|
action.malware.variety.Other
|
Other
| related-to |
T1080
|
Taint Shared Content
|
|
action.malware.variety.Other
|
Other
| related-to |
T1204
|
User Execution
|
|
action.malware.variety.Other
|
Other
| related-to |
T1204.001
|
Malicious Link
|
|
action.malware.variety.Other
|
Other
| related-to |
T1204.002
|
Malicious File
|
|
action.malware.variety.Other
|
Other
| related-to |
T1204.003
|
Malicious Image
|
|
action.hacking.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1070.010
|
Relocate Malware
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071.005
|
Publish/Subscribe Protocols
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1016.002
|
Wi-Fi Discovery
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1036.009
|
Break Process Trees
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1071.005
|
Publish/Subscribe Protocols
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1016.002
|
Wi-Fi Discovery
|
|
action.malware.variety.Spyware/Keylogger
|
Spyware, keylogger or form-grabber (capture user input or activity)
| related-to |
T1111
|
Multi-Factor Authentication Interception
|
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1072
|
Software Deployment Tools
|
|
action.malware.variety.Adware
|
Adware
| related-to |
T1199
|
Trusted Relationship
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1037
|
Boot or Logon Initialization Scripts
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1098
|
Account Manipulation
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1133
|
External Remote Services
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1008
|
Fallback Channels
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1098
|
Account Manipulation
|
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1110
|
Brute Force
|
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1222.002
|
Linux and Mac File and Directory Permissions Modification
|
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1565.001
|
Stored Data Manipulation
|
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1021.003
|
Distributed Component Object Model
|
|
action.malware.variety.Brute force
|
Brute force attack
| related-to |
T1531
|
Account Access Removal
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102.001
|
Dead Drop Resolver
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1008
|
Fallback Channels
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1071
|
Application Layer Protocol
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1584.007
|
Serverless
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1055.014
|
VDSO Hijacking
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1021
|
Remote Services
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1561
|
Disk Wipe
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1090
|
Proxy
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1566.003
|
Spearphishing via Service
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1110.003
|
Password Spraying
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1070.005
|
Network Share Connection Removal
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1578.005
|
Modify Cloud Compute Configurations
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1095
|
Non-Application Layer Protocol
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1102
|
Web Service
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1216
|
System Script Proxy Execution
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1036.003
|
Rename System Utilities
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1546.014
|
Emond
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1104
|
Multi-Stage Channels
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1132
|
Data Encoding
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.007
|
Serverless
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1485
|
Data Destruction
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1056
|
Input Capture
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1596.003
|
Digital Certificates
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1547.006
|
Kernel Modules and Extensions
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1090.002
|
External Proxy
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1546.017
|
Udev Rules
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1113
|
Screen Capture
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1114
|
Email Collection
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1110.002
|
Password Cracking
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1556.006
|
Multi-Factor Authentication
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1546.009
|
AppCert DLLs
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1123
|
Audio Capture
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1125
|
Video Capture
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1176
|
Browser Extensions
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1185
|
Browser Session Hijacking
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1114
|
Email Collection
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1587
|
Develop Capabilities
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1558.003
|
Kerberoasting
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1565.002
|
Transmitted Data Manipulation
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1005
|
Data from Local System
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1010
|
Application Window Discovery
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1025
|
Data from Removable Media
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1033
|
System Owner/User Discovery
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1039
|
Data from Network Shared Drive
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1083
|
File and Directory Discovery
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1119
|
Automated Collection
|
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1542.002
|
Component Firmware
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1092
|
Communication Through Removable Media
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1566.002
|
Spearphishing Link
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1600.001
|
Reduce Key Space
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1027.010
|
Command Obfuscation
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1496.001
|
Compute Hijacking
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1218
|
System Binary Proxy Execution
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1006
|
Direct Volume Access
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1027
|
Obfuscated Files or Information
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1563
|
Remote Service Session Hijacking
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1111
|
Multi-Factor Authentication Interception
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1095
|
Non-Application Layer Protocol
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1499
|
Endpoint Denial of Service
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1059.011
|
Lua
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1036
|
Masquerading
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1505.004
|
IIS Components
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.007
|
Disable or Modify Cloud Firewall
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1195.002
|
Compromise Software Supply Chain
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1568
|
Dynamic Resolution
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1074.001
|
Local Data Staging
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1622
|
Debugger Evasion
|
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1204
|
User Execution
|
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1001.002
|
Steganography
|
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1559.002
|
Dynamic Data Exchange
|
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1027.005
|
Indicator Removal from Tools
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1014
|
Rootkit
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1036
|
Masquerading
|
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1068
|
Exploitation for Privilege Escalation
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1558.003
|
Kerberoasting
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1011
|
Exfiltration Over Other Network Medium
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1021.006
|
Windows Remote Management
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1020
|
Automated Exfiltration
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1055.004
|
Asynchronous Procedure Call
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1029
|
Scheduled Transfer
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1030
|
Data Transfer Size Limits
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1072
|
Software Deployment Tools
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1048
|
Exfiltration Over Alternative Protocol
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1070
|
Indicator Removal
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1552.006
|
Group Policy Preferences
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1213.005
|
Messaging Applications
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1052
|
Exfiltration Over Physical Medium
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1588.002
|
Tool
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1074
|
Data Staged
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1218.013
|
Mavinject
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1574.014
|
AppDomainManager
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1197
|
BITS Jobs
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1115
|
Clipboard Data
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1055
|
Process Injection
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1053.002
|
At
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1612
|
Build Image on Host
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1560.002
|
Archive via Library
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1036.004
|
Masquerade Task or Service
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1538
|
Cloud Service Dashboard
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1548.006
|
TCC Manipulation
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1059.003
|
Windows Command Shell
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
None
|
None
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1585.001
|
Social Media Accounts
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1125
|
Video Capture
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1546.001
|
Change Default File Association
|
|
action.malware.variety.In-memory
|
(malware never stored to persistent storage)
| related-to |
T1115
|
Clipboard Data
|
|
action.malware.variety.Modify data
|
Malware which compromises a legitimate file rather than creating new filess
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.malware.variety.Packet sniffer
|
Packet sniffer (capture data from network)
| related-to |
T1007
|
System Service Discovery
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1003
|
OS Credential Dumping
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1222
|
File and Directory Permissions Modification
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1114
|
Email Collection
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1587
|
Develop Capabilities
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1598.004
|
Spearphishing Voice
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1558.003
|
Kerberoasting
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1115
|
Clipboard Data
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1565.002
|
Transmitted Data Manipulation
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1546.017
|
Udev Rules
|
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1007
|
System Service Discovery
|
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1012
|
Query Registry
|
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1033
|
System Owner/User Discovery
|
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1082
|
System Information Discovery
|
|
action.malware.variety.Profile host
|
Enumerating the state of the current host
| related-to |
T1083
|
File and Directory Discovery
|
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1222
|
File and Directory Permissions Modification
|
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1114
|
Email Collection
|
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1598.004
|
Spearphishing Voice
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1014
|
Rootkit
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1195.002
|
Compromise Software Supply Chain
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1016
|
System Network Configuration Discovery
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1496.003
|
SMS Pumping
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1018
|
Remote System Discovery
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1007
|
System Service Discovery
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1046
|
Network Service Discovery
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1049
|
System Network Connections Discovery
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1135
|
Network Share Discovery
|
|
action.malware.variety.Spyware/Keylogger
|
Spyware, keylogger or form-grabber (capture user input or activity)
| related-to |
T1546.017
|
Udev Rules
|
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'
| related-to |
T1027.005
|
Indicator Removal from Tools
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1140
|
Deobfuscate/Decode Files or Information
|
|
action.malware.variety.Worm
|
Worm (propagate to other systems or devices)
| related-to |
T1080
|
Taint Shared Content
|
|
action.malware.variety.Worm
|
Worm (propagate to other systems or devices)
| related-to |
T1091
|
Replication Through Removable Media
|
|
action.malware.vector.Direct install
|
Directly installed or inserted by threat agent (after system access)
| related-to |
T1047
|
Windows Management Instrumentation
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1036
|
Masquerading
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1071.001
|
Web Protocols
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1546.013
|
PowerShell Profile
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1203
|
Exploitation for Client Execution
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1559.002
|
Dynamic Data Exchange
|
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1598.004
|
Spearphishing Voice
|
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1001.002
|
Steganography
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1021
|
Remote Services
|
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1195
|
Supply Chain Compromise
|
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1199
|
Trusted Relationship
|
|
action.malware.vector.Remote injection
|
Remotely injected by agent (i.e. via SQLi)
| related-to |
T1133
|
External Remote Services
|
|
action.malware.vector.Removable media
|
Removable storage media or devices
| related-to |
T1091
|
Replication Through Removable Media
|
|
action.malware.vector.Removable media
|
Removable storage media or devices
| related-to |
T1092
|
Communication Through Removable Media
|
|
action.malware.vector.Software update
|
Included in automated software update
| related-to |
T1072
|
Software Deployment Tools
|
|
action.malware.vector.Software update
|
Included in automated software update
| related-to |
T1195
|
Supply Chain Compromise
|
|
action.malware.vector.Web application
|
Web application. Parent of 'Web application - download' and 'Web application - drive-by.
| related-to |
T1133
|
External Remote Services
|
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1176
|
Browser Extensions
|
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1189
|
Drive-by Compromise
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1205
|
Traffic Signaling
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1205
|
Traffic Signaling
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1205.001
|
Port Knocking
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1205.001
|
Port Knocking
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1205.001
|
Port Knocking
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1207
|
Rogue Domain Controller
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1211
|
Exploitation for Defense Evasion
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.malware.vector.Web application - drive-by
|
Web via auto-executed or "drive-by" infection. Child of 'Web application'.
| related-to |
T1212
|
Exploitation for Credential Access
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213
|
Data from Information Repositories
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213.001
|
Confluence
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1213.002
|
Sharepoint
|
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1219
|
Remote Access Software
|
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1221
|
Template Injection
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222
|
File and Directory Permissions Modification
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222.001
|
Windows File and Directory Permissions Modification
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1222.002
|
Linux and Mac File and Directory Permissions Modification
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1482
|
Domain Trust Discovery
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1485
|
Data Destruction
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1485.001
|
Lifecycle-Triggered Deletion
|
|
action.malware.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1486
|
Data Encrypted for Impact
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1489
|
Service Stop
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1490
|
Inhibit System Recovery
|
|
action.malware.variety.Ransomware
|
Ransomware (encrypt or seize stored data)
| related-to |
T1490
|
Inhibit System Recovery
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1495
|
Firmware Corruption
|
|
action.malware.variety.Click fraud
|
Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
|
action.malware.variety.Click fraud and cryptocurrency mining
|
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
|
action.malware.variety.Cryptocurrency mining
|
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496
|
Resource Hijacking
|
|
action.malware.variety.Click fraud and cryptocurrency mining
|
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.
| related-to |
T1496.001
|
Compute Hijacking
|
|
action.malware.variety.Cryptocurrency mining
|
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'.
| related-to |
T1496.001
|
Compute Hijacking
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497
|
Virtualization/Sandbox Evasion
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.001
|
System Checks
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.002
|
User Activity Based Checks
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1497.003
|
Time Based Evasion
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498
|
Network Denial of Service
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498.001
|
Direct Network Flood
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1498.002
|
Reflection Amplification
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499
|
Endpoint Denial of Service
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.001
|
OS Exhaustion Flood
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.002
|
Service Exhaustion Flood
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.003
|
Application Exhaustion Flood
|
|
action.malware.variety.DoS
|
DoS attack
| related-to |
T1499.004
|
Application or System Exploitation
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505
|
Server Software Component
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505
|
Server Software Component
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.001
|
SQL Stored Procedures
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.001
|
SQL Stored Procedures
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.002
|
Transport Agent
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.002
|
Transport Agent
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1505.003
|
Web Shell
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1505.003
|
Web Shell
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1525
|
Implant Internal Image
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1525
|
Implant Internal Image
|
|
action.malware.variety.RAT
|
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'
| related-to |
T1525
|
Implant Internal Image
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1525
|
Implant Internal Image
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1528
|
Steal Application Access Token
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1530
|
Data from Cloud Storage
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1537
|
Transfer Data to Cloud Account
|
|
action.malware.variety.Capture app data
|
Capture data from application or system process
| related-to |
T1539
|
Steal Web Session Cookie
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542
|
Pre-OS Boot
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.001
|
System Firmware
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.002
|
Component Firmware
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.003
|
Bootkit
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.004
|
ROMMONkit
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1542.005
|
TFTP Boot
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1543
|
Create or Modify System Process
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1543
|
Create or Modify System Process
|
|
action.malware.variety.Rootkit
|
Rootkit (maintain local privileges and stealth)
| related-to |
T1543
|
Create or Modify System Process
|
|
action.malware.variety.RAT
|
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan'
| related-to |
T1543.003
|
Windows Service
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1546
|
Event Triggered Execution
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1546
|
Event Triggered Execution
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1547
|
Boot or Logon Autostart Execution
|
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1548.002
|
Bypass User Account Control
|
|
action.malware.variety.Client-side attack
|
Client-side or browser attack (e.g., redirection, XSS, AitB)
| related-to |
T1548.003
|
Sudo and Sudo Caching
|
|
action.malware.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550
|
Use Alternate Authentication Material
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1550
|
Use Alternate Authentication Material
|
|
action.malware.variety.Pass-the-hash
|
Pass-the-hash
| related-to |
T1550.002
|
Pass the Hash
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1550.002
|
Pass the Hash
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.001
|
Credentials In Files
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.002
|
Credentials in Registry
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.003
|
Bash History
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.004
|
Private Keys
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.005
|
Cloud Instance Metadata API
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.006
|
Group Policy Preferences
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1552.008
|
Chat Messages
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553
|
Subvert Trust Controls
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1553
|
Subvert Trust Controls
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.001
|
Gatekeeper Bypass
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.002
|
Code Signing
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.003
|
SIP and Trust Provider Hijacking
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.004
|
Install Root Certificate
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.005
|
Mark-of-the-Web Bypass
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1553.006
|
Code Signing Policy Modification
|
|
action.malware.variety.Adminware
|
System or network utilities (e.g., PsTools, Netcat)
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'
| related-to |
T1554
|
Compromise Host Software Binary
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555
|
Credentials from Password Stores
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.001
|
Keychain
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.002
|
Securityd Memory
|
|
action.malware.variety.RAM scraper
|
RAM scraper or memory parser (capture data from volatile memory)
| related-to |
T1555.002
|
Securityd Memory
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.003
|
Credentials from Web Browsers
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.004
|
Windows Credential Manager
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.005
|
Password Managers
|
|
action.malware.variety.Password dumper
|
Password dumper (extract credential hashes)
| related-to |
T1555.006
|
Cloud Secrets Management Stores
|
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1566.002
|
Spearphishing Link
|
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557
|
Adversary-in-the-Middle
|
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.001
|
LLMNR/NBT-NS Poisoning and SMB Relay
|
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.002
|
ARP Cache Poisoning
|
|
action.malware.variety.AiTM
|
Man-in-the-middle attack. Child of 'Exploit vuln'.
| related-to |
T1557.003
|
DHCP Spoofing
|
|
action.hacking.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.011
|
Spoof Security Alerting
|
|
action.malware.variety.Exploit misconfig
|
Exploit a misconfiguration (vs vuln or weakness)
| related-to |
T1558.004
|
AS-REP Roasting
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560
|
Archive Collected Data
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.001
|
Archive via Utility
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.002
|
Archive via Library
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1560.003
|
Archive via Custom Method
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561
|
Disk Wipe
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561.001
|
Disk Content Wipe
|
|
action.malware.variety.Destroy data
|
Destroy or corrupt stored data
| related-to |
T1561.002
|
Disk Structure Wipe
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562
|
Impair Defenses
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1562
|
Impair Defenses
|
|
action.malware.variety.Modify data
|
Malware which compromises a legitimate file rather than creating new filess
| related-to |
T1562
|
Impair Defenses
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.001
|
Disable or Modify Tools
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.002
|
Disable Windows Event Logging
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.003
|
Impair Command History Logging
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.004
|
Disable or Modify System Firewall
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.006
|
Indicator Blocking
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.007
|
Disable or Modify Cloud Firewall
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.008
|
Disable or Modify Cloud Logs
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.011
|
Spoof Security Alerting
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1562.012
|
Disable or Modify Linux Audit System
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563
|
Remote Service Session Hijacking
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563.001
|
SSH Hijacking
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1563.002
|
RDP Hijacking
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564
|
Hide Artifacts
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.001
|
Hidden Files and Directories
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.002
|
Hidden Users
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.003
|
Hidden Window
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.004
|
NTFS File Attributes
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.005
|
Hidden File System
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.006
|
Run Virtual Instance
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1564.007
|
VBA Stomping
|
|
action.malware.variety.Trojan
|
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'
| related-to |
T1564.007
|
VBA Stomping
|
|
action.malware.vector.Instant messaging
|
Instant Messaging
| related-to |
T1566
|
Phishing
|
|
action.malware.vector.Email
|
Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown'
| related-to |
T1566.001
|
Spearphishing Attachment
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1566.001
|
Spearphishing Attachment
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567
|
Exfiltration Over Web Service
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.001
|
Exfiltration to Code Repository
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.002
|
Exfiltration to Cloud Storage
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.003
|
Exfiltration to Text Storage Sites
|
|
action.malware.variety.Export data
|
Export data to another site or system
| related-to |
T1567.004
|
Exfiltration Over Webhook
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568
|
Dynamic Resolution
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568
|
Dynamic Resolution
|
|
action.malware.vector.Download by malware
|
Downloaded and installed by local malware
| related-to |
T1568
|
Dynamic Resolution
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.001
|
Fast Flux DNS
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.001
|
Fast Flux DNS
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.002
|
Domain Generation Algorithms
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.002
|
Domain Generation Algorithms
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1568.003
|
DNS Calculation
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1568.003
|
DNS Calculation
|
|
action.malware.vector.Direct install
|
Directly installed or inserted by threat agent (after system access)
| related-to |
T1569.002
|
Service Execution
|
|
action.malware.vector.Network propagation
|
Network propagation
| related-to |
T1570
|
Lateral Tool Transfer
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1571
|
Non-Standard Port
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1571
|
Non-Standard Port
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1572
|
Protocol Tunneling
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1572
|
Protocol Tunneling
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573
|
Encrypted Channel
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573
|
Encrypted Channel
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573.001
|
Symmetric Cryptography
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573.001
|
Symmetric Cryptography
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1573.002
|
Asymmetric Cryptography
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1573.002
|
Asymmetric Cryptography
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1574.012
|
COR_PROFILER
|
|
action.malware.vector.Web application - download
|
Web via user-executed or downloaded content. Child of 'Web application'.
| related-to |
T1583
|
Acquire Infrastructure
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.001
|
Domains
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.001
|
Domains
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.002
|
DNS Server
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.002
|
DNS Server
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1583.006
|
Web Services
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1583.006
|
Web Services
|
|
action.malware.vector.Web application - download
|
Web via user-executed or downloaded content. Child of 'Web application'.
| related-to |
T1584
|
Compromise Infrastructure
|
|
action.malware.variety.Backdoor or C2
|
Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.
| related-to |
T1584.002
|
DNS Server
|
|
action.malware.variety.C2
|
Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.
| related-to |
T1584.002
|
DNS Server
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1587.001
|
Malware
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1587.004
|
Exploits
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.001
|
Malware
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.005
|
Exploits
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.006
|
Vulnerabilities
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1588.007
|
Artificial Intelligence
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595
|
Active Scanning
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595.001
|
Scanning IP Blocks
|
|
action.malware.variety.Scan network
|
Enumerating the state of the network
| related-to |
T1595.002
|
Vulnerability Scanning
|
|
action.malware.vector.Email attachment
|
Email via user-executed attachment. Child of 'Email'
| related-to |
T1598.002
|
Spearphishing Attachment
|
|
action.malware.vector.Email link
|
Email via embedded link. Child of 'Email'
| related-to |
T1598.003
|
Spearphishing Link
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600
|
Weaken Encryption
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600.001
|
Reduce Key Space
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1600.002
|
Disable Crypto Hardware
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601
|
Modify System Image
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601.001
|
Patch System Image
|
|
action.malware.variety.Disable controls
|
Disable or interfere with security controls
| related-to |
T1601.002
|
Downgrade System Image
|
|
action.malware.variety.Capture stored data
|
Capture data stored on system disk
| related-to |
T1602
|
Data from Configuration Repository
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608
|
Stage Capabilities
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.001
|
Upload Malware
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.002
|
Upload Tool
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.003
|
Install Digital Certificate
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.004
|
Drive-by Target
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1608.005
|
Link Target
|
|
action.malware.variety.Downloader
|
Downloader (pull updates or other malware)
| related-to |
T1610
|
Deploy Container
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1610
|
Deploy Container
|
|
action.malware.variety.Unknown
|
Unknown
| related-to |
T1612
|
Build Image on Host
|
|
action.malware.variety.Evade Defenses
|
Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
| related-to |
T1622
|
Debugger Evasion
|
|
action.malware.variety.Backdoor
|
Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.
| related-to |
T1546.017
|
Udev Rules
|
|
action.malware.vector.Partner
|
Partner connection or credential. (Indicates supply chain breach.)
| related-to |
T1584.008
|
Network Devices
|
|
action.malware.vector.remote injection
|
None
| related-to |
T1659
|
Content Injection
|
