| action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1047 |
Windows Management Instrumentation |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.007 |
Command and Scripting Interpreter: JavaScript |
| action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1072 |
Software Deployment Tools |
| action.malware.vector.Software update |
Included in automated software update |
related-to |
T1072 |
Software Deployment Tools |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1543 |
Create or Modify System Process |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1543 |
Create or Modify System Process |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1543 |
Create or Modify System Process |
| action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1543.003 |
Create or Modify System Process: Windows Service |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1547 |
Boot or Logon Autostart Execution |
| action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
| action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563 |
Remote Service Session Hijacking |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564 |
Hide Artifacts |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.001 |
Hide Artifacts: Hidden Files and Directories |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.002 |
Hide Artifacts: Hidden Users |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.003 |
Hide Artifacts: Hidden Window |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.004 |
Hide Artifacts: NTFS File Attributes |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.005 |
Hide Artifacts: Hidden File System |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.006 |
Hide Artifacts: Run Virtual Instance |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
| action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
| action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1569.002 |
System Services: Service Execution |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1098 |
Account Manipulation |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1098 |
Account Manipulation |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1037 |
Boot or Logon Initialization Scripts |
| action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1554 |
Compromise Client Software Binary |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1554 |
Compromise Client Software Binary |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1554 |
Compromise Client Software Binary |
| action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1554 |
Compromise Client Software Binary |
| action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new filess |
related-to |
T1136 |
Create Accounts |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1546 |
Event Triggered Execution |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1546 |
Event Triggered Execution |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1133 |
External Remote Services |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1133 |
External Remote Services |
| action.malware.vector.Remote injection |
Remotely injected by agent (i.e. via SQLi) |
related-to |
T1133 |
External Remote Services |
| action.malware.vector.Web application |
Web application. Parent of 'Web application - download' and 'Web application - drive-by. |
related-to |
T1133 |
External Remote Services |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1525 |
Implant Internal Image |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1525 |
Implant Internal Image |
| action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1525 |
Implant Internal Image |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1525 |
Implant Internal Image |
| action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110 |
Brute Force |
| action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.001 |
Brute Force: Password Guessing |
| action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.002 |
Brute Force: Password Cracking |
| action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.003 |
Brute Force: Password Spraying |
| action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.004 |
Brute Force: Credential Stuffing |
| action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1203 |
Exploitation for Client Execution |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1203 |
Exploitation for Client Execution |
| action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.002 |
Adversary-in-the-Middle: ARP Cache Poisoning |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600 |
Weaken Encryption |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562 |
Impair Defenses |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1562 |
Impair Defenses |
| action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new filess |
related-to |
T1562 |
Impair Defenses |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.001 |
Disable or Modify Tools |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.002 |
Disable Windows Event Logging |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.003 |
Impair Command History Logging |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.004 |
Disable or Modify System Firewall |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.007 |
Disable or Modify Cloud Firewall |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.008 |
Disable Cloud Logs |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1489 |
Service Stop |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1498 |
Network Denial of Service |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1499 |
Endpoint Denial of Service |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
| action.malware.variety.DoS |
DoS attack |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1622 |
Debugger Evasion |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1211 |
Exploitation for Defense Evasion |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036 |
Masquerading |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1036 |
Masquerading |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1036 |
Masquerading |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1014 |
Rootkit |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1014 |
Rootkit |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553 |
Subvert Trust Controls |
| action.malware.variety.Evade Defenses |
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. |
related-to |
T1553 |
Subvert Trust Controls |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1001 |
Data Obfuscation |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1001.002 |
Data Obfuscation: Steganography |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1001.003 |
Data Obfuscation: Protocol Impersonation |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071 |
Application Layer Protocol |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071 |
Application Layer Protocol |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1071 |
Application Layer Protocol |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132 |
Data Encoding |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132 |
Data Encoding |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568 |
Dynamic Resolution |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568 |
Dynamic Resolution |
| action.malware.vector.Download by malware |
Downloaded and installed by local malware |
related-to |
T1568 |
Dynamic Resolution |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DSN |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DSN |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573 |
Encrypted Channels |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573 |
Encrypted Channels |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1008 |
Fallback Channels |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1008 |
Fallback Channels |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1104 |
Multi-Stage Channels |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1104 |
Multi-Stage Channels |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1572 |
Protocol Tunneling |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1572 |
Protocol Tunneling |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090 |
Proxy |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090 |
Proxy |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1205 |
Traffic Signaling |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1205 |
Traffic Signaling |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102 |
Web Service |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102 |
Web Service |
| action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1068 |
Exploitation for Privilege Escalation |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1212 |
Exploitation for Credential Access |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1212 |
Exploitation for Credential Access |
| action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1212 |
Exploitation for Credential Access |
| action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595.002 |
Active Scanning: Vulnerability Scanning |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1539 |
Steal Web Session Cookie |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1185 |
Browser Session Hijacking |
| action.malware.variety.Click fraud |
Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
| action.malware.variety.Click fraud and cryptocurrency mining |
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
| action.malware.variety.Cryptocurrency mining |
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
| action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557 |
Man-in-the-Middle |
| action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.001 |
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027 |
Obfuscated Files or Information |
| action.malware.variety.Pass-the-hash |
Pass-the-hash |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
| action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1082 |
System Information Discovery |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1033 |
System Owner/User Discovery |
| action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1033 |
System Owner/User Discovery |
| action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1007 |
System Service Discovery |
| action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1012 |
Query Registry |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1083 |
File and Directory Discovery |
| action.malware.variety.Profile host |
Enumerating the state of the current host |
related-to |
T1083 |
File and Directory Discovery |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1119 |
Automated Collection |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1046 |
Network Service Discovery |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1135 |
Network Share Discovery |
| action.malware.variety.Packet sniffer |
Packet sniffer (capture data from network) |
related-to |
T1040 |
Network Sniffing |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1040 |
Network Sniffing |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1018 |
Remote System Discovery |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1049 |
System Network Connections Discovery |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1602 |
Data from Configuration Repository |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1021 |
Remote Services |
| action.malware.variety.Pass-the-hash |
Pass-the-hash |
related-to |
T1550 |
Use Alternate Authentication Material |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1550 |
Use Alternate Authentication Material |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213 |
Data from Information Repository |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1010 |
Application Window Discovery |
| action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1583 |
Acquire Infrastructure |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
| action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1584 |
Compromise Infrastructure |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1587.001 |
Develop Capabilities: Malware |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1588.006 |
Obtain Capabilities: Vulnerabilities |
| action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1219 |
Remote Access Software |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497 |
Virtualization/Sandbox Evasion |
| action.malware.variety.Adware |
Adware |
related-to |
T1199 |
Trusted Relationship |
| action.malware.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1199 |
Trusted Relationship |
| action.malware.vector.Partner |
Partner connection or credential. (Indicates supply chain breach.) |
related-to |
T1195 |
Supply Chain Compromise |
| action.malware.vector.Software update |
Included in automated software update |
related-to |
T1195 |
Supply Chain Compromise |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.003 |
Input Capture: Web Portal Capture |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1095 |
Non-Application Layer Protocol |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1095 |
Non-Application Layer Protocol |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1571 |
Non-Standard Port |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1571 |
Non-Standard Port |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505 |
Server Software Component |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505 |
Server Software Component |
| action.malware.variety.Backdoor |
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. |
related-to |
T1505.003 |
Server Software Component: Web Shell |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1505.003 |
Server Software Component: Web Shell |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.001 |
Proxy: Internal Proxy |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.001 |
Proxy: Internal Proxy |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.002 |
Proxy: External Proxy |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.002 |
Proxy: External Proxy |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.003 |
Proxy: Multi-hop Proxy |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.003 |
Proxy: Multi-hop Proxy |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1090.004 |
Proxy: Domain Fronting |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1090.004 |
Proxy: Domain Fronting |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.001 |
Web Service: Dead Drop Resolver |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.001 |
Web Service: Dead Drop Resolver |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.002 |
Web Service: Bidirectional Communication |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.002 |
Web Service: Bidirectional Communication |
| action.malware.variety.Backdoor or C2 |
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. |
related-to |
T1102.003 |
Web Service: One-Way Communication |
| action.malware.variety.C2 |
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. |
related-to |
T1102.003 |
Web Service: One-Way Communication |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056 |
Input Capture |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.001 |
Input Capture: Keylogging |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.002 |
Input Capture: GUI Input Capture |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
| action.malware.variety.Spyware/Keylogger |
Spyware, keylogger or form-grabber (capture user input or activity) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1113 |
Screen Capture |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114 |
Email Collection |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.001 |
Email Collection: Local Email Collection |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.002 |
Email Collection: Remote Email Collection |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.003 |
Email Collection: Email Forwarding Rule |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1123 |
Audio Capture |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1125 |
Video Capture |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1176 |
Browser Extensions |
| action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1176 |
Browser Extensions |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1207 |
Rogue Domain Controller |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1217 |
Browser Bookmark Discovery |
| action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1528 |
Steal Application Access Token |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
| action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1005 |
Data from Local System |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1025 |
Data from Removable Media |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1039 |
Data from Network Shared Drive |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.001 |
Data from Information Repositories: Confluence |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.002 |
Data from Information Repositories: Sharepoint |
| action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1530 |
Data from Cloud Storage |
| action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1221 |
Template Injection |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070 |
Indicator Removal on Host |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.003 |
Indicator Removal on Host: Clear Command History |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.004 |
Indicator Removal on Host: File Deletion |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.005 |
Indicator Removal on Host: Network Share Connection Removal |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.006 |
Indicator Removal on Host: Timestomp |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1485 |
Data Destruction |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1495 |
Firmware Corruption |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561 |
Disk Wipe |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.001 |
Disk Wipe: Disk Content Wipe |
| action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1006 |
Direct Volume Access |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.001 |
Obfuscated Files or Information: Binary Padding |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.002 |
Obfuscated Files or Information: Software Packaging |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.003 |
Obfuscated Files or Information: Steganography |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.004 |
Obfuscated Files or Information: Compile After Dilevery |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.005 |
Obfuscated Files or Information: Indicator Removal from Tools |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.001 |
Masquerading: Invalid Code Signature |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.002 |
Masquerading: Right-to-Left Override |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.004 |
Masquerading: Masquerade Task or Service |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.005 |
Masquerading: Match Legitimate Name or Location |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.006 |
Masquerading: Space after Filename |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222 |
File and Directory Permissions Modification |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.001 |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.002 |
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1490 |
Inhibit System Recovery |
| action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1490 |
Inhibit System Recovery |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.001 |
Virtualization/Sandbox Evasion: System Checks |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.002 |
Virtualization/Sandbox Evasion: User Activity Based Checks |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.001 |
Subvert Trust Contols: Gatekeeper Bypass |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.002 |
Subvert Trust Contols: Code Signing |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.003 |
Subvert Trust Contols: SIP and Trust Provider Hijacking |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.004 |
Subvert Trust Contols: Install Root Certificate |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.005 |
Subvert Trust Contols: Mark-of-the-Web Bypass |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.006 |
Subvert Trust Contols: Code Signing Policy Modification |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.006 |
Impair Defenses: Indicator Blocking |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1574.012 |
Hijack Execution Flow: COR_PROFILER |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.001 |
Weaken Encryption: Reduce Key Space |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.002 |
Weaken Encryption: Disable Crypto Hardware |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601 |
Modify System Image |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.001 |
Modify System Image: Patch System Image |
| action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.002 |
Modify System Image: Downgrade System Image |
| action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1610 |
Deploy Container |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1610 |
Deploy Container |
| action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204 |
User Execution |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1204 |
User Execution |
| action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.001 |
User Execution: Malicious Link |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1204.001 |
User Execution: Malicious Link |
| action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1204.001 |
User Execution: Malicious Link |
| action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.002 |
User Execution: Malicious File |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1204.002 |
User Execution: Malicious File |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1204.002 |
User Execution: Malicious File |
| action.malware.variety.Downloader |
Downloader (pull updates or other malware) |
related-to |
T1204.003 |
User Execution: Malicious Image |
| action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1204.003 |
User Execution: Malicious Image |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1204.003 |
User Execution: Malicious Image |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011 |
Exfiltration Over Other Network Medium |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020 |
Automated Exfiltration |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020.001 |
Automated Exfiltration: Traffic Duplication |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1029 |
Scheduled Transfer |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1030 |
Data Transfer Size Limits |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1041 |
Exfiltration Over C2 Channels |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048 |
Exfiltration Over Alternative Protocol |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052 |
Exfiltration Over Physical Medium |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074 |
Data Staged |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.001 |
Data Staged: Local Data Staging |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.002 |
Data Staged: Remote Data Staging |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1197 |
BITS Jobs |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1537 |
Transfer Data to Cloud Account |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560 |
Archive Collected Data |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.001 |
Archive Collected Data: Archive via Utility |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.002 |
Archive Collected Data: Archive via Library |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.003 |
Archive Collected Data: Archive via Custom Method |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567 |
Exfiltration Over Web Service |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
| action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055 |
Process Injection |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.001 |
Process Injection: Dynamic-link Library Injection |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.002 |
Process Injection: Portable Executable Injection |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.003 |
Process Injection: Thread Execution Hijacking |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.004 |
Process Injection: Asynchronous Procedure Call |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.005 |
Process Injection: Thread Local Storage |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.008 |
Process Injection: Ptrace System Calls |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.009 |
Process Injection: Proc Memory |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.011 |
Process Injection: Extra Window Memory Injection |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.012 |
Process Injection: Process Hollowing |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.013 |
Process Injection: Process Doppelganging |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.014 |
Process Injection: VDSO Hijacking |
| action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1115 |
Clipboard Data |
| action.malware.variety.MitM |
Man-in-the-middle attack. Child of 'Exploit vuln'. |
related-to |
T1557.003 |
DHCP Spoofing |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003 |
OS Credential Dumping |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
| action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
| action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
| action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
| action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.001 |
Unsecured Credentials: Credentials in Files |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.002 |
Unsecured Credentials: Credentials in Registry |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.003 |
Unsecured Credentials: Bash History |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.004 |
Unsecured Credentials: Private Keys |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555 |
Credentials from Password Stores |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.001 |
Credentials from Password Stores: Keychain |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
| action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
| action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.005 |
Credentials from Password Stores: Password Managers |
| action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1486 |
Data Encrypted for Impact |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542 |
Pre-OS Boot |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.001 |
Pre-OS Boot: System Firmware |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.002 |
Pre-OS Boot: Component Firmware |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.003 |
Pre-OS Boot: Bootkit |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.004 |
Pre-OS Boot: ROMMONkit |
| action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.005 |
Pre-OS Boot: TFTP Boot |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1016 |
System Network Configuration Discovery |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1016.001 |
System Network Configuration Discovery: Internet Connection Discovery |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1482 |
Domain Trust Discovery |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595 |
Active Scanning |
| action.malware.variety.Scan network |
Enumerating the state of the network |
related-to |
T1595.001 |
Active Scanning: Scanning IP Blocks |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1080 |
Taint Shared Content |
| action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1080 |
Taint Shared Content |
| action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1091 |
Replication Through Removable Media |
| action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1091 |
Replication Through Removable Media |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1140 |
Deobfuscate/Decode Files or Information |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608 |
Stage Capabilities |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608.001 |
Stage Capabilities: Upload Malware |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608.002 |
Stage Capabilities: Upload Tools |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608.003 |
Stage Capabilities: Install Digital Certificate |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608.004 |
Stage Capabilities: Drive-by Target |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1608.005 |
Stage Capabilities: Link Target |
| action.malware.variety.Unknown |
Unknown |
related-to |
T1612 |
Build Image on Host |
| action.malware.vector.Email |
Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown' |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
| action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1598.002 |
Phishing for Information: Spearphishing Attachment |
| action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1556.002 |
Phishing: Spearphishing Link |
| action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1598.003 |
Phishing for Information: Spearphishing Link |
| action.malware.vector.Instant messaging |
Instant Messaging |
related-to |
T1566 |
Phishing |
| action.malware.vector.Network propagation |
Network propagation |
related-to |
T1570 |
Lateral Tool Transfer |
| action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1092 |
Communication Through Removable Media |
| action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1189 |
Drive-by Compromise |
