VERIS

The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner that allows for the analysis of data across a variety of incidents. These mappings provide the context to better connect the who, what, and why captured in VERIS incident representation with the when and how described in MITRE ATT&CK® adversary behavioral tactics and techniques.

VERIS Versions: 1.4.0, 1.3.7, 1.3.5
ATT&CK Versions: 16.1, 12.1, 9.0
ATT&CK Domains: Enterprise, ICS, Mobile

VERIS Mapping Methodology
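The mappings are only useful once they are joined against real incident data. The following is an added example (not code from the Mappings Explorer project or from VERIS) that loads a handful of mapping rows copied from the table on this page and joins them both ways: from a VERIS incident record to the ATT&CK techniques it relates to, and from an ATT&CK technique ID back to the VERIS enumerations that describe it. The incident record is constructed for the example; its layout (section.category.field holding a list of enumeration values) follows the VERIS JSON schema. The parent-technique fallback in the reverse lookup is a design choice of this example, not part of the mapping methodology.

```python
"""Join VERIS incident records with VERIS-to-ATT&CK mapping rows.

Added example; not code from the Mappings Explorer project. MAPPINGS is a
subset of the "All Mappings" table on this page; INCIDENT is constructed.
"""
from collections import defaultdict

# (VERIS capability ID, ATT&CK ID, ATT&CK name), copied from the page.
# Every row on the page carries the mapping type "related-to", so it is
# not repeated here.
MAPPINGS = [
    ("action.hacking.variety.Use of stolen creds", "T1078", "Valid Accounts"),
    ("action.hacking.variety.Use of stolen creds", "T1021", "Remote Services"),
    ("action.hacking.variety.Use of stolen creds", "T1133", "External Remote Services"),
    ("action.hacking.variety.Use of stolen creds", "T1550.004", "Web Session Cookie"),
    ("action.hacking.variety.Brute force", "T1110", "Brute Force"),
    ("action.hacking.variety.Backdoor", "T1078", "Valid Accounts"),
    ("action.hacking.variety.Backdoor", "T1098", "Account Manipulation"),
    ("action.hacking.vector.Backdoor", "T1078", "Valid Accounts"),
    ("action.hacking.vector.Web application", "T1090.002", "External Proxy"),
    ("action.hacking.vector.VPN", "T1133", "External Remote Services"),
    ("action.malware.variety.Brute force", "T1110", "Brute Force"),
    ("attribute.integrity.variety.Modify privileges", "T1098.007", "Additional Local or Domain Groups"),
]

# Constructed VERIS-style incident record (not a real incident).
INCIDENT = {
    "incident_id": "example-0001",
    "action": {
        "hacking": {
            "variety": ["Use of stolen creds", "Brute force"],
            "vector": ["Web application"],
        },
    },
    "attribute": {"integrity": {"variety": ["Modify privileges"]}},
    "victim": {"industry": "52", "employee_count": "Over 100000"},
}


def split_capability(cap_id):
    """'action.hacking.variety.Use of stolen creds' ->
    (('action', 'hacking', 'variety'), 'Use of stolen creds').

    A VERIS capability ID is a three-part schema path followed by the
    enumeration value. Splitting on the first three dots only keeps any
    dot that might appear inside the value intact.
    """
    parts = cap_id.split(".")
    return tuple(parts[:3]), ".".join(parts[3:])


def enumerations_in(incident):
    """Yield (path, value) for every enumeration list in a VERIS record.

    Only section -> category -> field -> list is walked; scalar fields such
    as victim.industry are skipped because they are not enumerations.
    """
    for section, categories in incident.items():
        if not isinstance(categories, dict):
            continue
        for category, fields in categories.items():
            if not isinstance(fields, dict):
                continue
            for field, values in fields.items():
                if isinstance(values, list):
                    for value in values:
                        yield (section, category, field), value


def techniques_for_incident(incident, mappings=MAPPINGS):
    """Return {attack_id: {"name": ..., "veris": [capability IDs]}} for the
    ATT&CK techniques the incident's VERIS enumerations are related to."""
    index = defaultdict(list)
    for cap_id, attack_id, name in mappings:
        index[split_capability(cap_id)].append((attack_id, name))

    found = {}
    for path, value in enumerations_in(incident):
        cap_id = ".".join(path + (value,))
        for attack_id, name in index.get((path, value), ()):
            entry = found.setdefault(attack_id, {"name": name, "veris": set()})
            entry["veris"].add(cap_id)
    return {tid: {"name": e["name"], "veris": sorted(e["veris"])}
            for tid, e in found.items()}


def veris_for_technique(attack_id, mappings=MAPPINGS, include_parent=True):
    """Reverse lookup: VERIS enumerations related to an ATT&CK technique.

    With include_parent, a sub-technique such as T1098.007 also picks up
    rows mapped to its parent T1098 (design choice of this example: a VERIS
    coder often only knows the parent technique).
    """
    parent = attack_id.split(".")[0]
    return sorted({cap for cap, tid, _ in mappings
                   if tid == attack_id or (include_parent and tid == parent)})


if __name__ == "__main__":
    for tid, entry in sorted(techniques_for_incident(INCIDENT).items()):
        print(tid, entry["name"], "<-", ", ".join(entry["veris"]))
    print("T1098.007 <-", veris_for_technique("T1098.007"))
```

Run as a script it lists the seven techniques the constructed incident relates to, each with the VERIS enumeration that produced it. Loading the full table instead of the subset is a matter of replacing MAPPINGS with the rows exported from the Mappings Explorer for the VERIS and ATT&CK versions in use.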

Capability Groups

| ID | Capability Group Name | Number of Mappings | Number of Capabilities |
|---|---|---|---|
| action.hacking | action.hacking | 478 | 53 |
| action.malware | action.malware | 400 | 51 |
| attribute.integrity | attribute.integrity | 88 | 11 |
| attribute.confidentiality | attribute.confidentiality | 75 | 1 |
| attribute.availability | attribute.availability | 42 | 5 |
| action.social | action.social | 64 | 10 |
| value_chain.development | value_chain.development | 23 | 10 |

All Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1656 | Impersonation |
| action.hacking.variety.Other | Other | related-to | T1001 | Data Obfuscation |
| action.hacking.variety.Other | Other | related-to | T1001.001 | Junk Data |
| action.hacking.variety.Other | Other | related-to | T1001.002 | Steganography |
| action.hacking.variety.Other | Other | related-to | T1001.003 | Protocol or Service Impersonation |
| action.hacking.variety.Other | Other | related-to | T1071 | Application Layer Protocol |
| action.hacking.variety.Other | Other | related-to | T1071.001 | Web Protocols |
| action.hacking.variety.Other | Other | related-to | T1071.002 | File Transfer Protocols |
| action.hacking.variety.Other | Other | related-to | T1071.003 | Mail Protocols |
| action.hacking.variety.Other | Other | related-to | T1071.004 | DNS |
| action.hacking.variety.Other | Other | related-to | T1105 | Ingress Tool Transfer |
| action.hacking.variety.Other | Other | related-to | T1127.001 | MSBuild |
| action.malware.variety.Other | Other | related-to | T1080 | Taint Shared Content |
| action.malware.variety.Other | Other | related-to | T1204 | User Execution |
| action.malware.variety.Other | Other | related-to | T1204.001 | Malicious Link |
| action.malware.variety.Other | Other | related-to | T1204.002 | Malicious File |
| action.malware.variety.Other | Other | related-to | T1204.003 | Malicious Image |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.011 | Fileless Storage |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.012 | LNK Icon Smuggling |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.013 | Encrypted/Encoded File |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.009 | Cloud API |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.010 | AutoHotKey & AutoIT |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.011 | Lua |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127.002 | ClickOnce |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1098.006 | Additional Container Cluster Roles |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1098.007 | Additional Local or Domain Groups |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027 | Obfuscated Files or Information |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.001 | Binary Padding |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.002 | Software Packing |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.003 | Steganography |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.004 | Compile After Delivery |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.010 | Command Obfuscation |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.011 | Fileless Storage |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.012 | LNK Icon Smuggling |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.013 | Encrypted/Encoded File |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.014 | Polymorphic Code |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1070.010 | Relocate Malware |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1132.002 | Non-Standard Encoding |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.009 | Cloud API |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.010 | AutoHotKey & AutoIT |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.011 | Lua |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1127.002 | ClickOnce |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.007 | Cloud Services |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.008 | Direct Cloud VM Connections |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134.003 | Make and Impersonate Token |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.008 | Direct Cloud VM Connections |
| action.hacking.vector.Command shell | Remote shell | related-to | T1027.010 | Command Obfuscation |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.009 | Cloud API |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.010 | AutoHotKey & AutoIT |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.011 | Lua |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1071.005 | Publish/Subscribe Protocols |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1016.002 | Wi-Fi Discovery |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.009 | Break Process Trees |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1071.005 | Publish/Subscribe Protocols |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016.002 | Wi-Fi Discovery |
| action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1111 | Multi-Factor Authentication Interception |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.008 | Masquerade File Type |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.010 | Masquerade Account Name |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1098.006 | Additional Container Cluster Roles |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1098.007 | Additional Local or Domain Groups |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1047 | Windows Management Instrumentation |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.002 | At |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.003 | Cron |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.005 | Scheduled Task |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.006 | Systemd Timers |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.007 | Container Orchestration Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.001 | PowerShell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.002 | AppleScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.003 | Windows Command Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.004 | Unix Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.005 | Visual Basic |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.006 | Python |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.007 | JavaScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.008 | Network Device CLI |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1072 | Software Deployment Tools |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1105 | Ingress Tool Transfer |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1106 | Native API |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1112 | Modify Registry |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127 | Trusted Developer Utilities Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127.001 | MSBuild |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1129 | Shared Modules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137 | Office Application Startup |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.001 | Office Template Macros |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.002 | Office Test |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.003 | Outlook Forms |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.004 | Outlook Home Page |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.005 | Outlook Rules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1187 | Forced Authentication |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1202 | Indirect Command Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1216 | System Script Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1216.001 | PubPrn |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1216.002 | SyncAppvPublishingServer |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218 | System Binary Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.001 | Compiled HTML File |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.002 | Control Panel |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.003 | CMSTP |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.004 | InstallUtil |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.005 | Mshta |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.007 | Msiexec |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.008 | Odbcconf |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.009 | Regsvcs/Regasm |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.010 | Regsvr32 |
| action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln' | related-to | T1111 | Multi-Factor Authentication Interception |
| action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln' | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln' | related-to | T1187 | Forced Authentication |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1078 | Valid Accounts |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1098 | Account Manipulation |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1133 | External Remote Services |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1563.002 | RDP Hijacking |
| action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1110 | Brute Force |
| action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1222.002 | Linux and Mac File and Directory Permissions Modification |
| action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1565.001 | Stored Data Manipulation |
| action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1021.003 | Distributed Component Object Model |
| action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1531 | Account Access Removal |
| action.hacking.variety.Buffer overflow | Buffer overflow. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1001 | Data Obfuscation |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102.001 | Dead Drop Resolver |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1602.001 | SNMP (MIB Dump) |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1584.002 | DNS Server |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1008 | Fallback Channels |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1014 | Rootkit |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036 | Masquerading |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1071 | Application Layer Protocol |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1090 | Proxy |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1102 | Web Service |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1104 | Multi-Stage Channels |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1132 | Data Encoding |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1583.007 | Serverless |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1205 | Traffic Signaling |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1021.007 | Cloud Services |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1053.005 | Scheduled Task |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1211 | Exploitation for Defense Evasion |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1190 | Exploit Public-Facing Application |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Format string attack | Format string attack. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Fuzz testing | Fuzz testing. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.HTTP request smuggling | HTTP request smuggling. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.HTTP request smuggling | HTTP request smuggling. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP request splitting | HTTP request splitting. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.HTTP request splitting | HTTP request splitting. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP response smuggling | HTTP response smuggling. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.HTTP response smuggling | HTTP response smuggling. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP response splitting | HTTP response splitting. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.HTTP response splitting | HTTP response splitting. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.Insecure deserialization | iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Integer overflows | Integer overflows. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.LDAP injection | LDAP injection. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Null byte injection | Null byte injection. Child of 'Exploit vuln'. | related-to | T1027 | Obfuscated Files or Information |
| action.hacking.variety.Offline cracking | Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR) | related-to | T1565.001 | Stored Data Manipulation |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1505.005 | Terminal Services DLL |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1569 | System Services |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1110 | Brute Force |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1007 | System Service Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1012 | Query Registry |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1033 | System Owner/User Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1057 | Process Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1069 | Permission Groups Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1136.003 | Cloud Account |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1082 | System Information Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1083 | File and Directory Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1087 | Account Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1573.001 | Symmetric Cryptography |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1119 | Automated Collection |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1120 | Peripheral Device Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1124 | System Time Discovery |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1201 | Password Policy Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1018 | Remote System Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1007 | System Service Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1049 | System Network Connections Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1119 | Automated Collection |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1135 | Network Share Discovery |
| action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking |
| action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.SQLi | SQL injection. Child of 'Exploit vuln'. | related-to | T1190 | Exploit Public-Facing Application |
| action.hacking.variety.Unknown | Unknown | related-to | T1134 | Access Token Manipulation |
| action.hacking.variety.Unknown | Unknown | related-to | T1127 | Trusted Developer Utilities Proxy Execution |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021 | Remote Services |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1027.007 | Dynamic API Resolution |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1029 | Scheduled Transfer |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1547.004 | Winlogon Helper DLL |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1598.003 | Spearphishing Link |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1560.001 | Archive via Utility |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1583.004 | Server |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1078 | Valid Accounts |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1011.001 | Exfiltration Over Bluetooth |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550.004 | Web Session Cookie |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1601.002 | Downgrade System Image |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1569.002 | Service Execution |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1133 | External Remote Services |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134 | Access Token Manipulation |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1654 | Log Enumeration |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1548 | Abuse Elevation Control Mechanism |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1041 | Exfiltration Over C2 Channel |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1187 | Forced Authentication |
| action.hacking.variety.XML external entities | XML external entities. Child of 'Exploit vuln'. | related-to | T1558.002 | Silver Ticket |
| action.hacking.variety.XPath injection | XPath injection. Child of 'Exploit vuln'. | related-to | T1010 | Application Window Discovery |
| action.hacking.vector.3rd party desktop | 3rd party online desktop sharing (LogMeIn, Go2Assist) | related-to | T1133 | External Remote Services |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1078 | Valid Accounts |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1098 | Account Manipulation |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1133 | External Remote Services |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1563.002 | RDP Hijacking |
| action.hacking.vector.Command shell | Remote shell | related-to | T1029 | Scheduled Transfer |
| action.hacking.vector.Command shell | Remote shell | related-to | T1547.004 | Winlogon Helper DLL |
| action.hacking.vector.Command shell | Remote shell | related-to | T1598.003 | Spearphishing Link |
| action.hacking.vector.Command shell | Remote shell | related-to | T1583.004 | Server |
| action.hacking.vector.Command shell | Remote shell | related-to | T1047 | Windows Management Instrumentation |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.vector.Command shell | Remote shell | related-to | T1552.008 | Chat Messages |
| action.hacking.vector.Command shell | Remote shell | related-to | T1505.005 | Terminal Services DLL |
| action.hacking.vector.Command shell | Remote shell | related-to | T1569 | System Services |
| action.hacking.vector.Command shell | Remote shell | related-to | T1110 | Brute Force |
| action.hacking.vector.Command shell | Remote shell | related-to | T1071.001 | Web Protocols |
| action.hacking.vector.Command shell | Remote shell | related-to | T1127.002 | ClickOnce |
| action.hacking.vector.Command shell | Remote shell | related-to | T1546.013 | PowerShell Profile |
| action.hacking.vector.Command shell | Remote shell | related-to | T1584.005 | Botnet |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1027.007 | Dynamic API Resolution |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1560.001 | Archive via Utility |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1133 | External Remote Services |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1008 | Fallback Channels |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1071 | Application Layer Protocol |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1090 | Proxy |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1095 | Non-Application Layer Protocol |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1102 | Web Service |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1104 | Multi-Stage Channels |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1105 | Ingress Tool Transfer |
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1195 | Supply Chain Compromise |
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1499.003 | Application Exhaustion Flood |
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1589.001 | Credentials |
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1499.002 | Service Exhaustion Flood |
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship |
| action.hacking.vector.Physical access | Physical access or connection (i.e., at keyboard or via cable) | related-to | T1200 | Hardware Additions |
| action.hacking.vector.VPN | VPN | related-to | T1133 | External Remote Services |
| action.hacking.vector.Web application | Web application | related-to | T1090.002 | External Proxy |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1072 | Software Deployment Tools |
| action.malware.variety.Adware | Adware | related-to | T1199 | Trusted Relationship |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1098 | Account Manipulation |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1133 | External Remote Services |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1008 | Fallback Channels |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1098 | Account Manipulation |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110 | Brute Force |
action.malware.variety.Brute force Brute force attack related-to T1222.002 Linux and Mac File and Directory Permissions Modification
action.malware.variety.Brute force Brute force attack related-to T1565.001 Stored Data Manipulation
action.malware.variety.Brute force Brute force attack related-to T1021.003 Distributed Component Object Model
action.malware.variety.Brute force Brute force attack related-to T1531 Account Access Removal
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102.001 Dead Drop Resolver
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1008 Fallback Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1071 Application Layer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1584.007 Serverless
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1055.014 VDSO Hijacking
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1021 Remote Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1561 Disk Wipe
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090 Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1566.003 Spearphishing via Service
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1110.003 Password Spraying
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1070.005 Network Share Connection Removal
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1578.005 Modify Cloud Compute Configurations
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1095 Non-Application Layer Protocol
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1102 Web Service
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1216 System Script Proxy Execution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1036.003 Rename System Utilities
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1546.014 Emond
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1104 Multi-Stage Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132 Data Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.007 Serverless
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1485 Data Destruction
action.malware.variety.Capture app data Capture data from application or system process related-to T1056 Input Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1596.003 Digital Certificates
action.malware.variety.Capture app data Capture data from application or system process related-to T1547.006 Kernel Modules and Extensions
action.malware.variety.Capture app data Capture data from application or system process related-to T1090.002 External Proxy
action.malware.variety.Capture app data Capture data from application or system process related-to T1546.017 Udev Rules
action.malware.variety.Capture app data Capture data from application or system process related-to T1113 Screen Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1110.002 Password Cracking
action.malware.variety.Capture app data Capture data from application or system process related-to T1556.006 Multi-Factor Authentication
action.malware.variety.Capture app data Capture data from application or system process related-to T1546.009 AppCert DLLs
action.malware.variety.Capture app data Capture data from application or system process related-to T1123 Audio Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1125 Video Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1176 Browser Extensions
action.malware.variety.Capture app data Capture data from application or system process related-to T1185 Browser Session Hijacking
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1114 Email Collection
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1587 Develop Capabilities
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1558.003 Kerberoasting
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1565.002 Transmitted Data Manipulation
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1005 Data from Local System
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1010 Application Window Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1025 Data from Removable Media
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1033 System Owner/User Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1039 Data from Network Shared Drive
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1083 File and Directory Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1119 Automated Collection
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) related-to T1203 Exploitation for Client Execution
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1542.002 Component Firmware
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1092 Communication Through Removable Media
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1566.002 Spearphishing Link
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1600.001 Reduce Key Space
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1027.010 Command Obfuscation
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1496.001 Compute Hijacking
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1218 System Binary Proxy Execution
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1006 Direct Volume Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027 Obfuscated Files or Information
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1563 Remote Service Session Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1111 Multi-Factor Authentication Interception
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1095 Non-Application Layer Protocol
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1499 Endpoint Denial of Service
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1059.011 Lua
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1505.004 IIS Components
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1195.002 Compromise Software Supply Chain
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1568 Dynamic Resolution
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1074.001 Local Data Staging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1622 Debugger Evasion
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1204 User Execution
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1001.002 Steganography
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1559.002 Dynamic Data Exchange
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1027.005 Indicator Removal from Tools
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1068 Exploitation for Privilege Escalation
action.malware.variety.Export data Export data to another site or system related-to T1558.003 Kerberoasting
action.malware.variety.Export data Export data to another site or system related-to T1011 Exfiltration Over Other Network Medium
action.malware.variety.Export data Export data to another site or system related-to T1021.006 Windows Remote Management
action.malware.variety.Export data Export data to another site or system related-to T1020 Automated Exfiltration
action.malware.variety.Export data Export data to another site or system related-to T1055.004 Asynchronous Procedure Call
action.malware.variety.Export data Export data to another site or system related-to T1029 Scheduled Transfer
action.malware.variety.Export data Export data to another site or system related-to T1030 Data Transfer Size Limits
action.malware.variety.Export data Export data to another site or system related-to T1072 Software Deployment Tools
action.malware.variety.Export data Export data to another site or system related-to T1048 Exfiltration Over Alternative Protocol
action.malware.variety.Export data Export data to another site or system related-to T1070 Indicator Removal
action.malware.variety.Export data Export data to another site or system related-to T1552.006 Group Policy Preferences
action.malware.variety.Export data Export data to another site or system related-to T1213.005 Messaging Applications
action.malware.variety.Export data Export data to another site or system related-to T1052 Exfiltration Over Physical Medium
action.malware.variety.Export data Export data to another site or system related-to T1588.002 Tool
action.malware.variety.Export data Export data to another site or system related-to T1074 Data Staged
action.malware.variety.Export data Export data to another site or system related-to T1218.013 Mavinject
action.malware.variety.Export data Export data to another site or system related-to T1574.014 AppDomainManager
action.malware.variety.Export data Export data to another site or system related-to T1197 BITS Jobs
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055 Process Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1053.002 At
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1612 Build Image on Host
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1560.002 Archive via Library
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1036.004 Masquerade Task or Service
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1538 Cloud Service Dashboard
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1548.006 TCC Manipulation
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1059.003 Windows Command Shell
action.malware.variety.In-memory (malware never stored to persistent storage) related-to None None
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1585.001 Social Media Accounts
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1125 Video Capture
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1546.001 Change Default File Association
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1563.002 RDP Hijacking
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) related-to T1007 System Service Discovery
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003 OS Credential Dumping
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1222 File and Directory Permissions Modification
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1114 Email Collection
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1587 Develop Capabilities
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1598.004 Spearphishing Voice
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1558.003 Kerberoasting
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1115 Clipboard Data
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1565.002 Transmitted Data Manipulation
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1546.017 Udev Rules
action.malware.variety.Profile host Enumerating the state of the current host related-to T1007 System Service Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1012 Query Registry
action.malware.variety.Profile host Enumerating the state of the current host related-to T1033 System Owner/User Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1082 System Information Discovery
action.malware.variety.Profile host Enumerating the state of the current host related-to T1083 File and Directory Discovery
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1222 File and Directory Permissions Modification
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1114 Email Collection
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1598.004 Spearphishing Voice
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1014 Rootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1195.002 Compromise Software Supply Chain
action.malware.variety.Scan network Enumerating the state of the network related-to T1016 System Network Configuration Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1496.003 SMS Pumping
action.malware.variety.Scan network Enumerating the state of the network related-to T1018 Remote System Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1007 System Service Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1046 Network Service Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1049 System Network Connections Discovery
action.malware.variety.Scan network Enumerating the state of the network related-to T1135 Network Share Discovery
action.malware.variety.Spyware/Keylogger Spyware, keylogger or form-grabber (capture user input or activity) related-to T1546.017 Udev Rules
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'. related-to T1027.005 Indicator Removal from Tools
action.malware.variety.Unknown Unknown related-to T1140 Deobfuscate/Decode Files or Information
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1080 Taint Shared Content
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1091 Replication Through Removable Media
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1047 Windows Management Instrumentation
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email'. related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email'. related-to T1071.001 Web Protocols
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email'. related-to T1546.013 PowerShell Profile
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email'. related-to T1203 Exploitation for Client Execution
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email'. related-to T1559.002 Dynamic Data Exchange
action.malware.vector.Email link Email via embedded link. Child of 'Email'. related-to T1598.004 Spearphishing Voice
action.malware.vector.Email link Email via embedded link. Child of 'Email'. related-to T1001.002 Steganography
action.malware.vector.Network propagation Network propagation related-to T1021 Remote Services
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1195 Supply Chain Compromise
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1199 Trusted Relationship
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) related-to T1133 External Remote Services
action.malware.vector.Removable media Removable storage media or devices related-to T1091 Replication Through Removable Media
action.malware.vector.Removable media Removable storage media or devices related-to T1092 Communication Through Removable Media
action.malware.vector.Software update Included in automated software update related-to T1072 Software Deployment Tools
action.malware.vector.Software update Included in automated software update related-to T1195 Supply Chain Compromise
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by'. related-to T1133 External Remote Services
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1176 Browser Extensions
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1189 Drive-by Compromise
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1014 Rootkit
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1036 Masquerading
action.social.variety.Forgery Forgery or counterfeiting (fake hardware, software, documents, etc) related-to T1562.007 Disable or Modify Cloud Firewall
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. related-to T1562.007 Disable or Modify Cloud Firewall
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. related-to T1204 User Execution
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. related-to T1001.002 Steganography
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. related-to T1559.002 Dynamic Data Exchange
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. related-to T1027.005 Indicator Removal from Tools
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1027.005 Indicator Removal from Tools
action.social.vector.Email Email related-to T1204 User Execution
action.social.vector.Email Email related-to T1001.002 Steganography
action.social.vector.Email Email related-to T1559.002 Dynamic Data Exchange
action.social.vector.Email Email related-to T1027.005 Indicator Removal from Tools
action.social.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1499.002 Service Exhaustion Flood
action.social.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1199 Trusted Relationship
action.social.vector.Removable media Removable storage media related-to T1091 Replication Through Removable Media
action.social.vector.Social media Social media or networking related-to T1204 User Execution
action.social.vector.Social media Social media or networking related-to T1001.002 Steganography
action.social.vector.Social media Social media or networking related-to T1559.002 Dynamic Data Exchange
action.social.vector.Social media Social media or networking related-to T1027.005 Indicator Removal from Tools
action.social.vector.Software Software related-to T1499.003 Application Exhaustion Flood
action.social.vector.Software Software related-to T1589.001 Credentials
action.social.vector.Web application Web application related-to T1189 Drive-by Compromise
attribute.confidentiality.data_disclosure None related-to T1003 OS Credential Dumping
attribute.confidentiality.data_disclosure None related-to T1222 File and Directory Permissions Modification
attribute.confidentiality.data_disclosure None related-to T1114 Email Collection
attribute.confidentiality.data_disclosure None related-to T1587 Develop Capabilities
attribute.confidentiality.data_disclosure None related-to T1547 Boot or Logon Autostart Execution
attribute.confidentiality.data_disclosure None related-to T1598.004 Spearphishing Voice
attribute.confidentiality.data_disclosure None related-to T1558.003 Kerberoasting
attribute.confidentiality.data_disclosure None related-to T1115 Clipboard Data
attribute.confidentiality.data_disclosure None related-to T1003.008 /etc/passwd and /etc/shadow
attribute.confidentiality.data_disclosure None related-to T1005 Data from Local System
attribute.confidentiality.data_disclosure None related-to T1011 Exfiltration Over Other Network Medium
attribute.confidentiality.data_disclosure None related-to T1011.001 Exfiltration Over Bluetooth
attribute.confidentiality.data_disclosure None related-to T1020 Automated Exfiltration
attribute.confidentiality.data_disclosure None related-to T1020.001 Traffic Duplication
attribute.confidentiality.data_disclosure None related-to T1025 Data from Removable Media
attribute.confidentiality.data_disclosure None related-to T1029 Scheduled Transfer
attribute.confidentiality.data_disclosure None related-to T1030 Data Transfer Size Limits
attribute.confidentiality.data_disclosure None related-to T1039 Data from Network Shared Drive
attribute.confidentiality.data_disclosure None related-to T1040 Network Sniffing
attribute.confidentiality.data_disclosure None related-to T1041 Exfiltration Over C2 Channel
attribute.confidentiality.data_disclosure None related-to T1048 Exfiltration Over Alternative Protocol
attribute.confidentiality.data_disclosure None related-to T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
attribute.confidentiality.data_disclosure None related-to T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
attribute.confidentiality.data_disclosure None related-to T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
attribute.confidentiality.data_disclosure None related-to T1052 Exfiltration Over Physical Medium
attribute.confidentiality.data_disclosure None related-to T1052.001 Exfiltration over USB
attribute.confidentiality.data_disclosure None related-to T1056 Input Capture
attribute.confidentiality.data_disclosure None related-to T1056.001 Keylogging
attribute.confidentiality.data_disclosure None related-to T1056.002 GUI Input Capture
attribute.confidentiality.data_disclosure None related-to T1056.003 Web Portal Capture
attribute.confidentiality.data_disclosure None related-to T1056.004 Credential API Hooking
attribute.confidentiality.data_disclosure None related-to T1113 Screen Capture
attribute.confidentiality.data_disclosure None related-to T1114 Email Collection
attribute.confidentiality.data_disclosure None related-to T1114.001 Local Email Collection
attribute.confidentiality.data_disclosure None related-to T1114.002 Remote Email Collection
attribute.confidentiality.data_disclosure None related-to T1114.003 Email Forwarding Rule
attribute.confidentiality.data_disclosure None related-to T1115 Clipboard Data
attribute.confidentiality.data_disclosure None related-to T1119 Automated Collection
attribute.confidentiality.data_disclosure None related-to T1123 Audio Capture
attribute.confidentiality.data_disclosure None related-to T1125 Video Capture
attribute.confidentiality.data_disclosure None related-to T1187 Forced Authentication
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1114.003 Email Forwarding Rule
attribute.integrity.variety.Created account Created new user account related-to T1136 Create Account
attribute.integrity.variety.Created account Created new user account related-to T1136.001 Local Account
attribute.integrity.variety.Created account Created new user account related-to T1136.002 Domain Account
attribute.integrity.variety.Created account Created new user account related-to T1136.003 Cloud Account
attribute.integrity.variety.Log tampering Log tampering or modification related-to T1070.001 Clear Windows Event Logs
attribute.integrity.variety.Log tampering Log tampering or modification related-to T1070.002 Clear Linux or Mac System Logs
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037 Boot or Logon Initialization Scripts
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.001 Logon Script (Windows)
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.002 Login Hook
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.003 Network Logon Script
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.004 RC Scripts
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.005 Startup Items
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098 Account Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.001 Additional Cloud Credentials
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.002 Additional Email Delegate Permissions
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.003 Additional Cloud Roles
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.004 SSH Authorized Keys
attribute.integrity.variety.Software installation Software installation or code modification related-to T1072 Software Deployment Tools
attribute.integrity.variety.Software installation Software installation or code modification related-to T1080 Taint Shared Content
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205 Traffic Signaling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205 Traffic Signaling
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.011 Rundll32
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1205.001 Port Knocking
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1205.001 Port Knocking
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1205.001 Port Knocking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.012 Verclsid
action.malware.variety.Capture app data Capture data from application or system process related-to T1207 Rogue Domain Controller
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.013 Mavinject
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1211 Exploitation for Defense Evasion
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.014 MMC
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.015 Electron Applications
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two. related-to T1219 Remote Access Software
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1212 Exploitation for Credential Access
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1212 Exploitation for Credential Access
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1212 Exploitation for Credential Access
attribute.confidentiality.data_disclosure None related-to T1212 Exploitation for Credential Access
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1220 XSL Script Processing
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213 Data from Information Repositories
attribute.confidentiality.data_disclosure None related-to T1213 Data from Information Repositories
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.001 Confluence
attribute.confidentiality.data_disclosure None related-to T1213.001 Confluence
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.002 Sharepoint
attribute.confidentiality.data_disclosure None related-to T1213.002 Sharepoint
attribute.confidentiality.data_disclosure None related-to T1213.003 Code Repositories
attribute.confidentiality.data_disclosure None related-to T1213.004 Customer Relationship Management Software
attribute.confidentiality.data_disclosure None related-to T1213.005 Messaging Applications
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1480 Execution Guardrails
action.hacking.variety.Scan network Enumerating the state of the network related-to T1480 Execution Guardrails
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1480.001 Environmental Keying
action.hacking.variety.Scan network Enumerating the state of the network related-to T1480.001 Environmental Keying
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1480.002 Mutual Exclusion
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1489 Service Stop
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1496 Resource Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1496.001 Compute Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1496.002 Bandwidth Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1496.003 SMS Pumping
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1496.004 Cloud Service Hijacking
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1497 Virtualization/Sandbox Evasion
action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1497 Virtualization/Sandbox Evasion
action.hacking.variety.DoS Denial of service related-to T1498 Network Denial of Service
action.hacking.variety.DoS Denial of service related-to T1498.001 Direct Network Flood
action.hacking.variety.DoS Denial of service related-to T1498.002 Reflection Amplification
action.hacking.variety.DoS Denial of service related-to T1499 Endpoint Denial of Service
action.hacking.variety.Soap array abuse Soap array abuse. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.hacking.variety.XML external entities XML external entities. Child of 'Exploit vuln'. related-to T1499 Endpoint Denial of Service
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1219 Remote Access Software
action.hacking.variety.DoS Denial of service related-to T1499.001 OS Exhaustion Flood
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) related-to T1221 Template Injection
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222 File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.001 Windows File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.002 Linux and Mac File and Directory Permissions Modification
action.hacking.variety.DoS Denial of service related-to T1499.002 Service Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.003 Application Exhaustion Flood
action.hacking.variety.DoS Denial of service related-to T1499.004 Application or System Exploitation
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1505.001 SQL Stored Procedures
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1505.002 Transport Agent
action.malware.variety.Scan network Enumerating the state of the network related-to T1482 Domain Trust Discovery
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484 Domain or Tenant Policy Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484.001 Group Policy Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484.002 Trust Modification
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485 Data Destruction
attribute.availability.variety.Destruction Destruction related-to T1485 Data Destruction
attribute.availability.variety.Interruption Interruption related-to T1485 Data Destruction
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485.001 Lifecycle-Triggered Deletion
attribute.availability.variety.Destruction Destruction related-to T1485.001 Lifecycle-Triggered Deletion
attribute.availability.variety.Interruption Interruption related-to T1485.001 Lifecycle-Triggered Deletion
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1486 Data Encrypted for Impact
attribute.availability.variety.Interruption Interruption related-to T1486 Data Encrypted for Impact
attribute.availability.variety.Obscuration Conversion or obscuration (ransomware) related-to T1486 Data Encrypted for Impact
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1518 Software Discovery
action.malware.variety.DoS DoS attack related-to T1489 Service Stop
attribute.availability.variety.Interruption Interruption related-to T1489 Service Stop
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1490 Inhibit System Recovery
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1490 Inhibit System Recovery
attribute.availability.variety.Loss Loss related-to T1490 Inhibit System Recovery
attribute.availability.variety.Obscuration Conversion or obscuration (ransomware) related-to T1491 Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491 Defacement
attribute.availability.variety.Obscuration Conversion or obscuration (ransomware) related-to T1491.001 Internal Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491.001 Internal Defacement
attribute.availability.variety.Obscuration Conversion or obscuration (ransomware) related-to T1491.002 External Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491.002 External Defacement
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1495 Firmware Corruption
attribute.availability.variety.Destruction Destruction related-to T1495 Firmware Corruption
attribute.availability.variety.Interruption Interruption related-to T1495 Firmware Corruption
attribute.availability.variety.Loss Loss related-to T1495 Firmware Corruption
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1518.001 Security Software Discovery
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. related-to T1496.001 Compute Hijacking
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. related-to T1496.001 Compute Hijacking
attribute.availability.variety.Degradation Performance degradation related-to T1496 Resource Hijacking
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1525 Implant Internal Image
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1525 Implant Internal Image
action.hacking.variety.Scan network Enumerating the state of the network related-to T1526 Cloud Service Discovery
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1529 System Shutdown/Reboot
action.hacking.variety.Unknown Unknown related-to T1531 Account Access Removal
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497 Virtualization/Sandbox Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.001 System Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.002 User Activity Based Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.003 Time Based Evasion
action.hacking.variety.AiTM Adversary-in-the-middle attack. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.malware.variety.DoS DoS attack related-to T1498 Network Denial of Service
attribute.availability.variety.Degradation Performance degradation related-to T1498 Network Denial of Service
attribute.availability.variety.Loss Loss related-to T1498 Network Denial of Service
action.hacking.variety.Session replay Session replay. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.malware.variety.DoS DoS attack related-to T1498.001 Direct Network Flood
attribute.availability.variety.Degradation Performance degradation related-to T1498.001 Direct Network Flood
attribute.availability.variety.Loss Loss related-to T1498.001 Direct Network Flood
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543 Create or Modify System Process
action.malware.variety.DoS DoS attack related-to T1498.002 Reflection Amplification
attribute.availability.variety.Degradation Performance degradation related-to T1498.002 Reflection Amplification
attribute.availability.variety.Loss Loss related-to T1498.002 Reflection Amplification
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1543 Create or Modify System Process
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1543 Create or Modify System Process
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.001 Launch Agent
action.malware.variety.DoS DoS attack related-to T1499 Endpoint Denial of Service
attribute.availability.variety.Degradation Performance degradation related-to T1499 Endpoint Denial of Service
attribute.availability.variety.Loss Loss related-to T1499 Endpoint Denial of Service
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.002 Systemd Service
action.malware.variety.DoS DoS attack related-to T1499.001 OS Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.001 OS Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.001 OS Exhaustion Flood
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.003 Windows Service
action.malware.variety.DoS DoS attack related-to T1499.002 Service Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.002 Service Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.002 Service Exhaustion Flood
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.004 Launch Daemon
action.malware.variety.DoS DoS attack related-to T1499.003 Application Exhaustion Flood
attribute.availability.variety.Degradation Performance degradation related-to T1499.003 Application Exhaustion Flood
attribute.availability.variety.Loss Loss related-to T1499.003 Application Exhaustion Flood
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.005 Container Service
action.malware.variety.DoS DoS attack related-to T1499.004 Application or System Exploitation
attribute.availability.variety.Degradation Performance degradation related-to T1499.004 Application or System Exploitation
attribute.availability.variety.Loss Loss related-to T1499.004 Application or System Exploitation
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505 Server Software Component
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505 Server Software Component
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.001 SQL Stored Procedures
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.001 SQL Stored Procedures
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.002 Transport Agent
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.002 Transport Agent
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.003 Web Shell
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.003 Web Shell
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1546 Event Triggered Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1547 Boot or Logon Autostart Execution
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1547 Boot or Logon Autostart Execution
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1525 Implant Internal Image
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1525 Implant Internal Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'. related-to T1525 Implant Internal Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Internal Image
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548 Abuse Elevation Control Mechanism
action.malware.variety.Capture app data Capture data from application or system process related-to T1528 Steal Application Access Token
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.001 Setuid and Setgid
attribute.availability.variety.Interruption Interruption related-to T1529 System Shutdown/Reboot
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1530 Data from Cloud Storage
attribute.confidentiality.data_disclosure None related-to T1530 Data from Cloud Storage
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.002 Bypass User Account Control
attribute.availability.variety.Destruction Destruction related-to T1531 Account Access Removal
attribute.availability.variety.Interruption Interruption related-to T1531 Account Access Removal
attribute.integrity.variety.Unknown Unknown related-to T1531 Account Access Removal
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1534 Internal Spearphishing
attribute.integrity.variety.Misrepresentation Compromise of authenticity (e.g. masquerading as the legitimate owner of an account) related-to T1534 Internal Spearphishing
attribute.integrity.variety.Repurpose Repurposed asset for unauthorized function related-to T1535 Unused/Unsupported Cloud Regions
action.malware.variety.Export data Export data to another site or system related-to T1537 Transfer Data to Cloud Account
attribute.confidentiality.data_disclosure None related-to T1537 Transfer Data to Cloud Account
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Bypass User Account Control
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.003 Sudo and Sudo Caching
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.003 Sudo and Sudo Caching
action.malware.variety.Capture app data Capture data from application or system process related-to T1539 Steal Web Session Cookie
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542 Pre-OS Boot
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.001 System Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.002 Component Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.003 Bootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.004 ROMMONkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.005 TFTP Boot
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.004 Elevated Execution with Prompt
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1543 Create or Modify System Process
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1543 Create or Modify System Process
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1543 Create or Modify System Process
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543 Create or Modify System Process
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.004 Elevated Execution with Prompt
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.001 Launch Agent
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.005 Temporary Elevated Cloud Access
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.002 Systemd Service
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.006 TCC Manipulation
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'. related-to T1543.003 Windows Service
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.003 Windows Service
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550 Use Alternate Authentication Material
attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.004 Launch Daemon
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.001 Application Access Token
action.hacking.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Pass the Hash
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.002 Pass the Hash
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.003 Pass the Ticket
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1546 Event Triggered Execution
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546 Event Triggered Execution
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.001 Change Default File Association
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.002 Screensaver
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.003 Windows Management Instrumentation Event Subscription
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.004 Unix Shell Configuration Modification
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.005 Trap
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.006 LC_LOAD_DYLIB Addition
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.007 Netsh Helper DLL
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.008 Accessibility Features
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.009 AppCert DLLs
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.010 AppInit DLLs
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.011 Application Shimming
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.012 Image File Execution Options Injection
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.013 PowerShell Profile
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.014 Emond
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.015 Component Object Model Hijacking
attribute.integrity.variety.Software installation Software installation or code modification related-to T1546.016 Installer Packages
action.hacking.variety.Session replay Session replay. Child of 'Exploit vuln'. related-to T1550.004 Web Session Cookie
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1547 Boot or Logon Autostart Execution
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1547 Boot or Logon Autostart Execution
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547 Boot or Logon Autostart Execution
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.001 Registry Run Keys / Startup Folder
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.002 Authentication Package
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.003 Time Providers
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.004 Winlogon Helper DLL
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.005 Security Support Provider
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.006 Kernel Modules and Extensions
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.007 Re-opened Applications
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.008 LSASS Driver
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.009 Shortcut Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.010 Port Monitors
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.012 Print Processors
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.013 XDG Autostart Entries
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1547.014 Active Setup
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.004 Web Session Cookie
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1554 Compromise Host Software Binary
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.002 Bypass User Account Control
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1554 Compromise Host Software Binary
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) related-to T1548.003 Sudo and Sudo Caching
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1556 Modify Authentication Process
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1556 Modify Authentication Process
action.hacking.variety.AiTM Adversary-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Adversary-in-the-Middle
action.hacking.variety.Routing detour Routing detour. Child of 'Exploit vuln'. related-to T1557 Adversary-in-the-Middle
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550 Use Alternate Authentication Material
action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material
action.hacking.variety.AiTM Adversary-in-the-middle attack. Child of 'Exploit vuln' related-to T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
action.hacking.variety.Cache poisoning Cache poisoning. Child of 'Exploit vuln'. related-to T1557.002 ARP Cache Poisoning
action.hacking.variety.AiTM Adversary-in-the-middle attack. Child of 'Exploit vuln' related-to T1557.002 ARP Cache Poisoning
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1550.002 Pass the Hash
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558 Steal or Forge Kerberos Tickets
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.001 Golden Ticket
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.002 Silver Ticket
attribute.confidentiality.data_disclosure None related-to T1552 Unsecured Credentials
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.001 Credentials In Files
attribute.confidentiality.data_disclosure None related-to T1552.001 Credentials In Files
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Credentials in Registry
attribute.confidentiality.data_disclosure None related-to T1552.002 Credentials in Registry
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.003 Bash History
attribute.confidentiality.data_disclosure None related-to T1552.003 Bash History
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.004 Private Keys
attribute.confidentiality.data_disclosure None related-to T1552.004 Private Keys
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.005 Cloud Instance Metadata API
attribute.confidentiality.data_disclosure None related-to T1552.005 Cloud Instance Metadata API
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.006 Group Policy Preferences
attribute.confidentiality.data_disclosure None related-to T1552.006 Group Policy Preferences
attribute.confidentiality.data_disclosure None related-to T1552.007 Container API
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.008 Chat Messages
attribute.confidentiality.data_disclosure None related-to T1552.008 Chat Messages
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.003 Kerberoasting
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553 Subvert Trust Controls
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1553 Subvert Trust Controls
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.001 Gatekeeper Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.002 Code Signing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.003 SIP and Trust Provider Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.004 Install Root Certificate
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.005 Mark-of-the-Web Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.006 Code Signing Policy Modification
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 AS-REP Roasting
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.004 AS-REP Roasting
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1554 Compromise Host Software Binary
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1554 Compromise Host Software Binary
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1554 Compromise Host Software Binary
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1554 Compromise Host Software Binary
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555 Credentials from Password Stores
attribute.confidentiality.data_disclosure None related-to T1555 Credentials from Password Stores
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.001 Keychain
attribute.confidentiality.data_disclosure None related-to T1555.001 Keychain
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.002 Securityd Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1555.002 Securityd Memory
attribute.confidentiality.data_disclosure None related-to T1555.002 Securityd Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.003 Credentials from Web Browsers
attribute.confidentiality.data_disclosure None related-to T1555.003 Credentials from Web Browsers
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.004 Windows Credential Manager
attribute.confidentiality.data_disclosure None related-to T1555.004 Windows Credential Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.005 Password Managers
attribute.confidentiality.data_disclosure None related-to T1555.005 Password Managers
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.006 Cloud Secrets Management Stores
attribute.confidentiality.data_disclosure None related-to T1555.006 Cloud Secrets Management Stores
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.005 Ccache Files
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559 Inter-Process Communication
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.001 Domain Controller Authentication
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.001 Domain Controller Authentication
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1566.002 Spearphishing Link
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1566.002 Spearphishing Link
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1566.002 Spearphishing Link
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.003 Pluggable Authentication Modules
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.003 Pluggable Authentication Modules
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.004 Network Device Authentication
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.004 Network Device Authentication
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559.001 Component Object Model
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1559.002 Dynamic Data Exchange
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Adversary-in-the-Middle
attribute.confidentiality.data_disclosure None related-to T1557 Adversary-in-the-Middle
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 ARP Cache Poisoning
action.malware.variety.AiTM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.003 DHCP Spoofing
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable or Modify Cloud Logs
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.011 Spoof Security Alerting
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.012 Disable or Modify Linux Audit System
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 AS-REP Roasting
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563.001 SSH Hijacking
action.malware.variety.Export data Export data to another site or system related-to T1560 Archive Collected Data
action.malware.variety.Export data Export data to another site or system related-to T1560.001 Archive via Utility
action.malware.variety.Export data Export data to another site or system related-to T1560.002 Archive via Library
action.malware.variety.Export data Export data to another site or system related-to T1560.003 Archive via Custom Method
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
attribute.availability.variety.Destruction Destruction related-to T1561 Disk Wipe
attribute.availability.variety.Interruption Interruption related-to T1561 Disk Wipe
attribute.availability.variety.Loss Loss related-to T1561 Disk Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.001 Disk Content Wipe
attribute.availability.variety.Destruction Destruction related-to T1561.001 Disk Content Wipe
attribute.availability.variety.Loss Loss related-to T1561.001 Disk Content Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.002 Disk Structure Wipe
attribute.availability.variety.Destruction Destruction related-to T1561.002 Disk Structure Wipe
attribute.availability.variety.Interruption Interruption related-to T1561.002 Disk Structure Wipe
attribute.availability.variety.Loss Loss related-to T1561.002 Disk Structure Wipe
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1563.001 SSH Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1563.002 RDP Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1562 Impair Defenses
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1562 Impair Defenses
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1563.002 RDP Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Disable or Modify Tools
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564 Hide Artifacts
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Disable Windows Event Logging
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Command History Logging
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.001 Hidden Files and Directories
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.006 Indicator Blocking
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hidden Files and Directories
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Disable or Modify Cloud Firewall
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.002 Hidden Users
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable or Modify Cloud Logs
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hidden Users
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.011 Spoof Security Alerting
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.003 Hidden Window
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.012 Disable or Modify Linux Audit System
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hidden Window
action.malware.vector.Network propagation Network propagation related-to T1563 Remote Service Session Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.004 NTFS File Attributes
action.malware.vector.Network propagation Network propagation related-to T1563.001 SSH Hijacking
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 NTFS File Attributes
action.malware.vector.Network propagation Network propagation related-to T1563.002 RDP Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.005 Hidden File System
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hidden File System
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hidden Files and Directories
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.001 Hidden Files and Directories
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.006 Run Virtual Instance
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hidden Users
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.002 Hidden Users
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Run Virtual Instance
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hidden Window
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.003 Hidden Window
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.007 VBA Stomping
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 NTFS File Attributes
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.004 NTFS File Attributes
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 VBA Stomping
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hidden File System
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.005 Hidden File System
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568 Dynamic Resolution
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Run Virtual Instance
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.006 Run Virtual Instance
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1568 Dynamic Resolution
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 VBA Stomping
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1564.007 VBA Stomping
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.007 VBA Stomping
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565 Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.001 Stored Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.002 Transmitted Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.003 Runtime Data Manipulation
action.malware.vector.Instant messaging Instant Messaging related-to T1566 Phishing
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566 Phishing
action.social.vector.Email Email related-to T1566 Phishing
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' related-to T1566.001 Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1566.001 Spearphishing Attachment
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566.001 Spearphishing Attachment
action.social.vector.Email Email related-to T1566.001 Spearphishing Attachment
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566.002 Spearphishing Link
action.social.vector.Email Email related-to T1566.002 Spearphishing Link
action.social.vector.Web application Web application related-to T1566.002 Spearphishing Link
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566.003 Spearphishing via Service
action.social.vector.Email Email related-to T1566.003 Spearphishing via Service
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566.004 Spearphishing Voice
action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
attribute.confidentiality.data_disclosure None related-to T1567 Exfiltration Over Web Service
action.malware.variety.Export data Export data to another site or system related-to T1567.001 Exfiltration to Code Repository
attribute.confidentiality.data_disclosure None related-to T1567.001 Exfiltration to Code Repository
action.malware.variety.Export data Export data to another site or system related-to T1567.002 Exfiltration to Cloud Storage
attribute.confidentiality.data_disclosure None related-to T1567.002 Exfiltration to Cloud Storage
action.malware.variety.Export data Export data to another site or system related-to T1567.003 Exfiltration to Text Storage Sites
attribute.confidentiality.data_disclosure None related-to T1567.003 Exfiltration to Text Storage Sites
action.malware.variety.Export data Export data to another site or system related-to T1567.004 Exfiltration Over Webhook
attribute.confidentiality.data_disclosure None related-to T1567.004 Exfiltration Over Webhook
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.001 Fast Flux DNS
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.002 Domain Generation Algorithms
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568 Dynamic Resolution
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1568.003 DNS Calculation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.001 Fast Flux DNS
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.001 Fast Flux DNS
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569 System Services
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.002 Domain Generation Algorithms
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.002 Domain Generation Algorithms
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569.001 Launchctl
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1568.003 DNS Calculation
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1568.003 DNS Calculation
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569.002 Service Execution
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1571 Non-Standard Port
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1572 Protocol Tunneling
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 Service Execution
action.malware.vector.Network propagation Network propagation related-to T1570 Lateral Tool Transfer
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1572 Protocol Tunneling
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1571 Non-Standard Port
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1571 Non-Standard Port
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573 Encrypted Channel
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1573 Encrypted Channel
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1572 Protocol Tunneling
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1572 Protocol Tunneling
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573.001 Symmetric Cryptography
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1573.002 Asymmetric Cryptography
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573 Encrypted Channel
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573 Encrypted Channel
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574 Hijack Execution Flow
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.001 Symmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.001 Symmetric Cryptography
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1573.002 Asymmetric Cryptography
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1573.002 Asymmetric Cryptography
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.001 DLL Search Order Hijacking
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties. related-to T1574.001 DLL Search Order Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1574.001 DLL Search Order Hijacking
action.hacking.variety.Unknown Unknown related-to T1574.001 DLL Search Order Hijacking
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.002 DLL Side-Loading
action.hacking.variety.Exploit vuln Exploit a vulnerability in code (vs. misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vulnerability exists). Parent of many hacking varieties. related-to T1574.002 DLL Side-Loading
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574.002 DLL Side-Loading
action.hacking.variety.Unknown Unknown related-to T1574.002 DLL Side-Loading
action.hacking.variety.Exploit vuln Exploit a vulnerability in code (vs. misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vulnerability exists). Parent of many hacking varieties. related-to T1574.004 Dylib Hijacking
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574.004 Dylib Hijacking
action.hacking.variety.Unknown Unknown related-to T1574.004 Dylib Hijacking
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.005 Executable Installer File Permissions Weakness
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574.005 Executable Installer File Permissions Weakness
action.hacking.variety.Unknown Unknown related-to T1574.005 Executable Installer File Permissions Weakness
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.010 Services File Permissions Weakness
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.011 Services Registry Permissions Weakness
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578 Modify Cloud Compute Infrastructure
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1578 Modify Cloud Compute Infrastructure
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1574.012 COR_PROFILER
action.hacking.vector.Inter-tenant Penetration of another VM or website on a shared device or infrastructure related-to T1578 Modify Cloud Compute Infrastructure
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.001 Create Snapshot
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.002 Create Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.003 Delete Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.004 Revert Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578.005 Modify Cloud Compute Configurations
action.hacking.variety.Scan network Enumerating the state of the network related-to T1580 Cloud Infrastructure Discovery
action.hacking.variety.Unknown Unknown related-to T1583 Acquire Infrastructure
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1583 Acquire Infrastructure
action.hacking.variety.Unknown Unknown related-to T1583.001 Domains
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.001 Domains
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.001 Domains
action.hacking.variety.Unknown Unknown related-to T1583.002 DNS Server
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.002 DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.002 DNS Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.003 Virtual Private Server
action.hacking.variety.Unknown Unknown related-to T1583.003 Virtual Private Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.004 Server
action.hacking.variety.Unknown Unknown related-to T1583.004 Server
action.hacking.variety.DoS Denial of service related-to T1583.005 Botnet
action.hacking.variety.Unknown Unknown related-to T1583.005 Botnet
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1583.005 Botnet
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.006 Web Services
action.hacking.variety.Unknown Unknown related-to T1583.006 Web Services
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1583.006 Web Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1583.006 Web Services
value_chain.development.variety.Website Development of any full website controlled by the attacker related-to T1583.006 Web Services
action.hacking.variety.Unknown Unknown related-to T1584 Compromise Infrastructure
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1584 Compromise Infrastructure
action.hacking.variety.Unknown Unknown related-to T1584.001 Domains
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1584.001 Domains
action.hacking.variety.Unknown Unknown related-to T1584.002 DNS Server
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1584.002 DNS Server
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1584.002 DNS Server
action.hacking.variety.Unknown Unknown related-to T1584.003 Virtual Private Server
action.hacking.variety.Unknown Unknown related-to T1584.004 Server
action.hacking.variety.DoS Denial of service related-to T1584.005 Botnet
action.hacking.variety.Unknown Unknown related-to T1584.005 Botnet
action.hacking.variety.Unknown Unknown related-to T1584.006 Web Services
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1585 Establish Accounts
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585 Establish Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1585.001 Social Media Accounts
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585.001 Social Media Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1585.002 Email Accounts
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585.002 Email Accounts
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1586 Compromise Accounts
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1586.001 Social Media Accounts
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1586.001 Social Media Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1586.001 Social Media Accounts
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1586.002 Email Accounts
action.hacking.variety.Unknown Unknown related-to T1587 Develop Capabilities
value_chain.development.variety.Unknown Nothing is known about the need for or type of development investment other than it was present. related-to T1587 Develop Capabilities
action.hacking.variety.Unknown Unknown related-to T1587.001 Malware
action.malware.variety.Unknown Unknown related-to T1587.001 Malware
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1587.001 Malware
value_chain.development.variety.Payload The portion of a program that causes a negative effect. related-to T1587.001 Malware
value_chain.development.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1587.001 Malware
value_chain.development.variety.Trojan A program which masquerades as another program to get a target to execute malicious content related-to T1587.001 Malware
action.hacking.variety.Unknown Unknown related-to T1587.002 Code Signing Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1587.002 Code Signing Certificates
action.hacking.variety.Unknown Unknown related-to T1587.003 Digital Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1587.003 Digital Certificates
action.hacking.variety.Unknown Unknown related-to T1587.004 Exploits
action.malware.variety.Unknown Unknown related-to T1587.004 Exploits
value_chain.development.variety.Exploit Code to exploit a vulnerability, including web injects. related-to T1587.004 Exploits
value_chain.development.variety.Exploit Kits Code sets capable of selecting and trying multiple exploits against a target. related-to T1587.004 Exploits
action.hacking.variety.Unknown Unknown related-to T1588 Obtain Capabilities
value_chain.development.variety.Unknown Nothing is known about the need for or type of development investment other than it was present. related-to T1588 Obtain Capabilities
action.hacking.variety.Unknown Unknown related-to T1588.001 Malware
action.malware.variety.Unknown Unknown related-to T1588.001 Malware
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1588.001 Malware
value_chain.development.variety.Payload The portion of a program that causes a negative effect. related-to T1588.001 Malware
value_chain.development.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1588.001 Malware
value_chain.development.variety.Trojan A program which masquerades as another program to get a target to execute malicious content related-to T1588.001 Malware
action.hacking.variety.Unknown Unknown related-to T1588.002 Tool
action.hacking.variety.Unknown Unknown related-to T1588.003 Code Signing Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1588.003 Code Signing Certificates
action.hacking.variety.Unknown Unknown related-to T1588.004 Digital Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1588.004 Digital Certificates
action.hacking.variety.Unknown Unknown related-to T1588.005 Exploits
action.malware.variety.Unknown Unknown related-to T1588.005 Exploits
value_chain.development.variety.Exploit Code to exploit a vulnerability, including web injects. related-to T1588.005 Exploits
value_chain.development.variety.Exploit Kits Code sets capable of selecting and trying multiple exploits against a target. related-to T1588.005 Exploits
action.hacking.variety.Unknown Unknown related-to T1588.006 Vulnerabilities
action.malware.variety.Unknown Unknown related-to T1588.006 Vulnerabilities
action.hacking.variety.Unknown Unknown related-to T1588.007 Artificial Intelligence
action.malware.variety.Unknown Unknown related-to T1588.007 Artificial Intelligence
action.hacking.variety.Scan network Enumerating the state of the network related-to T1589 Gather Victim Identity Information
action.hacking.variety.Scan network Enumerating the state of the network related-to T1589.001 Credentials
action.hacking.variety.Scan network Enumerating the state of the network related-to T1589.002 Email Addresses
action.hacking.variety.Scan network Enumerating the state of the network related-to T1589.003 Employee Names
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590 Gather Victim Network Information
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.001 Domain Properties
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.002 DNS
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.003 Network Trust Dependencies
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.004 Network Topology
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.005 IP Addresses
action.hacking.variety.Scan network Enumerating the state of the network related-to T1590.006 Network Security Appliances
action.hacking.variety.Scan network Enumerating the state of the network related-to T1592 Gather Victim Host Information
action.hacking.variety.Scan network Enumerating the state of the network related-to T1592.001 Hardware
action.hacking.variety.Scan network Enumerating the state of the network related-to T1592.002 Software
action.hacking.variety.Scan network Enumerating the state of the network related-to T1592.003 Firmware
action.hacking.variety.Scan network Enumerating the state of the network related-to T1592.004 Client Configurations
action.malware.variety.Scan network Enumerating the state of the network related-to T1595 Active Scanning
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.001 Scanning IP Blocks
action.hacking.variety.Exploit vuln Exploit a vulnerability in code (vs. misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vulnerability exists). Parent of many hacking varieties. related-to T1595.002 Vulnerability Scanning
action.malware.variety.Scan network Enumerating the state of the network related-to T1595.002 Vulnerability Scanning
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1598 Phishing for Information
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1598 Phishing for Information
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1598.001 Spearphishing Service
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1598.001 Spearphishing Service
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1598.002 Spearphishing Attachment
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1598.002 Spearphishing Attachment
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1598.002 Spearphishing Attachment
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1598.003 Spearphishing Link
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1598.003 Spearphishing Link
action.social.variety.Pretexting Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.) related-to T1598.003 Spearphishing Link
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario, e.g. a fake Google login page isn’t really pretexting. related-to T1598.004 Spearphishing Voice
action.hacking.variety.Unknown Unknown related-to T1599 Network Boundary Bridging
action.hacking.variety.Unknown Unknown related-to T1599.001 Network Address Translation Traversal
action.hacking.variety.Cryptanalysis Cryptanalysis. Child of 'Exploit vuln'. related-to T1600 Weaken Encryption
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600 Weaken Encryption
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.001 Reduce Key Space
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.002 Disable Crypto Hardware
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601 Modify System Image
attribute.integrity.variety.Software installation Software installation or code modification related-to T1601 Modify System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.001 Patch System Image
attribute.integrity.variety.Software installation Software installation or code modification related-to T1601.001 Patch System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.002 Downgrade System Image
action.hacking.variety.Scan network Enumerating the state of the network related-to T1602 Data from Configuration Repository
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1602 Data from Configuration Repository
attribute.confidentiality.data_disclosure None related-to T1602 Data from Configuration Repository
action.hacking.variety.Scan network Enumerating the state of the network related-to T1602.001 SNMP (MIB Dump)
attribute.confidentiality.data_disclosure None related-to T1602.001 SNMP (MIB Dump)
action.hacking.variety.Scan network Enumerating the state of the network related-to T1602.002 Network Device Configuration Dump
attribute.confidentiality.data_disclosure None related-to T1602.002 Network Device Configuration Dump
action.hacking.variety.Session prediction Credential or session prediction. Child of 'Exploit vuln'. related-to T1606 Forge Web Credentials
action.hacking.variety.Unknown Unknown related-to T1606 Forge Web Credentials
action.hacking.variety.Session prediction Credential or session prediction. Child of 'Exploit vuln'. related-to T1606.001 Web Cookies
action.hacking.variety.Unknown Unknown related-to T1606.001 Web Cookies
action.hacking.variety.Unknown Unknown related-to T1606.002 SAML Tokens
action.malware.variety.Unknown Unknown related-to T1608 Stage Capabilities
action.malware.variety.Unknown Unknown related-to T1608.001 Upload Malware
action.malware.variety.Unknown Unknown related-to T1608.002 Upload Tool
action.malware.variety.Unknown Unknown related-to T1608.003 Install Digital Certificate
action.malware.variety.Unknown Unknown related-to T1608.004 Drive-by Target
action.malware.variety.Unknown Unknown related-to T1608.005 Link Target
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1609 Container Administration Command
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1610 Deploy Container
action.hacking.variety.Virtual machine escape Virtual machine escape. Child of 'Exploit vuln'. related-to T1611 Escape to Host
action.malware.variety.Unknown Unknown related-to T1612 Build Image on Host
action.hacking.variety.Scan network Enumerating the state of the network related-to T1613 Container and Resource Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1614 System Location Discovery
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1614.001 System Language Discovery
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1622 Debugger Evasion
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1546.017 Udev Rules
action.malware.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1584.008 Network Devices
action.malware.vector.remote injection None related-to T1659 Content Injection
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.008 Network Provider DLL
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.008 Network Provider DLL
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.009 Conditional Access Policies
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.009 Conditional Access Policies
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.005 Container Service
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.005 Temporary Elevated Cloud Access
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.006 TCC Manipulation
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.005 Ccache Files
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.011 Ignore Process Interrupts
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564.012 File/Path Exclusions
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564.012 File/Path Exclusions
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) related-to T1574.014 AppDomainManager
action.hacking.vector.Partner Partner connection or credential. (Indicates supply chain breach.) related-to T1584.008 Network Devices
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1651 Cloud Administration Command
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1652 Device Driver Discovery
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1653 Power Settings
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1654 Log Enumeration
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1665 Hide Infrastructure
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1666 Modify Cloud Resource Hierarchy

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or unable to be mapped to any ATT&CK objects.
Capability ID Capability Description
Action.Social.Variety.Influence Influence tactics (leveraging authority or obligation, framing, etc.)
Attribute.Availability.Variety.Acceleration Acceleration
Attribute.Integrity.Variety.Hardware tampering Hardware tampering or physical alteration
Action.Malware.Variety.Spam Send spam
Action.Hacking.Variety.CSRF Cross-site request forgery. Child of 'Exploit vuln'.
Attribute.Integrity.Variety.Other Other
Action.Malware.Variety.Other Other
Action.Hacking.Variety.SSI injection SSI injection. Child of 'Exploit vuln'.
Action.Social.Variety.Scam Online scam or hoax (e.g., scareware, 419 scam, auction fraud)
Action.Hacking.Variety.Special element injection Special element injection. Child of 'Exploit vuln'.
Action.Malware.Vector.Email other Email sub-variety known, but not one of those listed (attachment, link, autoexecute, etc.). Child of 'Email'
Action.Social.Vector.Documents Documents
Action.Malware.Vector.Unknown Unknown
Action.Social.Variety.Elicitation Elicitation (subtle extraction of info through conversation)
Action.Malware.Vector.Email autoexecute Email via automatic execution. Child of 'Email'
Attribute.Availability.Variety.Other Other
Action.Hacking.Vector.Other Other
Action.Social.Vector.IM Instant messaging
Action.Social.Variety.Extortion Extortion or blackmail
Action.Social.Variety.Bribery Bribery or solicitation
Action.Hacking.Variety.URL redirector abuse URL redirector abuse. Child of 'Exploit vuln'.
Action.Hacking.Variety.Reverse engineering Reverse engineering. Child of 'Exploit vuln'.
Action.Hacking.Variety.XML entity expansion XML entity expansion. Child of 'Exploit vuln'.
Action.Hacking.Variety.XSS Cross-site scripting. Child of 'Exploit vuln'.
Action.Social.Variety.Other Other
Action.Hacking.Variety.User breakout Elevation of privilege by another customer in a shared environment. Child of 'Exploit vuln'.
Action.Social.Variety.Spam Spam (unsolicited or undesired email and advertisements)
Action.Hacking.Variety.RFI Remote file inclusion. Child of 'Exploit vuln'.
Action.Social.Variety.Prompt Bombing Bombarding the user with MFA prompts to get them to accept the login request
Action.Social.Vector.Unknown Unknown
Value_chain.development.variety.NA No type of development was necessary
Action.Hacking.Variety.Soap array abuse SOAP array abuse. Child of 'Exploit vuln'.
Action.Social.Vector.SMS SMS or texting
Action.Hacking.Variety.Mail command injection Mail command injection. Child of 'Exploit vuln'.
Action.Hacking.Vector.Unknown Unknown
Action.Social.Vector.Other Other
Attribute.Availability.Variety.Unknown Unknown
Attribute.Integrity.Variety.Fraudulent transaction Initiate fraudulent transaction
Action.Hacking.Variety.XML attribute blowup XML attribute blowup. Child of 'Exploit vuln'.
Action.Hacking.Variety.XQuery injection XQuery injection. Child of 'Exploit vuln'.
Action.Social.Variety.Unknown Unknown
Action.Social.Vector.In-person In-person
Action.Hacking.Variety.Other Other
Action.Social.Variety.Propaganda Propaganda or disinformation
Action.Social.Variety.Baiting Prepare malicious content in a location where a victim is likely to interact with it (e.g. SEO, vector: websites; USB drives left behind, vector: removable media; etc.)
Action.Social.Vector.Phone Phone
Action.Malware.Vector.Other Other
Value_chain.development.variety.Email Develop an email such as for phishing.
Value_chain.development.variety.Physical Development of something physical such as a skimming device
Action.Malware.Vector.Email unknown Email, but the sub-variety (attachment, autoexecute, link, etc.) is not known. Child of 'Email'
Action.Hacking.Variety.Path traversal Path traversal. Child of 'Exploit vuln'.