action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1047 |
Windows Management Instrumentation |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.005 |
Command and Scripting Interpreter: Visual Basic |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1059.007 |
Command and Scripting Interpreter: JavaScript |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1072 |
Software Deployment Tools |
action.malware.vector.Software update |
Included in automated software update |
related-to |
T1072 |
Software Deployment Tools |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1505.001 |
Server Software Component: SQL Stored Procedures |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1505.002 |
Server Software Component: Transport Agent |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1543 |
Create or Modify System Process |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1543 |
Create or Modify System Process |
action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1543.003 |
Create or Modify System Process: Windows Service |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1547 |
Boot or Logon Autostart Execution |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1548.003 |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563 |
Remote Service Session Hijacking |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.001 |
Remote Service Session Hijacking: SSH Hijacking |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1563.002 |
Remote Service Session Hijacking: RDP Hijacking |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1564.007 |
Hide Artifacts: VBA Stomping |
action.malware.vector.Direct install |
Directly installed or inserted by threat agent (after system access) |
related-to |
T1569.002 |
System Services: Service Execution |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110 |
Brute Force |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.001 |
Brute Force: Password Guessing |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.002 |
Brute Force: Password Cracking |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.003 |
Brute Force: Password Spraying |
action.malware.variety.Brute force |
Brute force attack |
related-to |
T1110.004 |
Brute Force: Credential Stuffing |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1203 |
Exploitation for Client Execution |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1203 |
Exploitation for Client Execution |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600 |
Weaken Encryption |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498 |
Network Denial of Service |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498.001 |
Network Denial of Service: Direct Network Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1498.002 |
Network Denial of Service: Reflection Amplification |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499 |
Endpoint Denial of Service |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.001 |
Endpoint Denial of Service: OS Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.002 |
Endpoint Denial of Service: Service Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.003 |
Endpoint Denial of Service: Application Exhaustion Flood |
action.malware.variety.DoS |
DoS attack |
related-to |
T1499.004 |
Endpoint Denial of Service: Application or System Exploitation |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1068 |
Exploitation for Privilege Escalation |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1190 |
Exploit Public-Facing Application |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1210 |
Exploitation of Remote Services |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1212 |
Exploitation for Credential Access |
action.malware.variety.Exploit misconfig |
Exploit a misconfiguration (vs vuln or weakness) |
related-to |
T1558.004 |
Steal or Forge Kerberos Tickets: AS-REP Roasting |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1595.002 |
Active Scanning: Vulnerability Scanning |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1595.002 |
Active Scanning: Vulnerability Scanning |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1119 |
Automated Collection |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1602 |
Data from Configuration Repository |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1539 |
Steal Web Session Cookie |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1583.006 |
Acquire Infrastructure: Web Services |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1185 |
Man in the Browser |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1550.002 |
Use Alternate Authentication Material: Pass the Hash |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001 |
Data Obfuscation |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1008 |
Fallback Channels |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1071 |
Application Layer Protocol |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071 |
Application Layer Protocol |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1090 |
Proxy |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1095 |
Non-Application Layer Protocol |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1102 |
Web Service |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1104 |
Multi-Stage Channels |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1132 |
Data Encoding |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1133 |
External Remote Services |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1133 |
External Remote Services |
action.malware.vector.Remote injection |
Remotely injected by agent (i.e. via SQLi) |
related-to |
T1133 |
External Remote Services |
action.malware.vector.Web application |
Web application. Parent of 'Web application - download' and 'Web application - drive-by. |
related-to |
T1133 |
External Remote Services |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1205 |
Traffic Signaling |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1505 |
Server Software Component |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1505.003 |
Server Software Component: Web Shell |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1525 |
Implant Container Image |
action.malware.variety.RAT |
Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' |
related-to |
T1525 |
Implant Container Image |
action.malware.variety.Unknown |
Unknown |
related-to |
T1525 |
Implant Container Image |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1568 |
Dynamic Resolution |
action.malware.vector.Download by malware |
Downloaded and installed by local malware |
related-to |
T1568 |
Dynamic Resolution |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1571 |
Non-Standard Port |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1572 |
Protocol Tunneling |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1573 |
Encrypted Channels |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1573.001 |
Encrypted Channels: Symmetric Cryptography |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1573.002 |
Encrypted Channels: Asymmetric Cryptography |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1021 |
Remote Services |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1550 |
Use Alternate Authentication Material |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213 |
Data from Information Repository |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1546 |
Event Triggered Execution |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1574 |
Hijack Execution Flow |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1010 |
Application Window Discovery |
action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1583 |
Acquire Infrastructure |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1583.001 |
Acquire Infrastructure: Domains |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1583.002 |
Acquire Infrastructure: DNS Server |
action.malware.vector.Web application - download |
Web via user-executed or downloaded content. Child of 'Web application'. |
related-to |
T1584 |
Compromise Infrastructure |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1584.002 |
Compromise Infrastructure: DNS Server |
action.malware.variety.Unknown |
Unknown |
related-to |
T1587.001 |
Develop Capabilities: Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1587.004 |
Develop Capabilities: Exploits |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.001 |
Obtain Capabilities: Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.005 |
Obtain Capabilities: Exploits |
action.malware.variety.Unknown |
Unknown |
related-to |
T1588.006 |
Obtain Capabilities: Vulnerabilities |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1037 |
Boot or Logon Initialization Script |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1098 |
Account Manipulation |
action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new filess |
related-to |
T1136 |
Create Account |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1197 |
BITS Jobs |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542 |
Pre-OS Boot |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1554 |
Compromise Client Software Binary |
action.malware.variety.Adminware |
System or network utilities (e.g., PsTools, Netcat) |
related-to |
T1219 |
Remote Access Software |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497 |
Virtualization/Sandbox Evasion |
action.malware.variety.Adware |
Adware |
related-to |
T1199 |
Trusted Relationship |
action.malware.vector.Software update |
Included in automated software update |
related-to |
T1195 |
Supply Chain Compromise |
action.malware.variety.Backdoor |
Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1205.001 |
Traffic Signaling: Port Knocking |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.001 |
Data Obfuscation: Junk Data |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.001 |
Application Layer Protocol: Web Protocols |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.002 |
Application Layer Protocol: File Transfer Protocol |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.003 |
Application Layer Protocol: Mail Protocols |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
action.malware.variety.Unknown |
Unknown |
related-to |
T1071.004 |
Application Layer Protocol: DNS |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1090.001 |
Proxy: Internal Proxy |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1090.002 |
Proxy: External Proxy |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1090.003 |
Proxy: Multi-hop Proxy |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1090.004 |
Proxy: Domain Fronting |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1102.001 |
Web Service: Dead Drop Resolver |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1102.002 |
Web Service: Bidirectional Communication |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1102.003 |
Web Service: One-Way Communication |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1132.001 |
Data Encoding: Standard Encoding |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1132.002 |
Data Encoding: Non-Standard Encoding |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1568.001 |
Dynamic Resolution: Fast Flux DNS |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1568.002 |
Dynamic Resolution: Domain Generation Algorithms |
action.malware.variety.C2 |
Command and control (C2) |
related-to |
T1568.003 |
Dynamic Resolution: DNS Calculation |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056 |
Input Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.001 |
Input Capture: Keylogging |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.002 |
Input Capture: GUI Input Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.003 |
Input Capture: Web Portal Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Spyware/Keylogger |
Spyware, keylogger or form-grabber (capture user input or activity) |
related-to |
T1056.004 |
Input Capture: Credential API Hooking |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1113 |
Screen Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114 |
Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.001 |
Email Collection: Local Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.002 |
Email Collection: Remote Email Collection |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1114.003 |
Email Collection: Email Forwarding Rule |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1123 |
Audio Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1125 |
Video Capture |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1176 |
Browser Extensions |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1176 |
Browser Extensions |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1207 |
Rogue Domain Controller |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1217 |
Browser Bookmark Discovery |
action.malware.variety.Capture app data |
Capture data from application or system process |
related-to |
T1528 |
Steal Application Access Token |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.002 |
OS Credential Dumping: Security Account Manager |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.003 |
OS Credential Dumping: NTDS |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.006 |
OS Credential Dumping: DCSync |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.008 |
OS Credential Dumping: /etc/passwd and /etc/shadow |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1005 |
Data from Local System |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1025 |
Data from Removable Media |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1033 |
System Owner/User Discovery |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1039 |
Data from Network Shared Drive |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1083 |
File and Directory Discovery |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.001 |
Data from Information Repositories: Confluence |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1213.002 |
Data from Information Repositories: Sharepoint |
action.malware.variety.Capture stored data |
Capture data stored on system disk |
related-to |
T1530 |
Data from Cloud Storage Object |
action.malware.variety.Click fraud |
Click fraud, whether or not cryptocurrency mining. Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Click fraud and cryptocurrency mining |
Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Cryptocurrency mining |
Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'. |
related-to |
T1496 |
Resource Hijacking |
action.malware.variety.Client-side attack |
Client-side or browser attack (e.g., redirection, XSS, MitB) |
related-to |
T1221 |
Template Injection |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070 |
Indicator Removal on Host |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.001 |
Indicator Removal on Host: Clear Windows Event Logs |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.002 |
Indicator Removal on Host: Clear Linux or Mac System Logs |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.003 |
Indicator Removal on Host: Clear Command History |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.004 |
Indicator Removal on Host: File Deletion |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.005 |
Indicator Removal on Host: Network Share Connection Removal |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1070.006 |
Indicator Removal on Host: Timestomp |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1485 |
Data Destruction |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1495 |
Firmware Corruption |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561 |
Disk Wipe |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.001 |
Disk Wipe: Disk Content Wipe |
action.malware.variety.Destroy data |
Destroy or corrupt stored data |
related-to |
T1561.002 |
Disk Wipe: Disk Structure Wipe |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1006 |
Direct Volume Access |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027 |
Obfuscated Files or Information |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.001 |
Obfuscated Files or Information: Binary Padding |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.002 |
Obfuscated Files or Information: Software Packaging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.003 |
Obfuscated Files or Information: Steganography |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.004 |
Obfuscated Files or Information: Compile After Dilevery |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1027.005 |
Obfuscated Files or Information: Indicator Removal from Tools |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036 |
Masquerading |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1036 |
Masquerading |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.001 |
Masquerading: Invalid Code Signature |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.002 |
Masquerading: Right-to-Left Override |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1036.003 |
Masquerading: Rename System Utilities |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.004 |
Masquerading: Masquerade Task or Service |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.005 |
Masquerading: Match Legitimate Name or Location |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1036.006 |
Masquerading: Space after Filename |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222 |
File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.001 |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1222.002 |
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1490 |
Inhibit System Recovery |
action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1490 |
Inhibit System Recovery |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.001 |
Virtualization/Sandbox Evasion: System Checks |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.002 |
Virtualization/Sandbox Evasion: User Activity Based Checks |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1497.003 |
Virtualization/Sandbox Evasion: Time Based Evasion |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553 |
Subvert Trust Contols |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.001 |
Subvert Trust Contols: Gatekeeper Bypass |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.002 |
Subvert Trust Contols: Code Signing |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.003 |
Subvert Trust Contols: SIP and Trust Provider Hijacking |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.004 |
Subvert Trust Contols: Install Root Certificate |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.005 |
Subvert Trust Contols: Mark-of-the-Web Bypass |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1553.006 |
Subvert Trust Contols: Code Signing Policy Modification |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562 |
Impair Defenses |
action.malware.variety.Modify data |
Malware which compromises a legitimate file rather than creating new filess |
related-to |
T1562 |
Impair Defenses |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.001 |
Impair Defenses: Disable or Modify Tools |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.002 |
Impair Defenses: Disable Windows Event Logging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.003 |
Impair Defenses: Impair Command History Logging |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.004 |
Impair Defenses: Disable or Modify System Firewall |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.006 |
Impair Defenses: Indicator Blocking |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.007 |
Impair Defenses: Disable or Modify Cloud Firewall |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1562.008 |
Impair Defenses: Disable Cloud Logs |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1574.012 |
Hijack Execution Flow: COR_PROFILER |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.001 |
Weaken Encryption: Reduce Key Space |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1600.002 |
Weaken Encryption: Disable Crypto Hardware |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601 |
Modify System Image |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.001 |
Modify System Image: Patch System Image |
action.malware.variety.Disable controls |
Disable or interfere with security controls |
related-to |
T1601.002 |
Modify System Image: Downgrade System Image |
action.malware.variety.DoS |
DoS attack |
related-to |
T1489 |
Service Stop |
action.malware.variety.Exploit vuln |
Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) |
related-to |
T1211 |
Exploitation for Defense Evasion |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011 |
Exfiltration Over Other Network Medium |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1011.001 |
Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020 |
Automated Exfiltration |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1020.001 |
Automated Exfiltration: Traffic Duplication |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1029 |
Scheduled Transfer |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1030 |
Data Transfer Size Limits |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1041 |
Exfiltration Over C2 Channels |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048 |
Exfiltration Over Alternative Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.001 |
Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.002 |
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1048.003 |
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052 |
Exfiltration Over Physical Medium |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074 |
Data Staged |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.001 |
Data Staged: Local Data Staging |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1074.002 |
Data Staged: Remote Data Staging |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1537 |
Transfer Data to Cloud Account |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560 |
Archive Collected Data |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.001 |
Archive Collected Data: Archive via Utility |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.002 |
Archive Collected Data: Archive via Library |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1560.003 |
Archive Collected Data: Archive via Custom Method |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567 |
Exfiltration Over Web Service |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.001 |
Exfiltration Over Web Service: Exfiltration to Code Repository |
action.malware.variety.Export data |
Export data to another site or system |
related-to |
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.007 |
OS Credential Dumping: Proc Filesystem |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055 |
Process Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.001 |
Process Injection: Dynamic-link Library Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.002 |
Process Injection: Portable Executable Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.003 |
Process Injection: Thread Execution Hijacking |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.004 |
Process Injection: Asynchronous Procedure Call |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.005 |
Process Injection: Thread Local Storage |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.008 |
Process Injection: Ptrace System Calls |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.009 |
Process Injection: Proc Memory |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.011 |
Process Injection: Extra Window Memory Injection |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.012 |
Process Injection: Process Hollowing |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.013 |
Process Injection: Process Doppelganging |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1055.014 |
Process Injection: VDSO Hijacking |
action.malware.variety.In-memory |
(malware never stored to persistent storage) |
related-to |
T1115 |
Clipboard Data |
action.malware.variety.Packet sniffer |
Packet sniffer (capture data from network) |
related-to |
T1040 |
Network Sniffing |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1040 |
Network Sniffing |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003 |
OS Credential Dumping |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.001 |
OS Credential Dumping: LSASS Memory |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.004 |
OS Credential Dumping: LSA Secrets |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1003.005 |
OS Credential Dumping: Cached Domain Credentials |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.001 |
Unsecured Credentials: Credentials in Files |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.002 |
Unsecured Credentials: Credentials in Registry |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.003 |
Unsecured Credentials: Bash History |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.004 |
Unsecured Credentials: Private Keys |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.005 |
Unsecured Credentials: Cloud Instance Metadata API |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1552.006 |
Unsecured Credentials: Group Policy Preferences |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555 |
Credentials from Password Stores |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.001 |
Credentials from Password Stores: Keychain |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
action.malware.variety.RAM scraper |
RAM scraper or memory parser (capture data from volatile memory) |
related-to |
T1555.002 |
Credentials from Password Stores: Securityd Memory |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browser |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.004 |
Credentials from Password Stores: Windows Credential Manager |
action.malware.variety.Password dumper |
Password dumper (extract credential hashes) |
related-to |
T1555.005 |
Credentials from Password Stores: Password Managers |
action.malware.variety.Ransomware |
Ransomware (encrypt or seize stored data) |
related-to |
T1486 |
Data Encrypted for Impact |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1014 |
Rootkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.001 |
Pre-OS Boot: System Firmware |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.002 |
Pre-OS Boot: Component Firmware |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.003 |
Pre-OS Boot: Bootkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.004 |
Pre-OS Boot: ROMMONkit |
action.malware.variety.Rootkit |
Rootkit (maintain local privileges and stealth) |
related-to |
T1542.005 |
Pre-OS Boot: TFTP Boot |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1016 |
System Network Configuration Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1016.001 |
System Network Configuration Discovery: Internet Connection Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1018 |
Remote System Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1046 |
Network Service Scanning |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1049 |
System Network Connections Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1135 |
Network Share Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1482 |
Domain Trust Discovery |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1595 |
Active Scanning |
action.malware.variety.Scan network |
Scan or footprint network |
related-to |
T1595.001 |
Active Scanning: Scanning IP Blocks |
action.malware.variety.Trojan |
An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor' |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.003 |
User Execution: Malicious Image |
action.malware.variety.Unknown |
Unknown |
related-to |
T1080 |
Taint Shared Content |
action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1080 |
Taint Shared Content |
action.malware.variety.Worm |
Worm (propagate to other systems or devices) |
related-to |
T1091 |
Replication Through Removable Media |
action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1091 |
Replication Through Removable Media |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.002 |
Data Obfuscation: Steganography |
action.malware.variety.Unknown |
Unknown |
related-to |
T1001.003 |
Data Obfuscation: Protocol Impersonation |
action.malware.variety.Unknown |
Unknown |
related-to |
T1140 |
Deobfuscate/Decode Files or Information |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204 |
User Execution |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1204.001 |
User Execution: Malicious Link |
action.malware.variety.Unknown |
Unknown |
related-to |
T1204.002 |
User Execution: Malicious File |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1204.002 |
User Execution: Malicious File |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608 |
Stage Capabilities |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.001 |
Stage Capabilities: Upload Malware |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.002 |
Stage Capabilities: Upload Tools |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.003 |
Stage Capabilities: Install Digital Certificate |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.004 |
Stage Capabilities: Drive-by Target |
action.malware.variety.Unknown |
Unknown |
related-to |
T1608.005 |
Stage Capabilities: Link Target |
action.malware.variety.Unknown |
Unknown |
related-to |
T1610 |
Deploy Container |
action.malware.variety.Unknown |
Unknown |
related-to |
T1612 |
Build Image on Host |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1566.001 |
Phishing: Spearphishing Attachment |
action.malware.vector.Email attachment |
Email via user-executed attachment. Child of 'Email' |
related-to |
T1598.002 |
Phishing for Information: Spearphishing Attachment |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1556.002 |
Phishing: Spearphishing Link |
action.malware.vector.Email link |
Email via embedded link. Child of 'Email' |
related-to |
T1598.003 |
Phishing for Information: Spearphishing Link |
action.malware.vector.Instant messaging |
Instant Messaging |
related-to |
T1566 |
Phishing |
action.malware.vector.Network propagation |
Network propagation |
related-to |
T1570 |
Lateral Tool Transfer |
action.malware.vector.Removable media |
Removable storage media or devices |
related-to |
T1092 |
Communication Through Removable Media |
action.malware.vector.Web application - drive-by |
Web via auto-executed or "drive-by" infection. Child of 'Web application'. |
related-to |
T1189 |
Drive-by Compromise |