| VERIS enumeration | VERIS description | Relationship | ATT&CK ID | ATT&CK technique |
|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1001 | Data Obfuscation |
| action.hacking.variety.Other | Other | related-to | T1001 | Data Obfuscation |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1001.001 | Data Obfuscation: Junk Data |
| action.hacking.variety.Other | Other | related-to | T1001.001 | Data Obfuscation: Junk Data |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1001.001 | Data Obfuscation: Junk Data |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1001.001 | Data Obfuscation: Junk Data |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1001.002 | Data Obfuscation: Steganography |
| action.hacking.variety.Other | Other | related-to | T1001.002 | Data Obfuscation: Steganography |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1001.003 | Data Obfuscation: Protocol Impersonation |
| action.hacking.variety.Other | Other | related-to | T1001.003 | Data Obfuscation: Protocol Impersonation |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003 | OS Credential Dumping |
| attribute.confidentiality.data_disclosure | None | related-to | T1003 | OS Credential Dumping |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.001 | OS Credential Dumping: LSASS Memory |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.001 | OS Credential Dumping: LSASS Memory |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.001 | OS Credential Dumping: LSASS Memory |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.002 | OS Credential Dumping: Security Account Manager |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.002 | OS Credential Dumping: Security Account Manager |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.002 | OS Credential Dumping: Security Account Manager |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.002 | OS Credential Dumping: Security Account Manager |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.003 | OS Credential Dumping: NTDS |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.003 | OS Credential Dumping: NTDS |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.003 | OS Credential Dumping: NTDS |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.004 | OS Credential Dumping: LSA Secrets |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.004 | OS Credential Dumping: LSA Secrets |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.004 | OS Credential Dumping: LSA Secrets |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.006 | OS Credential Dumping: DCSync |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1003.006 | OS Credential Dumping: DCSync |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.006 | OS Credential Dumping: DCSync |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.006 | OS Credential Dumping: DCSync |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1003.007 | OS Credential Dumping: Proc Filesystem |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.007 | OS Credential Dumping: Proc Filesystem |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.007 | OS Credential Dumping: Proc Filesystem |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1005 | Data from Local System |
| attribute.confidentiality.data_disclosure | None | related-to | T1005 | Data from Local System |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1006 | Direct Volume Access |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1007 | System Service Discovery |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1007 | System Service Discovery |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1008 | Fallback Channels |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1008 | Fallback Channels |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1008 | Fallback Channels |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1008 | Fallback Channels |
| action.hacking.variety.XPath injection | XPath injection. Child of 'Exploit vuln'. | related-to | T1010 | Application Window Discovery |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1010 | Application Window Discovery |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1011 | Exfiltration Over Other Network Medium |
| attribute.confidentiality.data_disclosure | None | related-to | T1011 | Exfiltration Over Other Network Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
| attribute.confidentiality.data_disclosure | None | related-to | T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1012 | Query Registry |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1012 | Query Registry |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1014 | Rootkit |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1014 | Rootkit |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1014 | Rootkit |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1014 | Rootkit |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016 | System Network Configuration Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1016.002 | Wi-Fi Discovery |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1018 | Remote System Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1018 | Remote System Discovery |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1020 | Automated Exfiltration |
| attribute.confidentiality.data_disclosure | None | related-to | T1020 | Automated Exfiltration |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1020.001 | Automated Exfiltration: Traffic Duplication |
| attribute.confidentiality.data_disclosure | None | related-to | T1020.001 | Automated Exfiltration: Traffic Duplication |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021 | Remote Services |
| action.malware.vector.Network propagation | Network propagation | related-to | T1021 | Remote Services |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.001 | Remote Services: Remote Desktop Protocol |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1021.001 | Remote Services: Remote Desktop Protocol |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.003 | Remote Services: Distributed Component Object Model |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.003 | Remote Services: Distributed Component Object Model |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.004 | Remote Services: SSH |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.004 | Remote Services: SSH |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.005 | Remote Services: VNC |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1021.005 | Remote Services: VNC |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.006 | Remote Services: Windows Remote Management |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.006 | Remote Services: Windows Remote Management |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.007 | Cloud Services |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.008 | Direct Cloud VM Connections |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.008 | Direct Cloud VM Connections |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1025 | Data from Removable Media |
| attribute.confidentiality.data_disclosure | None | related-to | T1025 | Data from Removable Media |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027 | Obfuscated Files or Information |
| action.hacking.variety.Null byte injection | Null byte injection. Child of 'Exploit vuln'. | related-to | T1027 | Obfuscated Files or Information |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027 | Obfuscated Files or Information |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.001 | Obfuscated Files or Information: Binary Padding |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027.001 | Obfuscated Files or Information: Binary Padding |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027.002 | Obfuscated Files or Information: Software Packaging |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.003 | Obfuscated Files or Information: Steganography |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027.003 | Obfuscated Files or Information: Steganography |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027.004 | Obfuscated Files or Information: Compile After Delivery |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.010 | Command Obfuscation |
| action.hacking.vector.Command shell | Remote shell | related-to | T1027.010 | Command Obfuscation |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.011 | Fileless Storage |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.011 | Fileless Storage |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.012 | LNK Icon Smuggling |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.012 | LNK Icon Smuggling |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.013 | Encrypted/Encoded File |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.013 | Encrypted/Encoded File |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.014 | Polymorphic Code |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1029 | Scheduled Transfer |
| attribute.confidentiality.data_disclosure | None | related-to | T1029 | Scheduled Transfer |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1030 | Data Transfer Size Limits |
| attribute.confidentiality.data_disclosure | None | related-to | T1030 | Data Transfer Size Limits |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1033 | System Owner/User Discovery |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1033 | System Owner/User Discovery |
| action.malware.variety.Profile host | Enumerating the state of the current host | related-to | T1033 | System Owner/User Discovery |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036 | Masquerading |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036 | Masquerading |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036 | Masquerading |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1036 | Masquerading |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036 | Masquerading |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.001 | Masquerading: Invalid Code Signature |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.002 | Masquerading: Right-to-Left Override |
| action.social.variety.Forgery | Forgery or counterfeiting (fake hardware, software, documents, etc) | related-to | T1036.002 | Masquerading: Right-to-Left Override |
| action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. a fake Google login page isn’t really pretexting. | related-to | T1036.002 | Masquerading: Right-to-Left Override |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.003 | Masquerading: Rename System Utilities |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1036.003 | Masquerading: Rename System Utilities |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.004 | Masquerading: Masquerade Task or Service |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.005 | Masquerading: Match Legitimate Name or Location |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1036.006 | Masquerading: Space after Filename |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.008 | Masquerade File Type |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.009 | Break Process Trees |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.010 | Masquerade Account Name |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1037 | Boot or Logon Initialization Scripts |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1037 | Boot or Logon Initialization Scripts |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037 | Boot or Logon Initialization Scripts |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.003 | Boot or Logon Initialization Scripts: Network Logon Script |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.005 | Boot or Logon Initialization Scripts: Startup Items |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1039 | Data from Network Shared Drive |
| attribute.confidentiality.data_disclosure | None | related-to | T1039 | Data from Network Shared Drive |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1040 | Network Sniffing |
| action.malware.variety.Packet sniffer | Packet sniffer (capture data from network) | related-to | T1040 | Network Sniffing |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1040 | Network Sniffing |
| attribute.confidentiality.data_disclosure | None | related-to | T1040 | Network Sniffing |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1041 | Exfiltration Over C2 Channels |
| attribute.confidentiality.data_disclosure | None | related-to | T1041 | Exfiltration Over C2 Channels |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1047 | Windows Management Instrumentation |
| action.hacking.vector.Command shell | Remote shell | related-to | T1047 | Windows Management Instrumentation |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1047 | Windows Management Instrumentation |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048 | Exfiltration Over Alternative Protocol |
| attribute.confidentiality.data_disclosure | None | related-to | T1048 | Exfiltration Over Alternative Protocol |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| attribute.confidentiality.data_disclosure | None | related-to | T1048.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| attribute.confidentiality.data_disclosure | None | related-to | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| attribute.confidentiality.data_disclosure | None | related-to | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1049 | System Network Connections Discovery |
| action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1049 | System Network Connections Discovery |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium |
| attribute.confidentiality.data_disclosure | None | related-to | T1052 | Exfiltration Over Physical Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB |
| attribute.confidentiality.data_disclosure | None | related-to | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1053 | Scheduled Task/Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.002 | Scheduled Task/Job: At |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.003 | Scheduled Task/Job: Cron |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.005 | Scheduled Task/Job: Scheduled Task |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.006 | Scheduled Task/Job: Systemd Timers |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.007 | Scheduled Task/Job: Container Orchestration Job |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055 | Process Injection |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.001 | Process Injection: Dynamic-link Library Injection |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.002 | Process Injection: Portable Executable Injection |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.003 | Process Injection: Thread Execution Hijacking |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.004 | Process Injection: Asynchronous Procedure Call |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.005 | Process Injection: Thread Local Storage |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.008 | Process Injection: Ptrace System Calls |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.009 | Process Injection: Proc Memory |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.011 | Process Injection: Extra Window Memory Injection |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.012 | Process Injection: Process Hollowing |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.013 | Process Injection: Process Doppelganging |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055.014 | Process Injection: VDSO Hijacking |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056 | Input Capture |
| attribute.confidentiality.data_disclosure | None | related-to | T1056 | Input Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.001 | Input Capture: Keylogging |
| attribute.confidentiality.data_disclosure | None | related-to | T1056.001 | Input Capture: Keylogging |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.002 | Input Capture: GUI Input Capture |
| attribute.confidentiality.data_disclosure | None | related-to | T1056.002 | Input Capture: GUI Input Capture |
| action.hacking.vector.Web application | Web application | related-to | T1056.003 | Input Capture: Web Portal Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.003 | Input Capture: Web Portal Capture |
| attribute.confidentiality.data_disclosure | None | related-to | T1056.003 | Input Capture: Web Portal Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.004 | Input Capture: Credential API Hooking |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1056.004 | Input Capture: Credential API Hooking |
| action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1056.004 | Input Capture: Credential API Hooking |
| attribute.confidentiality.data_disclosure | None | related-to | T1056.004 | Input Capture: Credential API Hooking |
| action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1057 | Process Discovery |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.001 | Command and Scripting Interpreter: PowerShell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.001 | Command and Scripting Interpreter: PowerShell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.002 | Command and Scripting Interpreter: AppleScript |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.002 | Command and Scripting Interpreter: AppleScript |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.002 | Command and Scripting Interpreter: AppleScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.006 | Command and Scripting Interpreter: Python |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.006 | Command and Scripting Interpreter: Python |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.009 | Cloud API |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.009 | Cloud API |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.009 | Cloud API |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.010 | AutoHotKey & AutoIT |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.010 | AutoHotKey & AutoIT |
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059.010
|
AutoHotKey & AutoIT
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.011
|
Lua
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1059.011
|
Lua
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059.011
|
Lua
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Format string attack
|
Format string attack. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Fuzz testing
|
Fuzz testing. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Insecure deserialization
|
iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Integer overflows
|
Integer overflows. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.LDAP injection
|
LDAP injection. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1069
|
Permission Groups Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1069.001
|
Permission Groups Discovery: Local Groups
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070
|
Indicator Removal on Host
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.001
|
Indicator Removal on Host: Clear Windows Event Logs
|
attribute.integrity.variety.Log tampering
|
Log tampering or modification
| related-to |
T1070.001
|
Indicator Removal on Host: Clear Windows Event Logs
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.002
|
Indicator Removal on Host: Clear Linux or Mac System Logs
|
attribute.integrity.variety.Log tampering
|
Log tampering or modification
| related-to |
T1070.002
|
Indicator Removal on Host: Clear Linux or Mac System Logs
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.003
|
Indicator Removal on Host: Clear Command History
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.004
|
Indicator Removal on Host: File Deletion
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.005
|
Indicator Removal on Host: Network Share Connection Removal
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1070.006
|
Indicator Removal on Host: Timestomp
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1070.010
|
Relocate Malware
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1071
|
Application Layer Protocol
|
action.hacking.variety.Other
|
Other
| related-to |
T1071
|
Application Layer Protocol
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1071
|
Application Layer Protocol
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1071
|
Application Layer Protocol
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071
|
Application Layer Protocol
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.001
|
Application Layer Protocol: Web Protocols
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1071.001
|
Application Layer Protocol: Web Protocols
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.001
|
Application Layer Protocol: Web Protocols
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.002
|
Application Layer Protocol: File Transfer Protocol
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1071.002
|
Application Layer Protocol: File Transfer Protocol
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.002
|
Application Layer Protocol: File Transfer Protocol
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.003
|
Application Layer Protocol: Mail Protocols
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1071.003
|
Application Layer Protocol: Mail Protocols
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.003
|
Application Layer Protocol: Mail Protocols
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.004
|
Application Layer Protocol: DNS
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1071.004
|
Application Layer Protocol: DNS
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.004
|
Application Layer Protocol: DNS
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.005
|
Publish/Subscribe Protocols
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1071.005
|
Publish/Subscribe Protocols
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1072
|
Software Deployment Tools
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1072
|
Software Deployment Tools
|
action.malware.vector.Software update
|
Included in automated software update
| related-to |
T1072
|
Software Deployment Tools
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1072
|
Software Deployment Tools
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1074
|
Data Staged
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1074.001
|
Data Staged: Local Data Staging
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1074.002
|
Data Staged: Remote Data Staging
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1078
|
Valid Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078
|
Valid Accounts
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1078
|
Valid Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078.001
|
Valid Accounts: Default Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078.002
|
Valid Accounts: Domain Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078.003
|
Valid Accounts: Local Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078.004
|
Valid Accounts: Cloud Accounts
|
action.malware.variety.Other
|
Other
| related-to |
T1080
|
Taint Shared Content
|
action.malware.variety.Worm
|
Worm (propagate to other systems or devices)
| related-to |
T1080
|
Taint Shared Content
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1080
|
Taint Shared Content
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1082
|
System Information Discovery
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1082
|
System Information Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1083
|
File and Directory Discovery
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1083
|
File and Directory Discovery
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1083
|
File and Directory Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1087
|
Account Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1087.001
|
Account Discovery: Local Account
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1090
|
Proxy
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1090
|
Proxy
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1090
|
Proxy
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090
|
Proxy
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1090.001
|
Proxy: Internal Proxy
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090.001
|
Proxy: Internal Proxy
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1090.002
|
Proxy: External Proxy
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090.002
|
Proxy: External Proxy
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1090.003
|
Proxy: Multi-hop Proxy
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090.003
|
Proxy: Multi-hop Proxy
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1090.004
|
Proxy: Domain Fronting
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090.004
|
Proxy: Domain Fronting
|
action.malware.variety.Worm
|
Worm (propagate to other systems or devices)
| related-to |
T1091
|
Replication Through Removable Media
|
action.malware.vector.Removable media
|
Removable storage media or devices
| related-to |
T1091
|
Replication Through Removable Media
|
action.social.vector.Removable media
|
Removable storage media
| related-to |
T1091
|
Replication Through Removable Media
|
action.malware.vector.Removable media
|
Removable storage media or devices
| related-to |
T1092
|
Communication Through Removable Media
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1095
|
Non-Application Layer Protocol
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1095
|
Non-Application Layer Protocol
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1095
|
Non-Application Layer Protocol
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1098
|
Account Manipulation
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1098
|
Account Manipulation
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1098
|
Account Manipulation
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1098
|
Account Manipulation
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098
|
Account Manipulation
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.001
|
Account Manipulation: Additional Cloud Credentials
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.002
|
Account Manipulation: Exchange Email Delegate Permissions
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.003
|
Account Manipulation: Add Office 365 Global Administrator Role
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.004
|
Account Manipulation: SSH Authorized Keys
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1098.006
|
Additional Container Cluster Roles
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.006
|
Additional Container Cluster Roles
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1098.007
|
Additional Local or Domain Groups
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1098.007
|
Additional Local or Domain Groups
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1102
|
Web Service
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1102
|
Web Service
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1102
|
Web Service
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102
|
Web Service
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1102.001
|
Web Service: Dead Drop Resolver
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102.001
|
Web Service: Dead Drop Resolver
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1102.002
|
Web Service: Bidirectional Communication
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102.002
|
Web Service: Bidirectional Communication
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1102.003
|
Web Service: One-Way Communication
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102.003
|
Web Service: One-Way Communication
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1104
|
Multi-Stage Channels
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1104
|
Multi-Stage Channels
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1104
|
Multi-Stage Channels
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1104
|
Multi-Stage Channels
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1105
|
Ingress Tool Transfer
|
action.hacking.variety.Other
|
Other
| related-to |
T1105
|
Ingress Tool Transfer
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1105
|
Ingress Tool Transfer
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1106
|
Native API
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110
|
Brute Force
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110
|
Brute Force
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110.001
|
Brute Force: Password Guessing
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110.001
|
Brute Force: Password Guessing
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110.002
|
Brute Force: Password Cracking
|
action.hacking.variety.Offline cracking
|
Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR)
| related-to |
T1110.002
|
Brute Force: Password Cracking
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110.002
|
Brute Force: Password Cracking
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110.003
|
Brute Force: Password Spraying
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110.003
|
Brute Force: Password Spraying
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110.004
|
Brute Force: Credential Stuffing
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110.004
|
Brute Force: Credential Stuffing
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1111
|
Two-Factor Authentication Interception
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1111
|
Two-Factor Authentication Interception
|
action.malware.variety.Spyware/Keylogger
|
Spyware, keylogger or form-grabber (capture user input or activity)
| related-to |
T1111
|
Two-Factor Authentication Interception
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1112
|
Modify Registry
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1113
|
Screen Capture
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1113
|
Screen Capture
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1114
|
Email Collection
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1114
|
Email Collection
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1114.001
|
Email Collection: Local Email Collection
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1114.001
|
Email Collection: Local Email Collection
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1114.002
|
Email Collection: Remote Email Collection
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1114.002
|
Email Collection: Remote Email Collection
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1114.003
|
Email Collection: Email Forwarding Rule
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1114.003
|
Email Collection: Email Forwarding Rule
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1114.003
|
Email Collection: Email Forwarding Rule
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1115
|
Clipboard Data
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1115
|
Clipboard Data
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1119
|
Automated Collection
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1119
|
Automated Collection
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1119
|
Automated Collection
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1119
|
Automated Collection
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1120
|
Peripheral Device Discovery
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1123
|
Audio Capture
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1123
|
Audio Capture
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1124
|
System Time Discovery
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1125
|
Video Capture
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1125
|
Video Capture
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127
|
Trusted Developer Utilities Proxy Execution
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1127
|
Trusted Developer Utilities Proxy Execution
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127.001
|
Tursted Developer Utilities Proxy Execution: MSBuild
|
action.hacking.variety.Other
|
Other
| related-to |
T1127.001
|
Tursted Developer Utilities Proxy Execution: MSBuild
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127.002
|
ClickOnce
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1127.002
|
ClickOnce
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1129
|
Shared Modules
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1132
|
Data Encoding
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1132
|
Data Encoding
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1132
|
Data Encoding
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1132.001
|
Data Encoding: Standard Encoding
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1132.001
|
Data Encoding: Standard Encoding
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1132.001
|
Data Encoding: Standard Encoding
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1132.002
|
Data Encoding: Non-Standard Encoding
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1132.002
|
Data Encoding: Non-Standard Encoding
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1132.002
|
Data Encoding: Non-Standard Encoding
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1133
|
External Remote Services
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1133
|
External Remote Services
|
action.hacking.vector.3rd party desktop
|
3rd party online desktop sharing (LogMeIn, Go2Assist)
| related-to |
T1133
|
External Remote Services
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1133
|
External Remote Services
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
| related-to |
T1133
|
External Remote Services
|
action.hacking.vector.VPN
|
VPN
| related-to |
T1133
|
External Remote Services
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1133
|
External Remote Services
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1133
|
External Remote Services
|
action.malware.vector.Remote injection
|
Remotely injected by agent (i.e. via SQLi)
| related-to |
T1133
|
External Remote Services
|
action.malware.vector.Web application
|
Web application. Parent of 'Web application - download' and 'Web application - drive-by.
| related-to |
T1133
|
External Remote Services
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134
|
Access Token Manipulation
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.001
|
Access Token Manipulation: Token Impersonation/Theft
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.002
|
Access Token Manipulation: Create Process with Token
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.003
|
Access Token Manipulation: Make and Impersonate Token
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.004
|
Access Token Manipulation: Parent PID Spoofing
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.005
|
Access Token Manipulation: SID-History Injection
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1135
|
Network Share Discovery
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1135
|
Network Share Discovery
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1136
|
Create Accounts
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1136
|
Create Accounts
|
action.malware.variety.Modify data
|
Malware which compromises a legitimate file rather than creating new filess
| related-to |
T1136
|
Create Accounts
|
attribute.integrity.variety.Created account
|
Created new user account
| related-to |
T1136
|
Create Accounts
|
attribute.integrity.variety.Created account
|
Created new user account
| related-to |
T1136.001
|
Create Account: Local Account
|
attribute.integrity.variety.Created account
|
Created new user account
| related-to |
T1136.002
|
Create Account: Domain Account
|
attribute.integrity.variety.Created account
|
Created new user account
| related-to |
T1136.003
|
Create Account: Cloud Account
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137
|
Office Application Startup
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.001
|
Office Application Startup: Office Template Macros
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.002
|
Office Application Startup: Office Test
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.003
|
Office Application Startup: Outlook Forms
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.004
|
Office Application Startup: Outlook Home Page
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.005
|
Office Application Startup: Outlook Rules
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1140
|
Deobfuscate/Decode Files or Information
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1176
|
Browser Extensions
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1176
|
Browser Extensions
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.HTTP request smuggling
|
HTTP request smuggling. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.HTTP request splitting
|
HTTP request splitting. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.HTTP response smuggling
|
HTTP response smuggling. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.HTTP response splitting
|
HTTP response splitting. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.Session fixation
|
Session fixation. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1185
|
Browser Session Hijacking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1187
|
Forced Authentication
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1187
|
Forced Authentication
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1187
|
Forced Authentication
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1189
|
Drive-by Compromise
|
action.social.vector.Web application
|
Web application
| related-to |
T1189
|
Drive-by Compromise
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1190
|
Exploit Public-Facing Application
|
action.hacking.variety.SQLi
|
SQL injection. Child of 'Exploit vuln'.
| related-to |
T1190
|
Exploit Public-Facing Application
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195
|
Supply Chain Compromise
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195
|
Supply Chain Compromise
|
action.malware.vector.Software update
|
Included in automated software update
| related-to |
T1195
|
Supply Chain Compromise
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195.001
|
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
|
action.social.vector.Software
|
Software
| related-to |
T1195.001
|
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195.002
|
Supply Chain Compromise: Compromise Software Supply Chain
|
action.social.vector.Software
|
Software
| related-to |
T1195.002
|
Supply Chain Compromise: Compromise Software Supply Chain
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195.003
|
Supply Chain Compromise: Compromise Hardware Supply Chain
|
action.social.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195.003
|
Supply Chain Compromise: Compromise Hardware Supply Chain
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1197
|
BITS Jobs
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1199
|
Trusted Relationship
|
action.malware.variety.Adware
|
Adware
| related-to |
T1199
|
Trusted Relationship
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1199
|
Trusted Relationship
|
action.social.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1199
|
Trusted Relationship
|
action.hacking.vector.Physical access
|
Physical access or connection (i.e., at keyboard or via cable)
| related-to |
T1200
|
Hardware Additions
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1201
|
Password Policy Discovery
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1202
|
Indirect Command Execution
|
action.hacking.variety.Buffer overflow
|
Buffer overflow. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.hacking.variety.HTTP request smuggling
|
HTTP request smuggling. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.hacking.variety.HTTP request splitting
|
HTTP request splitting. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.hacking.variety.HTTP response smuggling
|
HTTP response smuggling. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.hacking.variety.HTTP response splitting
|
HTTP response splitting. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1203
|
Exploitation for Client Execution
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'.
| related-to |
T1203
|
Exploitation for Client Execution
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1204
|
User Execution
|
action.malware.variety.Other
|
Other
| related-to |
T1204
|
User Execution
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g., a fake Google login page isn’t really pretexting.
| related-to |
T1204
|
User Execution
|
action.social.vector.Email
|
Email
| related-to |
T1204
|
User Execution
|
action.social.vector.Social media
|
Social media or networking
| related-to |
T1204
|
User Execution
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.malware.variety.Other
|
Other
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'.
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g., a fake Google login page isn’t really pretexting.
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.social.vector.Email
|
Email
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.social.vector.Social media
|
Social media or networking
| related-to |
T1204.001
|
User Execution: Malicious Link
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.malware.variety.Other
|
Other
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'.
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g., a fake Google login page isn’t really pretexting.
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.social.vector.Email
|
Email
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.social.vector.Social media
|
Social media or networking
| related-to |
T1204.002
|
User Execution: Malicious File
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.malware.variety.Other
|
Other
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'.
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g., a fake Google login page isn’t really pretexting.
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging an invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.)
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.social.vector.Email
|
Email
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.social.vector.Social media
|
Social media or networking
| related-to |
T1204.003
|
User Execution: Malicious Image
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1205
|
Traffic Signaling
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1205.001
|
Traffic Signaling: Port Knocking
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1205.002
|
Traffic Signaling: Socket Filters
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1211
|
Exploitation for Defense Evasion
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1212
|
Exploitation for Credential Access
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties.
| related-to |
T1212
|
Exploitation for Credential Access
|
action.hacking.variety.Session fixation
|
Session fixation. Child of 'Exploit vuln'.
| related-to |
T1212
|
Exploitation for Credential Access
|
action.hacking.variety.XML external entities
|
XML external entities. Child of 'Exploit vuln'.
| related-to |
T1213
|
Data from Information Repository
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216
|
System Script Proxy Execution
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216.001
|
System Script Proxy Execution: PubPrn
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216.002
|
System Script Proxy Execution: SyncAppvPublishingServer
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218
|
System Binary Proxy Execution
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.001
|
System Binary Proxy Execution: Compiled HTML File
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.002
|
System Binary Proxy Execution: Control Panel
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.003
|
System Binary Proxy Execution: CMSTP
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.004
|
System Binary Proxy Execution: InstallUtil
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.005
|
System Binary Proxy Execution: Mshta
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.007
|
System Binary Proxy Execution: Msiexec
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.008
|
System Binary Proxy Execution: Odbcconf
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.009
|
System Binary Proxy Execution: Regsvcs/Regasm
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.010
|
System Binary Proxy Execution: Regsvr32
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1205
|
Traffic Signaling
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1205
|
Traffic Signaling
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.011
|
System Binary Proxy Execution: Rundll32
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1205.001
|
Traffic Signaling: Port Knocking
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1205.001
|
Traffic Signaling: Port Knocking
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1205.001
|
Traffic Signaling: Port Knocking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.012
|
System Binary Proxy Execution: Verclsid
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1207
|
Rogue Domain Controller
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.013
|
System Binary Proxy Execution: Mavinject
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1211
|
Exploitation for Defense Evasion
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1211
|
Exploitation for Defense Evasion
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.014
|
System Binary Proxy Execution: MMC
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.015
|
System Binary Proxy Execution: Electron Applications
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two.
| related-to |
T1219
|
Remote Access Software
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1212
|
Exploitation for Credential Access
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1212
|
Exploitation for Credential Access
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1212
|
Exploitation for Credential Access
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1212
|
Exploitation for Credential Access
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1220
|
XSL Script Processing
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213
|
Data from Information Repository
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213
|
Data from Information Repository
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213.001
|
Data from Information Repositories: Confluence
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213.001
|
Data from Information Repositories: Confluence
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213.002
|
Data from Information Repositories: Sharepoint
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213.002
|
Data from Information Repositories: Sharepoint
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213.003
|
Data from Information Repositories: Code Repositories
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213.004
|
Data from Information Repositories: Customer Relationship Management Software
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1213.005
|
Data from Information Repositories: Messaging Applications
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480
|
Execution Guardrails
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1480
|
Execution Guardrails
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480.001
|
Execution Guardrails: Environmental Keying
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1480.001
|
Execution Guardrails: Environmental Keying
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480.002
|
Execution Guardrails: Mutual Exclusion
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1489
|
Service Stop
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1496
|
Resource Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1496.001
|
Resource Hijacking: Compute Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1496.002
|
Resource Hijacking: Bandwidth Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1496.003
|
Resource Hijacking: SMS Pumping
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes)
| related-to |
T1496.004
|
Resource Hijacking: Cloud Service Hijacking
|
action.hacking.vector.Hypervisor
|
Hypervisor break-out attack
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
action.hacking.vector.Inter-tenant
|
Penetration of another VM or web site on shared device or infrastructure
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498
|
Network Denial of Service
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498.001
|
Network Denial of Service: Direct Network Flood
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498.002
|
Network Denial of Service: Reflection Amplification
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499
|
Endpoint Denial of Service
|
action.hacking.variety.Soap array abuse
|
Soap array abuse. Child of 'Exploit vuln'.
| related-to |
T1499
|
Endpoint Denial of Service
|
action.hacking.variety.XML external entities
|
XML external entities. Child of 'Exploit vuln'.
| related-to |
T1499
|
Endpoint Denial of Service
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1219
|
Remote Access Software
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.001
|
Endpoint Denial of Service: OS Exhaustion Flood
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1221
|
Template Injection
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222
|
File and Directory Permissions Modification
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222.001
|
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222.002
|
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.002
|
Endpoint Denial of Service: Service Exhaustion Flood
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.003
|
Endpoint Denial of Service: Application Exhaustion Flood
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.004
|
Endpoint Denial of Service: Application or System Exploitation
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1505.001
|
Server Software Component: SQL Stored Procedures
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1505.002
|
Server Software Component: Transport Agent
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1482
|
Domain Trust Discovery
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1484
|
Domain Policy Modification
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1484.001
|
Domain Policy Modification: Group Policy Modification
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1484.002
|
Domain Policy Modification: Domain Trust Modification
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1485
|
Data Destruction
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1485
|
Data Destruction
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1485
|
Data Destruction
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1485.001
|
Data Destruction: Lifecycle-Triggered Deletion
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1485.001
|
Data Destruction: Lifecycle-Triggered Deletion
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1485.001
|
Data Destruction: Lifecycle-Triggered Deletion
|
action.malware.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1486
|
Data Encrypted for Impact
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1486
|
Data Encrypted for Impact
|
attribute.availability.variety.Obscuration
|
Conversion or obscuration (ransomware)
| related-to |
T1486
|
Data Encrypted for Impact
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1518
|
Software Discovery
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1489
|
Service Stop
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1489
|
Service Stop
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1490
|
Inhibit System Recovery
|
action.malware.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1490
|
Inhibit System Recovery
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1490
|
Inhibit System Recovery
|
attribute.availability.variety.Obscuration
|
Conversion or obscuration (ransomware)
| related-to |
T1491
|
Defacement
|
attribute.integrity.variety.Defacement
|
Deface content
| related-to |
T1491
|
Defacement
|
attribute.availability.variety.Obscuration
|
Conversion or obscuration (ransomware)
| related-to |
T1491.001
|
Defacement: Internal Defacement
|
attribute.integrity.variety.Defacement
|
Deface content
| related-to |
T1491.001
|
Defacement: Internal Defacement
|
attribute.availability.variety.Obscuration
|
Conversion or obscuration (ransomware)
| related-to |
T1491.002
|
Defacement: External Defacement
|
attribute.integrity.variety.Defacement
|
Deface content
| related-to |
T1491.002
|
Defacement: External Defacement
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1495
|
Firmware Corruption
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1495
|
Firmware Corruption
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1495
|
Firmware Corruption
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1495
|
Firmware Corruption
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1518.001
|
Software Discovery: Security Software Discovery
|
action.malware.variety.Click fraud
|
Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
action.malware.variety.Click fraud and cryptocurrency mining
|
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
action.malware.variety.Cryptocurrency mining
|
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
action.malware.variety.Click fraud and cryptocurrency mining
|
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.
| related-to |
T1496.001
|
Resource Hijacking: Compute Hijacking
|
action.malware.variety.Cryptocurrency mining
|
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496.001
|
Resource Hijacking: Compute Hijacking
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1496
|
Resource Hijacking
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1525
|
Implant Internal Image
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1525
|
Implant Internal Image
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1526
|
Cloud Service Discovery
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1529
|
System Shutdown/Reboot
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1531
|
Account Access Removal
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1539
|
Steal Web Session Cookie
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.001
|
Virtualization/Sandbox Evasion: System Checks
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.002
|
Virtualization/Sandbox Evasion: User Activity Based Checks
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.003
|
Virtualization/Sandbox Evasion: Time Based Evasion
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1539
|
Steal Web Session Cookie
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498
|
Network Denial of Service
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1498
|
Network Denial of Service
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1498
|
Network Denial of Service
|
action.hacking.variety.Session replay
|
Session replay. Child of 'Exploit vuln'.
| related-to |
T1539
|
Steal Web Session Cookie
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498.001
|
Network Denial of Service: Direct Network Flood
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1498.001
|
Network Denial of Service: Direct Network Flood
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1498.001
|
Network Denial of Service: Direct Network Flood
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543
|
Create or Modify System Process
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498.002
|
Network Denial of Service: Reflection Amplification
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1498.002
|
Network Denial of Service: Reflection Amplification
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1498.002
|
Network Denial of Service: Reflection Amplification
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1543
|
Create or Modify System Process
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1543
|
Create or Modify System Process
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.001
|
Create or Modify System Process: Launch Agent
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499
|
Endpoint Denial of Service
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1499
|
Endpoint Denial of Service
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1499
|
Endpoint Denial of Service
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.002
|
Create or Modify System Process: Systemd Service
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.001
|
Endpoint Denial of Service: OS Exhaustion Flood
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1499.001
|
Endpoint Denial of Service: OS Exhaustion Flood
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1499.001
|
Endpoint Denial of Service: OS Exhaustion Flood
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.003
|
Create or Modify System Process: Windows Service
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.002
|
Endpoint Denial of Service: Service Exhaustion Flood
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1499.002
|
Endpoint Denial of Service: Service Exhaustion Flood
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1499.002
|
Endpoint Denial of Service: Service Exhaustion Flood
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.004
|
Create or Modify System Process: Launch Daemon
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.003
|
Endpoint Denial of Service: Application Exhaustion Flood
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1499.003
|
Endpoint Denial of Service: Application Exhaustion Flood
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1499.003
|
Endpoint Denial of Service: Application Exhaustion Flood
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.005
|
Create or Modify System Process: Container Service
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.004
|
Endpoint Denial of Service: Application or System Exploitation
|
attribute.availability.variety.Degradation
|
Performance degradation
| related-to |
T1499.004
|
Endpoint Denial of Service: Application or System Exploitation
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1499.004
|
Endpoint Denial of Service: Application or System Exploitation
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505
|
Server Software Component
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505
|
Server Software Component
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1546
|
Event Triggered Execution
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.001
|
Server Software Component: SQL Stored Procedures
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.001
|
Server Software Component: SQL Stored Procedures
|
action.hacking.variety.XML injection
|
XML injection. Child of 'Exploit vuln'.
| related-to |
T1546
|
Event Triggered Execution
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.002
|
Server Software Component: Transport Agent
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.002
|
Server Software Component: Transport Agent
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.003
|
Server Software Component: Web Shell
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.003
|
Server Software Component: Web Shell
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1546
|
Event Triggered Execution
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1525
|
Implant Internal Image
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1525
|
Implant Internal Image
|
action.malware.variety.RAT
|
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'.
| related-to |
T1525
|
Implant Internal Image
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1525
|
Implant Internal Image
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548
|
Abuse Elevation Control Mechanism
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1528
|
Steal Application Access Token
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.001
|
Abuse Elevation Control Mechanism: Setuid and Setgid
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1529
|
System Shutdown/Reboot
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1530
|
Data from Cloud Storage
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1530
|
Data from Cloud Storage
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.002
|
Abuse Elevation Control Mechanism: Bypass User Account Control
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1531
|
Account Access Removal
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1531
|
Account Access Removal
|
attribute.integrity.variety.Unknown
|
Unknown
| related-to |
T1531
|
Account Access Removal
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.)
| related-to |
T1534
|
Internal Spearphishing
|
attribute.integrity.variety.Misrepresentation
|
compromise of authenticity (e.g. masquerading as the legitimate owner of an account)
| related-to |
T1534
|
Internal Spearphishing
|
attribute.integrity.variety.Repurpose
|
Repurposed asset for unauthorized function
| related-to |
T1535
|
Unused/Unsupported Cloud Regions
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1537
|
Transfer Data to Cloud Account
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1537
|
Transfer Data to Cloud Account
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.002
|
Abuse Elevation Control Mechanism: Bypass User Account Control
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.003
|
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.003
|
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1539
|
Steal Web Session Cookie
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542
|
Pre-OS Boot
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.001
|
Pre-OS Boot: System Firmware
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.002
|
Pre-OS Boot: Component Firmware
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.003
|
Pre-OS Boot: Bootkit
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.004
|
Pre-OS Boot: ROMMONkit
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.005
|
Pre-OS Boot: TFTP Boot
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.004
|
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1543
|
Create or Modify System Process
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1543
|
Create or Modify System Process
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1543
|
Create or Modify System Process
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1543
|
Create or Modify System Process
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.004
|
Abuse Elevation Control Mechanism: Elevated Execution with Prompt
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1543.001
|
Create or Modify System Process: Launch Agent
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.005
|
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1543.002
|
Create or Modify System Process: Systemd Service
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.006
|
Abuse Elevation Control Mechanism: TCC Manipulation
|
action.malware.variety.RAT
|
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'.
| related-to |
T1543.003
|
Create or Modify System Process: Windows Service
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1543.003
|
Create or Modify System Process: Windows Service
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550
|
Use Alternate Authentication Material
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1543.004
|
Create or Modify System Process: Launch Daemon
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.001
|
Use Alternate Authentication Material: Application Access Token
|
action.hacking.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550.002
|
Use Alternate Authentication Material: Pass the Hash
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.002
|
Use Alternate Authentication Material: Pass the Hash
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.003
|
Use Alternate Authentication Material: Pass the Ticket
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1546
|
Event Triggered Execution
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1546
|
Event Triggered Execution
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546
|
Event Triggered Execution
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.001
|
Event Triggered Execution: Change Default File Association
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.002
|
Event Triggered Execution: Screensaver
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.003
|
Event Triggered Execution: Windows Management Instrumentation Event Subscription
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.004
|
Event Triggered Execution: Unix Shell Configuration Modification
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.005
|
Event Triggered Execution: Trap
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.006
|
Event Triggered Execution: LC_LOAD_DYLIB Addition
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.007
|
Event Triggered Execution: Netsh Helper DLL
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.008
|
Event Triggered Execution: Accessibility Features
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.009
|
Event Triggered Execution: AppCert DLLs
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.010
|
Event Triggered Execution: AppInit DLLs
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.011
|
Event Triggered Execution: Application Shimming
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.012
|
Event Triggered Execution: Image File Execution Options Injection
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.013
|
Event Triggered Execution: PowerShell Profile
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.014
|
Event Triggered Execution: Emond
|
attribute.integrity.variety.Alter behavior
|
Influence or alter human behavior
| related-to |
T1546.015
|
Event Triggered Execution: Component Object Model Hijacking
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1546.016
|
Event Triggered Execution: Installer Packages
|
action.hacking.variety.Session replay
|
Session replay. Child of 'Exploit vuln'.
| related-to |
T1550.004
|
Use Alternate Authentication Material: Web Session Cookie
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.001
|
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.002
|
Boot or Logon Autostart Execution: Authentication Package
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.003
|
Boot or Logon Autostart Execution: Time Providers
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.004
|
Boot or Logon Autostart Execution: Winlogon Helper DLL
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.005
|
Boot or Logon Autostart Execution: Security Support Provider
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.006
|
Boot or Logon Autostart Execution: Kernel Modules and Extensions
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.007
|
Boot or Logon Autostart Execution: Re-opened Applications
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.008
|
Boot or Logon Autostart Execution: LSASS Driver
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.009
|
Boot or Logon Autostart Execution: Shortcut Modification
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.010
|
Boot or Logon Autostart Execution: Port Monitors
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.012
|
Boot or Logon Autostart Execution: Print Processors
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1547.013
|
Boot or Logon Autostart Execution: XDG Autostart Entries
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1547.014
|
Boot or Logon Autostart Execution: Active Setup
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.004
|
Use Alternate Authentication Material: Web Session Cookie
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1553
|
Subvert Trust Controls
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.002
|
Abuse Elevation Control Mechanism: Bypass User Account Control
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1548.003
|
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1556
|
Modify Authentication Process
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1556
|
Modify Authentication Process
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557
|
Man-in-the-Middle
|
action.hacking.variety.Routing detour
|
Routing detour. Child of 'Exploit vuln'.
| related-to |
T1557
|
Man-in-the-Middle
|
action.malware.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550
|
Use Alternate Authentication Material
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1550
|
Use Alternate Authentication Material
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.001
|
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay
|
action.hacking.variety.Cache poisoning
|
Cache poisoning. Child of 'Exploit vuln'.
| related-to |
T1557.002
|
Adversary-in-the-Middle: ARP Cache Poisoning
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.002
|
Adversary-in-the-Middle: ARP Cache Poisoning
|
action.malware.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550.002
|
Use Alternate Authentication Material: Pass the Hash
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1550.002
|
Use Alternate Authentication Material: Pass the Hash
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558
|
Steal or Forge Kerberos Tickets
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.001
|
Steal or Forge Kerberos Tickets: Golden Ticket
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.002
|
Steal or Forge Kerberos Tickets: Silver Ticket
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552
|
Unsecured Credentials
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.001
|
Unsecured Credentials: Credentials in Files
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.001
|
Unsecured Credentials: Credentials in Files
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.002
|
Unsecured Credentials: Credentials in Registry
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.002
|
Unsecured Credentials: Credentials in Registry
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.003
|
Unsecured Credentials: Bash History
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.003
|
Unsecured Credentials: Bash History
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.004
|
Unsecured Credentials: Private Keys
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.004
|
Unsecured Credentials: Private Keys
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.005
|
Unsecured Credentials: Cloud Instance Metadata API
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.005
|
Unsecured Credentials: Cloud Instance Metadata API
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.006
|
Unsecured Credentials: Group Policy Preferences
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.006
|
Unsecured Credentials: Group Policy Preferences
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.007
|
Unsecured Credentials: Container API
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.008
|
Unsecured Credentials: Chat Messages
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1552.008
|
Unsecured Credentials: Chat Messages
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.003
|
Steal or Forge Kerberos Tickets: Kerberoasting
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553
|
Subvert Trust Controls
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1553
|
Subvert Trust Controls
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1553
|
Subvert Trust Controls
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.001
|
Subvert Trust Controls: Gatekeeper Bypass
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.002
|
Subvert Trust Controls: Code Signing
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.003
|
Subvert Trust Controls: SIP and Trust Provider Hijacking
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.004
|
Subvert Trust Controls: Install Root Certificate
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.005
|
Subvert Trust Controls: Mark-of-the-Web Bypass
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.006
|
Subvert Trust Controls: Code Signing Policy Modification
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1558.004
|
Steal or Forge Kerberos Tickets: AS-REP Roasting
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.004
|
Steal or Forge Kerberos Tickets: AS-REP Roasting
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'.
| related-to |
T1554
|
Compromise Client Software Binary
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555
|
Credentials from Password Stores
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555
|
Credentials from Password Stores
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.001
|
Credentials from Password Stores: Keychain
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.001
|
Credentials from Password Stores: Keychain
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.002
|
Credentials from Password Stores: Securityd Memory
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1555.002
|
Credentials from Password Stores: Securityd Memory
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.002
|
Credentials from Password Stores: Securityd Memory
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.003
|
Credentials from Password Stores: Credentials from Web Browser
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.003
|
Credentials from Password Stores: Credentials from Web Browser
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.004
|
Credentials from Password Stores: Windows Credential Manager
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.004
|
Credentials from Password Stores: Windows Credential Manager
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.005
|
Credentials from Password Stores: Password Managers
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.005
|
Credentials from Password Stores: Password Managers
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.006
|
Credentials from Password Stores: Cloud Secrets Management Stores
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1555.006
|
Credentials from Password Stores: Cloud Secrets Management Stores
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.005
|
Steal or Forge Kerberos Tickets: Ccache Files
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559
|
Inter-Process Communication
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556
|
Modify Authentication Process
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556
|
Modify Authentication Process
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556.001
|
Modify Authentication Process: Domain Controller Authentication
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556.001
|
Modify Authentication Process: Domain Controller Authentication
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556.003
|
Modify Authentication Process: Pluggable Authentication Modules
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556.003
|
Modify Authentication Process: Pluggable Authentication Modules
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556.004
|
Modify Authentication Process: Network Device Authentication
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556.004
|
Modify Authentication Process: Network Device Authentication
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559.001
|
Inter-Process Communication: Component Object Model
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559.002
|
Inter-Process Communication: Dynamic Data Exchange
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557
|
Man-in-the-Middle
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1557
|
Man-in-the-Middle
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562
|
Impair Defenses
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.001
|
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1562
|
Impair Defenses
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.001
|
Impair Defenses: Disable or Modify Tools
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.002
|
Adversary-in-the-Middle: ARP Cache Poisoning
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.003
|
Adversary-in-the-Middle: DHCP Spoofing
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.002
|
Impair Defenses: Disable Windows Event Logging
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.003
|
Impair Defenses: Impair Command History Logging
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.004
|
Impair Defenses: Disable or Modify System Firewall
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.007
|
Impair Defenses: Disable or Modify Cloud Firewall
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.008
|
Impair Defenses: Disable Cloud Logs
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.011
|
Impair Defenses: Spoof Security Alerting
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.012
|
Impair Defenses: Disable or Modify Linux Audit System
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1558.004
|
Steal or Forge Kerberos Tickets: AS-REP Roasting
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563
|
Remote Service Session Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1563
|
Remote Service Session Hijacking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563.001
|
Remote Service Session Hijacking: SSH Hijacking
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560
|
Archive Collected Data
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.001
|
Archive Collected Data: Archive via Utility
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.002
|
Archive Collected Data: Archive via Library
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.003
|
Archive Collected Data: Archive via Custom Method
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561
|
Disk Wipe
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1561
|
Disk Wipe
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1561
|
Disk Wipe
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1561
|
Disk Wipe
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561.001
|
Disk Wipe: Disk Content Wipe
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1561.001
|
Disk Wipe: Disk Content Wipe
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1561.001
|
Disk Wipe: Disk Content Wipe
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561.002
|
Disk Wipe: Disk Structure Wipe
|
attribute.availability.variety.Destruction
|
Destruction
| related-to |
T1561.002
|
Disk Wipe: Disk Structure Wipe
|
attribute.availability.variety.Interruption
|
Interruption
| related-to |
T1561.002
|
Disk Wipe: Disk Structure Wipe
|
attribute.availability.variety.Loss
|
Loss
| related-to |
T1561.002
|
Disk Wipe: Disk Structure Wipe
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1563.001
|
Remote Service Session Hijacking: SSH Hijacking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563.002
|
Remote Service Session Hijacking: RDP Hijacking
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562
|
Impair Defenses
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1562
|
Impair Defenses
|
action.malware.variety.Modify data
|
Malware which compromises a legitimate file rather than creating new files.
| related-to |
T1562
|
Impair Defenses
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1562
|
Impair Defenses
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1563.002
|
Remote Service Session Hijacking: RDP Hijacking
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.001
|
Impair Defenses: Disable or Modify Tools
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564
|
Hide Artifacts
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.002
|
Impair Defenses: Disable Windows Event Logging
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564
|
Hide Artifacts
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.003
|
Impair Defenses: Impair Command History Logging
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.001
|
Hide Artifacts: Hidden Files and Directories
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.004
|
Impair Defenses: Disable or Modify System Firewall
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.006
|
Impair Defenses: Indicator Blocking
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.001
|
Hide Artifacts: Hidden Files and Directories
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.007
|
Impair Defenses: Disable or Modify Cloud Firewall
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.002
|
Hide Artifacts: Hidden Users
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.008
|
Impair Defenses: Disable Cloud Logs
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.002
|
Hide Artifacts: Hidden Users
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.011
|
Impair Defenses: Spoof Security Alerting
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.003
|
Hide Artifacts: Hidden Window
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.012
|
Impair Defenses: Disable or Modify Linux Audit System
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.003
|
Hide Artifacts: Hidden Window
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563
|
Remote Service Session Hijacking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.004
|
Hide Artifacts: NTFS File Attributes
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563.001
|
Remote Service Session Hijacking: SSH Hijacking
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.004
|
Hide Artifacts: NTFS File Attributes
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563.002
|
Remote Service Session Hijacking: RDP Hijacking
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.005
|
Hide Artifacts: Hidden File System
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564
|
Hide Artifacts
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564
|
Hide Artifacts
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.005
|
Hide Artifacts: Hidden File System
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.001
|
Hide Artifacts: Hidden Files and Directories
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.001
|
Hide Artifacts: Hidden Files and Directories
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.006
|
Hide Artifacts: Run Virtual Instance
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.002
|
Hide Artifacts: Hidden Users
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.002
|
Hide Artifacts: Hidden Users
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.006
|
Hide Artifacts: Run Virtual Instance
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.003
|
Hide Artifacts: Hidden Window
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.003
|
Hide Artifacts: Hidden Window
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.007
|
Hide Artifacts: VBA Stomping
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.004
|
Hide Artifacts: NTFS File Attributes
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.004
|
Hide Artifacts: NTFS File Attributes
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.007
|
Hide Artifacts: VBA Stomping
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.005
|
Hide Artifacts: Hidden File System
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.005
|
Hide Artifacts: Hidden File System
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568
|
Dynamic Resolution
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.006
|
Hide Artifacts: Run Virtual Instance
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.006
|
Hide Artifacts: Run Virtual Instance
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1568
|
Dynamic Resolution
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.007
|
Hide Artifacts: VBA Stomping
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'
| related-to |
T1564.007
|
Hide Artifacts: VBA Stomping
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.007
|
Hide Artifacts: VBA Stomping
|
attribute.integrity.variety.Modify data
|
Modified stored data or content
| related-to |
T1565
|
Data Manipulation
|
attribute.integrity.variety.Modify data
|
Modified stored data or content
| related-to |
T1565.001
|
Data Manipulation: Stored Data Manipulation
|
attribute.integrity.variety.Modify data
|
Modified stored data or content
| related-to |
T1565.002
|
Data Manipulation: Transmitted Data Manipulation
|
attribute.integrity.variety.Modify data
|
Modified stored data or content
| related-to |
T1565.003
|
Data Manipulation: Runtime Data Manipulation
|
action.malware.vector.Instant messaging
|
Instant Messaging
| related-to |
T1566
|
Phishing
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario; e.g. a fake Google login page isn’t really pretexting.
| related-to |
T1566
|
Phishing
|
action.social.vector.Email
|
Email
| related-to |
T1566
|
Phishing
|
action.malware.vector.Email
|
Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown'.
| related-to |
T1566.001
|
Phishing: Spearphishing Attachment
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1566.001
|
Phishing: Spearphishing Attachment
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario; e.g. a fake Google login page isn’t really pretexting.
| related-to |
T1566.001
|
Phishing: Spearphishing Attachment
|
action.social.vector.Email
|
Email
| related-to |
T1566.001
|
Phishing: Spearphishing Attachment
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario; e.g. a fake Google login page isn’t really pretexting.
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
action.social.vector.Email
|
Email
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
action.social.vector.Web application
|
Web application
| related-to |
T1566.002
|
Phishing: Spearphishing Link
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario; e.g. a fake Google login page isn’t really pretexting.
| related-to |
T1566.003
|
Phishing: Spearphishing via Service
|
action.social.vector.Email
|
Email
| related-to |
T1566.003
|
Phishing: Spearphishing via Service
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario; e.g. a fake Google login page isn’t really pretexting.
| related-to |
T1566.004
|
Phishing: Spearphishing Voice
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567
|
Exfiltration Over Web Service
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1567
|
Exfiltration Over Web Service
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.001
|
Exfiltration Over Web Service: Exfiltration to Code Repository
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1567.001
|
Exfiltration Over Web Service: Exfiltration to Code Repository
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.002
|
Exfiltration Over Web Service: Exfiltration to Cloud Storage
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1567.002
|
Exfiltration Over Web Service: Exfiltration to Cloud Storage
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.003
|
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1567.003
|
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.004
|
Exfiltration Over Web Service: Exfiltration Over Webhook
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1567.004
|
Exfiltration Over Web Service: Exfiltration Over Webhook
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.001
|
Dynamic Resolution: Fast Flux DNS
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.002
|
Dynamic Resolution: Domain Generation Algorithms
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568
|
Dynamic Resolution
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568
|
Dynamic Resolution
|
action.malware.vector.Download by malware
|
Downloaded and installed by local malware
| related-to |
T1568
|
Dynamic Resolution
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.003
|
Dynamic Resolution: DNS Calculation
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.001
|
Dynamic Resolution: Fast Flux DNS
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.001
|
Dynamic Resolution: Fast Flux DNS
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569
|
System Services
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.002
|
Dynamic Resolution: Domain Generation Algorithms
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.002
|
Dynamic Resolution: Domain Generation Algorithms
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569.001
|
System Services: Launchctl
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.003
|
Dynamic Resolution: DNS Calculation
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.003
|
Dynamic Resolution: DNS Calculation
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569.002
|
System Services: Service Execution
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1571
|
Non-Standard Port
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1572
|
Protocol Tunneling
|
action.malware.vector.Direct install
|
Directly installed or inserted by threat agent (after system access)
| related-to |
T1569.002
|
System Services: Service Execution
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1570
|
Lateral Tool Transfer
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1572
|
Protocol Tunneling
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1571
|
Non-Standard Port
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1571
|
Non-Standard Port
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573
|
Encrypted Channels
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1573
|
Encrypted Channels
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1572
|
Protocol Tunneling
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1572
|
Protocol Tunneling
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573.001
|
Encrypted Channels: Symmetric Cryptography
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573.002
|
Encrypted Channels: Asymmetric Cryptography
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573
|
Encrypted Channels
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573
|
Encrypted Channels
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1574
|
Hijack Execution Flow
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573.001
|
Encrypted Channels: Symmetric Cryptography
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573.001
|
Encrypted Channels: Symmetric Cryptography
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574
|
Hijack Execution Flow
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573.002
|
Encrypted Channels: Asymmetric Cryptography
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573.002
|
Encrypted Channels: Asymmetric Cryptography
|
action.hacking.variety.XML injection
|
XML injection. Child of 'Exploit vuln'.
| related-to |
T1574
|
Hijack Execution Flow
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.001
|
Hijack Execution Flow: DLL Search Order Hijacking
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties.
| related-to |
T1574.001
|
Hijack Execution Flow: DLL Search Order Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1574.001
|
Hijack Execution Flow: DLL Search Order Hijacking
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.001
|
Hijack Execution Flow: DLL Search Order Hijacking
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.002
|
Hijack Execution Flow: DLL Side-Loading
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties.
| related-to |
T1574.002
|
Hijack Execution Flow: DLL Side-Loading
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1574.002
|
Hijack Execution Flow: DLL Side-Loading
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.002
|
Hijack Execution Flow: DLL Side-Loading
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations (such as XSS when an XSS vuln exists). Parent of many hacking varieties.
| related-to |
T1574.004
|
Hijack Execution Flow: Dylib Hijacking
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1574.004
|
Hijack Execution Flow: Dylib Hijacking
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.004
|
Hijack Execution Flow: Dylib Hijacking
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.005
|
Hijack Execution Flow: Executable Installer File Permissions Weakness
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes).
| related-to |
T1574.005
|
Hijack Execution Flow: Executable Installer File Permissions Weakness
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.005
|
Hijack Execution Flow: Executable Installer File Permissions Weakness
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.010
|
Hijack Execution Flow: Services File Permissions Weakness
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.011
|
Hijack Execution Flow: Services Registry Permissions Weakness
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
action.hacking.vector.Hypervisor
|
Hypervisor break-out attack
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1574.012
|
Hijack Execution Flow: COR_PROFILER
|
action.hacking.vector.Inter-tenant
|
Penetration of another VM or web site on shared device or infrastructure
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.001
|
Modify Cloud Compute Infrastructure: Create Snapshot
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.002
|
Modify Cloud Compute Infrastructure: Create Cloud Instance
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.003
|
Modify Cloud Compute Infrastructure: Delete Cloud Instance
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.004
|
Modify Cloud Compute Infrastructure: Revert Cloud Instance
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.005
|
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1580
|
Cloud Infrastructure Discovery
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583
|
Acquire Infrastructure
|
action.malware.vector.Web application - download
|
Web via user-executed or downloaded content. Child of 'Web application'.
| related-to |
T1583
|
Acquire Infrastructure
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.001
|
Acquire Infrastructure: Domains
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.001
|
Acquire Infrastructure: Domains
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.001
|
Acquire Infrastructure: Domains
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.002
|
Acquire Infrastructure: DNS Server
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.002
|
Acquire Infrastructure: DNS Server
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.002
|
Acquire Infrastructure: DNS Server
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.003
|
Acquire Infrastructure: Virtual Private Server
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.003
|
Acquire Infrastructure: Virtual Private Server
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.004
|
Acquire Infrastructure: Server
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.004
|
Acquire Infrastructure: Server
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1583.005
|
Acquire Infrastructure: Botnet
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.005
|
Acquire Infrastructure: Botnet
|
value_chain.development.variety.Bot
|
A small program that can be distributed, installed, and controlled en masse.
| related-to |
T1583.005
|
Acquire Infrastructure: Botnet
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.006
|
Acquire Infrastructure: Web Services
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.006
|
Acquire Infrastructure: Web Services
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.006
|
Acquire Infrastructure: Web Services
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.006
|
Acquire Infrastructure: Web Services
|
value_chain.development.variety.Website
|
Development of any full website controlled by the attacker
| related-to |
T1583.006
|
Acquire Infrastructure: Web Services
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584
|
Compromise Infrastructure
|
action.malware.vector.Web application - download
|
Web via user-executed or downloaded content. Child of 'Web application'.
| related-to |
T1584
|
Compromise Infrastructure
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.001
|
Compromise Infrastructure: Domains
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1584.001
|
Compromise Infrastructure: Domains
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.002
|
Compromise Infrastructure: DNS Server
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1584.002
|
Compromise Infrastructure: DNS Server
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1584.002
|
Compromise Infrastructure: DNS Server
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.003
|
Compromise Infrastructure: Virtual Private Server
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.004
|
Compromise Infrastructure: Server
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1584.005
|
Compromise Infrastructure: Botnet
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.005
|
Compromise Infrastructure: Botnet
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.006
|
Compromise Infrastructure: Web Services
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1585
|
Establish Accounts
|
value_chain.development.variety.Persona
|
A fake representation of a person, such as fake social media profiles
| related-to |
T1585
|
Establish Accounts
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1585.001
|
Establish Accounts: Social Media Accounts
|
value_chain.development.variety.Persona
|
A fake representation of a person, such as fake social media profiles
| related-to |
T1585.001
|
Establish Accounts: Social Media Accounts
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1585.002
|
Establish Accounts: Email Account
|
value_chain.development.variety.Persona
|
A fake representation of a person, such as fake social media profiles
| related-to |
T1585.002
|
Establish Accounts: Email Account
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586
|
Compromise Account
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586.001
|
Compromise Account: Social Media Accounts
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1586.001
|
Compromise Account: Social Media Accounts
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1586.001
|
Compromise Account: Social Media Accounts
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586.002
|
Compromise Account: Email Accounts
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587
|
Develop Capabilities
|
value_chain.development.variety.Unknown
|
Nothing is known about the need for or type of development investment other than it was present.
| related-to |
T1587
|
Develop Capabilities
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
value_chain.development.variety.Bot
|
A small program that can be distributed, installed, and controlled en mass.
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
value_chain.development.variety.Payload
|
The portion a program that causes a negative effect.
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
value_chain.development.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
value_chain.development.variety.Trojan
|
A program which masquerades as another program to get a target to execute malicious content
| related-to |
T1587.001
|
Develop Capabilities: Malware
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.002
|
Develop Capabilities: Code Signing Certificates
|
value_chain.development.variety.Other
|
The variety of development required is known, but is not listed.
| related-to |
T1587.002
|
Develop Capabilities: Code Signing Certificates
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.003
|
Develop Capabilities: Digital Certificates
|
value_chain.development.variety.Other
|
The variety of development required is known, but is not listed.
| related-to |
T1587.003
|
Develop Capabilities: Digital Certificates
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.004
|
Develop Capabilities: Exploits
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1587.004
|
Develop Capabilities: Exploits
|
value_chain.development.variety.Exploit
|
Code to exploit a vulnerability, including web injects.
| related-to |
T1587.004
|
Develop Capabilities: Exploits
|
value_chain.development.variety.Exploit Kits
|
Code sets capable of selecting and trying multiple exploits against a target.
| related-to |
T1587.004
|
Develop Capabilities: Exploits
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588
|
Obtain Capabilities
|
value_chain.development.variety.Unknown
|
Nothing is known about the need for or type of development investment other than it was present.
| related-to |
T1588
|
Obtain Capabilities
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
value_chain.development.variety.Bot
|
A small program that can be distributed, installed, and controlled en mass.
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
value_chain.development.variety.Payload
|
The portion a program that causes a negative effect.
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
value_chain.development.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
value_chain.development.variety.Trojan
|
A program which masquerades as another program to get a target to execute malicious content
| related-to |
T1588.001
|
Obtain Capabilities: Malware
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.002
|
Obtain Capabilities: Tool
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.003
|
Obtain Capabilities: Code Signing Certificates
|
value_chain.development.variety.Other
|
The variety of development required is known, but is not listed.
| related-to |
T1588.003
|
Obtain Capabilities: Code Signing Certificates
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.004
|
Obtain Capabilities: Digital Certificates
|
value_chain.development.variety.Other
|
The variety of development required is known, but is not listed.
| related-to |
T1588.004
|
Obtain Capabilities: Digital Certificates
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.005
|
Obtain Capabilities: Exploits
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.005
|
Obtain Capabilities: Exploits
|
value_chain.development.variety.Exploit
|
Code to exploit a vulnerability, including web injects.
| related-to |
T1588.005
|
Obtain Capabilities: Exploits
|
value_chain.development.variety.Exploit Kits
|
Code sets capable of selecting and trying multiple exploits against a target.
| related-to |
T1588.005
|
Obtain Capabilities: Exploits
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.006
|
Obtain Capabilities: Vulnerabilities
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.006
|
Obtain Capabilities: Vulnerabilities
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.007
|
Artificial Intelligence
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.007
|
Artificial Intelligence
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589
|
Gather Victim Identity Information
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.001
|
Gather Victim Identity Information: Credentials
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.002
|
Gather Victim Identity Information: Email Addresses
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.003
|
Gather Victim Identity Information: Employee Names
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590
|
Gather Victim Network Information
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.001
|
Gather Victim Network Information: Domain Properties
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.002
|
Gather Victim Network Information: DNS
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.003
|
Gather Victim Network Information: Network Trust Dependencies
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.004
|
Gather Victim Network Information: Network Topology
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.005
|
Gather Victim Network Information: IP Addresses
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.006
|
Gather Victim Network Information: Network Security Appliances
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592
|
Gather Victim Host Information
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.001
|
Gather Victim Host Information: Hardware
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.002
|
Gather Victim Host Information: Software
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.003
|
Gather Victim Host Information: Firmware
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.004
|
Gather Victim Host Information: Client Configurations
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595
|
Active Scanning
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595.001
|
Active Scanning: Scanning IP Blocks
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1595.002
|
Active Scanning: Vulnerability Scanning
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595.002
|
Active Scanning: Vulnerability Scanning
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1598
|
Phishing for Information
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1598
|
Phishing for Information
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1598.001
|
Phishing for Information: Spearphishing Service
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1598.001
|
Phishing for Information: Spearphishing Service
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1598.002
|
Phishing for Information: Spearphishing Attachment
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1598.002
|
Phishing for Information: Spearphishing Attachment
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1598.002
|
Phishing for Information: Spearphishing Attachment
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1598.003
|
Phishing for Information: Spearphishing Link
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1598.003
|
Phishing for Information: Spearphishing Link
|
action.social.variety.Pretexting
|
Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.
| related-to |
T1598.003
|
Phishing for Information: Spearphishing Link
|
action.social.variety.Phishing
|
Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting.
| related-to |
T1598.004
|
Phishing for Information: Spearphishing Voice
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1599
|
Network Boundry Bridging
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1599.001
|
Network Boundry Bridging: Network Address Translation Traversal
|
action.hacking.variety.Cryptanalysis
|
Cryptanalysis. Child of 'Exploit vuln'.
| related-to |
T1600
|
Weaken Encryption
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600
|
Weaken Encryption
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600.001
|
Weaken Encryption: Reduce Key Space
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600.002
|
Weaken Encryption: Disable Crypto Hardware
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601
|
Modify System Image
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1601
|
Modify System Image
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601.001
|
Modify System Image: Patch System Image
|
attribute.integrity.variety.Software installation
|
Software installation or code modification
| related-to |
T1601.001
|
Modify System Image: Patch System Image
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556.008
|
Network Provider DLL
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556.008
|
Network Provider DLL
|
attribute.integrity.variety.Modify configuration
|
Modified configuration or services
| related-to |
T1556.009
|
Conditional Access Policies
|
attribute.integrity.variety.Modify privileges
|
Modified privileges or permissions
| related-to |
T1556.009
|
Conditional Access Policies
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601.002
|
Modify System Image: Downgrade System Image
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602
|
Data from Configuration Repository
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1602
|
Data from Configuration Repository
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1602
|
Data from Configuration Repository
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602.001
|
Data from Configuration Repository: SNMP (MIB Dump)
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1602.001
|
Data from Configuration Repository: SNMP (MIB Dump)
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602.002
|
Data from Configuration Repository: Network Device Configuration Dump
|
attribute.confidentiality.data_disclosure
|
None
| related-to |
T1602.002
|
Data from Configuration Repository: Network Device Configuration Dump
|
action.hacking.variety.Session prediction
|
Credential or session prediction. Child of 'Exploit vuln'.
| related-to |
T1606
|
Forge Web Credentials
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606
|
Forge Web Credentials
|
action.hacking.variety.Session prediction
|
Credential or session prediction. Child of 'Exploit vuln'.
| related-to |
T1606.001
|
Forge Web Credentials: Web Cookies
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606.001
|
Forge Web Credentials: Web Cookies
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606.002
|
Forge Web Credentials: SAML Tokens
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608
|
Stage Capabilities
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.001
|
Stage Capabilities: Upload Malware
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.002
|
Stage Capabilities: Upload Tools
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.003
|
Stage Capabilities: Install Digital Certificate
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.004
|
Stage Capabilities: Drive-by Target
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.005
|
Stage Capabilities: Link Target
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1609
|
Container Administration Command
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1610
|
Deploy Container
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1610
|
Deploy Container
|
action.hacking.variety.Virtual machine escape
|
Virtual machine escape. Child of 'Exploit vuln'.
| related-to |
T1611
|
Escape to Host
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1612
|
Build Image on Host
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1613
|
Container and Resource Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1614
|
System Location Discovery
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1614.001
|
System Location Discovery: System Language Discovery
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1622
|
Debugger Evasion
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.005
|
Create or Modify System Process: Container Service
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.005
|
Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.006
|
Abuse Elevation Control Mechanism: TCC Manipulation
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.011
|
Ignore Process Interrupts
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.012
|
File/Path Exclusions
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.012
|
File/Path Exclusions
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1651
|
Cloud Administration Command
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1652
|
Device Driver Discovery
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1653
|
Power Settings
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1654
|
Log Enumeration
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1665
|
Hide Infrastructure
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1666
|
Modify Cloud Resource Hierarchy
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1622
|
Debugger Evasion
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1546.017
|
Udev Rules
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1622
|
Debugger Evasion
|
action.social.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1656
|
Impersonation
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1016.002
|
Wi-Fi Discovery
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.002
|
Obfuscated Files or Information: Software Packaging
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.004
|
Obfuscated Files or Information: Compile After Dilevery
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.005
|
Steal or Forge Kerberos Tickets: Ccache Files
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.014
|
AppDomainManager
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1584.008
|
Network Devices
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1584.008
|
Network Devices
|
action.malware.vector.remote injection
|
Remotely injected by agent (i.e. via SQLi)
| related-to |
T1659
|
Content Injection
|