|
action.hacking.variety.Other
|
Other
| related-to |
T1001
|
Data Obfuscation
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1001.001
|
Junk Data
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1001.002
|
Steganography
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1001.003
|
Protocol or Service Impersonation
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1071
|
Application Layer Protocol
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.001
|
Web Protocols
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.002
|
File Transfer Protocols
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.003
|
Mail Protocols
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1071.004
|
DNS
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1105
|
Ingress Tool Transfer
|
|
action.hacking.variety.Other
|
Other
| related-to |
T1127.001
|
MSBuild
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1027.011
|
Fileless Storage
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1027.012
|
LNK Icon Smuggling
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1027.013
|
Encrypted/Encoded File
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.009
|
Cloud API
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.010
|
AutoHotKey & AutoIT
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.011
|
Lua
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127.002
|
ClickOnce
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1098.006
|
Additional Container Cluster Roles
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027
|
Obfuscated Files or Information
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.001
|
Binary Padding
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.002
|
Software Packing
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.003
|
Steganography
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.004
|
Compile After Delivery
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.010
|
Command Obfuscation
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.011
|
Fileless Storage
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.012
|
LNK Icon Smuggling
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.013
|
Encrypted/Encoded File
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1027.014
|
Polymorphic Code
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1132.002
|
Non-Standard Encoding
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1059.009
|
Cloud API
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1059.010
|
AutoHotKey & AutoIT
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1059.011
|
Lua
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1127.002
|
ClickOnce
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1021.007
|
Cloud Services
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1021.008
|
Direct Cloud VM Connections
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134.003
|
Make and Impersonate Token
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1021.008
|
Direct Cloud VM Connections
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1027.010
|
Command Obfuscation
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059.009
|
Cloud API
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059.010
|
AutoHotKey & AutoIT
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059.011
|
Lua
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1047
|
Windows Management Instrumentation
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053
|
Scheduled Task/Job
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053.002
|
At
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053.003
|
Cron
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053.005
|
Scheduled Task
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053.006
|
Systemd Timers
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1053.007
|
Container Orchestration Job
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059
|
Command and Scripting Interpreter
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.001
|
PowerShell
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.002
|
AppleScript
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.003
|
Windows Command Shell
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.004
|
Unix Shell
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.005
|
Visual Basic
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.006
|
Python
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.007
|
JavaScript
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1059.008
|
Network Device CLI
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1072
|
Software Deployment Tools
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1105
|
Ingress Tool Transfer
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1106
|
Native API
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1112
|
Modify Registry
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127
|
Trusted Developer Utilities Proxy Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1127.001
|
MSBuild
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1129
|
Shared Modules
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137
|
Office Application Startup
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.001
|
Office Template Macros
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.002
|
Office Test
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.003
|
Outlook Forms
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.004
|
Outlook Home Page
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1137.005
|
Outlook Rules
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1187
|
Forced Authentication
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1202
|
Indirect Command Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216
|
System Script Proxy Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216.001
|
PubPrn
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1216.002
|
SyncAppvPublishingServer
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218
|
System Binary Proxy Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.001
|
Compiled HTML File
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.002
|
Control Panel
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.003
|
CMSTP
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.004
|
InstallUtil
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.005
|
Mshta
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.007
|
Msiexec
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.008
|
Odbcconf
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.009
|
Regsvcs/Regasm
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.010
|
Regsvr32
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1111
|
Multi-Factor Authentication Interception
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1187
|
Forced Authentication
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1037
|
Boot or Logon Initialization Scripts
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1053
|
Scheduled Task/Job
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1078
|
Valid Accounts
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1098
|
Account Manipulation
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1110
|
Brute Force
|
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1222.002
|
Linux and Mac File and Directory Permissions Modification
|
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1565.001
|
Stored Data Manipulation
|
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1021.003
|
Distributed Component Object Model
|
|
action.hacking.variety.Brute force
|
Brute force or password guessing attacks.
| related-to |
T1531
|
Account Access Removal
|
|
action.hacking.variety.Buffer overflow
|
Buffer overflow. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1001
|
Data Obfuscation
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1102.001
|
Dead Drop Resolver
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1602.001
|
SNMP (MIB Dump)
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1584.002
|
DNS Server
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1008
|
Fallback Channels
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1014
|
Rootkit
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1036
|
Masquerading
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1071
|
Application Layer Protocol
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1090
|
Proxy
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1102
|
Web Service
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1104
|
Multi-Stage Channels
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1132
|
Data Encoding
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1583.007
|
Serverless
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1205
|
Traffic Signaling
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1021.007
|
Cloud Services
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1053.005
|
Scheduled Task
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1211
|
Exploitation for Defense Evasion
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1190
|
Exploit Public-Facing Application
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.hacking.variety.Format string attack
|
Format string attack. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Fuzz testing
|
Fuzz testing. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.HTTP request smuggling
|
HTTP request smuggling. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.HTTP request smuggling
|
HTTP request smuggling. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.hacking.variety.HTTP request splitting
|
HTTP request splitting. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.HTTP request splitting
|
HTTP request splitting. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.hacking.variety.HTTP response smuggling
|
HTTP response smuggling. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.HTTP response smuggling
|
HTTP response smuggling. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.hacking.variety.HTTP response splitting
|
HTTP response splitting. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.HTTP response splitting
|
HTTP response splitting. Child of 'Exploit vuln'.
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.hacking.variety.Insecure deserialization
|
iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Integer overflows
|
Integer overflows. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.LDAP injection
|
LDAP injection. Child of 'Exploit vuln'.
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.hacking.variety.Null byte injection
|
Null byte injection. Child of 'Exploit vuln'.
| related-to |
T1027
|
Obfuscated Files or Information
|
|
action.hacking.variety.Offline cracking
|
Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR)
| related-to |
T1565.001
|
Stored Data Manipulation
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1059
|
Command and Scripting Interpreter
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1505.005
|
Terminal Services DLL
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1569
|
System Services
|
|
action.hacking.variety.OS commanding
|
OS commanding. Child of 'Exploit vuln'.
| related-to |
T1110
|
Brute Force
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1007
|
System Service Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1012
|
Query Registry
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1033
|
System Owner/User Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1057
|
Process Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1069
|
Permission Groups Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1136.003
|
Cloud Account
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1082
|
System Information Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1083
|
File and Directory Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1087
|
Account Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1573.001
|
Symmetric Cryptography
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1119
|
Automated Collection
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1120
|
Peripheral Device Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1124
|
System Time Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1201
|
Password Policy Discovery
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1018
|
Remote System Discovery
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1007
|
System Service Discovery
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1046
|
Network Service Discovery
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1049
|
System Network Connections Discovery
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1119
|
Automated Collection
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1135
|
Network Share Discovery
|
|
action.hacking.variety.Session fixation
|
Session fixation. Child of 'Exploit vuln'.
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.hacking.variety.Session fixation
|
Session fixation. Child of 'Exploit vuln'.
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.hacking.variety.SQLi
|
SQL injection. Child of 'Exploit vuln'.
| related-to |
T1190
|
Exploit Public-Facing Application
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1134
|
Access Token Manipulation
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1127
|
Trusted Developer Utilities Proxy Execution
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1021
|
Remote Services
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1027.007
|
Dynamic API Resolution
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1029
|
Scheduled Transfer
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1547.004
|
Winlogon Helper DLL
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1598.003
|
Spearphishing Link
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1560.001
|
Archive via Utility
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1583.004
|
Server
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1078
|
Valid Accounts
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1011.001
|
Exfiltration Over Bluetooth
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.004
|
Web Session Cookie
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1601.002
|
Downgrade System Image
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1569.002
|
Service Execution
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1134
|
Access Token Manipulation
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1654
|
Log Enumeration
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1548
|
Abuse Elevation Control Mechanism
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1041
|
Exfiltration Over C2 Channel
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1187
|
Forced Authentication
|
|
action.hacking.variety.XML external entities
|
XML external entities. Child of 'Exploit vuln'.
| related-to |
T1558.002
|
Silver Ticket
|
|
action.hacking.variety.XPath injection
|
XPath injection. Child of 'Exploit vuln'.
| related-to |
T1010
|
Application Window Discovery
|
|
action.hacking.vector.3rd party desktop
|
3rd party online desktop sharing (LogMeIn, Go2Assist)
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1037
|
Boot or Logon Initialization Scripts
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1053
|
Scheduled Task/Job
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1078
|
Valid Accounts
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1098
|
Account Manipulation
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1029
|
Scheduled Transfer
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1547.004
|
Winlogon Helper DLL
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1598.003
|
Spearphishing Link
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1583.004
|
Server
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1047
|
Windows Management Instrumentation
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1059
|
Command and Scripting Interpreter
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1552.008
|
Chat Messages
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1505.005
|
Terminal Services DLL
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1569
|
System Services
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1110
|
Brute Force
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1071.001
|
Web Protocols
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1127.002
|
ClickOnce
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1546.013
|
PowerShell Profile
|
|
action.hacking.vector.Command shell
|
Remote shell
| related-to |
T1584.005
|
Botnet
|
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
| related-to |
T1027.007
|
Dynamic API Resolution
|
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
| related-to |
T1560.001
|
Archive via Utility
|
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1008
|
Fallback Channels
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1071
|
Application Layer Protocol
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1090
|
Proxy
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1095
|
Non-Application Layer Protocol
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1102
|
Web Service
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1104
|
Multi-Stage Channels
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1105
|
Ingress Tool Transfer
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195
|
Supply Chain Compromise
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1499.003
|
Application Exhaustion Flood
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1589.001
|
Credentials
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1499.002
|
Service Exhaustion Flood
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1199
|
Trusted Relationship
|
|
action.hacking.vector.Physical access
|
Physical access or connection (i.e., at keyboard or via cable)
| related-to |
T1200
|
Hardware Additions
|
|
action.hacking.vector.VPN
|
VPN
| related-to |
T1133
|
External Remote Services
|
|
action.hacking.vector.Web application
|
Web application
| related-to |
T1090.002
|
External Proxy
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.011
|
Rundll32
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.012
|
Verclsid
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.013
|
Mavinject
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.014
|
MMC
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1218.015
|
Electron Applications
|
|
action.hacking.vector.Desktop sharing software
|
Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two
| related-to |
T1219
|
Remote Access Software
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1220
|
XSL Script Processing
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480
|
Execution Guardrails
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1480
|
Execution Guardrails
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480.001
|
Environmental Keying
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1480.001
|
Environmental Keying
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1480.002
|
Mutual Exclusion
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1489
|
Service Stop
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1496
|
Resource Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1496.001
|
Compute Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1496.002
|
Bandwidth Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1496.003
|
SMS Pumping
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1496.004
|
Cloud Service Hijacking
|
|
action.hacking.vector.Hypervisor
|
Hypervisor break-out attack
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
|
action.hacking.vector.Inter-tenant
|
Penetration of another VM or web site on shared device or infrastructure
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498
|
Network Denial of Service
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498.001
|
Direct Network Flood
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1498.002
|
Reflection Amplification
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499
|
Endpoint Denial of Service
|
|
action.hacking.variety.Soap array abuse
|
Soap array abuse. Child of 'Exploit vuln'.
| related-to |
T1499
|
Endpoint Denial of Service
|
|
action.hacking.variety.XML external entities
|
XML external entities. Child of 'Exploit vuln'.
| related-to |
T1499
|
Endpoint Denial of Service
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.001
|
OS Exhaustion Flood
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.002
|
Service Exhaustion Flood
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.003
|
Application Exhaustion Flood
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1499.004
|
Application or System Exploitation
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1505.001
|
SQL Stored Procedures
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1505.002
|
Transport Agent
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1518
|
Software Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1518.001
|
Security Software Discovery
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1525
|
Implant Internal Image
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1525
|
Implant Internal Image
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1526
|
Cloud Service Discovery
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1529
|
System Shutdown/Reboot
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1531
|
Account Access Removal
|
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1539
|
Steal Web Session Cookie
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1539
|
Steal Web Session Cookie
|
|
action.hacking.variety.Session replay
|
Session replay. Child of 'Exploit vuln'.
| related-to |
T1539
|
Steal Web Session Cookie
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543
|
Create or Modify System Process
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1543
|
Create or Modify System Process
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1543
|
Create or Modify System Process
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.001
|
Launch Agent
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.002
|
Systemd Service
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.003
|
Windows Service
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.004
|
Launch Daemon
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.005
|
Container Service
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1546
|
Event Triggered Execution
|
|
action.hacking.variety.XML injection
|
XML injection. Child of 'Exploit vuln'.
| related-to |
T1546
|
Event Triggered Execution
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1546
|
Event Triggered Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548
|
Abuse Elevation Control Mechanism
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.001
|
Setuid and Setgid
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.002
|
Bypass User Account Control
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.002
|
Bypass User Account Control
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.003
|
Sudo and Sudo Caching
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.003
|
Sudo and Sudo Caching
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.004
|
Elevated Execution with Prompt
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.004
|
Elevated Execution with Prompt
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.005
|
Temporary Elevated Cloud Access
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.006
|
TCC Manipulation
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550
|
Use Alternate Authentication Material
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.001
|
Application Access Token
|
|
action.hacking.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550.002
|
Pass the Hash
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.002
|
Pass the Hash
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.003
|
Pass the Ticket
|
|
action.hacking.variety.Session replay
|
Session replay. Child of 'Exploit vuln'.
| related-to |
T1550.004
|
Web Session Cookie
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1550.004
|
Web Session Cookie
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1553
|
Subvert Trust Controls
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.hacking.variety.Backdoor
|
Hacking action that creates a backdoor for use.
| related-to |
T1556
|
Modify Authentication Process
|
|
action.hacking.vector.Backdoor
|
Hacking actions taken through a backdoor. C2 is only used by malware.
| related-to |
T1556
|
Modify Authentication Process
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1557
|
Adversary-in-the-Middle
|
|
action.hacking.variety.Routing detour
|
Routing detour. Child of 'Exploit vuln'.
| related-to |
T1557
|
Adversary-in-the-Middle
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1557.001
|
LLMNR/NBT-NS Poisoning and SMB Relay
|
|
action.hacking.variety.Cache poisoning
|
Cache poisoning. Child of 'Exploit vuln'.
| related-to |
T1557.002
|
ARP Cache Poisoning
|
|
action.hacking.variety.AiTM
|
Adversary-in-the-middle attack. Child of 'Exploit vuln'
| related-to |
T1557.002
|
ARP Cache Poisoning
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558
|
Steal or Forge Kerberos Tickets
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.001
|
Golden Ticket
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.002
|
Silver Ticket
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.003
|
Kerberoasting
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1558.004
|
AS-REP Roasting
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.004
|
AS-REP Roasting
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.005
|
Ccache Files
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559
|
Inter-Process Communication
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559.001
|
Component Object Model
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1559.002
|
Dynamic Data Exchange
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562
|
Impair Defenses
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1562
|
Impair Defenses
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.001
|
Disable or Modify Tools
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.002
|
Disable Windows Event Logging
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.003
|
Impair Command History Logging
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.004
|
Disable or Modify System Firewall
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.007
|
Disable or Modify Cloud Firewall
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.008
|
Disable or Modify Cloud Logs
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.012
|
Disable or Modify Linux Audit System
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563
|
Remote Service Session Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1563
|
Remote Service Session Hijacking
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563.001
|
SSH Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1563.001
|
SSH Hijacking
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564
|
Hide Artifacts
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564
|
Hide Artifacts
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.001
|
Hidden Files and Directories
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.001
|
Hidden Files and Directories
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.002
|
Hidden Users
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.002
|
Hidden Users
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.003
|
Hidden Window
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.003
|
Hidden Window
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.004
|
NTFS File Attributes
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.004
|
NTFS File Attributes
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.005
|
Hidden File System
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.005
|
Hidden File System
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.006
|
Run Virtual Instance
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.006
|
Run Virtual Instance
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.007
|
VBA Stomping
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.007
|
VBA Stomping
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568
|
Dynamic Resolution
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1568
|
Dynamic Resolution
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.001
|
Fast Flux DNS
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.002
|
Domain Generation Algorithms
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1568.003
|
DNS Calculation
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569
|
System Services
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569.001
|
Launchctl
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1569.002
|
Service Execution
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1571
|
Non-Standard Port
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1572
|
Protocol Tunneling
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1572
|
Protocol Tunneling
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573
|
Encrypted Channel
|
|
action.hacking.vector.Other network service
|
Network service that is not remote access or a web application.
| related-to |
T1573
|
Encrypted Channel
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573.001
|
Symmetric Cryptography
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1573.002
|
Asymmetric Cryptography
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574
|
Hijack Execution Flow
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574
|
Hijack Execution Flow
|
|
action.hacking.variety.XML injection
|
XML injection. Child of 'Exploit vuln'.
| related-to |
T1574
|
Hijack Execution Flow
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.001
|
DLL Search Order Hijacking
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1574.001
|
DLL Search Order Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.001
|
DLL Search Order Hijacking
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.001
|
DLL Search Order Hijacking
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.002
|
DLL Side-Loading
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1574.002
|
DLL Side-Loading
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.002
|
DLL Side-Loading
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.002
|
DLL Side-Loading
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1574.004
|
Dylib Hijacking
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.004
|
Dylib Hijacking
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.004
|
Dylib Hijacking
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.005
|
Executable Installer File Permissions Weakness
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.005
|
Executable Installer File Permissions Weakness
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1574.005
|
Executable Installer File Permissions Weakness
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.010
|
Services File Permissions Weakness
|
|
action.hacking.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1574.011
|
Services Registry Permissions Weakness
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
|
action.hacking.vector.Hypervisor
|
Hypervisor break-out attack
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
|
action.hacking.vector.Inter-tenant
|
Penetration of another VM or web site on shared device or infrastructure
| related-to |
T1578
|
Modify Cloud Compute Infrastructure
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.001
|
Create Snapshot
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.002
|
Create Cloud Instance
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.003
|
Delete Cloud Instance
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.004
|
Revert Cloud Instance
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1578.005
|
Modify Cloud Compute Configurations
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1580
|
Cloud Infrastructure Discovery
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583
|
Acquire Infrastructure
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.001
|
Domains
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.002
|
DNS Server
|
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.003
|
Virtual Private Server
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.003
|
Virtual Private Server
|
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.004
|
Server
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.004
|
Server
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1583.005
|
Botnet
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.005
|
Botnet
|
|
action.hacking.variety.Forced browsing
|
Forced browsing or predictable resource location. Child of 'Exploit vuln'.
| related-to |
T1583.006
|
Web Services
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1583.006
|
Web Services
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584
|
Compromise Infrastructure
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.001
|
Domains
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.002
|
DNS Server
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.003
|
Virtual Private Server
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.004
|
Server
|
|
action.hacking.variety.DoS
|
Denial of service
| related-to |
T1584.005
|
Botnet
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.005
|
Botnet
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1584.006
|
Web Services
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586
|
Compromise Accounts
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586.001
|
Social Media Accounts
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1586.002
|
Email Accounts
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587
|
Develop Capabilities
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.001
|
Malware
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.002
|
Code Signing Certificates
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.003
|
Digital Certificates
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1587.004
|
Exploits
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588
|
Obtain Capabilities
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.001
|
Malware
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.002
|
Tool
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.003
|
Code Signing Certificates
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.004
|
Digital Certificates
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.005
|
Exploits
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.006
|
Vulnerabilities
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1588.007
|
Artificial Intelligence
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589
|
Gather Victim Identity Information
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.001
|
Credentials
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.002
|
Email Addresses
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1589.003
|
Employee Names
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590
|
Gather Victim Network Information
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.001
|
Domain Properties
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.002
|
DNS
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.003
|
Network Trust Dependencies
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.004
|
Network Topology
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.005
|
IP Addresses
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1590.006
|
Network Security Appliances
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592
|
Gather Victim Host Information
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.001
|
Hardware
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.002
|
Software
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.003
|
Firmware
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1592.004
|
Client Configurations
|
|
action.hacking.variety.Exploit vuln
|
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.
| related-to |
T1595.002
|
Vulnerability Scanning
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1599
|
Network Boundary Bridging
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1599.001
|
Network Address Translation Traversal
|
|
action.hacking.variety.Cryptanalysis
|
Cryptanalysis. Child of 'Exploit vuln'.
| related-to |
T1600
|
Weaken Encryption
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602
|
Data from Configuration Repository
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602.001
|
SNMP (MIB Dump)
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1602.002
|
Network Device Configuration Dump
|
|
action.hacking.variety.Session prediction
|
Credential or session prediction. Child of 'Exploit vuln'.
| related-to |
T1606
|
Forge Web Credentials
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606
|
Forge Web Credentials
|
|
action.hacking.variety.Session prediction
|
Credential or session prediction. Child of 'Exploit vuln'.
| related-to |
T1606.001
|
Web Cookies
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606.001
|
Web Cookies
|
|
action.hacking.variety.Unknown
|
Unknown
| related-to |
T1606.002
|
SAML Tokens
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1609
|
Container Administration Command
|
|
action.hacking.variety.Virtual machine escape
|
Virtual machine escape. Child of 'Exploit vuln'.
| related-to |
T1611
|
Escape to Host
|
|
action.hacking.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1613
|
Container and Resource Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1614
|
System Location Discovery
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1614.001
|
System Language Discovery
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1622
|
Debugger Evasion
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1543.005
|
Container Service
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.005
|
Temporary Elevated Cloud Access
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1548.006
|
TCC Manipulation
|
|
action.hacking.variety.Use of stolen creds
|
Use of stolen or default authentication credentials (including credential stuffing)
| related-to |
T1558.005
|
Ccache Files
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.011
|
Ignore Process Interrupts
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.012
|
File/Path Exclusions
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1564.012
|
File/Path Exclusions
|
|
action.hacking.variety.Hijack
|
To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)
| related-to |
T1574.014
|
AppDomainManager
|
|
action.hacking.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1584.008
|
Network Devices
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1651
|
Cloud Administration Command
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1652
|
Device Driver Discovery
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1653
|
Power Settings
|
|
action.hacking.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1654
|
Log Enumeration
|
|
action.hacking.variety.Abuse of functionality
|
Abuse of functionality.
| related-to |
T1665
|
Hide Infrastructure
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1666
|
Modify Cloud Resource Hierarchy
|
