure |
|
related-to |
T1039 |
Data from Network Shared Drive |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.001 |
Data from Information Repositories: Confluence |
attribute.confidentiality.data_disclosure |
|
related-to |
T1213.001 |
Data from Information Repositories: Confluence |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.002 |
Data from Information Repositories: Sharepoint |
attribute.confidentiality.data_disclosure |
|
related-to |
T1213.002 |
Data from Information Repositories: Sharepoint |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1530 |
Data from Cloud Storage |
attribute.confidentiality.data_disclosure |
|
related-to |
T1530 |
Data from Cloud Storage |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1221 |
Template Injection |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070 |
Indicator Removal on Host |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
attribute.integrity.variety.Log tampering |
Log tampering or modification |
related-to |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
attribute.integrity.variety.Log tampering |
Log tampering or modification |
related-to |
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.003 |
Indicator Removal on Host: Clear Command History |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.004 |
Indicator Removal on Host: File Deletion |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.005 |
Indicator Removal on Host: Network Share Connection Removal |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.006 |
Indicator Removal on Host: Timestomp |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1485 |
Data Destruction |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1485 |
Data Destruction |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1485 |
Data Destruction |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1495 |
Firmware Corruption |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1495 |
Firmware Corruption |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1495 |
Firmware Corruption |
attribute.availability.variety.Loss |
Loss |
related-to |
T1495 |
Firmware Corruption |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561 |
Disk Wipe |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1561 |
Disk Wipe |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1561 |
Disk Wipe |
attribute.availability.variety.Loss |
Loss |
related-to |
T1561 |
Disk Wipe |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.001 |
Disk Wipe: Disk Content Wipe |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1561.001 |
Disk Wipe: Disk Content Wipe |
attribute.availability.variety.Loss |
Loss |
related-to |
T1561.001 |
Disk Wipe: Disk Content Wipe |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
attribute.availability.variety.Destruction |
Destruction |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
attribute.availability.variety.Loss |
Loss |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1006 |
Direct Volume Access |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.001 |
Obfuscated Files or Information: Binary Padding |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.002 |
Obfuscated Files or Information: Software Packaging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.003 |
Obfuscated Files or Information: Steganography |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.004 |
Obfuscated Files or Information: Compile After Dilevery |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.005 |
Obfuscated Files or Information: Indicator Removal from Tools |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.001 |
Masquerading: Invalid Code Signature |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.002 |
Masquerading: Right-to-Left Override |
action.social.variety.Forgery |
Forgery or counterfeiting (fake hardware, software, documents, etc) |
related-to |
T1036.002 |
Masquerading: Right-to-Left Override |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1036.002 |
Masquerading: Right-to-Left Override |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.004 |
Masquerading: Masquerade Task or Service |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.005 |
Masquerading: Match Legitimate Name or Location |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.006 |
Masquerading: Space after Filename |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222 |
File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.001 |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.002 |
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1490 |
Inhibit System Recovery |
action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1490 |
Inhibit System Recovery |
attribute.availability.variety.Loss |
Loss |
related-to |
T1490 |
Inhibit System Recovery |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.001 |
Virtualization/Sandbox Evasion: System Checks |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.002 |
Virtualization/Sandbox Evasion: User Activity Based Checks |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.001 |
Subvert Trust Controls: Gatekeeper Bypass |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.002 |
Subvert Trust Controls: Code Signing |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.003 |
Subvert Trust Controls: SIP and Trust Provider Hijacking |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.004 |
Subvert Trust Controls: Install Root Certificate |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.005 |
Subvert Trust Controls: Mark-of-the-Web Bypass |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.006 |
Subvert Trust Controls: Code Signing Policy Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.006 |
Impair Defenses: Indicator Blocking |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1574.012 |
Hijack Execution Flow: COR_PROFILER |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.001 |
Weaken Encryption: Reduce Key Space |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.002 |
Weaken Encryption: Disable Crypto Hardware |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601 |
Modify System Image |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1601 |
Modify System Image |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.001 |
Modify System Image: Patch System Image |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1601.001 |
Modify System Image: Patch System Image |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.002 |
Modify System Image: Downgrade System Image |
action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1610 |
Deploy Container |
action.malware.variety.Unknown |
Unknown |
related-to |
T1610 |
Deploy Container |
action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204 |
User Execution |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204 |
User Execution |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1204 |
User Execution |
action.social.vector.Email |
Email |
related-to |
T1204 |
User Execution |
action.social.vector.Social media |
Social media or networking |
related-to |
T1204 |
User Execution |
action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.social.vector.Email |
Email |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.social.vector.Social media |
Social media or networking |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.002 |
User Execution: Malicious File |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.002 |
User Execution: Malicious File |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1204.002 |
User Execution: Malicious File |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1204.002 |
User Execution: Malicious File |
action.social.vector.Email |
Email |
related-to |
T1204.002 |
User Execution: Malicious File |
action.social.vector.Social media |
Social media or networking |
related-to |
T1204.002 |
User Execution: Malicious File |
action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.social.vector.Email |
Email |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.social.vector.Social media |
Social media or networking |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011 |
Exfiltration Over Other Network Medium |
attribute.confidentiality.data_disclosure |
|
related-to |
T1011 |
Exfiltration Over Other Network Medium |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
attribute.confidentiality.data_disclosure |
|
related-to |
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020 |
Automated Exfiltration |
attribute.confidentiality.data_disclosure |
|
related-to |
T1020 |
Automated Exfiltration |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020.001 |
Automated Exfiltration: Traffic Duplication |
attribute.confidentiality.data_disclosure |
|
related-to |
T1020.001 |
Automated Exfiltration: Traffic Duplication |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1029 |
Scheduled Transfer |
attribute.confidentiality.data_disclosure |
|
related-to |
T1029 |
Scheduled Transfer |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1030 |
Data Transfer Size Limits |
attribute.confidentiality.data_disclosure |
|
related-to |
T1030 |
Data Transfer Size Limits |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1041 |
Exfiltration Over C2 Channels |
attribute.confidentiality.data_disclosure |
|
related-to |
T1041 |
Exfiltration Over C2 Channels |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048 |
Exfiltration Over Alternative Protocol |
attribute.confidentiality.data_disclosure |
|
related-to |
T1048 |
Exfiltration Over Alternative Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
attribute.confidentiality.data_disclosure |
|
related-to |
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
attribute.confidentiality.data_disclosure |
|
related-to |
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
attribute.confidentiality.data_disclosure |
|
related-to |
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052 |
Exfiltration Over Physical Medium |
attribute.confidentiality.data_disclosure |
|
related-to |
T1052 |
Exfiltration Over Physical Medium |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
attribute.confidentiality.data_disclosure |
|
related-to |
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074 |
Data Staged |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.001 |
Data Staged: Local Data Staging |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.002 |
Data Staged: Remote Data Staging |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1197 |
BITS Jobs |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1537 |
Transfer Data to Cloud Account |
attribute.confidentiality.data_disclosure |
|
related-to |
T1537 |
Transfer Data to Cloud Account |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560 |
Archive Collected Data |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.001 |
Archive Collected Data: Archive via Utility |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.002 |
Archive Collected Data: Archive via Library |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.003 |
Archive Collected Data: Archive via Custom Method |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567 |
Exfiltration Over Web Service |
attribute.confidentiality.data_disclosure |
|
related-to |
T1567 |
Exfiltration Over Web Service |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
attribute.confidentiality.data_disclosure |
|
related-to |
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
attribute.confidentiality.data_disclosure |
|
related-to |
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055 |
Process Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.001 |
Process Injection: Dynamic-link Library Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.002 |
Process Injection: Portable Executable Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.003 |
Process Injection: Thread Execution Hijacking |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.004 |
Process Injection: Asynchronous Procedure Call |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.005 |
Process Injection: Thread Local Storage |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.008 |
Process Injection: Ptrace System Calls |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.009 |
Process Injection: Proc Memory |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.011 |
Process Injection: Extra Window Memory Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.012 |
Process Injection: Process Hollowing |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.013 |
Process Injection: Process Doppelganging |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.014 |
Process Injection: VDSO Hijacking |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1115 |
Clipboard Data |
attribute.confidentiality.data_disclosure |
|
related-to |
T1115 |
Clipboard Data |
action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.003 |
DHCP Spoofing |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003 |
OS Credential Dumping |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003 |
OS Credential Dumping |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
attribute.confidentiality.data_disclosure |
|
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.001 |
Unsecured Credentials: Credentials in Files |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.001 |
Unsecured Credentials: Credentials in Files |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.002 |
Unsecured Credentials: Credentials in Registry |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.002 |
Unsecured Credentials: Credentials in Registry |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.003 |
Unsecured Credentials: Bash History |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.003 |
Unsecured Credentials: Bash History |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.004 |
Unsecured Credentials: Private Keys |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.004 |
Unsecured Credentials: Private Keys |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555 |
Credentials from Password Stores |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555 |
Credentials from Password Stores |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.001 |
Credentials from Password Stores: Keychain |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555.001 |
Credentials from Password Stores: Keychain |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.005 |
Credentials from Password Stores: Password Managers |
attribute.confidentiality.data_disclosure |
|
related-to |
T1555.005 |
Credentials from Password Stores: Password Managers |
action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1486 |
Data Encrypted for Impact |
attribute.availability.variety.Interruption |
Interruption |
related-to |
T1486 |
Data Encrypted for Impact |
attribute.availability.variety.Obscuration |
Conversion or obscuration (ransomware) |
related-to |
T1486 |
Data Encrypted for Impact |
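Records like the ones above are only useful to a detection or incident-response team if they are parsed consistently and joined on the ATT&CK ID rather than on the technique label, since the same ID can appear with more than one spelling in a dump of this kind. The Python below is an added example, not part of the VERIS/ATT&CK mapping itself. It reads the page's five-line record layout (VERIS enumeration, VERIS description, "related-to", ATT&CK ID, ATT&CK name), builds forward and reverse indexes, rolls sub-techniques up to their parent, and reports malformed records and conflicting names instead of guessing. The sample rows are copied from the mapping above except the last one, which is a constructed duplicate with a differently cased name to exercise the consistency check; the function names are illustrative and not from any published tool.

```python
import re
from collections import defaultdict

# Constructed sample in the page's record layout: five pipe-terminated lines per
# mapping. All rows are copied from the mapping above except the final T1486 row,
# which is a deliberately inconsistent duplicate used to exercise the name check.
SAMPLE = """\
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
attribute.confidentiality.data_disclosure |
 |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.001 |
Unsecured Credentials: Credentials in Files |
action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1486 |
Data Encrypted for Impact |
attribute.availability.variety.Obscuration |
Conversion or obscuration (ransomware) |
related-to |
T1486 |
Data Encrypted For Impact |
"""

# ATT&CK technique IDs: T plus four digits, optionally .NNN for a sub-technique.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_records(text):
    """Split the flat dump into (veris_enum, attack_id, attack_name) tuples.
    Returns (records, problems); a malformed or truncated record is reported,
    never silently repaired."""
    lines = [ln.rstrip().removesuffix("|").strip() for ln in text.splitlines()]
    records, problems = [], []
    for i in range(0, len(lines), 5):
        chunk = lines[i:i + 5]
        if len(chunk) < 5:
            problems.append(f"line {i + 1}: truncated record {chunk}")
            break
        veris, _description, rel, tid, name = chunk
        if rel != "related-to" or not ATTACK_ID.match(tid):
            problems.append(f"line {i + 1}: malformed record {chunk}")
            continue
        records.append((veris, tid, name))
    return records, problems


def build_index(records):
    """Forward (VERIS -> ATT&CK IDs) and reverse (ATT&CK ID -> VERIS) maps, plus one
    label per ID. Conflicting labels for one ID are collected because the ID, not
    the label, is the key an analyst should join on."""
    veris_to_attack = defaultdict(set)
    attack_to_veris = defaultdict(set)
    names, conflicts = {}, []
    for veris, tid, name in records:
        veris_to_attack[veris].add(tid)
        attack_to_veris[tid].add(veris)
        if names.setdefault(tid, name) != name:
            conflicts.append((tid, names[tid], name))
    return veris_to_attack, attack_to_veris, names, conflicts


def parent_technique(tid):
    """T1003.001 -> T1003; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def techniques_for(veris_enum, veris_to_attack, roll_up=False):
    """ATT&CK IDs mapped to a VERIS enumeration, optionally rolled up to parents."""
    ids = veris_to_attack.get(veris_enum, set())
    if roll_up:
        ids = {parent_technique(t) for t in ids}
    return sorted(ids)


def veris_for(tid, attack_to_veris):
    """VERIS enumerations mapped to one ATT&CK ID."""
    return sorted(attack_to_veris.get(tid, set()))


if __name__ == "__main__":
    recs, probs = parse_records(SAMPLE)
    fwd, rev, names, conflicts = build_index(recs)
    print("Password dumper ->", techniques_for("action.malware.variety.Password dumper", fwd))
    print("Password dumper (parents) ->",
          techniques_for("action.malware.variety.Password dumper", fwd, roll_up=True))
    print("T1003.001 <-", veris_for("T1003.001", rev))
    for tid, first, other in conflicts:
        print(f"name conflict for {tid}: {first!r} vs {other!r}")
    for p in probs:
        print("problem:", p)
```

Feeding the whole mapping through `parse_records` is the quickest way to surface rows whose ID and label disagree; the conflict list, not the label, is what to check before using the file to translate VERIS incident coding into ATT&CK techniques.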
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542 |
Pre-OS Boot |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.001 |
Pre-OS Boot: System Firmware |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.002 |
Pre-OS Boot: Component Firmware |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.003 |
Pre-OS Boot: Bootkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.004 |
Pre-OS Boot: ROMMONkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.005 |
Pre-OS Boot: TFTP Boot |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1016 |
System Network Configuration Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1016.001 |
System Network Configuration Discovery: Internet Connection Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1482 |
Domain Trust Discovery |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595 |
Active Scanning |
action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595.001 |
Active Scanning: Scanning IP Blocks |
action.malware.variety.Unknown |
Unknown |
related-to |
T1080 |
Taint Shared Content |
action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1080 |
Taint Shared Content |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1080 |
Taint Shared Content |
action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1091 |
Replication Through Removable Media |
action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1091 |
Replication Through Removable Media |
action.social.vector.Removable media |
Removable storage media |
related-to |
T1091 |
Replication Through Removable Media |
action.malware.variety.Unknown |
Unknown |
related-to |
T1140 |
Deobfuscate/Decode Files or Information |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608 |
Stage Capabilities |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.001 |
Stage Capabilities: Upload Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.002 |
Stage Capabilities: Upload Tools |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.003 |
Stage Capabilities: Install Digital Certificate |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.004 |
Stage Capabilities: Drive-by Target |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.005 |
Stage Capabilities: Link Target |
action.malware.variety.Unknown |
Unknown |
related-to |
T1612 |
Build Image on Host |
action.malware.vector.Email |
Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
action.social.vector.Email |
Email |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1598.002 |
Phishing for Information: Spearphishing Attachment |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1598.002 |
Phishing for Information: Spearphishing Attachment |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1598.002 |
Phishing for Information: Spearphishing Attachment |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1556.002 |
Modify Authentication Process: Password Filter DLL |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1556.002 |
Modify Authentication Process: Password Filter DLL |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1556.002 |
Modify Authentication Process: Password Filter DLL |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1598.003 |
Phishing for Information: Spearphishing Link |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1598.003 |
Phishing for Information: Spearphishing Link |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1598.003 |
Phishing for Information: Spearphishing Link |
action.malware.vector.Instant messaging |
Instant Messaging |
related-to |
T1566 |
Phishing |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1566 |
Phishing |
action.social.vector.Email |
Email |
related-to |
T1566 |
Phishing |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1570 |
Lateral Tool Transfer |
action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1092 |
Communication Through Removable Media |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1189 |
Drive-by Compromise |
action.social.vector.Web application |
Web application |
related-to |
T1189 |
Drive-by Compromise |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1566.002 |
Phishing: Spearphishing Link |
action.social.vector.Email |
Email |
related-to |
T1566.002 |
Phishing: Spearphishing Link |
action.social.vector.Web application |
Web application |
related-to |
T1566.002 |
Phishing: Spearphishing Link |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1566.003 |
Phishing: Spearphishing via Service |
action.social.vector.Email |
Email |
related-to |
T1566.003 |
Phishing: Spearphishing via Service |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1598 |
Phishing for Information |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1598 |
Phishing for Information |
action.social.variety.Phishing |
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. |
related-to |
T1598.001 |
Phishing for Information: Spearphishing Service |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1598.001 |
Phishing for Information: Spearphishing Service |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1534 |
Internal Spearphishing |
attribute.integrity.variety.Misrepresentation |
compromise of authenticity (e.g. masquerading as the legitimate owner of an account) |
related-to |
T1534 |
Internal Spearphishing |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1585 |
Establish Accounts |
value_chain.development.variety.Persona |
A fake representation of a person, such as fake social media profiles |
related-to |
T1585 |
Establish Accounts |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1585.001 |
Establish Accounts: Social Media Accounts |
value_chain.development.variety.Persona |
A fake representation of a person, such as fake social media profiles |
related-to |
T1585.001 |
Establish Accounts: Social Media Accounts |
action.social.variety.Pretexting |
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) |
related-to |
T1585.002 |
Establish Accounts: Email Account |
value_chain.development.variety.Persona |
A fake representation of a person, such as fake social media profiles |
related-to |
T1585.002 |
Establish Accounts: Email Account |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.001 |
Event Triggered Execution: Change Default File Association |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.002 |
Event Triggered Execution: Screensaver |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.003 |
Event Triggered Execution: Windows Management Instrumentation Event Subscription |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.004 |
Event Triggered Execution: Unix Shell Configuration Modification |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.005 |
Event Triggered Execution: Trap |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.006 |
Event Triggered Execution: LC_LOAD_DYLIB Addition |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.007 |
Event Triggered Execution: Netsh Helper DLL |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.008 |
Event Triggered Execution: Accessibility Features |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.009 |
Event Triggered Execution: AppCert DLLs |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.010 |
Event Triggered Execution: AppInit DLLs |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.011 |
Event Triggered Execution: Application Shimming |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.012 |
Event Triggered Execution: Image File Execution Options Injection |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.013 |
Event Triggered Execution: PowerShell Profile |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.014 |
Event Triggered Execution: Emond |
attribute.integrity.variety.Alter behavior |
Influence or alter human behavior |
related-to |
T1546.015 |
Event Triggered Execution: Component Object Model Hijacking |
attribute.integrity.variety.Created account |
Created new user account |
related-to |
T1136.001 |
Create Account: Local Account |
attribute.integrity.variety.Created account |
Created new user account |
related-to |
T1136.002 |
Create Account: Domain Account |
attribute.integrity.variety.Created account |
Created new user account |
related-to |
T1136.003 |
Create Account: Cloud Account |
attribute.availability.variety.Obscuration |
Conversion or obscuration (ransomware) |
related-to |
T1491 |
Defacement |
attribute.integrity.variety.Defacement |
Deface content |
related-to |
T1491 |
Defacement |
attribute.availability.variety.Obscuration |
Conversion or obscuration (ransomware) |
related-to |
T1491.001 |
Defacement: Internal Defacement |
attribute.integrity.variety.Defacement |
Deface content |
related-to |
T1491.001 |
Defacement: Internal Defacement |
attribute.availability.variety.Obscuration |
Conversion or obscuration (ransomware) |
related-to |
T1491.002 |
Defacement: External Defacement |
attribute.integrity.variety.Defacement |
Deface content |
related-to |
T1491.002 |
Defacement: External Defacement |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037.001 |
Boot or Logon Initialization Scripts: Logon Script (Windows) |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037.002 |
Boot or Logon Initialization Scripts: Logon Script (Mac) |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037.003 |
Boot or Logon Initialization Scripts: Network Logon Script |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037.004 |
Boot or Logon Initialization Scripts: RC Scripts |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1037.005 |
Boot or Logon Initialization Scripts: Startup Items |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1484 |
Domain Policy Modification |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1484.001 |
Domain Policy Modification: Group Policy Modification |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1484.002 |
Domain Policy Modification: Domain Trust Modification |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.001 |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.002 |
Boot or Logon Autostart Execution: Authentication Package |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.003 |
Boot or Logon Autostart Execution: Time Providers |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.004 |
Boot or Logon Autostart Execution: Winlogon Helper DLL |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.005 |
Boot or Logon Autostart Execution: Security Support Provider |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.006 |
Boot or Logon Autostart Execution: Kernel Modules and Extensions |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.007 |
Boot or Logon Autostart Execution: Re-opened Applications |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.008 |
Boot or Logon Autostart Execution: LSASS Driver |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.009 |
Boot or Logon Autostart Execution: Shortcut Modification |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.010 |
Boot or Logon Autostart Execution: Port Monitors |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.012 |
Boot or Logon Autostart Execution: Print Processors |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1547.013 |
Boot or Logon Autostart Execution: XDG Autostart Entries |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1556.001 |
Modify Authentication Process: Domain Controller Authentication |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1556.001 |
Modify Authentication Process: Domain Controller Authentication |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1556.003 |
Modify Authentication Process: Pluggable Authentication Modules |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1556.003 |
Modify Authentication Process: Pluggable Authentication Modules |
attribute.integrity.variety.Modify configuration |
Modified configuration or services |
related-to |
T1556.004 |
Modify Authentication Process: Network Device Authentication |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1556.004 |
Modify Authentication Process: Network Device Authentication |
attribute.integrity.variety.Modify data |
Modified stored data or content |
related-to |
T1565 |
Data Manipulation |
attribute.integrity.variety.Modify data |
Modified stored data or content |
related-to |
T1565.001 |
Data Manipulation: Stored Data Manipulation |
attribute.integrity.variety.Modify data |
Modified stored data or content |
related-to |
T1565.002 |
Data Manipulation: Transmitted Data Manipulation |
attribute.integrity.variety.Modify data |
Modified stored data or content |
related-to |
T1565.003 |
Data Manipulation: Runtime Data Manipulation |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1098.001 |
Account Manipulation: Additional Cloud Credentials |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1098.002 |
Account Manipulation: Exchange Email Delegate Permissions |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1098.003 |
Account Manipulation: Add Office 365 Global Administrator Role |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1098.004 |
Account Manipulation: SSH Authorized Keys |
attribute.integrity.variety.Modify privileges |
Modified privileges or permissions |
related-to |
T1547.014 |
Boot or Logon Autostart Execution: Active Setup |
attribute.integrity.variety.Repurpose |
Repurposed asset for unauthorized function |
related-to |
T1535 |
Unused/Unsupported Cloud Regions |
attribute.integrity.variety.Software installation |
Software installation or code modification |
related-to |
T1546.016 |
Event Triggered Execution: Installer Packages |
attribute.confidentiality.data_disclosure |
|
related-to |
T1213.003 |
Code Repositories |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552 |
Unsecured Credentials |
attribute.confidentiality.data_disclosure |
|
related-to |
T1552.007 |
Unsecured Credentials: Container API |