VERIS MAPPINGS

The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner that allows for the analysis of data across a variety of incidents. This project provides mappings to better connect the who, what, and why captured in VERIS incident representation with the when and how described in MITRE ATT&CK® adversary behavioral tactics and techniques.

VERIS Versions: 1.3.7, 1.3.5
ATT&CK Versions: 12.1, 9.0
ATT&CK Domain: Enterprise, ICS, Mobile

VERIS Mapping Methodology

Capability Groups

| ID | Capability Group Name | Number of Mappings | Number of Capabilities |
|---|---|---|---|
| action.hacking | action.hacking | 379 | 41 |
| action.malware | action.malware | 337 | 42 |
| attribute.integrity | attribute.integrity | 72 | 10 |
| value_chain.development | value_chain.development | 23 | 10 |
| value_chain.distribution | value_chain.distribution | 18 | 5 |
| value_chain.non-distribution_services | value_chain.non-distribution_services | 12 | 1 |
| value_chain.targeting | value_chain.targeting | 43 | 4 |
| action.social | action.social | 29 | 4 |

All Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1047 | Windows Management Instrumentation |
| action.hacking.vector.Command shell | Remote shell | related-to | T1047 | Windows Management Instrumentation |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1047 | Windows Management Instrumentation |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053 | Scheduled Task/Job |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1053 | Scheduled Task/Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.001 | Scheduled Task/Job: At (Linux) |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.002 | Scheduled Task/Job: At (Windows) |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.003 | Scheduled Task/Job: Cron |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.004 | Scheduled Task/Job: Launchd |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.005 | Scheduled Task/Job: Scheduled Task |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.006 | Scheduled Task/Job: Systemd Timers |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.007 | Scheduled Task/Job: Container Orchestration Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059 | Command and Scripting Interpreter |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.001 | Command and Scripting Interpreter: PowerShell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.001 | Command and Scripting Interpreter: PowerShell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.002 | Command and Scripting Interpreter: AppleScript |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.002 | Command and Scripting Interpreter: AppleScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.006 | Command and Scripting Interpreter: Python |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.006 | Command and Scripting Interpreter: Python |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1059.007 | Command and Scripting Interpreter: JavaScript |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1072 | Software Deployment Tools |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1072 | Software Deployment Tools |
| action.malware.vector.Software update | Included in automated software update | related-to | T1072 | Software Deployment Tools |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1106 | Native API |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1112 | Modify Registry |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1127 | Trusted Developer Utilities Proxy Execution |
| action.hacking.variety.Unknown | Unknown | related-to | T1127 | Trusted Developer Utilities Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild |
| action.hacking.variety.Unknown | Unknown | related-to | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1129 | Shared Modules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137 | Office Application Startup |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1137 | Office Application Startup |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.001 | Office Application Startup: Office Template Macros |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.002 | Office Application Startup: Office Test |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.003 | Office Application Startup: Outlook Forms |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.004 | Office Application Startup: Outlook Home Page |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.005 | Office Application Startup: Outlook Rules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1187 | Forced Authentication |
| action.hacking.variety.MitM | Man-in-the-middle attack. Child of 'Exploit vuln'. | related-to | T1187 | Forced Authentication |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1202 | Indirect Command Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1216 | Signed Script Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1216.001 | Signed Script Proxy Execution: PubPrn |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218 | Signed Binary Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.002 | Signed Binary Proxy Execution: Control Panel |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.003 | Signed Binary Proxy Execution: CMSTP |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.004 | Signed Binary Proxy Execution: InstallUtil |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.005 | Signed Binary Proxy Execution: Mshta |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.007 | Signed Binary Proxy Execution: Msiexec |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.008 | Signed Binary Proxy Execution: Odbcconf |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.010 | Signed Binary Proxy Execution: Regsvr32 |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.012 | Signed Binary Proxy Execution: Verclsid |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1220 | XSL Script Processing |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1505.001 | Server Software Component: SQL Stored Procedures |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1505.001 | Server Software Component: SQL Stored Procedures |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1505.001 | Server Software Component: SQL Stored Procedures |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1505.001 | Server Software Component: SQL Stored Procedures |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1505.002 | Server Software Component: Transport Agent |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1505.002 | Server Software Component: Transport Agent |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1505.002 | Server Software Component: Transport Agent |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1505.002 | Server Software Component: Transport Agent |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1529 | System Shutdown/Reboot |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543 | Create or Modify System Process |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1543 | Create or Modify System Process |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1543 | Create or Modify System Process |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1543 | Create or Modify System Process |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1543 | Create or Modify System Process |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543.001 | Create or Modify System Process: Launch Agent |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543.002 | Create or Modify System Process: Systemd Service |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543.003 | Create or Modify System Process: Windows Service |
| action.malware.variety.RAT | Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' | related-to | T1543.003 | Create or Modify System Process: Windows Service |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543.004 | Create or Modify System Process: Launch Daemon |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1547 | Boot or Logon Autostart Execution |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1547 | Boot or Logon Autostart Execution |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1547 | Boot or Logon Autostart Execution |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1547 | Boot or Logon Autostart Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548 | Abuse Elevation Control Mechanism |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| action.malware.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| action.malware.variety.Client-side attack | Client-side or browser attack (e.g., redirection, XSS, MitB) | related-to | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1559 | Inter-Process Communication |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1559.001 | Inter-Process Communication: Component Object Model |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1559.002 | Inter-Process Communication: Dynamic Data Exchange |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1563 | Remote Service Session Hijacking |
| action.malware.vector.Network propagation | Network propagation | related-to | T1563 | Remote Service Session Hijacking |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1563.001 | Remote Service Session Hijacking: SSH Hijacking |
| action.malware.vector.Network propagation | Network propagation | related-to | T1563.001 | Remote Service Session Hijacking: SSH Hijacking |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| action.malware.vector.Network propagation | Network propagation | related-to | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564 | Hide Artifacts |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.002 | Hide Artifacts: Hidden Users |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.003 | Hide Artifacts: Hidden Window |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.004 | Hide Artifacts: NTFS File Attributes |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.005 | Hide Artifacts: Hidden File System |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.006 | Hide Artifacts: Run Virtual Instance |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.007 | Hide Artifacts: VBA Stomping |
| action.malware.variety.Trojan | An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' | related-to | T1564.007 | Hide Artifacts: VBA Stomping |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569 | System Services |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.001 | System Services: Launchctl |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.002 | System Services: Service Execution |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1569.002 | System Services: Service Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578 | Modify Cloud Compute Infrastructure |
| action.hacking.vector.Hypervisor | Hypervisor break-out attack | related-to | T1578 | Modify Cloud Compute Infrastructure |
| action.hacking.vector.Inter-tenant | Penetration of another VM or web site on shared device or infrastructure | related-to | T1578 | Modify Cloud Compute Infrastructure |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578.003 | Modify Cloud Compute Infrastructure: Delete Cloud Instance |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578.004 | Modify Cloud Compute Infrastructure: Revert Cloud Instance |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1609 | Container Administration Command |
| action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110 | Brute Force |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110 | Brute Force |
| action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110.001 | Brute Force: Password Guessing |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110.001 | Brute Force: Password Guessing |
| action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110.002 | Brute Force: Password Cracking |
| action.hacking.variety.Offline cracking | Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR) | related-to | T1110.002 | Brute Force: Password Cracking |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110.002 | Brute Force: Password Cracking |
| action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110.003 | Brute Force: Password Spraying |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110.003 | Brute Force: Password Spraying |
| action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110.004 | Brute Force: Credential Stuffing |
| action.malware.variety.Brute force | Brute force attack | related-to | T1110.004 | Brute Force: Credential Stuffing |
| action.hacking.variety.Buffer overflow | Buffer overflow. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP Response Splitting | HTTP Response Splitting. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP request smuggling | HTTP request smuggling. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP request splitting | HTTP request splitting. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.HTTP response smuggling | HTTP response smuggling. Child of 'Exploit vuln'. | related-to | T1203 | Exploitation for Client Execution |
| action.malware.variety.Client-side attack | Client-side or browser attack (e.g., redirection, XSS, MitB) | related-to | T1203 | Exploitation for Client Execution |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1203 | Exploitation for Client Execution |
| action.hacking.variety.Cryptanalysis | Cryptanalysis. Child of 'Exploit vuln'. | related-to | T1600 | Weaken Encryption |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1600 | Weaken Encryption |
| action.hacking.variety.DoS | Denial of service | related-to | T1498 | Network Denial of Service |
| action.malware.variety.DoS | DoS attack | related-to | T1498 | Network Denial of Service |
| action.hacking.variety.DoS | Denial of service | related-to | T1498.001 | Network Denial of Service: Direct Network Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1498.001 | Network Denial of Service: Direct Network Flood |
| action.hacking.variety.DoS | Denial of service | related-to | T1498.002 | Network Denial of Service: Reflection Amplification |
| action.malware.variety.DoS | DoS attack | related-to | T1498.002 | Network Denial of Service: Reflection Amplification |
| action.hacking.variety.DoS | Denial of service | related-to | T1499 | Endpoint Denial of Service |
| action.hacking.variety.Soap array abuse | Soap array abuse. Child of 'Exploit vuln'. | related-to | T1499 | Endpoint Denial of Service |
| action.hacking.variety.XML attribute blowup | XML attribute blowup. Child of 'Exploit vuln'. | related-to | T1499 | Endpoint Denial of Service |
| action.hacking.variety.XML entity expansion | XML entity expansion. Child of 'Exploit vuln'. | related-to | T1499 | Endpoint Denial of Service |
| action.hacking.variety.XML external entities | XML external entities. Child of 'Exploit vuln'. | related-to | T1499 | Endpoint Denial of Service |
| action.malware.variety.DoS | DoS attack | related-to | T1499 | Endpoint Denial of Service |
| action.hacking.variety.DoS | Denial of service | related-to | T1499.001 | Endpoint Denial of Service: OS Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.001 | Endpoint Denial of Service: OS Exhaustion Flood |
| action.hacking.variety.DoS | Denial of service | related-to | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood |
| action.hacking.variety.DoS | Denial of service | related-to | T1499.003 | Endpoint Denial of Service: Application Exhaustion Flood |
| action.malware.variety.DoS | DoS attack | related-to | T1499.003 | Endpoint Denial of Service: Application Exhaustion Flood |
| action.hacking.variety.DoS | Denial of service | related-to | T1499.004 | Endpoint Denial of Service: Application or System Exploitation |
| action.malware.variety.DoS | DoS attack | related-to | T1499.004 | Endpoint Denial of Service: Application or System Exploitation |
| action.hacking.variety.DoS | Denial of service | related-to | T1583.005 | Acquire Infrastructure: Botnet |
| action.hacking.variety.Unknown | Unknown | related-to | T1583.005 | Acquire Infrastructure: Botnet |
| value_chain.development.variety.Bot | A small program that can be distributed, installed, and controlled en masse. | related-to | T1583.005 | Acquire Infrastructure: Botnet |
| value_chain.distribution.variety.Botnet | For content distributed from a collection of bots. | related-to | T1583.005 | Acquire Infrastructure: Botnet |
| action.hacking.variety.DoS | Denial of service | related-to | T1584.005 | Compromise Infrastructure: Botnet |
| action.hacking.variety.Unknown | Unknown | related-to | T1584.005 | Compromise Infrastructure: Botnet |
| value_chain.distribution.variety.Other | The variety of distribution was known, but is not listed | related-to | T1584.005 | Compromise Infrastructure: Botnet |
| value_chain.non-distribution services.variety.Other | The variety of non-distribution service required is known, but is not listed | related-to | T1584.005 | Compromise Infrastructure: Botnet |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Format string attack | Format string attack. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Fuzz testing | Fuzz testing. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Insecure deserialization | iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Integer overflows | Integer overflows. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.LDAP injection | LDAP injection. Child of 'Exploit vuln'. | related-to | T1068 | Exploitation for Privilege Escalation |
| action.malware.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1068 | Exploitation for Privilege Escalation |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1190 | Exploit Public-Facing Application |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1190 | Exploit Public-Facing Application |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1210 | Exploitation of Remote Services |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1210 | Exploitation of Remote Services |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1212 | Exploitation for Credential Access |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1212 | Exploitation for Credential Access |
| action.malware.vector.Web application - drive-by | Web via auto-executed or "drive-by" infection. Child of 'Web application'. | related-to | T1212 | Exploitation for Credential Access |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting |
| action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting |
| action.malware.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| action.hacking.variety.Unknown | Unknown | related-to | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| action.hacking.variety.Unknown | Unknown | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| action.hacking.variety.Unknown | Unknown | related-to | T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1574.004 | Hijack Execution Flow: Dylib Hijacking |
| action.hacking.variety.Unknown | Unknown | related-to | T1574.004 | Hijack Execution Flow: Dylib Hijacking |
| action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1595.002 | Active Scanning: Vulnerability Scanning |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1595.002 | Active Scanning: Vulnerability Scanning |
| action.malware.variety.Scan network | Scan or footprint network | related-to | T1595.002 | Active Scanning: Vulnerability Scanning |
| value_chain.targeting.variety.Organizational Information | Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target | related-to | T1595.002 | Active Scanning: Vulnerability Scanning |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1007 | System Service Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1012 | Query Registry |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1057 | Process Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1069 | Permission Groups Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1069.001 | Permission Groups Discovery: Local Groups |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1069.002 | Permission Groups Discovery: Domain Groups |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1069.003 | Permission Groups Discovery: Cloud Groups |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1082 | System Information Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087 | Account Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087.001 | Account Discovery: Local Account |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087.002 | Account Discovery: Domain Account |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087.003 | Account Discovery: Email Account |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1087.004 | Account Discovery: Cloud Account |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1119 | Automated Collection |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1119 | Automated Collection |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1120 | Peripheral Device Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1124 | System Time Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1201 | Password Policy Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1480 | Execution Guardrails |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1480.001 | Execution Guardrails: Environmental Keying |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1518 | Software Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1518.001 | Software Discovery: Security Software Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1526 | Cloud Service Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1538 | Cloud Service Dashboard |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1580 | Cloud Infrastructure Discovery |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1589 | Gather Victim Identity Information |
value_chain.targeting.variety.Personal Information Information on individuals such as title, interests, physical location, etc, used to pick an organization as a target related-to T1589 Gather Victim Identity Information
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1589.001 Gather Victim Identity Information: Credentials
value_chain.targeting.variety.Lost or stolen credentials Lost or stolen credentials, including credential stuffing, used to pick an organization as a target related-to T1589.001 Gather Victim Identity Information: Credentials
value_chain.targeting.variety.Personal Information Information on individuals such as title, interests, physical location, etc, used to pick an organization as a target related-to T1589.001 Gather Victim Identity Information: Credentials
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1589.002 Gather Victim Identity Information: Email Addresses
value_chain.targeting.variety.Email addresses Email addresses related-to T1589.002 Gather Victim Identity Information: Email Addresses
value_chain.targeting.variety.Personal Information Information on individuals such as title, interests, physical location, etc, used to pick an organization as a target related-to T1589.002 Gather Victim Identity Information: Email Addresses
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1589.003 Gather Victim Identity Information: Employee Names
value_chain.targeting.variety.Personal Information Information on individuals such as title, interests, physical location, etc, used to pick an organization as a target related-to T1589.003 Gather Victim Identity Information: Employee Names
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590 Gather Victim Network Information
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590 Gather Victim Network Information
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.001 Gather Victim Network Information: Domain Properties
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.001 Gather Victim Network Information: Domain Properties
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.002 Gather Victim Network Information: DNS
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.002 Gather Victim Network Information: DNS
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.003 Gather Victim Network Information: Network Trust Dependencies
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.003 Gather Victim Network Information: Network Trust Dependencies
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.004 Gather Victim Network Information: Network Topology
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.004 Gather Victim Network Information: Network Topology
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.005 Gather Victim Network Information: IP Addresses
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.005 Gather Victim Network Information: IP Addresses
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1590.006 Gather Victim Network Information: Network Security Appliances
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1590.006 Gather Victim Network Information: Network Security Appliances
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1591 Gather Victim Org Information
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1591 Gather Victim Org Information
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1591.001 Gather Victim Org Information: Determine Physical Locations
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1591.001 Gather Victim Org Information: Determine Physical Locations
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1591.002 Gather Victim Org Information: Business Relationships
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1591.002 Gather Victim Org Information: Business Relationships
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1591.003 Gather Victim Org Information: Identify Business Tempo
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1591.003 Gather Victim Org Information: Identify Business Tempo
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1591.004 Gather Victim Org Information: Identify Roles
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1591.004 Gather Victim Org Information: Identify Roles
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1592 Gather Victim Host Information
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1592 Gather Victim Host Information
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1592.001 Gather Victim Host Information: Hardware
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1592.001 Gather Victim Host Information: Hardware
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1592.002 Gather Victim Host Information: Software
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1592.002 Gather Victim Host Information: Software
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1592.003 Gather Victim Host Information: Firmware
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1592.003 Gather Victim Host Information: Firmware
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1592.004 Gather Victim Host Information: Client Configurations
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1592.004 Gather Victim Host Information: Client Configurations
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1593 Search Open Websites/Domains
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1593 Search Open Websites/Domains
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1593.001 Search Open Websites/Domains: Social Media
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1593.001 Search Open Websites/Domains: Social Media
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1593.002 Search Open Websites/Domains: Search Engines
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1593.002 Search Open Websites/Domains: Search Engines
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1594 Search Victim-Owned Websites
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1594 Search Victim-Owned Websites
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596 Search Open Technical Databases
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596 Search Open Technical Databases
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596.001 Search Open Technical Databases: DNS/Passive DNS
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596.001 Search Open Technical Databases: DNS/Passive DNS
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596.002 Search Open Technical Databases: WHOIS
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596.002 Search Open Technical Databases: WHOIS
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596.003 Search Open Technical Databases: Digital Certificates
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596.003 Search Open Technical Databases: Digital Certificates
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596.004 Search Open Technical Databases: CDNs
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596.004 Search Open Technical Databases: CDNs
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1596.005 Search Open Technical Databases: Scan Databases
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1596.005 Search Open Technical Databases: Scan Databases
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1597 Search Closed Sources
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1597 Search Closed Sources
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1597.001 Search Closed Sources: Threat Intel Vendors
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1597.001 Search Closed Sources: Threat Intel Vendors
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1597.002 Search Closed Sources: Purchase Technical Data
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1597.002 Search Closed Sources: Purchase Technical Data
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1602 Data from Configuration Repository
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1602 Data from Configuration Repository
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1602.001 Data from Configuration Repository: SNMP (MIB Dump)
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1602.002 Data from Configuration Repository: Network Device Configuration Dump
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1613 Container and Resource Discovery
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1614 System Location Discovery
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1539 Steal Web Session Cookie
action.malware.variety.Capture app data Capture data from application or system process related-to T1539 Steal Web Session Cookie
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.003 Acquire Infrastructure: Virtual Private Server
action.hacking.variety.Unknown Unknown related-to T1583.003 Acquire Infrastructure: Virtual Private Server
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1583.003 Acquire Infrastructure: Virtual Private Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1583.003 Acquire Infrastructure: Virtual Private Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.004 Acquire Infrastructure: Server
action.hacking.variety.Unknown Unknown related-to T1583.004 Acquire Infrastructure: Server
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1583.004 Acquire Infrastructure: Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1583.004 Acquire Infrastructure: Server
action.hacking.variety.Forced browsing Forced browsing or predictable resource location. Child of 'Exploit vuln'. related-to T1583.006 Acquire Infrastructure: Web Services
action.hacking.variety.Unknown Unknown related-to T1583.006 Acquire Infrastructure: Web Services
action.malware.variety.C2 Command and control (C2) related-to T1583.006 Acquire Infrastructure: Web Services
value_chain.development.variety.Website Development of any full website controlled by the attacker related-to T1583.006 Acquire Infrastructure: Web Services
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1583.006 Acquire Infrastructure: Web Services
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1583.006 Acquire Infrastructure: Web Services
action.hacking.variety.HTTP Response Splitting HTTP Response Splitting. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.hacking.variety.HTTP request smuggling HTTP request smuggling. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.hacking.variety.HTTP request splitting HTTP request splitting. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.hacking.variety.HTTP response smuggling HTTP response smuggling. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.hacking.variety.Session fixation Session fixation. Child of 'Exploit vuln'. related-to T1185 Man in the Browser
action.malware.variety.Capture app data Capture data from application or system process related-to T1185 Man in the Browser
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
action.hacking.variety.Routing detour Routing detour. Child of 'Exploit vuln'. related-to T1557 Man-in-the-Middle
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay
action.hacking.variety.MitM Man-in-the-middle attack. Child of 'Exploit vuln'. related-to T1557.002 Man-in-the-Middle: ARP Cache Poisoning
action.hacking.variety.Pass-the-hash Pass-the-hash related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1550.002 Use Alternate Authentication Material: Pass the Hash
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1001 Data Obfuscation
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1001 Data Obfuscation
action.malware.variety.Unknown Unknown related-to T1001 Data Obfuscation
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1008 Fallback Channels
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1008 Fallback Channels
action.malware.variety.C2 Command and control (C2) related-to T1008 Fallback Channels
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1071 Application Layer Protocol
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1071 Application Layer Protocol
action.malware.variety.C2 Command and control (C2) related-to T1071 Application Layer Protocol
action.malware.variety.Unknown Unknown related-to T1071 Application Layer Protocol
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1078 Valid Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078 Valid Accounts
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1078 Valid Accounts
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1090 Proxy
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1090 Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090 Proxy
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1095 Non-Application Layer Protocol
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1095 Non-Application Layer Protocol
action.malware.variety.C2 Command and control (C2) related-to T1095 Non-Application Layer Protocol
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1102 Web Service
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1102 Web Service
action.malware.variety.C2 Command and control (C2) related-to T1102 Web Service
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1104 Multi-Stage Channels
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1104 Multi-Stage Channels
action.malware.variety.C2 Command and control (C2) related-to T1104 Multi-Stage Channels
action.hacking.variety.Unknown Unknown related-to T1105 Ingress Tool Transfer
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1105 Ingress Tool Transfer
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1105 Ingress Tool Transfer
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1132 Data Encoding
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1132 Data Encoding
action.malware.variety.C2 Command and control (C2) related-to T1132 Data Encoding
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1133 External Remote Services
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1133 External Remote Services
action.hacking.vector.3rd party desktop 3rd party online desktop sharing (LogMeIn, Go2Assist) related-to T1133 External Remote Services
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1133 External Remote Services
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1133 External Remote Services
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1133 External Remote Services
action.malware.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations (such as Remote injection when a Remote injection vuln exists). related-to T1133 External Remote Services
action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) related-to T1133 External Remote Services
action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by'. related-to T1133 External Remote Services
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1205 Traffic Signaling
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1205 Traffic Signaling
action.malware.variety.C2 Command and control (C2) related-to T1205 Traffic Signaling
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1505 Server Software Component
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1505 Server Software Component
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1505 Server Software Component
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1505.003 Server Software Component: Web Shell
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1505.003 Server Software Component: Web Shell
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1505.003 Server Software Component: Web Shell
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1525 Implant Container Image
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1525 Implant Container Image
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1525 Implant Container Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1525 Implant Container Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Container Image
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1568 Dynamic Resolution
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1568 Dynamic Resolution
action.malware.variety.C2 Command and control (C2) related-to T1568 Dynamic Resolution
action.malware.vector.Download by malware Downloaded and installed by local malware related-to T1568 Dynamic Resolution
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1571 Non-Standard Port
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1571 Non-Standard Port
action.malware.variety.C2 Command and control (C2) related-to T1571 Non-Standard Port
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1572 Protocol Tunneling
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1572 Protocol Tunneling
action.malware.variety.C2 Command and control (C2) related-to T1572 Protocol Tunneling
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1573 Encrypted Channels
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1573 Encrypted Channels
action.malware.variety.C2 Command and control (C2) related-to T1573 Encrypted Channels
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.malware.variety.C2 Command and control (C2) related-to T1573.001 Encrypted Channels: Symmetric Cryptography
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.malware.variety.C2 Command and control (C2) related-to T1573.002 Encrypted Channels: Asymmetric Cryptography
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021 Remote Services
action.malware.vector.Network propagation Network propagation related-to T1021 Remote Services
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.001 Remote Services: Remote Desktop Protocol
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1021.001 Remote Services: Remote Desktop Protocol
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.002 Remote Services: SMB/Windows Admin Shares
action.hacking.vector.Command shell Remote shell related-to T1021.002 Remote Services: SMB/Windows Admin Shares
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.003 Remote Services: Distributed Component Object Model
action.hacking.vector.Command shell Remote shell related-to T1021.003 Remote Services: Distributed Component Object Model
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.004 Remote Services: SSH
action.hacking.vector.Command shell Remote shell related-to T1021.004 Remote Services: SSH
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.005 Remote Services: VNC
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1021.005 Remote Services: VNC
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1021.006 Remote Services: Windows Remote Management
action.hacking.vector.Command shell Remote shell related-to T1021.006 Remote Services: Windows Remote Management
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078.001 Valid Accounts: Default Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078.002 Valid Accounts: Domain Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078.003 Valid Accounts: Local Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078.004 Valid Accounts: Cloud Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134 Access Token Manipulation
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134.001 Access Token Manipulation: Token Impersonation/Theft
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134.002 Access Token Manipulation: Create Process with Token
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134.003 Access Token Manipulation: Make and Impersonate Token
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134.004 Access Token Manipulation: Parent PID Spoofing
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1134.005 Access Token Manipulation: SID-History Injection
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1550 Use Alternate Authentication Material
action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1550.001 Use Alternate Authentication Material: Application Access Token
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1550.003 Use Alternate Authentication Material: Pass the Ticket
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1550.004 Use Alternate Authentication Material: Web Session Cookies
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558 Steal or Forge Kerberos Tickets
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1586 Compromise Account
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1586.001 Compromise Account: Social Media Accounts
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1586.001 Compromise Account: Social Media Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1586.001 Compromise Account: Social Media Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1586.002 Compromise Account: Email Accounts
action.hacking.variety.Virtual machine escape Virtual machine escape. Child of 'Exploit vuln'. related-to T1611 Escape to Host
action.hacking.variety.XML external entities XML external entities. Child of 'Exploit vuln'. related-to T1213 Data from Information Repositories
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213 Data from Information Repositories
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1546 Event Triggered Execution
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1546 Event Triggered Execution
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1546 Event Triggered Execution
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546 Event Triggered Execution
action.hacking.variety.Unknown Unknown related-to T1574 Hijack Execution Flow
action.hacking.variety.XML injection XML injection. Child of 'Exploit vuln'. related-to T1574 Hijack Execution Flow
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1574 Hijack Execution Flow
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1574 Hijack Execution Flow
action.hacking.variety.XPath injection XPath injection. Child of 'Exploit vuln'. related-to T1010 Application Window Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1010 Application Window Discovery
action.hacking.variety.Unknown Unknown related-to T1111 Two-Factor Authentication Interception
action.hacking.variety.Unknown Unknown related-to T1583 Acquire Infrastructure
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1583 Acquire Infrastructure
action.hacking.variety.Unknown Unknown related-to T1583.001 Acquire Infrastructure: Domains
action.malware.variety.C2 Command and control (C2) related-to T1583.001 Acquire Infrastructure: Domains
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1583.001 Acquire Infrastructure: Domains
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1583.001 Acquire Infrastructure: Domains
action.hacking.variety.Unknown Unknown related-to T1583.002 Acquire Infrastructure: DNS Server
action.malware.variety.C2 Command and control (C2) related-to T1583.002 Acquire Infrastructure: DNS Server
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1583.002 Acquire Infrastructure: DNS Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1583.002 Acquire Infrastructure: DNS Server
action.hacking.variety.Unknown Unknown related-to T1584 Compromise Infrastructure
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1584 Compromise Infrastructure
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1584 Compromise Infrastructure
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584 Compromise Infrastructure
action.hacking.variety.Unknown Unknown related-to T1584.001 Compromise Infrastructure: Domains
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1584.001 Compromise Infrastructure: Domains
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1584.001 Compromise Infrastructure: Domains
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584.001 Compromise Infrastructure: Domains
action.hacking.variety.Unknown Unknown related-to T1584.002 Compromise Infrastructure: DNS Server
action.malware.variety.C2 Command and control (C2) related-to T1584.002 Compromise Infrastructure: DNS Server
value_chain.distribution.variety.Compromised server Malicious content added to a benign server, such as a webserver, by the actor, without the permission or necessarily the knowledge of the server’s owner related-to T1584.002 Compromise Infrastructure: DNS Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584.002 Compromise Infrastructure: DNS Server
action.hacking.variety.Unknown Unknown related-to T1584.003 Compromise Infrastructure: Virtual Private Server
value_chain.distribution.variety.Compromised server Malicious content added to a benign server, such as a webserver, by the actor, without the permission or necessarily the knowledge of the server’s owner related-to T1584.003 Compromise Infrastructure: Virtual Private Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584.003 Compromise Infrastructure: Virtual Private Server
action.hacking.variety.Unknown Unknown related-to T1584.004 Compromise Infrastructure: Server
value_chain.distribution.variety.Compromised server Malicious content added to a benign server, such as a webserver, by the actor, without the permission or necessarily the knowledge of the server’s owner related-to T1584.004 Compromise Infrastructure: Server
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584.004 Compromise Infrastructure: Server
action.hacking.variety.Unknown Unknown related-to T1584.006 Compromise Infrastructure: Web Services
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1584.006 Compromise Infrastructure: Web Services
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584.006 Compromise Infrastructure: Web Services
action.hacking.variety.Unknown Unknown related-to T1587 Develop Capabilities
value_chain.development.variety.Unknown Nothing is known about the need for or type of development investment other than it was present. related-to T1587 Develop Capabilities
action.hacking.variety.Unknown Unknown related-to T1587.001 Develop Capabilities: Malware
action.malware.variety.Unknown Unknown related-to T1587.001 Develop Capabilities: Malware
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1587.001 Develop Capabilities: Malware
value_chain.development.variety.Payload The portion of a program that causes a negative effect. related-to T1587.001 Develop Capabilities: Malware
value_chain.development.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1587.001 Develop Capabilities: Malware
value_chain.development.variety.Trojan A program which masquerades as another program to get a target to execute malicious content related-to T1587.001 Develop Capabilities: Malware
action.hacking.variety.Unknown Unknown related-to T1587.002 Develop Capabilities: Code Signing Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1587.002 Develop Capabilities: Code Signing Certificates
action.hacking.variety.Unknown Unknown related-to T1587.003 Develop Capabilities: Digital Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1587.003 Develop Capabilities: Digital Certificates
action.hacking.variety.Unknown Unknown related-to T1587.004 Develop Capabilities: Exploits
action.malware.variety.Unknown Unknown related-to T1587.004 Develop Capabilities: Exploits
value_chain.development.variety.Exploit Code to exploit a vulnerability, including web injects. related-to T1587.004 Develop Capabilities: Exploits
value_chain.development.variety.Exploit Kits Code sets capable of selecting and trying multiple exploits against a target. related-to T1587.004 Develop Capabilities: Exploits
action.hacking.variety.Unknown Unknown related-to T1588 Obtain Capabilities
value_chain.development.variety.Unknown Nothing is known about the need for or type of development investment other than it was present. related-to T1588 Obtain Capabilities
action.hacking.variety.Unknown Unknown related-to T1588.001 Obtain Capabilities: Malware
action.malware.variety.Unknown Unknown related-to T1588.001 Obtain Capabilities: Malware
value_chain.development.variety.Bot A small program that can be distributed, installed, and controlled en masse. related-to T1588.001 Obtain Capabilities: Malware
value_chain.development.variety.Payload The portion of a program that causes a negative effect. related-to T1588.001 Obtain Capabilities: Malware
value_chain.development.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1588.001 Obtain Capabilities: Malware
value_chain.development.variety.Trojan A program which masquerades as another program to get a target to execute malicious content related-to T1588.001 Obtain Capabilities: Malware
action.hacking.variety.Unknown Unknown related-to T1588.002 Obtain Capabilities: Tool
action.hacking.variety.Unknown Unknown related-to T1588.003 Obtain Capabilities: Code Signing Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1588.003 Obtain Capabilities: Code Signing Certificates
action.hacking.variety.Unknown Unknown related-to T1588.004 Obtain Capabilities: Digital Certificates
value_chain.development.variety.Other The variety of development required is known, but is not listed. related-to T1588.004 Obtain Capabilities: Digital Certificates
action.hacking.variety.Unknown Unknown related-to T1588.005 Obtain Capabilities: Exploits
action.malware.variety.Unknown Unknown related-to T1588.005 Obtain Capabilities: Exploits
value_chain.development.variety.Exploit Code to exploit a vulnerability, including web injects. related-to T1588.005 Obtain Capabilities: Exploits
value_chain.development.variety.Exploit Kits Code sets capable of selecting and trying multiple exploits against a target. related-to T1588.005 Obtain Capabilities: Exploits
action.hacking.variety.Unknown Unknown related-to T1588.006 Obtain Capabilities: Vulnerabilities
action.malware.variety.Unknown Unknown related-to T1588.006 Obtain Capabilities: Vulnerabilities
action.hacking.variety.Unknown Unknown related-to T1599 Network Boundary Bridging
action.hacking.variety.Unknown Unknown related-to T1599.001 Network Boundary Bridging: Network Address Translation Traversal
action.hacking.variety.Unknown Unknown related-to T1606 Forge Web Credentials
action.hacking.variety.Unknown Unknown related-to T1606.001 Forge Web Credentials: Web Cookies
action.hacking.variety.Unknown Unknown related-to T1606.002 Forge Web Credentials: SAML Tokens
action.hacking.variety.Unknown Unknown related-to T1531 Account Access Removal
attribute.integrity.variety.Unknown Unknown related-to T1531 Account Access Removal
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1037 Boot or Logon Initialization Script
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1037 Boot or Logon Initialization Script
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037 Boot or Logon Initialization Script
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1098 Account Manipulation
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1098 Account Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098 Account Manipulation
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1136 Create Account
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1136 Create Account
attribute.integrity.variety.Created account Created new user account related-to T1136 Create Account
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1197 BITS Jobs
action.malware.variety.Export data Export data to another site or system related-to T1197 BITS Jobs
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1542 Pre-OS Boot
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542 Pre-OS Boot
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1554 Compromise Client Software Binary
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1554 Compromise Client Software Binary
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1554 Compromise Client Software Binary
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1554 Compromise Client Software Binary
action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1219 Remote Access Software
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1219 Remote Access Software
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1497 Virtualization/Sandbox Evasion
action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1497 Virtualization/Sandbox Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497 Virtualization/Sandbox Evasion
action.hacking.vector.Partner Partner connection or credential related-to T1199 Trusted Relationship
action.malware.variety.Adware Adware related-to T1199 Trusted Relationship
action.hacking.vector.Partner Partner connection or credential related-to T1195 Supply Chain Compromise
action.malware.vector.Software update Included in automated software update related-to T1195 Supply Chain Compromise
action.hacking.vector.Partner Partner connection or credential related-to T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
action.hacking.vector.Partner Partner connection or credential related-to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
action.hacking.vector.Partner Partner connection or credential related-to T1195.003 Supply Chain Compromise: Compromise Hardware Supply Chain
action.hacking.vector.Physical access Physical access or connection (i.e., at keyboard or via cable) related-to T1200 Hardware Additions
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.C2 Command and control (C2) related-to T1205.001 Traffic Signaling: Port Knocking
action.malware.variety.C2 Command and control (C2) related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.Unknown Unknown related-to T1001.001 Data Obfuscation: Junk Data
action.malware.variety.C2 Command and control (C2) related-to T1071.001 Application Layer Protocol: Web Protocols
action.malware.variety.Unknown Unknown related-to T1071.001 Application Layer Protocol: Web Protocols
action.malware.variety.C2 Command and control (C2) related-to T1071.002 Application Layer Protocol: File Transfer Protocol
action.malware.variety.Unknown Unknown related-to T1071.002 Application Layer Protocol: File Transfer Protocol
action.malware.variety.C2 Command and control (C2) related-to T1071.003 Application Layer Protocol: Mail Protocols
action.malware.variety.Unknown Unknown related-to T1071.003 Application Layer Protocol: Mail Protocols
action.malware.variety.C2 Command and control (C2) related-to T1071.004 Application Layer Protocol: DNS
action.malware.variety.Unknown Unknown related-to T1071.004 Application Layer Protocol: DNS
action.malware.variety.C2 Command and control (C2) related-to T1090.001 Proxy: Internal Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090.002 Proxy: External Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090.003 Proxy: Multi-hop Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090.004 Proxy: Domain Fronting
action.malware.variety.C2 Command and control (C2) related-to T1102.001 Web Service: Dead Drop Resolver
action.malware.variety.C2 Command and control (C2) related-to T1102.002 Web Service: Bidirectional Communication
action.malware.variety.C2 Command and control (C2) related-to T1102.003 Web Service: One-Way Communication
action.malware.variety.C2 Command and control (C2) related-to T1132.001 Data Encoding: Standard Encoding
action.malware.variety.C2 Command and control (C2) related-to T1132.002 Data Encoding: Non-Standard Encoding
action.malware.variety.C2 Command and control (C2) related-to T1568.001 Dynamic Resolution: Fast Flux DNS
action.malware.variety.C2 Command and control (C2) related-to T1568.002 Dynamic Resolution: Domain Generation Algorithms
action.malware.variety.C2 Command and control (C2) related-to T1568.003 Dynamic Resolution: DNS Calculation
action.malware.variety.Capture app data Capture data from application or system process related-to T1056 Input Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.001 Input Capture: Keylogging
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.002 Input Capture: GUI Input Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.003 Input Capture: Web Portal Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Spyware/Keylogger Spyware, keylogger or form-grabber (capture user input or activity) related-to T1056.004 Input Capture: Credential API Hooking
action.malware.variety.Capture app data Capture data from application or system process related-to T1113 Screen Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1114 Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.001 Email Collection: Local Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.002 Email Collection: Remote Email Collection
action.malware.variety.Capture app data Capture data from application or system process related-to T1114.003 Email Collection: Email Forwarding Rule
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1114.003 Email Collection: Email Forwarding Rule
action.malware.variety.Capture app data Capture data from application or system process related-to T1123 Audio Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1125 Video Capture
action.malware.variety.Capture app data Capture data from application or system process related-to T1176 Browser Extensions
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1176 Browser Extensions
action.malware.variety.Capture app data Capture data from application or system process related-to T1207 Rogue Domain Controller
action.malware.variety.Capture app data Capture data from application or system process related-to T1217 Browser Bookmark Discovery
action.malware.variety.Capture app data Capture data from application or system process related-to T1528 Steal Application Access Token
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.002 OS Credential Dumping: Security Account Manager
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.003 OS Credential Dumping: NTDS
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.003 OS Credential Dumping: NTDS
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Export data Export data to another site or system related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.006 OS Credential Dumping: DCSync
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1005 Data from Local System
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1025 Data from Removable Media
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1033 System Owner/User Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1039 Data from Network Shared Drive
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1083 File and Directory Discovery
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.001 Data from Information Repositories: Confluence
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1213.002 Data from Information Repositories: Sharepoint
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1530 Data from Cloud Storage Object
action.malware.variety.Click fraud Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Click fraud and cryptocurrency mining Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Cryptocurrency mining Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. related-to T1496 Resource Hijacking
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1221 Template Injection
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070 Indicator Removal on Host
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.001 Indicator Removal on Host: Clear Windows Event Logs
attribute.integrity.variety.Log tampering Log tampering or modification related-to T1070.001 Indicator Removal on Host: Clear Windows Event Logs
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs
attribute.integrity.variety.Log tampering Log tampering or modification related-to T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.003 Indicator Removal on Host: Clear Command History
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.004 Indicator Removal on Host: File Deletion
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.005 Indicator Removal on Host: Network Share Connection Removal
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070.006 Indicator Removal on Host: Timestomp
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485 Data Destruction
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1495 Firmware Corruption
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561 Disk Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.001 Disk Wipe: Disk Content Wipe
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1561.002 Disk Wipe: Disk Structure Wipe
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1006 Direct Volume Access
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027 Obfuscated Files or Information
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.001 Obfuscated Files or Information: Binary Padding
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.002 Obfuscated Files or Information: Software Packing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.003 Obfuscated Files or Information: Steganography
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.004 Obfuscated Files or Information: Compile After Delivery
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036 Masquerading
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1036 Masquerading
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.001 Masquerading: Invalid Code Signature
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.002 Masquerading: Right-to-Left Override
action.social.variety.Forgery Forgery or counterfeiting (fake hardware, software, documents, etc) related-to T1036.002 Masquerading: Right-to-Left Override
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1036.002 Masquerading: Right-to-Left Override
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.003 Masquerading: Rename System Utilities
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1036.003 Masquerading: Rename System Utilities
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.004 Masquerading: Masquerade Task or Service
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.005 Masquerading: Match Legitimate Name or Location
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.006 Masquerading: Space after Filename
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222 File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1490 Inhibit System Recovery
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1490 Inhibit System Recovery
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.001 Virtualization/Sandbox Evasion: System Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553 Subvert Trust Controls
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.001 Subvert Trust Controls: Gatekeeper Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.002 Subvert Trust Controls: Code Signing
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.004 Subvert Trust Controls: Install Root Certificate
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1553.006 Subvert Trust Controls: Code Signing Policy Modification
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562 Impair Defenses
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new files related-to T1562 Impair Defenses
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.001 Impair Defenses: Disable or Modify Tools
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.002 Impair Defenses: Disable Windows Event Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.003 Impair Defenses: Impair Command History Logging
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Impair Defenses: Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.006 Impair Defenses: Indicator Blocking
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.007 Impair Defenses: Disable or Modify Cloud Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Impair Defenses: Disable Cloud Logs
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1574.012 Hijack Execution Flow: COR_PROFILER
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.001 Weaken Encryption: Reduce Key Space
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1600.002 Weaken Encryption: Disable Crypto Hardware
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601 Modify System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.001 Modify System Image: Patch System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.002 Modify System Image: Downgrade System Image
action.malware.variety.DoS DoS attack related-to T1489 Service Stop
action.malware.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) related-to T1211 Exploitation for Defense Evasion
action.malware.variety.Export data Export data to another site or system related-to T1011 Exfiltration Over Other Network Medium
action.malware.variety.Export data Export data to another site or system related-to T1011.001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
action.malware.variety.Export data Export data to another site or system related-to T1020 Automated Exfiltration
action.malware.variety.Export data Export data to another site or system related-to T1020.001 Automated Exfiltration: Traffic Duplication
action.malware.variety.Export data Export data to another site or system related-to T1029 Scheduled Transfer
action.malware.variety.Export data Export data to another site or system related-to T1030 Data Transfer Size Limits
action.malware.variety.Export data Export data to another site or system related-to T1041 Exfiltration Over C2 Channels
action.malware.variety.Export data Export data to another site or system related-to T1048 Exfiltration Over Alternative Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
action.malware.variety.Export data Export data to another site or system related-to T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
action.malware.variety.Export data Export data to another site or system related-to T1052 Exfiltration Over Physical Medium
action.malware.variety.Export data Export data to another site or system related-to T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB
action.malware.variety.Export data Export data to another site or system related-to T1074 Data Staged
action.malware.variety.Export data Export data to another site or system related-to T1074.001 Data Staged: Local Data Staging
action.malware.variety.Export data Export data to another site or system related-to T1074.002 Data Staged: Remote Data Staging
action.malware.variety.Export data Export data to another site or system related-to T1537 Transfer Data to Cloud Account
action.malware.variety.Export data Export data to another site or system related-to T1560 Archive Collected Data
action.malware.variety.Export data Export data to another site or system related-to T1560.001 Archive Collected Data: Archive via Utility
action.malware.variety.Export data Export data to another site or system related-to T1560.002 Archive Collected Data: Archive via Library
action.malware.variety.Export data Export data to another site or system related-to T1560.003 Archive Collected Data: Archive via Custom Method
action.malware.variety.Export data Export data to another site or system related-to T1567 Exfiltration Over Web Service
action.malware.variety.Export data Export data to another site or system related-to T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository
action.malware.variety.Export data Export data to another site or system related-to T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1003.007 OS Credential Dumping: Proc Filesystem
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.007 OS Credential Dumping: Proc Filesystem
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055 Process Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.001 Process Injection: Dynamic-link Library Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.002 Process Injection: Portable Executable Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.003 Process Injection: Thread Execution Hijacking
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.004 Process Injection: Asynchronous Procedure Call
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.005 Process Injection: Thread Local Storage
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.008 Process Injection: Ptrace System Calls
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.009 Process Injection: Proc Memory
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.011 Process Injection: Extra Window Memory Injection
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.012 Process Injection: Process Hollowing
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.013 Process Injection: Process Doppelganging
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1055.014 Process Injection: VDSO Hijacking
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) related-to T1040 Network Sniffing
action.malware.variety.Scan network Scan or footprint network related-to T1040 Network Sniffing
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003 OS Credential Dumping
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.001 OS Credential Dumping: LSASS Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.001 OS Credential Dumping: LSASS Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.004 OS Credential Dumping: LSA Secrets
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.004 OS Credential Dumping: LSA Secrets
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1003.005 OS Credential Dumping: Cached Domain Credentials
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.001 Unsecured Credentials: Credentials in Files
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Unsecured Credentials: Credentials in Registry
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.003 Unsecured Credentials: Bash History
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.004 Unsecured Credentials: Private Keys
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.005 Unsecured Credentials: Cloud Instance Metadata API
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.006 Unsecured Credentials: Group Policy Preferences
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555 Credentials from Password Stores
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.001 Credentials from Password Stores: Keychain
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.002 Credentials from Password Stores: Securityd Memory
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1555.002 Credentials from Password Stores: Securityd Memory
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.003 Credentials from Password Stores: Credentials from Web Browser
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.004 Credentials from Password Stores: Windows Credential Manager
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1555.005 Credentials from Password Stores: Password Managers
action.malware.variety.Ransomware Ransomware (encrypt or seize stored data) related-to T1486 Data Encrypted for Impact
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1014 Rootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.001 Pre-OS Boot: System Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.002 Pre-OS Boot: Component Firmware
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.003 Pre-OS Boot: Bootkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.004 Pre-OS Boot: ROMMONkit
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542.005 Pre-OS Boot: TFTP Boot
action.malware.variety.Scan network Scan or footprint network related-to T1016 System Network Configuration Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1016.001 System Network Configuration Discovery: Internet Connection Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1018 Remote System Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1046 Network Service Scanning
action.malware.variety.Scan network Scan or footprint network related-to T1049 System Network Connections Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1135 Network Share Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1482 Domain Trust Discovery
action.malware.variety.Scan network Scan or footprint network related-to T1595 Active Scanning
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1595 Active Scanning
action.malware.variety.Scan network Scan or footprint network related-to T1595.001 Active Scanning: Scanning IP Blocks
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1595.001 Active Scanning: Scanning IP Blocks
action.malware.variety.Trojan An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' related-to T1204.003 User Execution: Malicious Image
action.malware.variety.Unknown Unknown related-to T1204.003 User Execution: Malicious Image
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1204.003 User Execution: Malicious Image
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1204.003 User Execution: Malicious Image
action.malware.variety.Unknown Unknown related-to T1080 Taint Shared Content
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1080 Taint Shared Content
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1091 Replication Through Removable Media
action.malware.vector.Removable media Removable storage media or devices related-to T1091 Replication Through Removable Media
action.malware.variety.Unknown Unknown related-to T1001.002 Data Obfuscation: Steganography
action.malware.variety.Unknown Unknown related-to T1001.003 Data Obfuscation: Protocol Impersonation
action.malware.variety.Unknown Unknown related-to T1140 Deobfuscate/Decode Files or Information
action.malware.variety.Unknown Unknown related-to T1204 User Execution
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1204 User Execution
action.malware.variety.Unknown Unknown related-to T1204.001 User Execution: Malicious Link
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1204.001 User Execution: Malicious Link
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1204.001 User Execution: Malicious Link
action.malware.variety.Unknown Unknown related-to T1204.002 User Execution: Malicious File
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1204.002 User Execution: Malicious File
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1204.002 User Execution: Malicious File
action.malware.variety.Unknown Unknown related-to T1608 Stage Capabilities
value_chain.distribution.variety.Unknown Nothing is known about the need for or type of distribution investment other than it was present. related-to T1608 Stage Capabilities
action.malware.variety.Unknown Unknown related-to T1608.001 Stage Capabilities: Upload Malware
value_chain.distribution.variety.Website Malicious content shared intentionally, including bullet-proof hosting related-to T1608.001 Stage Capabilities: Upload Malware
action.malware.variety.Unknown Unknown related-to T1608.002 Stage Capabilities: Upload Tools
value_chain.distribution.variety.Website Malicious content shared intentionally, including bullet-proof hosting related-to T1608.002 Stage Capabilities: Upload Tools
action.malware.variety.Unknown Unknown related-to T1608.003 Stage Capabilities: Install Digital Certificate
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1608.003 Stage Capabilities: Install Digital Certificate
action.malware.variety.Unknown Unknown related-to T1608.004 Stage Capabilities: Drive-by Target
value_chain.distribution.variety.Website Malicious content shared intentionally, including bullet-proof hosting related-to T1608.004 Stage Capabilities: Drive-by Target
action.malware.variety.Unknown Unknown related-to T1608.005 Stage Capabilities: Link Target
action.malware.variety.Unknown Unknown related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1612 Build Image on Host
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1566.001 Phishing: Spearphishing Attachment
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1566.001 Phishing: Spearphishing Attachment
action.social.vector.Email Email related-to T1566.001 Phishing: Spearphishing Attachment
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1598.002 Phishing for Information: Spearphishing Attachment
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1598.002 Phishing for Information: Spearphishing Attachment
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1556.002 Phishing: Spearphishing Link
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.002 Phishing: Spearphishing Link
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.002 Phishing: Spearphishing Link
action.malware.vector.Email link Email via embedded link. Child of 'Email' related-to T1598.003 Phishing for Information: Spearphishing Link
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1598.003 Phishing for Information: Spearphishing Link
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1598.003 Phishing for Information: Spearphishing Link
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1598.003 Phishing for Information: Spearphishing Link
action.malware.vector.Instant messaging Instant Messaging related-to T1566 Phishing
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1566 Phishing
action.malware.vector.Network propagation Network propagation related-to T1570 Lateral Tool Transfer
action.malware.vector.Removable media Removable storage media or devices related-to T1092 Communication Through Removable Media
action.malware.vector.Web application - drive-by Web via auto-executed or "drive-by" infection. Child of 'Web application'. related-to T1189 Drive-by Compromise
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1566.002 Phishing: Spearphishing Link
action.social.vector.Email Email related-to T1566.002 Phishing: Spearphishing Link
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1566.003 Phishing: Spearphishing via Service
action.social.vector.Email Email related-to T1566.003 Phishing: Spearphishing via Service
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1598 Phishing for Information
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1598 Phishing for Information
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1598 Phishing for Information
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1598.001 Phishing for Information: Spearphishing Service
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1598.001 Phishing for Information: Spearphishing Service
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1598.001 Phishing for Information: Spearphishing Service
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1534 Internal Spearphishing
attribute.integrity.variety.Misrepresentation compromise of authenticity (e.g. masquerading as the legitimate owner of an account) related-to T1534 Internal Spearphishing
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1585 Establish Accounts
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585 Establish Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1585.001 Establish Accounts: Social Media Accounts
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585.001 Establish Accounts: Social Media Accounts
action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario) related-to T1585.002 Establish Accounts: Email Account
value_chain.development.variety.Persona A fake representation of a person, such as fake social media profiles related-to T1585.002 Establish Accounts: Email Account
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.001 Event Triggered Execution: Change Default File Association
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.002 Event Triggered Execution: Screensaver
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.004 Event Triggered Execution: Unix Shell Configuration Modification
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.005 Event Triggered Execution: Trap
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.006 Event Triggered Execution: LC_LOAD_DYLIB Addition
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.007 Event Triggered Execution: Netsh Helper DLL
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.008 Event Triggered Execution: Accessibility Features
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.009 Event Triggered Execution: AppCert DLLs
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.010 Event Triggered Execution: AppInit DLLs
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.011 Event Triggered Execution: Application Shimming
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.012 Event Triggered Execution: Image File Execution Options Injection
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.013 Event Triggered Execution: PowerShell Profile
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.014 Event Triggered Execution: Emond
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.015 Event Triggered Execution: Component Object Model Hijacking
attribute.integrity.variety.Created account Created new user account related-to T1136.001 Create Account: Local Account
attribute.integrity.variety.Created account Created new user account related-to T1136.002 Create Account: Domain Account
attribute.integrity.variety.Created account Created new user account related-to T1136.003 Create Account: Cloud Account
attribute.integrity.variety.Defacement Deface content related-to T1491 Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491.001 Defacement: Internal Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491.002 Defacement: External Defacement
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.003 Boot or Logon Initialization Scripts: Network Logon Script
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.004 Boot or Logon Initialization Scripts: RC Scripts
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.005 Boot or Logon Initialization Scripts: Startup Items
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484 Domain Policy Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484.001 Domain Policy Modification: Group Policy Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484.002 Domain Policy Modification: Domain Trust Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.002 Boot or Logon Autostart Execution: Authentication Package
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.003 Boot or Logon Autostart Execution: Time Providers
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.005 Boot or Logon Autostart Execution: Security Support Provider
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.008 Boot or Logon Autostart Execution: LSASS Driver
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.010 Boot or Logon Autostart Execution: Port Monitors
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.011 Boot or Logon Autostart Execution: Plist Modification
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.012 Boot or Logon Autostart Execution: Print Processors
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556 Modify Authentication Process
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.001 Modify Authentication Process: Domain Controller Authentication
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.001 Modify Authentication Process: Domain Controller Authentication
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.003 Modify Authentication Process: Pluggable Authentication Modules
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.003 Modify Authentication Process: Pluggable Authentication Modules
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.004 Modify Authentication Process: Network Device Authentication
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.004 Modify Authentication Process: Network Device Authentication
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565 Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.001 Data Manipulation: Stored Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.002 Data Manipulation: Transmitted Data Manipulation
attribute.integrity.variety.Modify data Modified stored data or content related-to T1565.003 Data Manipulation: Runtime Data Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.001 Account Manipulation: Additional Cloud Credentials
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.002 Account Manipulation: Exchange Email Delegate Permissions
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.003 Account Manipulation: Add Office 365 Global Administrator Role
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.004 Account Manipulation: SSH Authorized Keys
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1547.014 Boot or Logon Autostart Execution: Active Setup
attribute.integrity.variety.Repurpose Repurposed asset for unauthorized function related-to T1535 Unused/Unsupported Cloud Regions

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or unable to be mapped to any ATT&CK objects.
Capability ID Capability Description
action.misuse.result.Exfiltrate The misuse action exfiltrated data from the victim
attribute.integrity.variety.Software installation Software installation or code modification
value_chain.targeting.variety.Vulnerabilities Knowledge of software vulnerabilities, both at an organization or associated with a specific vendor's product, used to pick them as a target.
action.misuse.variety.Data mishandling Handling of data in an unapproved manner
action.hacking.variety.Path traversal Path traversal. Child of 'Exploit vuln'.
action.social.variety.Propaganda Propaganda or disinformation
action.hacking.vector.Other Other
action.hacking.variety.XQuery injection XQuery injection. Child of 'Exploit vuln'.
action.misuse.vector.Remote access Remote access connection to corporate network (i.e. VPN)
action.misuse.vector.Web application Web application
action.malware.result.Unknown The result of the malware action is unknown
action.social.variety.Elicitation Elicitation (subtle extraction of info through conversation)
action.hacking.result.Exfiltrate The hacking action exfiltrated data from the victim
action.misuse.vector.Unknown Unknown
action.social.result.Other The result of the social action is not listed
value_chain.targeting.variety.Other The variety of targeting was known, but is not listed
action.social.vector.Software Software
action.misuse.variety.Illicit content Storage or distribution of illicit content
action.social.result.Infiltrate The social action resulted in additional security access
action.misuse.variety.Net misuse Inappropriate use of network or Web access including cloud services
action.hacking.result.Other The result of the hacking action is not listed
action.social.target.Helpdesk Helpdesk staff
action.social.result.NA The social action did not have a result
action.misuse.variety.Snap picture Actor photographs the confidentiality data variety.
value_chain.distribution.variety.Partner The actor distributed the attack to the victim through a partner, (i.e. supply chain attack).
action.hacking.result.NA The hacking action did not have a result
action.misuse.result.Deploy payload e.g. cryptomining, ransomware, etc
action.social.result.Elevate The social action resulted in additional security permissions
action.hacking.result.Lateral movement The hacking action used security access or permissions already acquired
action.social.result.Exfiltrate The social action exfiltrated data from the victim
action.malware.result.Exfiltrate The malware action exfiltrated data from the victim
action.social.variety.Scam Online scam or hoax (e.g., scareware, 419 scam, auction fraud)
value_chain.non-distribution services.variety.Unknown Nothing is known about the need for or type of non-distribution service investment other than it was present.
action.malware.vector.Email Email. Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown'
action.malware.vector.Email autoexecute Email via automatic execution. Child of 'Email'
action.misuse.variety.Unapproved software Use of unapproved software or services
action.social.variety.Bribery Bribery or solicitation
action.misuse.result.Other The result of the misuse action is not listed
action.malware.vector.Email other Email sub-variety known, but not one of those listed (attachment, link, autoexecute, etc). Child of 'Email'
value_chain.non-distribution services.variety.Marketplace Use of a marketplace was required as part of this incident.
action.hacking.result.Unknown The result of the hacking action is unknown
action.hacking.result.Infiltrate The hacking action resulted in additional security access
action.misuse.variety.Unapproved hardware Use of unapproved hardware or devices
action.social.target.Maintenance Maintenance or janitorial staff
action.hacking.result.Elevate The hacking action resulted in additional security permissions
action.malware.result.Deploy payload e.g. cryptomining, ransomware, etc
action.malware.variety.SQL injection SQL injection attack
action.social.target.System admin System or network administrator
action.malware.variety.Other Other
action.misuse.variety.Other Other
action.social.target.Auditor Auditor
action.hacking.variety.Session replay Session replay. Child of 'Exploit vuln'.
action.hacking.variety.Other Other
action.social.target.Cashier Cashier, teller or waiter
value_chain.non-distribution services.variety.Counter AV Services for testing if malware is detected by anti-virus
action.misuse.variety.Privilege abuse Abuse of system access privileges
action.social.variety.Baiting Baiting (planting infected media)
action.social.target.Finance Finance or accounting staff
action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'.
action.social.target.Customer Customer (B2C)
value_chain.targeting.variety.Default credentials Credentials the system came with
attribute.confidentiality.data_disclosure
action.social.variety.Spam Spam (unsolicited or undesired email and advertisements)
action.misuse.variety.Unknown Unknown
value_chain.targeting.variety.Misconfigurations Knowledge of system misconfigurations used to pick an organization as a target
action.malware.result.Lateral movement The malware action used security access or permissions already acquired
value_chain.distribution.variety.Loader malware that loads other malware
action.hacking.variety.RFI Remote file inclusion. Child of 'Exploit vuln'.
value_chain.non-distribution services.variety.Hashcracking i.e. converting hashes into the text that produce them
value_chain.targeting.variety.NA No type of targeting was necessary. (This includes targeted.Targeted since the victim was chosen without targeting.)
action.social.vector.In-person In-person
action.misuse.variety.Email misuse Inappropriate use of email or IM
value_chain.targeting.variety.Partner The actor used access to a partner to target the victim.
action.hacking.variety.User breakout Elevation of privilege by another customer in shared environment. Child of 'Exploit vuln'.
action.misuse.result.Unknown The result of the misuse action is unknown
action.misuse.vector.Physical access Physical access within corporate facility
action.misuse.result.NA The misuse action did not have a result
action.social.vector.Social media Social media or networking
action.social.variety.Influence Influence tactics (Leveraging authority or obligation, framing, etc)
value_chain.non-distribution services.variety.C2 Command and control. Separate from distribution of malware or bots, this is how they are maintained
action.hacking.vector.Desktop sharing Graphical desktop sharing (RDP, VNC, PCAnywhere, Citrix)
value_chain.development.variety.NA No type of development was necessary
value_chain.non-distribution services.variety.DNS DNS services including fast flux
value_chain.distribution.variety.NA No type of distribution was necessary
action.hacking.variety.Mail command injection Mail command injection. Child of 'Exploit vuln'.
action.social.target.End-user or employee End-user or regular employee not otherwise listed. Parent of 'End-user' or 'Other employee'
action.hacking.variety.SQLi SQL injection. Child of 'Exploit vuln'.
action.hacking.variety.URL redirector abuse URL redirector abuse. Child of 'Exploit vuln'.
value_chain.targeting.variety.Weaknesses Knowledge of weaknesses other than vulnerability and misconfigurations used to pick an organization as a target
action.social.variety.Other Other
action.hacking.variety.Null byte injection Null byte injection. Child of 'Exploit vuln'.
action.social.vector.Documents Documents
action.hacking.variety.Reverse engineering Reverse engineering. Child of 'Exploit vuln'.
action.hacking.vector.Web application Web application
action.social.result.Deploy payload e.g. cryptomining, ransomware, etc
action.malware.variety.Spam Send spam
action.social.vector.SMS SMS or texting
action.misuse.vector.Non-corporate Non-corporate facilities or networks
action.misuse.result.Lateral movement The misuse action used security access or permissions already acquired
value_chain.non-distribution services.variety.Escrow Something kept in the custody of a third party until a condition has been fulfilled.
action.misuse.variety.Possession abuse Abuse of physical access to asset
action.social.variety.Extortion Extortion or blackmail
action.social.vector.IM Instant messaging
action.social.vector.Phone Phone
action.malware.result.Other The result of the malware action is not listed
action.social.target.Partner Partner (B2B)
action.social.target.Unknown Unknown
attribute.integrity.variety.Other Other
action.social.variety.Unknown Unknown
value_chain.distribution.variety.Email Distribution by email including anonymous/one time and spam
action.hacking.variety.Special element injection Special element injection. Child of 'Exploit vuln'.
action.social.target.Other Other
action.hacking.variety.Cache poisoning Cache poisoning. Child of 'Exploit vuln'.
action.social.result.Unknown The result of the social action is unknown
value_chain.distribution.variety.Phone Distribution over the Plain Old Telephone System (POTS).
value_chain.targeting.variety.Unknown Nothing is known about the need for or type of targeting investment other than it was present.
action.social.result.Lateral movement The social action used security access or permissions already acquired
action.misuse.result.Elevate Do not use. Misuse inherently implies having permission so none can be elevated.
action.malware.variety.Downloader Downloader (pull updates or other malware)
action.hacking.vector.Unknown Unknown
action.malware.vector.Email unknown Email but sub-variety (attachment, autoexecute, link, etc) not known. Child of 'Email'
action.social.target.End-user End-user of the victim's products and/or services. Child of 'End-user or employee'
action.social.target.Former employee Former employee
action.hacking.variety.XSS Cross-site scripting. Child of 'Exploit vuln'.
action.social.vector.Other Other
action.social.target.Human resources Human resources staff
action.social.vector.Unknown Unknown
action.social.target.Developer Software developer
action.social.target.Manager Manager or supervisor
action.malware.vector.Other Other
action.misuse.vector.LAN access Local network access within corporate facility
action.hacking.variety.Session prediction Credential or session prediction. Child of 'Exploit vuln'.
action.misuse.result.Infiltrate Do not use. Misuse inherently implies having permission so none can be gained.
value_chain.non-distribution services.variety.Proxy A proxy service (either formally or informally hosted) is used by the actor to obscure their source
action.malware.vector.Unknown Unknown
action.social.target.Call center Call center staff
action.misuse.vector.Other Other
attribute.integrity.variety.Hardware tampering Hardware tampering or physical alteration
action.social.target.Executive Senior staff with legal responsibility such as board members and corporate officers
action.misuse.variety.Unapproved workaround Unapproved workaround or shortcut
value_chain.distribution.variety.Direct Distributed directly from the actor's computer
action.hacking.vector.VPN VPN
action.hacking.variety.SSI injection SSI injection. Child of 'Exploit vuln'.
value_chain.non-distribution services.variety.NA No type of non-distribution service was necessary
action.social.target.Other employee Regular employee not otherwise listed. Child of 'End-user or employee'
action.social.target.Guard Security guard
action.social.vector.Website Website
action.misuse.variety.Knowledge abuse Abuse of private or entrusted knowledge
action.malware.result.NA The malware action did not have a result
action.malware.result.Infiltrate The malware action resulted in additional security access
action.malware.result.Elevate The malware action resulted in additional security permissions
action.hacking.variety.CSRF Cross-site request forgery. Child of 'Exploit vuln'.
action.hacking.result.Deploy payload e.g. cryptomining, ransomware, etc
action.social.vector.Removable media Removable storage media
attribute.integrity.variety.Fraudulent transaction Initiate fraudulent transaction
value_chain.non-distribution services.variety.VPN A VPN service (either formally or informally hosted) is used by the actor to obscure their source